Google’s New Privacy Policy Is Unacceptable and Jeopardizes Government Information in the Cloud

Karen EvansJeff Gould by Karen Evans, KE&T Partners
Jeff Gould, SafeGov.org
Wednesday, January 25, 2012

According to SafeGov.org experts Jeff Gould and Karen Evans, Google's recent changes to its privacy policy allowing it to combine information about users pulled from the entire range of its online products raises serious privacy concerns for Google Apps For Government (GAFG) that should not be overlooked by public sector officials who have already made the move to the cloud or who are looking to move to the cloud.

"This is a significant change for the GAFG service that Google sells to Federal, State and Local governments and warrants further review by the public sector. We hope Google will quickly clarify that it does not intend its new privacy policy to apply to GAFG users especially in light to their responsibilities under the Privacy Act and the E-Government Act."

"As founding experts of the forum SafeGov.org, our mission is to promote trusted and responsible cloud computing for the public sector. By fostering a better understanding of the benefits and limitations of cloud technologies, SafeGov.org works to empower government users to make well-informed procurement decisions from the growing universe of marketplace offerings.  Google's new privacy policy will have a serious impact on the information collection practices and responsibilities for its GAFG service.  By issuing this statement now, we seek to make government agencies aware of the issue before the new policy is implemented - and while there is still time to influence it." 

"We recommend that Google immediately suspend the application of its new privacy policy to GAFG users.  The default setting for GAFG and for all similar services from other vendors should be no information sharing at all between services.  Furthermore, Google should clarify where its consumer product line ends and its enterprise products begin. Government users want to be assured that the cloud services they use are tailored to the unique security and privacy requirements of the public sector. Google could address this concern by issuing Terms of Service for all Google online products guaranteeing public sector users their data will not be cross-referenced, data mined or otherwise used for purposes not originally collected in support of their public sector missions."

"We hope Google will receive the message from its many users at all levels of government that this new privacy policy should be reconsidered prior to implementation. Google's competitors in the cloud marketplace must also be held to the same high standards. We call upon all cloud vendors to make the same commitment we ask of Google, namely to adopt privacy and security policies supporting government information statutes, policies and procedures in the cloud."

More information

2 comments for “Google’s New Privacy Policy Is Unacceptable and Jeopardizes Government Information in the Cloud”

  1. Dan Israel

    Posted Wednesday, January 25, 2012 at 9:25:04 PM

    As a Google employee who works on Google Apps for Government, I'd like to point out that the changes to Google's privacy policy do not alter our contractual commitments to our Enterprise customers, including our Google Apps for Government customers. Google offers our customers industry-leading security & privacy controls. You are welcome to learn more about those here:
    http://www.google.com/apps/intl/en/privacy/

  2. Jeff Gould

    Posted Monday, February 06, 2012 at 5:41:07 PM

    Dan,

    Thanks for your comment about the new Google privacy policy and thanks for visiting SafeGov.org. I’m sure your team at Google Apps for Government is trying to do the right thing for your customers. But unfortunately Google’s repeated assurances that the new policy doesn’t apply to government just don’t add up.

    Google execs have said that the new policy “does not change our contractual agreements, which have always superseded Google’s Privacy Policy for enterprise customers” (Washington Post). But when I look at published examples of GAFG contracts, a very different picture emerges. For example, the City of Los Angeles GAFG contract contains what for all the world looks like a boilerplate Google Services Agreement, which states unambiguously that Google’s standard privacy policy does apply to the city and can be updated at will by Google. The contract then points to a Google web page that says the existing policy will be replaced by the new policy on March 1.

    Google has also suggested that its Federal customers in particular already understand that the new policy doesn’t concern them and aren’t worried (Politico). But not everyone shares that interpretation. Marc Rotenberg of the Electronic Privacy Information Center (EPIC), for example, notes that the GSA in response to the new policy “basically said to Google forget it, you’re not going to do this with the Federal agencies”. In any event, the implication that only Federal GAFG users are exempted from the policy change and that State and Local users are not exempt is truly alarming.

    Here is another very serious problem that affects all GAFG users. Google stated in its letter to Congress last week that “users will still be able to use many of our products – such as Google Search and YouTube – without having to log into their Google Account”. True, but if a Federal employee logs into her GAFG account, she is also logged into Google Search and YouTube (neither of which are covered by GAFG terms of service). If she logs out of the services not covered by GAFG, she will be logged out of everything. So in practice it appears that Google’s new privacy policy will allow it to share data between GAFG and non-GAFG sessions. This should raise red flags with Federal IT administrators. Google should not entangle government users in such a confusing and ambiguous policy, which is clearly unsafe.

    So what should Google do now? I still hope the GAFG product group will use this opportunity to create a privacy policy specifically dedicated to government users at all levels (State and Local as well as Federal), in which you promise not to data mine any content that government users post to the Google cloud. In fact, I think all the cloud vendors should make this same commitment. That way government users will be able to have confidence that their data is indeed safe and secure in the cloud.

    Jeff Gould
    SafeGov.org

    PS: Readers who want to check the Google Apps for Government contract with the City of Los Angeles can find it here:
    http://clkrep.lacity.org/onlinecontracts/2009/C-116359_c_11-20-09.pdf
    The Google privacy policy language and pointers are contained in Appendix J.

Post a comment

Sign in to comment.

Not yet registered? Join the debate