Dissecting the EPIC Complaint against Google
By Craig Balding
EPIC forwards this complaint on 3 primary fronts:
- the specific ways that Google represents their security controls to consumers (yet disclaims all responsibilities in the Terms of Service)
- the “harm” caused by the recent Google Docs privacy breach
- the claim that Google has “inadequate security”
Secondary arguments include citing a number of other, older vulnerabilities in Google online services and referencing some significant privacy breaches where the FTC acted before. In my view, these are distractions and inconsistent with the primary argument. The call for Google to pay 5 million dollars is poorly framed, seemingly an afterthought and potentially devisive. I suspect EPIC will have lost the goodwill of privacy moderates by making such a demand. Had they just dropped the number and left the call for a fund, it might have made it more palatable.
Given the complaint is 15 pages long, there is plenty to comment on. For the sake of brevity, lets contain our analysis to the primary arguments, introduce a potential curveball and go “one step beyond” to examine the implications for Google users should the FTC rule in EPICs favour.
What Google Says About Security
EPIC highlights two specific security claims made by Google.
On the Google Docs homepage
Getting to know Google Docs> Saving your presentation
The complaint then goes on to suggest that Google “encourages users to add personal information to their documents and spreadsheets” and repeats the statement made by Google that “your data is private, unless you grant access to others and/or publish your information”.
Having built their primary argument based on public statements made on Google online properties, they bring out the Google Terms of Service which states in Section 14.1 that the services are provided “as is”, with no warranty and that Google does “not represent or warrant” that [14.2 B] “your use of the Services will be uninterrupted, timely, secure or free from error”. Section 15 states that Google will not be liable for losses.
The Harm Caused By The Google Docs Privacy Breach
EPIC then attempts to link the Google Docs privacy breach with harm experienced by Google users:
Curious. 2 sentences in a 15 page report where EPIC could have firmly established the ‘harm’ case. No examples, no quantification, no impact analysis. Perhaps EPIC is playing its hand carefully and is readying a parade of impacted users who can demonstrate they were “harmed” by the privacy snafu. Failing that, it would mean they have built their case on the morality of a software privacy bug at a popular online service and ultimately, an industry wide disparity between the big print a company uses to market their services (and software!) as trustworthy and the small print where the lawyers spell out the case for the defense.
The Claim That Google has Inadequate Security
The third and final primary argument. Skipping past the reminder from EPIC to the FTC that they acted in response to other privacy breaches, EPIC goes on to state that Google’s “inadequate security is an unfair business practice” and that Google’s “Inadequate Security” is a deceptive trade practice”. They argue that the Google Docs privacy breach was a result of inadequate security practices and that Google:
- encourages people to share “sensitive” documentation in promoting their services
- “knew that Cloud Computing Services are susceptible to data breaches”
- “knew that disclosure of personal user data could cause substantial injury to customers”
- was “aware that commonsense security measures, including storing user data in encrypted form, rather than in clear text, could reduce the likelihood and extent of consumer injury”
- “created an unnecessary risk to users’ data by employing unreasonable security practices, including the storage and transmission of personal information on its computer network in clear text”
What I find fascinating about this is that EPIC is drawing a significant conclusion about Google’s security practices based on the fact that Google doesn’t take “commonsense” security measures. In other words, because Google hasn’t implemented a PKI and DRM for document sharing in a (for many) free service, Google is somehow employing unreasonable security practices (!).
This just strikes me as really unreasonable and wholly unrealistic. If the FTC mandated those level of security protections to “qualify” for accepting data that consumers choose to put in the Cloud, you can say goodnight to *all* of the popular Web 2.0 services.
With Google thoroughly chastised, they draw the following “big picture” conclusion:
First Google, now the Cloud Computing as a whole - I’d better change my domain name fast! ;-).
A Potential Curveball
After I posted my thoughts on how Google Security responded to the Google Docs sharing problem I was contacted by a Google Docs user who stated that he reported a sharing problem to Google in January. He discovered a large number of documents shared with over a hundred people (he gave specific numbers that I’m intentionally not quoting to protect his privacy). He states he called Google Tech support who initiated a support case.
Assuming this is true (and based on his note, I have no reason to doubt it) it means either:
- Google Docs has suffered another sharing problem that was quietly fixed (no notification?)
- If this is the same sharing problem, it means at least someone in Google knew about it from late January which completely changes how their responsiveness to dealing with this problem will be perceived.
What If EPIC Gets Their Way
If the FTC went as far as forcing Google to suspend its services, we will witness the largest Denial of Legitimate Service (DoLS) attack in history.
Can you imagine how that would play out? I suspect it would also be the worst PR disaster of all time for EPIC as Google users turn on them in their droves…
In their concern for privacy, one part of security that EPIC seems to have forgotten is availability and the Cloud is all about that.