Wednesday, March 18, 2009

Google’s EPIC fail: privacy group wants cloud computing safeguards

A privacy group has requested the US Federal Trade Commission shut down Google mail, docs, Picasa and other services because they don’t adequately safeguard the confidential information that they obtain. The stunning request was made by the Electronic Privacy Information Center (EPIC) and outlines the risks of Google’s cloud computing services. The request is far from frivolous and could have profound consequences for the industry in general, and Google in particular.

EPIC, who describe themselves as “a public interest research organization”, have requested the FTC open an investigation to determine the adequacy of the privacy and security safeguards. They also want them to assess Google’s claims about the service. In a letter to the government regulatory body, EPIC suggest they “enjoin
Google from offering such services until safeguards are verifiably established.”

According to Wikipedia, Cloud computing is where dynamically scalable and often virtualised resources are provided as a service over the Internet. As that rather dense definition shows this is not a simple concept to grasp. The word “cloud” acts as a diagrammatic metaphor for a complex computer network. Thankfully then, users of the services don’t need to have knowledge of or control over the technology infrastructure "in the cloud" that supports them. The problem from a privacy perspective is that the data is held by third party servers, which is managed by private firms who provide remote access.

Google currently provides an extensive array of Cloud Computing Services. These include unlimited free email (“Gmail”), online document storage and editing ("Google Docs"), an integrated desktop and internet search ("Google Desktop"), an online photo storage ("Picasa Web Albums") and a scheduling program (“Google Calendar”). And the number of people who use these services is growing. As of September 2008, 26 million people use Gmail.

While Google are quick to advertise the security safety of their products, EPIC say there are several known flaws with their cloud computing service. They noted a bug found in 2005 where Internet Explorer exposed web surfers' hard-drive data to malicious web sites. And as recently as last week, the Wall Street Journal disclosed Google had shared “a very small number” (0.05 per cent) of online documents with users who weren’t authorised to see them. The bug hit users who changed their sharing settings on multiple presentations and documents at once, causing Google to make those documents available to others whom the owner had shared a document before. The Journal says the bug shows systems for managing file access permissions can break down, causing documents to end up in the wrong hands.

IT Security expert Greg Conti says Google is a particularly vulnerable target because of the amount of data it has. However Conti qualifies his remarks by saying the problem is endemic. ”It almost impossible for you, your employer, and online companies to provide impervious protection against attack”, he says “therefore, your data is at risk.”

Therefore EPIC backs up its case by pointing to Google’s false advertising. It quotes the Federal Trade Commission Act which regulates unfair and deceptive trade practices. The act allows for three factors that support a finding of unfairness. The practice must cause substantial injury, not be outweighed by countervailing benefits and the harm is not reasonably avoidable. EPIC says Google’s inadequate security policy fails all three tests. They say Google's advertising is deception likely to mislead customers. EPIC also quote several test cases which it believes give precedence to act against Google.

EPIC says the popularity of Cloud Computing Services means that data breaches pose a heightened risk of identity theft. It says the FTC should hold purveyors accountable, “particularly when service providers make repeated, unequivocal promises to consumers regarding information security.” They want FCC to open an investigation. They also want Google to revise its terms of service, make their information security policies more transparent, take Cloud Computing off the market until safeguards are established, and contribute $5 million to support research on privacy enhancing technologies (I presume it's five million as the document talks about a strange number called “$5,000,0000”). Google has not reviewed the complaint in detail but says “it has policies in place to ensure data is protected”.


Keven said...

My information is not private when it's on my laptop if I should lose it. Should EPIC aim to halt laptop manufacturers until these manufacturers can provide adequate privacy in the form of encrypted hard drives?

Derek Barry said...

There's a difference Keven.

Manufacturers don't make false claims about providing secure environments (though perhaps there may be a market for encrypted hard drives).