Google Drive Problem Is a Public Cloud Problem, Says Privacy Expert
The explosion of outrage from privacy advocates over Google Drive's terms of service appears to have subsided somewhat, after a number of analysts agreed with the company that its terms are no more intrusive than those of other cloud storage services like Dropbox, Microsoft's Skydrive or Apple's iCloud.
The more significant message, privacy experts say, is that the public cloud -- any public cloud -- is not the place for corporations to be storing sensitive or confidential information.
The offending language in the new Google storage and synchronization service states that Google reserves the right to "use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute" content uploaded to their services.
But that is preceded by a statement that, "You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours."
Nilay Patel, writing a comparison of cloud storage services in The Verge, says that while Google's terminology may be "a little off-putting," it is actually a bit more restrictive than some others. For example, he notes that Dropbox's terms of service says, "You give us the permissions we need to do those things solely to provide the Services."
While that language, "is definitely friendlier than Google's, it's actually more expnsive, since it's more vague," Patel writes.
"Where Google specifically lists the rights and permissions it needs to run its services using precise legal terminology like 'create derivative works,' Dropbox just says you're giving it 'the permissions we need.' Exactly what those permissions are is left unsaid and undefined -- and could change as Dropbox changes the types of services it provides."
Still, Rafe Neeleman, writing on CNET News, quotes the High Tech Law Institute's Eric Goldman saying, "the language is not drafted nearly as tightly as we would expect from a company of Google's size and stature," adding that it is, "poorly written and likely to confuse users."
And Nick Triantos, founder and CEO of ionGrid remains convinced that Google will, in fact, end up with some form of ownership of user content. "It sounds fairly clear to me that they don't have to return your data to you [if you leave their service]," he says.
"It isn't necessarily because of malice, but because it can be a lot of work to go through and delete it all. It's more of an effort to simplify things," Triantos says. "But it also give them the right to mine the content of a word-processing document so could target you with better ads."
While none of this may be a huge problem for the average individual user, it should be a stark warning for corporations, he says. "The public cloud is already so far away from what a good IT department would want."
Most companies have a clear policy that says anyone who shares sensitive documents outside of the security perimeter will be fired. But so many employees, including some CEOs, are doing it, the policy is rarely enforced.
This, he says, will eventually lead to disaster. "If you're working for a large bank, you could go to prison for it. Even if none of that information leaked out, the fact that you're putting it into the public cloud is enough to put you in jail."
Why aren't more corporations concerned about it? "One company is eventually going to get sued," Triantos says, "and then everybody is going to go to firefighting mode. It may not be at the top of people's minds until then."
The bottom line for enterprises, he says, is that it doesn't really matter if it is Google Drive or any of its competitors. They are not private and they are not secure. So, don't use them, Triantos says.
Read more about cloud security in CSOonline's Cloud Security section.