Google Using 'Double Talk' on Cloud Security, Says Consumer Group
A consumer advocacy group that is opposed to a plan by the city of Los Angeles to adopt Google's hosted e-mail and office applications is accusing the company of a double standard on security issues.
In a letter to Bernard Parks, chairman of the Los Angeles City Council's Budget and Finance Committee, Consumer Watchdog claimed that Google was being hypocritical in marketing Google Apps to the city.
The letter, by Consumer Watchdog advocate John Simpson, faulted Google for "blandly assuring" customers about the security of its cloud-based services while at the same time warning of multiple security risks in federally required 10-Q financial statements.
"Google says one thing when trying to sell its products, but something else in federally required filings aimed at shareholders," Simpson said in the letter.
A Google spokesman said in e-mail that Consumer Watchdog was more interested in "generating headlines and taking sides in a contract bidding process than in taking a fair and reasonable look at cloud computing."
In a "fact check" note Google has been circulating to L.A. council officials, the company also downplayed Consumer Watchdog's claims and said the group was being paid to target Google specifically.
In the note, Google said that the risk factors it had mentioned in the financial report were similar to that made by others. As an example it showed Microsoft's risk statements, which were nearly identical to the comments made by Google and that Consumer Watchdog had highlighted.
Simpson's letter represents the latest effort to get the city of L.A to change its mind about a $7.25 million plan to replace its Novell GroupWise e-mail and Microsoft Office applications with Google Apps.
Under the plan, the city would transition about 30,000 users to Google's cloud-based e-mail and office productivity products. Originally, the migration was supposed to happen by the end of December 2009 but the deadline has now been pushed back to the middle of next year.
City officials have said that they expect the move will save Los Angeles more than $13 million in software licensing and manpower costs over the next five years. If approved, Los Angeles will become the second major city, after Washington, D.C., to migrate its applications to Google's cloud services.
Critics of the planned move have questioned the projected cost benefits and have expressed concern about the security and privacy implications of having the city's office and e-mail applications hosted in the cloud.
Among those who have publicly voiced such concerns are the Los Angeles Police Department, the city attorney's office and some public interest groups, including Consumer Watchdog.
Google has downplayed the concerns. It has argued that most of the criticisms of its service have stemmed from an incomplete understanding of the project, and of cloud computing in general.
More recently, Google has tried to assuage security concerns related to its cloud offerings by pointing to its "Gov Cloud" offering which it is developing for use by state and federal government agencies . The company has said the service will meet the requirements of the Federal Information Security Management Act (FISMA) when it is released.
Consumer Watchdog's Simpson told Computerworld that there was a "difference in tone" between Google's attempts to reassure potential users about the security of its hosted applications and in its federally regulated communications.
In Google's most recent 10-Q statements, the company has painted a picture that is at odds with its security assurances in public, Simpson said. His letter pointed to various statements in the 10-Q report where Google talks about its systems being vulnerable to disruptions from terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses and computer denial of service attacks.
Such threats could "jeopardize the security of information stored in a user's computer or in our computer systems and networks," Google has noted. In addition, "some of our systems are not fully redundant, and our disaster recovery planning cannot account for all eventualities," the report warned.
"Google puts the best spin possible when they are talking about benefits of cloud computing," he said. "However, when they are talking about cloud security in the context of a report to shareholders they are singing a completely different tune. That difference smacks of corporate hypocrisy."
He also said it would be disingenuous for anybody to suggest that Google's comments in its financial statement are the kind of standard disclaimers that every company makes.
"The single biggest problem with cloud computing and the rush to it is that providers have focused on things like latency and access" without adequate thought for security, Simpson said. As a result, it is important to air the security issues in public and work on resolving them, he said.