Focusing public attention on emerging privacy and civil liberties issues

In re Google and Cloud Computing

Top News

  • Google Transparency Report Reveals Risks of Cloud-based Computing: According to a recent report from Google, the company received 20,938 requests for user data in the first half of 2012, up from 18,257 requests in the second half of 2011. The United States accounted for 7,969 requests in the 2012 report. And of these requests, Google provided user data to the US government in 90% of the cases. Over the last several years, Google has pursued an aggressive effort to promote computing services that store personal data on Google's servers even as the number of government requests has grown. And earlier this year, Google reduced safeguards for Gmail users, over the objections of many lawmakers and users, when it consolidated privacy policies across its various Internet services. In 2009, EPIC L3[urged] the Federal Trade Commission to look more closely at the privacy risks of cloud-based services. For more, see EPIC - "Cloud Computing". (Nov. 14, 2012)
  • European Expert Group Affirms Privacy Rules for Cloud Service Providers: The Article 29 Working Party, representing the privacy agencies of European Union countries, has released a new Opinion in which it states that cloud service providers will be subject to the EU Data Protection Directive. The expert group also advises users of cloud-based services to conduct a comprehensive and thorough risk analysis of cloud services. In 2009, EPIC urged the US Federal Trade Commission to develop privacy standards for Cloud Computing services. See EPIC - Cloud Computing. (Jul. 3, 2012)
  • Google Terms of Service Grant Company Broad Rights over Data of Google Drive Users: Google’s Terms of Service--which govern Google’s cloud-based file storage, Google Drive--give the company the right to “reproduce, modify, create derivative works” using uploaded content, as well as to “publicly perform, [and] publicly display” files. In 2009, EPIC asked the FTC to require privacy safeguards for Google's cloud-based services. EPIC cited previously-discovered privacy and security flaws, including one that disclosed user-generated documents saved on Google Docs to users of the service who lacked permission to view the files, and another that permitted unauthorized individuals to access user-generated Google Docs content. For more information, see EPIC: Cloud Computing and Privacy. (Apr. 26, 2012)
  • Google Backs Off Privacy Policy Change for Federal Government: In response to growing concern about the impact of Google's proposed policy change on user privacy and cloud-computing services, the company said that its planned privacy changes will not apply to US federal agencies. A report from Safegov.org "Google’s New Privacy Policy Is Unacceptable and Jeopardizes Government Information in the Cloud" recommended that "Google immediately suspend the application of its new privacy policy to Google Apps For Government users." Google told POLITICO's Morning Tech "cloud contracts are crafted with 'narrow, specific obligations' on how data can be used and stored. And those data requirements in the cloud contracts trump the company's standard privacy policy." (Feb. 3, 2012)
  • Twitter Adopts Privacy Enhancing Technique, Defaults to HTTPS: Twitter has joined the ranks of Gmail with a decision to implement HTTPS functionality by default for all users in order to encrypt data and protect privacy. The change stems from several security problems in early 2011, including two incidents where hackers gained administrative control of the popular service and led to a settlement with the Federal Trade Commission requiring Twitter to adopt stronger security measures. Earlier, EPIC had pointed out the importance of HTTPS by default in a complaint to the Commission regarding Google and Cloud Computing Services. For more information, see EPIC: Social Networking Privacy and EPIC: In re Google and Cloud Computing. (Aug. 24, 2011)
  • Chairman Leahy Announces New Subcommittee on Privacy and Technology: Sen. Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, has established a new Subcommittee on Privacy, Technology and the Law as part of his commitment to protecting “Americans’ privacy in the digital age.” Sen. Al Franken (D-MN) will chair the subcommittee, which will will cover privacy laws and policies, new business practices, social networking sites, privacy standards, and the privacy implications of emerging technologies. For related information, see EPIC: Social Networking Privacy, EPIC: Cloud Computing. (Feb. 16, 2011)
  • Facebook Enables Full-Session Encryption: Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users’ passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their “Account Settings;” however, HTTPS is not yet the default. Facebook will use "social authentication, rather than traditional CAPTCHA," to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy. (Feb. 7, 2011)
  • NIST Seeks Comments on Guidelines for Cloud Computing: The National Institute for Standards and Technology (NIST) has announced that it is accepting comments on two draft documents on cloud computing: the NIST Definition of Cloud Computing and the Guidelines on Security and Privacy in Public Cloud Computing. The documents were prepared after the Federal Chief Information Officer asked NIST to develop standards and guidelines to assist the federal government’s secure adoption of cloud computing. EPIC has warned of the ongoing privacy risks associated with cloud computing since its expansion into the public sphere in 2008. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Comments on both NIST documents are due no later than February 28, 2011. For more information, see EPIC: Cloud Computing and EPIC: In re Google and Cloud Computing. (Feb. 3, 2011)
  • DHS Privacy Office Releases 2010 Annual Report: The Department of Homeland Security has released the Privacy Office 2010 Annual Report. The Agency's Chief Privacy Officer must prepare an annual report to Congress that details activities of the Department that affect privacy, including complaints of privacy violations, and DHS compliance with the Privacy Act of 1974. This year’s report details the establishment of privacy officers within each component of the Agency. The report also provides updates on Fusion Centers, Cybersecurity, and Cloud Computing activities of the agency. For more information, see EPIC: DHS Privacy Office. (Sep. 24, 2010)
  • Google Adds Two-Factor Authentication to Google Apps: Google announced today that it is adding two-factor verification for Google Applications. This will allow users to set up a one-time code delivered to a mobile phone, in addition to a regular password. Currently this option is only available for paid Google apps, although it will be available to all users in the coming months. If an administrator of a paid Google Apps account enables two-factor verification, then all users will be required to submit their mobile phone number. Google Apps operate by using cloud computing. In March 2009, EPIC filed a complaint with the Federal Trade Commission over Google's lack of adequate safeguards for its Cloud Computing Services. For more information, see EPIC: Cloud Computing. (Sep. 24, 2010)

EPIC's Complaint

On March 17, 2009, EPIC filed a complaint with the Federal Trade Commission (FTC), urging the Commission to open an investigation into Google's Cloud Computing Services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the privacy and security safeguards." The complaint follows the recent report of a breach of Google Docs. EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. EPIC observed that Google repeatedly assures consumers that Google Cloud Computing Services store user-generated data securely. However, The Google Docs data breach is only one example of known security flaws involving Google's Cloud Computing Services. Previous data breaches involved Gmail and Google Desktop Search. For more information on Cloud Computing Services generally, see EPIC's Cloud Computing and Privacy page.

EPIC previously initiated the complaint to the FTC regarding Microsoft Passport in which the Commission subsequently required Microsoft to implement a comprehensive information security program for Passport and similar services. EPIC also filed the complaint with the Commission regarding databroker ChoicePoint, Inc. In that matter, the Commission determined that ChoicePoint's failure to employ reasonable security policies compromised the sensitive personal data of consumers, and assessed fines of $15 m. Further, EPIC brought the complaint to the Federal Trade Commission regarding the need to establish privacy safeguards as a condition of the Google-Doubleclick merger. Although the Commission failed to act in that matter, a subsequent review by the Department of Justice in a similar matter made clear that such a consolidation of Internet advertisers would have led to monopoly concentration and would have been against the public interest.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." Although this law does not grant the FTC specific authority to protect privacy, it has been routinely used to bring public attention to significant privacy issues and to provide a legal basis for reforming business activities that threaten consumer privacy. Under its Section 5 authority to regulate "unfair or deceptive" trade practices, the FTC has "brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' personal information."

FTC Review of EPIC's Complaint

The FTC is reviewing EPIC's March 17, 2009 complaint, which describes Google's unfair and deceptive business practices concerning the firm's Cloud Computing Services. The Commission stated that EPIC's complaint "raises a number of concerns about the privacy and security of information collected from consumers online." Commission investigations are confidential until the FTC decides to issue a formal complaint or close the investigation.

Impact of Cloud Computing

As of September 2008, 69 percent of Americans were using webmail services, storing data online, or otherwise using software programs such as word processing applications whose functionality is located on the web.

According to the Pew Internet and American Life Project, an overwhelming majority of users of Cloud Computing Services expressed serious concern about the possibility that a service provider would disclose their data to others. 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party. 80% say they would be very concerned if companies used their photos or other data in marketing campaigns. 68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.

An October 2008 study reports that 74.6% of surveyed IT executives and CIOs said security is the biggest challenge for the cloud computing model.

A March 2009 survey from TRUSTe underscores ongoing concern about Internet-based services, with 35% of users responding that their privacy has been invaded or violated in the last year due to information they provided via the Internet.

Google's Cloud Computing Services - Representations

Google operates numerous Cloud Computing Services, including:

  1. Google Docs: online document storage and editing;
  2. Google Desktop Search: integrated local and remote search;
  3. Gmail: email in the cloud;
  4. Picasa Web Albums: online photo storage;
  5. Google Calendar: cloud-based scheduling.

Google routinely represents to consumers that documents stored on Google servers are secure. For example, the homepage for Google Docs states "Files are stored securely online" (emphasis in the original) and the accompanying video provides further assurances of the security of the Google Cloud Computing Service.

Google Img1

Google also explicitly assures consumers that "Google Docs saves to a secure, online storage facility . . . without the need to save to your local hard drive."

Google Img2

Google encourages users to "add personal information to their documents and spreadsheets," and represents to consumers that "this information is safely stored on Google's secure servers." Google states that "your data is private, unless you grant access to others and/or publish your information."

Google Img3

Google represents to consumers, "Rest assured that your documents, spreadsheets and presentations will remain private unless you publish them to the Web or invite collaborators and/or viewers."

Google Img4

Google's Cloud Computing Services - Known Flaws

In January 2005, researchers identified several security flaws in Google's Gmail service. The flaws allowed theft of "usernames and passwords for the 'Google Accounts' centralized log-in service" and enabled outsiders to "snoop on users' email."

In December 2005, researchers discovered a vulnerability in Google Desktop and the Internet Explorer web browser. The security flaw exposed Google users' personal data to malicious internet sites.

In January 2007, security experts identified another security flaw in Google Desktop. The vulnerability "could enable a malicious individual to achieve not only remote, persistent access to sensitive data, but in some conditions full system control."

On March 7, 2009, Google disclosed user-generated documents saved on its Google Docs Cloud Computing Service to users of the service who lacked permission to view the files. On March 26, 2009, security consultants revealed additional security flaws in Google Docs. The flaws permit unauthorized individuals to access user-generated Google Docs content.

FTC Review of EPIC Microsoft Passport Complaint (2001 - 2002)

The FTC has previously settled cases involving unfair and deceptive trade practices highlighted in EPIC complaints. For example, on July 26, 2001, EPIC and twelve organizations submitted a complaint to the FTC, detailing the serious privacy risks of Microsoft Windows XP and Microsoft Passport. The complaint alleged that Microsoft "has engaged, and is engaging, in unfair and deceptive trade practices intended to profile, track, and monitor millions of Internet users," and that the company's collection and use of personal information violated Section 5 of the Federal Trade Commission Act.

After Microsoft announced a series of changes to Windows XP and Passport in response to the complaint, EPIC et al. submitted a supplement to the FTC further detailing specific ways Microsoft XP and Passport would harm consumers' interests.

The privacy and security risks outlined in the complaint were: facilitation of online profiling through a sign on requirement for Passport in order to view web content; covert sharing of consumers' personal information within the MSN network; an increase in the amount of unsolicited commercial e-mail from the sharing of e-mail addresses within the MSN network (with no option for the consumer to opt-out of such a system); and Microsoft's failure to establish adequate security standards to ensure that personal information held by Microsoft, such as credit card data, were protected from disclosure to third parties.

In August 2002, the FTC announced a settlement in its privacy enforcement action against Microsoft. The settlement required that Microsoft establish a comprehensive information security program for Passport, and prohibited any misrepresentation of its practices regarding information collection and usage.

The agreement was significant because the FTC did not uncover any security breaches, but acted nonetheless based on the potential for security problems. This action demonstrated that the FTC has the authority to protect online privacy, and that the Commission will hold companies to a very high standard in their representations to consumers about privacy policies. Since the FTC settlement of the EPIC complaint against Passport, industry groups have moved toward decentralized identity systems that are more robust, provide more security, and are better for privacy. For more information, see EPIC's page on Microsoft Passport Investigation Docket.

FTC Review of EPIC ChoicePoint Complaint (2004-2006)

The FTC has imposed substantial penalties for data breaches that exposed personal consumer information. For example, In December 2004, EPIC filed a complaint with the Federal Trade Commission against databroker ChoicePoint, alleging that Choicepoint failed to safeguard sensitive consumer data. EPIC urged the agency to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint. EPIC alleged that Choicepoint failed to employ adequate privacy safeguard and security practices concerning consumer information. Furthermore, EPIC urged the Commission to analyze whether the sale of dossiers gave businesses, private investigators, and law enforcement access to data that previously had been subjected to Fair Information Practices.

In February 2005, EPIC supplemented the ChoicePoint complaint with new information. First, an article written by Robert O'Harrow Jr. of the Washington Post quoted ChoicePoint representatives saying that the company acts like an "intelligence agency" and that the data industry should be subject to new regulations because of how personal information is being used. O'Harrow's article demonstrated the reliance on commercial data brokers for decision-making, and the growing importance that the brokers' data be accurate and their practices accountable to the public. Second, the letter included a dialogue from Declan McCullagh's Politechbot.com mailing list concerning EPIC's December 2004 complaint. A list message from a private investigator who uses ChoicePoint noted that the company maintains an audit trail of clients who access personal information. The EPIC supplement points out that law enforcement users are not subject to the audit trails, and that EPIC is unaware of a single case where a commercial databroker has turned in a user for prosecution as a result of an audit showing prohibited use of the service. Last, the EPIC supplement included a transcript of a recent television broadcast, "Someone's Watching," that aired on Dec. 18, 2004, on the Discovery Times Channel. The broadcast shows two private investigators using a commercial databroker to access a stranger's Social Security Number, employment details, and other information without any legal justification.

In 2005, based on the EPIC complaint, the FTC alleged that ChoicePoint did not have reasonable procedures to screen and verify prospective businesses for lawful purposes and as a result compromised the personal financial records of more than 163,000 customers in its database. Because of this data breach, the FTC alleged that ChoicePoint violated the Fair Credit Reporting Act by furnishing the financial records to subscribers that did not have a permissible purpose to obtain them. The FTC additionally alleged that ChoicePoint engaged in unfair or deceptive practices in violation of Section 5 of the Federal Trade Commission Act.

In January 2006, the FTC announced a settlement with ChoicePoint, requiring the company to pay $10 million in civil penalties and provide $5 millions for consumer redress. It is the largest civil penalty in FTC history. ChoicePoint was also required to verify, "(1) the business identity of the subscriber, and (2) that the subscriber is a legitimate business engaged in the business certified and has a permissible purpose for obtaining consumer reports." The FTC also required ChoicePoint to establish, implement, and maintain "a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers."

all day, every day." (quote from AdAge).

Review of the Google/Doubleclick Merger (2007 - 2008)

On April 20, 2007, EPIC, CDD, and US PIRG filed a complaint with the Federal Trade Commission, requesting that the Commission open an investigation into Google's proposed acquisition of Doubleclick, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. EPIC further urged the FTC to require Google to publicly present a plan to comply with well-established government and industry privacy standards such as the OECD Privacy Guidelines. Pending the resolution of these and other issues, EPIC encouraged the FTC to halt the acquisition. The three groups filed a supplement to the complaint with the Commission in June 2007.

On December 21, 2007, the FTC approved the proposed merger without conditions in a 4-1 opinion. EPIC responded, saying that the unique circumstances of the online advertising industry required the FTC to impose privacy safeguards as a condition of the Google- Doubleclick merger. EPIC said that the FTC "had reason to act and authority to act, and failed to do so." Commissioner Harbour dissented from the decision, stating that "If the Commission closes its investigation at this time, without imposing any conditions on the merger, neither the competition nor the privacy interests of consumers will have been adequately addressed." Commissioner Leibowitz, in a concurring opinion, warned that "industry participants must stop being coy and start being more forthcoming about their practices, the consumer information they collect, and how they use it" and recommended the adoption of an opt-in standard for online services. The unconditional approval comes as a surprise following the earlier "Second Request" by the Commission which has historically indicated an intent to block a merger or impose conditions as a requirement for merger approval.

At a hearing before the European Parliament on January 21, 2008, EPIC President Marc Rotenberg testified that the European Commission must establish privacy safeguards because the US Federal Trade Commission failed to do so during the US merger review. Mr. Rotenberg also said that Google was beginning to reveal the characteristics of an "information monopolist" and that it was important for governments to act to preserve the rights of citizens and to safeguard competition and innovation in the information economy.

Although the FTC failed to place conditions on the Google/Doubleclick merger, a subsequent review by the Department of Justice in a similar matter derailed a deal between Google and Yahoo. The DOJ review made clear that such a consolidation of Internet advertisers would have led to monopoly concentration and would have been against the public interest.

Legal Documents

FTC Letter to EPIC, Mar. 18, 2009
EPIC's Complaint to the FTC, Mar. 17, 2009

News Items on EPIC FTC Complaint