Do Google’s Government Contracts Really Supersede its Privacy Policy?

by Karen Evans, KE&T Partners
Jeff Gould, SafeGov.org
Friday, June 15, 2012

Summary: Google says its consumer privacy policy does not apply to government users. But new evidence suggests that it does.

Background to the Controversy

Earlier this year, a controversy arose over the impact of Google’s new privacy policy on users of the firm’s Google Apps for Government cloud service. The policy, which became effective March 1, authorizes Google to combine information gained about individual users from the entire range of its online services into unified super-profiles that help it to optimize ad delivery.

Most of the media coverage dealt with the impact of Google’s new policy on consumers. Should they accept the proposed trade-off between privacy and access to Google’s impressive suite of no-cost web services such as Gmail? Conservatives and privacy advocates tend to say no, while libertarians may tend to say “let the people decide.” Does the new policy comply with current or evolving government regulations regarding online privacy? In the U.S., the answer is still up in the air; in Europe it’s probably “no”.

But the more important question raised by the new privacy policy, in our view, was whether it is compatible with the growing adoption of Google Apps for Government (GAFG) by Federal, State and Local governments. As consenting adults, consumers arguably have the right to let corporations track their web activity and data mine their content in exchange for the privilege of using a valuable computer service at no monetary cost. But when a government agency contracts and pays for the same service, one wants to be certain that it is a safe and secure repository for government data. The idea that the cloud provider is still entitled to exploit user content and web behavior for advertising purposes – as the Google Privacy Policy explicitly allows – remains controversial.

SafeGov.org raised the issue of the privacy policy’s impact on government users in a statement issued on our web site. To its credit, Google immediately reacted by agreeing with us. Google VP of Enterprise Amit Singh told The Washington Post and other publications that “enterprise customers” who use GAFG have individual contracts defining how Google could handle and store their data. These enterprise contracts, he insisted, “have always superseded Google’s Privacy Policy.” Another executive in Google’s Enterprise division, Tim Drinan, acknowledged in an interview with the website CivSource that Federal security regulations “would prohibit much of the data collection practices contained in the current consumer version of the privacy policy.”

Why the Privacy Policy is Questionable for Government

We believe there are a number of reasons why Google’s privacy policy is questionable in the government environment. Consider Google’s list of the kinds of user information the policy authorizes it to collect and combine:

  • “Information you give us… like your name, email address, telephone number or credit card”
  • “Information about the services that you use and how you use them, like when you visit a website that uses our advertising services or you view and interact with our ads and content”
  • “Device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number)”
  • “Details of how you used our service, such as your search queries”
  • “Cookies and anonymous identifiers [sent] when you interact with services we offer to our partners, such as advertising services or Google features that may appear on other sites”

The text of the privacy policy unambiguously grants Google the right to use this information to optimize the delivery of targeted ads based on each user’s individual profile:

  • “We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.”

We believe the collection and use of this type of information about individuals by a cloud service officially contracted by a government agency may not be compatible with existing privacy rules and legislation. As noted above, shortly after SafeGov.org issued its statement, Google executives appeared to agree with us and promised that they will “maintain [their] enterprise customers’ data in compliance with the confidentiality and security obligations provided to their domain.”

Google Contracts Say the Policy Does Apply to Government

Unfortunately, it now appears that Google’s assertion that its government contracts “supersede” the privacy policy may not entirely accord with the facts. We have recently discovered that a certain number of published GAFG contracts not only contain no language stating that they “supersede” or in any way invalidate the privacy policy, but actually point directly to the policy on Google’s web site and explicitly incorporate it into their text.

For example, the State of Texas has published a contract it negotiated with Google partner SADA Systems containing the following clause regarding Customer Data, which we quote in its entirety:

  • “Customer Data. SADA will treat all Customer Data in accordance with local laws and regulations applicable to the data and will implement policies and procedures with respect to the Customer Data no less protective of the rights of Customer or its End Users as those found in Google’s Privacy Policy (located at http://www.google.com/intl/en/privacy/privacy-policy.html) or Google’s Privacy Notice (located at http://www.google.com/apps/intl/en/terms/users_privacy.html). Changes to the Privacy Policy and Privacy Notice will be made as stated in the applicable policy. For purposes of this GAC Agreement, “Customer Data” means all data and information provided by Customer’s End Users via the sign up process for the Services, as well as data, including electronic messages and any attachments provided, generated, transmitted or displayed via the Services by Customer or its End Users.”

Several things are noteworthy about this clause and the Google Apps Customer Agreement document of which it is part:

  1. The agreement is not with Google directly, but with its integration partner SADA Systems. SADA is one of the most highly regarded cloud integration firms in the country, and has many successful implementations of GAFG in the public sector. It also implements Microsoft’s competing Office 365 product. The firm’s competence and domain knowledge are not open to doubt.
  2. We have discovered two other published examples which, except for the customer’s name, are word-for-word identical to the Texas document: the GAFG contracts for the town of Downers Grove, Illinois, and Del Norte County, California. These three examples prove that this language is part of a standard document created by SADA.
  3. All three examples mentioned are current and point to the most recent version of the Google Privacy Policy, dated March 1, 2012. The Texas contract runs from December 2011 to December 2013. The Downers Grove contract was concluded in November 2011. The Del Norte agreement is dated March 20, 2012.
  4. The agreement states that the Google Privacy Policy is a minimum standard for the handling of Customer Data. However, it does not require Google to exceed this standard.
  5. We observe that the user information Google’s privacy policy allows it to collect is much more extensive than the information the State of Texas’ own web site allows it to collect about its users. According to the Privacy and Security Policy published by the State’s Department of Information Resources (signatory of the above-mentioned Google Apps agreement), the State’s web site uses only first-party cookies and collects only limited technical information in order to improve the site’s management.

A later clause in the SADA document states that it is the “entire agreement.” Although some government contracts may contain non-public clauses or appendices, that does not appear to be the case in this instance. The State of Texas publishes the entire sequence of documents constituting its contract with SADA and expressly stipulates their order of precedence. Nothing in this sequence suggests the Google privacy policy is in any way “superseded” by the contract.

What It All Means

What are we to make of all this? We do not necessarily conclude that Google is currently engaged in the systematic data mining of user content and web behavior that its privacy policy authorizes. It might be doing this. The incorporation of its privacy policy into the SADA agreement undeniably creates the potential for this type of data mining. Nevertheless, we conclude that Google may have been factually mistaken when it asserted in January that its new privacy policy does not apply to government customers.

What should happen next? We hope Google will correct the misunderstanding that has arisen regarding the applicability of its consumer privacy policy to users of GAFG. Ideally, Google would remove the link to the policy from its user agreements and insert language stating unambiguously that the policy does not apply to government customers.

We also recommend that government entities that are purchasing or have purchased cloud services from any vendor go back and review their contracts and agreements, revising them as necessary to ensure they comply fully with established Federal, State and Local privacy policies and legislation. For example, we observe that the Google Privacy Policy appears to grant significantly broader rights to Google than those authorized by the State of Texas’ own web privacy policy, from which we cite the following excerpt as an example:

“For online transactions conducted on Texas.gov, individuals will be requested to enter information about themselves and/or the organization with which they are affiliated. When personally identifiable information is requested, there will be an indication of whether the disclosure of such information is mandatory or optional to continue the transaction... Texas.gov uses server logs and persistent cookies to collect information about the number and types of visitors to Texas.gov and how they use the website… However, no attempt is made to match this information with the identity of the visitor, except as is required to comply with a law enforcement investigation.”

We believe that, in addition to complying with existing legislation, it is in the interest of Federal, State and Local governments to verify that their cloud vendor contracts are consistent with their own stated privacy policies.

In conclusion, we would like to reiterate that GAFG is an innovative product with many useful features. In particular, the simplicity and attractive pricing of GAFG have had a beneficial effect on public sector email and collaboration markets. Google’s pioneering deployment of consumer cloud technology into the enterprise space is putting pressure on traditional enterprise players like Microsoft and IBM to make their own offerings more attractive. These are all good things.

In order to continue to accrue benefits to the American taxpayers, it would be advantageous for all cloud service providers to make clear that the sophisticated user tracking and ad targeting functionality of any of their consumer products is neither appropriate nor acceptable in their public sector offerings.
