Google says privacy change won't affect government users
Company downplays privacy, security concerns from former federal IT official Jaikumar Vijayan
January 26, 2012 (Computerworld)
Google today dismissed concerns by a former senior federal IT official that the company's controversial new privacy policy would create problems for customers of Google Apps for Government (GAFG).
In a statement, Google said the new policy will not change existing contracts that define how it handles and stores data belonging to government users of its cloud services. "Enterprise customers using Google Apps for Government, Business or Education have individual contracts that define how we handle and store their data," Amit Singh, vice president of Google Enterprise said in a statement.
"As always, Google will maintain our enterprise customers' data in compliance with the confidentiality and security obligations provided to their domain," he said.
According to Singh, Googles contractual agreements have always superseded its privacy policy for enterprise customers.
All core productivity and collaboration applications that a government, business or educational institution pays for are covered by contract, a Google spokesman today said. However, if an administrator were to turn on a Google application not covered by the contract, that application would be subject to Googles new privacy rules, he said.
Singh was responding to concerns raised Wednesday by Karen Evans, former de facto federal CIO and administrator of e-government and IT at the White House Office of Management and Budget.
Evans, who is now an independent consultant, is a founding member of Safegov.org, which is focused on promoting a set of best practices for cloud deployment in the government. On Wednesday, Evans and another Safegov partner, Jeff Gould, CEO of Peerstone Research, released a statement saying that Google's new privacy policy threatens the security of government data in the cloud.
The two of them called on Google to "immediately suspend" the application of its new privacy policy to GAFG users, calling it a significant change that needed further review by the public sector.
Google earlier this week announced that it was replacing separate privacy policies for each of its services with one universal policy. Under the policy, Google will combine user data from services like YouTube, Gmail and Google search and create a single merged profile for each user of its services. Google said the new policy is shorter, easier to understand and will allow the company to deliver better and more targeted services.
According to Evans and Gould, however, the's new policy will have a serious impact on the information collection practices and responsibilities for its GAFG service.
Gould said in an interview that the biggest problem involves GAFG use of technology that is optimized for things like indexing, ad tagging and data mining. The same functions that allow Google to do all sorts of user tracking and data consolidation on the consumer side, exist on its government applications as well, though it is unclear if they are always enabled, he said.
"Google's new privacy policy allows them to look at everything you do on their services and draw a connection between them," he said. "If you put something in your calendar that says you'll be in Oklahoma City next week, Google will look at Google+ to see if you have any acquaintances there and ask you if you want to notify them of your visit."
This sort of tracking and inference-making greatly heightens the risk of accidental data exposure and data leaks, he said. "Even though the risk might seem small for a single individual, when you multiply it by thousands of government users, the risk is much higher," he said.
"A government user does not want Google studying everything they do and drawing correlations about what they are doing. Basically Google should not be making inferences about them," Gould said.
Google maintains that individual contracts it has with GAFG customers clearly define what the company can and cannot do with customer data. Those contracts are unchanged by this week's announcement, the company said.
John Pescatore, an analyst with Gartner, said its unclear whether the policy changes apply to Googles paying users. If the personal data of paying users of Google Apps is going to be treated the same as the personal data of the free, advertising supported Google Apps, I think it is a major problem."
If the answer is yes, it should cause many organizations to think twice, he said.
Gould called on Google to come out with a privacy policy explicitly for Google Apps for Government. "As far as I can tell, they don't have one now,"
he said. "The policy should state that they won't do any advertising-related data mining at all of information in government user's accounts." He added that Google's competitors should also adopt similar policies for government users.
Such a disclaimer is vital, because not all government contracts will include specific privacy language, he said. "Mentions of privacy on the GAFG page all seem to point to the generic Google Apps privacy policy, which as we've seen ... is subject to the changes scheduled for March 1."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.
Read this story online here: http://bit.ly/z5xNcw
Comments
Post a Comment