EPIC's Preemptive Strike Against Google's Cloud Computing Services
In a pretty bold move, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC requesting an investigation into Google's Cloud Computing Services. [I'd link to the EPIC site, but at the time I drafted this post, the link didn't resolve, at least not from a Google search . . . hmmmm (kidding about the Google part).]
The Complaint [link to JD Supra page] alleges that: (1) Google's services take in and store a ton of personal information; (2) Google invites users to share this personal information; (3) Google disclaims responsibility in their Terms of Service; and (4) there have been known compromises. The key fact in number four is the recent disclosure by Google that Google docs were compromised and non-authorized viewers were allowed to view restricted documents. [link] I applaud EPIC's instinct and their preemptive strike feels necessary in some respects. Courts are mostly rejecting claims brought by users who suffer as a result of a data breach. As a result, data breach victims are left with little actual recourse. It's interesting for EPIC to put the issue in front of the FTC in this way.
The problems with the complaint in my opinion are that EPIC seems to be asking the FTC to take a look under Google's hood and inspect all of its privacy and security practices (and place the FTC's approval on what works, and require changes as to what doesn't work). I'm not aware of the FTC taking this type of broad prospective action, and the examples cited in the complaint are all actions after the fact. (I guess you could argue that the Google docs breach is what this is all about but a quick read of the complaint makes clear it's not . . . EPIC is asking for a much more thorough review. To me, it feels like in response to a minor incident, EPIC is asking the FTC to undertake an exhaustive review.) Another problem is that EPIC highlights the disclaimers in Google's terms of use. Users are agreeing to not hold Google liable, and it's unclear where the average consumer fits in as far as what they expect from Google (and other similarly situated companies). I've used Google docs, for example, and I didn't see Google as making any special guarantees of security (I didn't read the terms of use, but that's another story). (Still, the dissonance between Google's marketing and their terms of use may strike a note, and Google may be well advised to tweak its marketing practices and/or terms.) The FTC will probably be reluctant to accept EPIC's invitation to review Google's privacy practices for another reason. Does anyone really expect Google to disclose the full panoply of its security apparatus, and for the FTC to review these? Structurally and practically, this seems untenable. It just doesn't seem like the FTC's role to conduct a thorough "investigation into Google's Cloud Computing Services," particularly its privacy and security safeguards.
Then again, maybe this isn't the old FTC - so things could turn out differently: "Obama FTC Spells Trouble: Part II". Ken Magill argues in this post that the FTC is going to take a very pro-regulatory turn. Ken's typically a good read, but his evidence is fairly anecdotal for this assertion. I haven't read anything that seems particularly instructive on what the new FTC has in store. Either way it will be interesting to see what happens. (It's surprising that we haven't seen class action lawyers jump on the Google data breach.)
On a side note: it's interesting how ubiquitous Google is. In writing this post I probably accessed it six times. If it were not a force of good, the monster from Stephen King's It would make for a good analogy for Google. You almost expect Google to needle you when you say bad things about it, and it literally has a window into everything you say. A fantastic notion obviously, but when a website doesn't quickly resolve from a Google search you actually wonder if it's possible that Google is ticked off at you (or at EPIC).