Focusing public attention on emerging privacy and civil liberties issues

In re Google and Cloud Computing

Top News

  • Administration Announces Cloud Computing Initiative, but Privacy Umbrella Missing: Chief Information Officer Vivek Kundra announced the launch of “Apps.gov”, a website where federal agencies can obtain cloud-based IT services. The initiative is aimed at "lowering the cost of government operations while driving innovation." Currently, the administration's main goal is to increase the size and scale of cloud computing, but key concerns, such as security and privacy, have received little attention. In March, EPIC filed a complaint with the FTC urging the agency to open an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." Subsequently, thirty-eight computer security researchers and privacy academics sent a letter to Google's CEO, asking Google to uphold privacy promises made to users of Google Cloud Computing services. The FTC investigation is ongoing; no response has been received from Google. For more information, see EPIC's page on “Cloud Computing”. (Sep. 17, 2009)
  • EPIC Forces Disclosure of Government Contracts with Social Media Companies, Privacy Terms Missing: In response to an EPIC Freedom of Information Act Request, the Government Services Administration released several contracts between the federal government and web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that “no specific Web 2.0 guidance currently exists,” but provided EPIC with Training Slides that raise privacy issues. The GSA Agreement with Google actually states that, “to the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.” Some of the agreements also permit companies to track users of government web sites for advertising purposes. For more information see EPIC Social Network Privacy, EPIC Facebook, and EPIC Cloud Computing. (Aug. 12, 2009)
  • Expert Group Asks Google to Improve Cloud Computing Privacy: A letter signed by 38 researchers and academics in the fields of computer science, information security and privacy law was sent to Google's CEO. The letter asks Google to uphold privacy promises made to users of Google Cloud Computing services. In March, EPIC filed a complaint with the FTC urging an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." The EPIC complaint specifically recommended the adoption of encryption to help safeguard privacy and security. Addressing concerns about data vulnerability and interception, the expert group has asked Google to enable HTTPS (web-based encryption) by default in several Google apps, including Gmail. See also EPIC's page on Cloud Computing and EPIC's Page on In re Google and Cloud Computing. (Jun. 16, 2009)
  • EPIC Urges Privacy Protections for Government's Use of Social Media: The DHS Privacy Office is seeking public comments on developing best practices on the government's use of social media. EPIC submitted comments on the benefits, issues and privacy best practices. EPIC recommended applying Privacy Act protections to the data collected, prohibiting commercialization and sharing, and using a model certification system. See also EPIC's page on Social Networking Privacy, Network Advertising Initiative, and Deep Packet Inspection and Privacy. (Jun. 3, 2009)
  • EPIC Seeks Government Agreements with Social Networking Companies: EPIC submitted a Freedom of Information Act request to the Government Services Administration seeking agency records concerning agreements the GSA negotiated between federal agencies and social networking services, including Flickr, YouTube, Vimeo, Blip.tv, and Facebook. In the FOIA request, EPIC is asking for the public release of the contracts and any legal opinions concerning the application of the Privacy Act of 1974 and Freedom of Information Act to the services that collect information on citizens. For more information see EPIC’s pages Social Networking, Facebook, and Cloud Computing. (Apr. 30, 2009)
  • Federal Trade Commission to Review EPIC Cloud Computing Complaint: The Federal Trade Commission will review EPIC's March 17, 2009 complaint, which describes Google's unfair and deceptive business practices concerning the firm's Cloud Computing Services. EPIC's complaint describes numerous data breaches involving user-generated information stored by Google, including the recently reported breach of Google Docs. EPIC's complaint "raises a number of concerns about the privacy and security of information collected from consumers online," federal regulators said. EPIC urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require ChoicePoint to change its business practices and pay $15 m in fines. For more information, see EPIC's complaint to the FTC and EPIC's Cloud Computing Page. (Mar. 19, 2009)
  • EPIC Petitions FTC to Investigate Google, Cloud Computing Services: EPIC has formally asked the Federal Trade Commission to open an investigation into Google's Cloud Computing Services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the privacy and security safeguards." The petition follows the recent report of a breach of Google Docs. EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require ChoicePoint to change its business practices and pay $15 m in fines. (Mar. 17, 2009)

EPIC's Complaint

On March 17, 2009, EPIC filed a complaint with the Federal Trade Commission (FTC), urging the Commission to open an investigation into Google's Cloud Computing Services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the privacy and security safeguards." The complaint follows the recent report of a breach of Google Docs. EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. EPIC observed that Google repeatedly assures consumers that Google Cloud Computing Services store user-generated data securely. However, the Google Docs data breach is only one example of known security flaws involving Google's Cloud Computing Services. Previous data breaches involved Gmail and Google Desktop Search. For more information on Cloud Computing Services generally, see EPIC's Cloud Computing and Privacy page.

EPIC previously initiated the complaint to the FTC regarding Microsoft Passport in which the Commission subsequently required Microsoft to implement a comprehensive information security program for Passport and similar services. EPIC also filed the complaint with the Commission regarding databroker ChoicePoint, Inc. In that matter, the Commission determined that ChoicePoint's failure to employ reasonable security policies compromised the sensitive personal data of consumers, and assessed fines of $15 m. Further, EPIC brought the complaint to the Federal Trade Commission regarding the need to establish privacy safeguards as a condition of the Google-Doubleclick merger. Although the Commission failed to act in that matter, a subsequent review by the Department of Justice in a similar matter made clear that such a consolidation of Internet advertisers would have led to monopoly concentration and would have been against the public interest.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." Although this law does not grant the FTC specific authority to protect privacy, it has been routinely used to bring public attention to significant privacy issues and to provide a legal basis for reforming business activities that threaten consumer privacy. Under its Section 5 authority to regulate "unfair or deceptive" trade practices, the FTC has "brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' personal information."

FTC Review of EPIC's Complaint

The FTC is reviewing EPIC's March 17, 2009 complaint, which describes Google's unfair and deceptive business practices concerning the firm's Cloud Computing Services. The Commission stated that EPIC's complaint "raises a number of concerns about the privacy and security of information collected from consumers online." Commission investigations are confidential until the FTC decides to issue a formal complaint or close the investigation.

Impact of Cloud Computing

As of September 2008, 69 percent of Americans were using webmail services, storing data online, or otherwise using software programs such as word processing applications whose functionality is located on the web.

According to the Pew Internet and American Life Project, an overwhelming majority of users of Cloud Computing Services expressed serious concern about the possibility that a service provider would disclose their data to others. 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party. 80% say they would be very concerned if companies used their photos or other data in marketing campaigns. 68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.

An October 2008 study reports that 74.6% of surveyed IT executives and CIOs said security is the biggest challenge for the cloud computing model.

A March 2009 survey from TRUSTe underscores ongoing concern about Internet-based services, with 35% of users responding that their privacy has been invaded or violated in the last year due to information they provided via the Internet.

Google's Cloud Computing Services - Representations

Google operates numerous Cloud Computing Services, including:

  1. Google Docs: online document storage and editing;
  2. Google Desktop Search: integrated local and remote search;
  3. Gmail: email in the cloud;
  4. Picasa Web Albums: online photo storage;
  5. Google Calendar: cloud-based scheduling.

Google routinely represents to consumers that documents stored on Google servers are secure. For example, the homepage for Google Docs states "Files are stored securely online" (emphasis in the original) and the accompanying video provides further assurances of the security of the Google Cloud Computing Service.

Google also explicitly assures consumers that "Google Docs saves to a secure, online storage facility . . . without the need to save to your local hard drive."

Google encourages users to "add personal information to their documents and spreadsheets," and represents to consumers that "this information is safely stored on Google's secure servers." Google states that "your data is private, unless you grant access to others and/or publish your information."

Google represents to consumers, "Rest assured that your documents, spreadsheets and presentations will remain private unless you publish them to the Web or invite collaborators and/or viewers."

Google's Cloud Computing Services - Known Flaws

In January 2005, researchers identified several security flaws in Google's Gmail service. The flaws allowed theft of "usernames and passwords for the 'Google Accounts' centralized log-in service" and enabled outsiders to "snoop on users' email."

In December 2005, researchers discovered a vulnerability in Google Desktop and the Internet Explorer web browser. The security flaw exposed Google users' personal data to malicious internet sites.

In January 2007, security experts identified another security flaw in Google Desktop. The vulnerability "could enable a malicious individual to achieve not only remote, persistent access to sensitive data, but in some conditions full system control."

On March 7, 2009, Google disclosed user-generated documents saved on its Google Docs Cloud Computing Service to users of the service who lacked permission to view the files. On March 26, 2009, security consultants revealed additional security flaws in Google Docs. The flaws permit unauthorized individuals to access user-generated Google Docs content.

FTC Review of EPIC Microsoft Passport Complaint (2001 - 2002)

The FTC has previously settled cases involving unfair and deceptive trade practices highlighted in EPIC complaints. For example, on July 26, 2001, EPIC and twelve organizations submitted a complaint to the FTC, detailing the serious privacy risks of Microsoft Windows XP and Microsoft Passport. The complaint alleged that Microsoft "has engaged, and is engaging, in unfair and deceptive trade practices intended to profile, track, and monitor millions of Internet users," and that the company's collection and use of personal information violated Section 5 of the Federal Trade Commission Act.

After Microsoft announced a series of changes to Windows XP and Passport in response to the complaint, EPIC et al. submitted a supplement to the FTC further detailing specific ways Microsoft XP and Passport would harm consumers' interests.

The privacy and security risks outlined in the complaint were: facilitation of online profiling through a sign on requirement for Passport in order to view web content; covert sharing of consumers' personal information within the MSN network; an increase in the amount of unsolicited commercial e-mail from the sharing of e-mail addresses within the MSN network (with no option for the consumer to opt-out of such a system); and Microsoft's failure to establish adequate security standards to ensure that personal information held by Microsoft, such as credit card data, were protected from disclosure to third parties.

In August 2002, the FTC announced a settlement in its privacy enforcement action against Microsoft. The settlement required that Microsoft establish a comprehensive information security program for Passport, and prohibited any misrepresentation of its practices regarding information collection and usage.

The agreement was significant because the FTC did not uncover any security breaches, but acted nonetheless based on the potential for security problems. This action demonstrated that the FTC has the authority to protect online privacy, and that the Commission will hold companies to a very high standard in their representations to consumers about privacy policies. Since the FTC settlement of the EPIC complaint against Passport, industry groups have moved toward decentralized identity systems that are more robust, provide more security, and are better for privacy. For more information, see EPIC's page on Microsoft Passport Investigation Docket.

FTC Review of EPIC ChoicePoint Complaint (2004-2006)

The FTC has imposed substantial penalties for data breaches that exposed personal consumer information. For example, in December 2004, EPIC filed a complaint with the Federal Trade Commission against databroker ChoicePoint, alleging that ChoicePoint failed to safeguard sensitive consumer data. EPIC urged the agency to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint. EPIC alleged that ChoicePoint failed to employ adequate privacy safeguards and security practices concerning consumer information. Furthermore, EPIC urged the Commission to analyze whether the sale of dossiers gave businesses, private investigators, and law enforcement access to data that previously had been subjected to Fair Information Practices.

In February 2005, EPIC supplemented the ChoicePoint complaint with new information. First, an article written by Robert O'Harrow Jr. of the Washington Post quoted ChoicePoint representatives saying that the company acts like an "intelligence agency" and that the data industry should be subject to new regulations because of how personal information is being used. O'Harrow's article demonstrated the reliance on commercial data brokers for decision-making, and the growing importance that the brokers' data be accurate and their practices accountable to the public. Second, the letter included a dialogue from Declan McCullagh's Politechbot.com mailing list concerning EPIC's December 2004 complaint. A list message from a private investigator who uses ChoicePoint noted that the company maintains an audit trail of clients who access personal information. The EPIC supplement points out that law enforcement users are not subject to the audit trails, and that EPIC is unaware of a single case where a commercial databroker has turned in a user for prosecution as a result of an audit showing prohibited use of the service. Last, the EPIC supplement included a transcript of a recent television broadcast, "Someone's Watching," that aired on Dec. 18, 2004, on the Discovery Times Channel. The broadcast shows two private investigators using a commercial databroker to access a stranger's Social Security Number, employment details, and other information without any legal justification.

In 2005, based on the EPIC complaint, the FTC alleged that ChoicePoint did not have reasonable procedures to screen and verify prospective businesses for lawful purposes and as a result compromised the personal financial records of more than 163,000 customers in its database. Because of this data breach, the FTC alleged that ChoicePoint violated the Fair Credit Reporting Act by furnishing the financial records to subscribers that did not have a permissible purpose to obtain them. The FTC additionally alleged that ChoicePoint engaged in unfair or deceptive practices in violation of Section 5 of the Federal Trade Commission Act.

In January 2006, the FTC announced a settlement with ChoicePoint, requiring the company to pay $10 million in civil penalties and provide $5 million for consumer redress. It is the largest civil penalty in FTC history. ChoicePoint was also required to verify, "(1) the business identity of the subscriber, and (2) that the subscriber is a legitimate business engaged in the business certified and has a permissible purpose for obtaining consumer reports." The FTC also required ChoicePoint to establish, implement, and maintain "a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers."

all day, every day." (quote from AdAge).

Review of the Google/Doubleclick Merger (2007 - 2008)

On April 20, 2007, EPIC, CDD, and US PIRG filed a complaint with the Federal Trade Commission, requesting that the Commission open an investigation into Google's proposed acquisition of Doubleclick, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. EPIC further urged the FTC to require Google to publicly present a plan to comply with well-established government and industry privacy standards such as the OECD Privacy Guidelines. Pending the resolution of these and other issues, EPIC encouraged the FTC to halt the acquisition. The three groups filed a supplement to the complaint with the Commission in June 2007.

On December 21, 2007, the FTC approved the proposed merger without conditions in a 4-1 opinion. EPIC responded, saying that the unique circumstances of the online advertising industry required the FTC to impose privacy safeguards as a condition of the Google-Doubleclick merger. EPIC said that the FTC "had reason to act and authority to act, and failed to do so." Commissioner Harbour dissented from the decision, stating that "If the Commission closes its investigation at this time, without imposing any conditions on the merger, neither the competition nor the privacy interests of consumers will have been adequately addressed." Commissioner Leibowitz, in a concurring opinion, warned that "industry participants must stop being coy and start being more forthcoming about their practices, the consumer information they collect, and how they use it" and recommended the adoption of an opt-in standard for online services. The unconditional approval comes as a surprise following the earlier "Second Request" by the Commission which has historically indicated an intent to block a merger or impose conditions as a requirement for merger approval.

At a hearing before the European Parliament on January 21, 2008, EPIC President Marc Rotenberg testified that the European Commission must establish privacy safeguards because the US Federal Trade Commission failed to do so during the US merger review. Mr. Rotenberg also said that Google was beginning to reveal the characteristics of an "information monopolist" and that it was important for governments to act to preserve the rights of citizens and to safeguard competition and innovation in the information economy.

Although the FTC failed to place conditions on the Google/Doubleclick merger, a subsequent review by the Department of Justice in a similar matter derailed a deal between Google and Yahoo. The DOJ review made clear that such a consolidation of Internet advertisers would have led to monopoly concentration and would have been against the public interest.

Legal Documents

FTC Letter to EPIC, Mar. 18, 2009
EPIC's Complaint to the FTC, Mar. 17, 2009

News Items on EPIC FTC Complaint