Cloud computing is where dynamically scalable and often virtualised resources are provided as a service over the Internet. The word “cloud” acts as a diagrammatic metaphor for a complex computer network. Users of the services don’t need to have knowledge of or control over the technology infrastructure “in the cloud” that supports them. The problem from a privacy perspective is the data is held by third party servers, managed by private firms who provide remote access.
Google provides an extensive array of Cloud Computing Services. These include unlimited free email (“Gmail”), online document storage and editing (“Google Docs”), an integrated desktop and internet search (“Google Desktop”), an online photo storage (“Picasa Web Albums”) and a scheduling program (“Google Calendar”). As of September 2008, 26 million people use Gmail.
While Google are quick to advertise the security safety of their products, EPIC say there are several flaws with cloud computing services. They noted a bug found in 2005 where Internet Explorer exposed web surfers’ hard-drive data to malicious web sites. Last week, the Wall Street Journal disclosed Google had shared “a very small number” (0.05 per cent) of online documents with users who weren’t authorised to see them. The bug hit users who changed their sharing settings on multiple presentations and documents at once, causing Google to make those documents available to others the owner had shared a document before. The Journal says the bug shows systems for managing file access permissions can break down, causing documents to end up in the wrong hands.
IT Security expert Greg Conti says Google is a vulnerable target because of the amount of data it has. Conti says the problem is endemic. ”It almost impossible for you, your employer, and online companies to provide impervious protection against attack”, he says “therefore, your data is at risk.”
EPIC backs up its case by pointing to Google’s false advertising. It quotes the Federal Trade Commission Act which regulates unfair and deceptive trade practices. The act allows for three factors that support a finding of unfairness. The practice must cause substantial injury, not be outweighed by countervailing benefits and the harm is not reasonably avoidable. EPIC says Google’s inadequate security policy fails all three tests and is deception likely to mislead customers. EPIC also quote several test cases which it believes give precedence to act against Google.
EPIC says the popularity of Cloud Computing Services means data breaches pose a heightened risk of identity theft. It says the FTC should hold purveyors accountable, “particularly when service providers make repeated, unequivocal promises to consumers regarding information security.” They want FCC to open an investigation. They also want Google to revise its terms of service, make their information security policies more transparent, take Cloud Computing off the market until safeguards are established, and contribute $5 million to support research on privacy enhancing technologies. Google has not reviewed the complaint in detail but says “it has policies in place to ensure data is protected”.