The Electronic Privacy Information Center (EPIC) has petitioned
the U.S. Federal Trade Commission (FTC) to investigate the privacy and security safeguards of Google's cloud computing services, which include Gmail, Google Docs and Picasa Web Albums. This follows a recent security breach that has exposed private Google Docs files to unauthorized parties. EPIC
is a Washington-based, non-profit civil liberties watchdog organization that also focuses its attention on cyber-privacy issues. As the group points out, some of their previous achievements in this area include convincing the FTC to "order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines."
In the 15-page-long complaint
(PDF) submitted to the FTC, EPIC gives several examples of Google data breaches that have placed the privacy of the users at risk. These include two vulnerabilities affecting Gmail and Google Desktop discovered in 2005 that exposed user login credentials and personal data. Another Google Desktop vulnerability disclosed in 2007 that allowed unauthorized access to data has also been cited.
The most well-documented incident is, however, the recent Google Docs security breach. "On March 7, 2009, Google disclosed user generated documents saved on its Google Docs Cloud Computing Service to users of the service who lacked permission to view the files." the complaint reads.
EPIC alleges that Google misleads consumers. To back up this claim it gives examples of the company's deceptive advertising practices. "Files are stored securely [Google's own emphasis] online," the Google Docs home page reads. Furthermore, a Help document regarding the "privacy and security" of the service states as follows: "Rest assured that your documents, spreadsheets and presentations will remain private unless you publish them to the Web or invite collaborators and/or viewers."
However, this is in contradiction with the company's Terms of Service, EPIC maintains. "Google's Terms of Service explicitly disavow any warranty or any liability for harm that might result from Google’s negligence, recklessness, mal intent, or even purposeful disregard of existing legal obligations to protect the privacy and security of user data," the complaint continues.
EPIC asks the FTC to start an investigation into the adequacy and sufficiency of Google's security safeguards, requires the search giant to change its Terms of Services with respect to its cloud computing infrastructure and forces it to be more transparent when it comes to security policies. The group also asks that Google be forced to actually stop offering such services until the proposed verifications are made.
Responding to a request for comment from The Register
, a Google spokesperson has announced that, "We have received a copy of the complaint but have not yet reviewed it in detail. Many providers of cloud computing services, including Google, have extensive policies, procedures and technologies in place to ensure the highest levels of data protection."
Google's position on cloud computing seems to be the exact opposite of EPIC's. "[...] Cloud computing can be more secure than storing information on your own hard drive," the company representative notes. "We are highly aware of how important our users' data is to them and take our responsibility very seriously," they stress.