On March 17, 2009, EPIC filed a complaint with the Federal Trade Commission (FTC), urging the Commission to open an investigation into Google’s Cloud Computing Services — including Gmail, Google Docs, and Picasa — to determine “the adequacy of the privacy and security safeguards.” The complaint follows the recent report of a breach of Google Docs. EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and urged the Commission to take “such measures as are necessary” to ensure the safety and security of information submitted to Google. EPIC observed that Google repeatedly assures consumers that Google Cloud Computing Services store user-generated data securely. However, the Google Docs data breach is only one example of known security flaws involving Google’s Cloud Computing Services. Previous data breaches involved Gmail and Google Desktop Search. For more information on Cloud Computing Services generally, see EPIC’s Cloud Computing and Privacy page.
EPIC previously initiated the complaint to the FTC regarding Microsoft Passport, in which the Commission subsequently required Microsoft to implement a comprehensive information security program for Passport and similar services. EPIC also filed the complaint with the Commission regarding databroker ChoicePoint, Inc. In that matter, the Commission determined that ChoicePoint’s failure to employ reasonable security policies compromised the sensitive personal data of consumers, and assessed fines of $15 million. Further, EPIC brought the complaint to the Federal Trade Commission regarding the need to establish privacy safeguards as a condition of the Google-Doubleclick merger. Although the Commission failed to act in that matter, a subsequent review by the Department of Justice in a similar matter made clear that such a consolidation of Internet advertisers would have led to monopoly concentration and would have been against the public interest.
The FTC’s primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” Although this law does not grant the FTC specific authority to protect privacy, it has been routinely used to bring public attention to significant privacy issues and to provide a legal basis for reforming business activities that threaten consumer privacy. Under its Section 5 authority to regulate “unfair or deceptive” trade practices, the FTC has “brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information.”
The FTC is reviewing EPIC’s March 17, 2009 complaint, which describes Google’s unfair and deceptive business practices concerning the firm’s Cloud Computing Services. The Commission stated that EPIC’s complaint “raises a number of concerns about the privacy and security of information collected from consumers online.” Commission investigations are confidential until the FTC decides to issue a formal complaint or close the investigation.
As of September 2008, 69 percent of Americans were using webmail services, storing data online, or otherwise using software programs such as word processing applications whose functionality is located on the web.
According to the Pew Internet and American Life Project, an overwhelming majority of users of Cloud Computing Services expressed serious concern about the possibility that a service provider would disclose their data to others. 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party. 80% say they would be very concerned if companies used their photos or other data in marketing campaigns. 68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.
An October 2008 study reports that 74.6% of surveyed IT executives and CIOs said security is the biggest challenge for the cloud computing model.
A March 2009 survey from TRUSTe underscores ongoing concern about Internet-based services, with 35% of users responding that their privacy has been invaded or violated in the last year due to information they provided via the Internet.
Google operates numerous Cloud Computing Services, including:
- Google Docs: online document storage and editing;
- Google Desktop Search: integrated local and remote search;
- Gmail: email in the cloud;
- Picasa Web Albums: online photo storage;
- Google Calendar: cloud-based scheduling.
Google routinely represents to consumers that documents stored on Google servers are secure. For example, the homepage for Google Docs states “Files are stored securely online” (emphasis in the original) and the accompanying video provides further assurances of the security of the Google Cloud Computing Service.
Google also explicitly assures consumers that “Google Docs saves to a secure, online storage facility . . . without the need to save to your local hard drive.”
Google encourages users to “add personal information to their documents and spreadsheets,” and represents to consumers that “this information is safely stored on Google’s secure servers.” Google states that “your data is private, unless you grant access to others and/or publish your information.”
Google represents to consumers, “Rest assured that your documents, spreadsheets and presentations will remain private unless you publish them to the Web or invite collaborators and/or viewers.”
In January 2005, researchers identified several security flaws in Google’s Gmail service. The flaws allowed theft of “usernames and passwords for the ‘Google Accounts’ centralized log-in service” and enabled outsiders to “snoop on users’ email.”
In January 2007, security experts identified another security flaw in Google Desktop. The vulnerability “could enable a malicious individual to achieve not only remote, persistent access to sensitive data, but in some conditions full system control.”
On March 7, 2009, Google disclosed user-generated documents saved on its Google Docs Cloud Computing Service to users of the service who lacked permission to view the files. On March 26, 2009, security consultants revealed additional security flaws in Google Docs. The flaws permit unauthorized individuals to access user-generated Google Docs content.
The FTC has previously settled cases involving unfair and deceptive trade practices highlighted in EPIC complaints. For example, on July 26, 2001, EPIC and twelve organizations submitted a complaint to the FTC, detailing the serious privacy risks of Microsoft Windows XP and Microsoft Passport. The complaint alleged that Microsoft “has engaged, and is engaging, in unfair and deceptive trade practices intended to profile, track, and monitor millions of Internet users,” and that the company’s collection and use of personal information violated Section 5 of the Federal Trade Commission Act.
After Microsoft announced a series of changes to Windows XP and Passport in response to the complaint, EPIC et al. submitted a supplement to the FTC further detailing specific ways Microsoft XP and Passport would harm consumers’ interests.
The privacy and security risks outlined in the complaint were: facilitation of online profiling through a sign-on requirement for Passport in order to view web content; covert sharing of consumers’ personal information within the MSN network; an increase in the amount of unsolicited commercial e-mail from the sharing of e-mail addresses within the MSN network (with no option for the consumer to opt out of such a system); and Microsoft’s failure to establish adequate security standards to ensure that personal information held by Microsoft, such as credit card data, was protected from disclosure to third parties.
In August 2002, the FTC announced a settlement in its privacy enforcement action against Microsoft. The settlement required that Microsoft establish a comprehensive information security program for Passport, and prohibited any misrepresentation of its practices regarding information collection and usage.
The agreement was significant because the FTC did not uncover any security breaches, but acted nonetheless based on the potential for security problems. This action demonstrated that the FTC has the authority to protect online privacy, and that the Commission will hold companies to a very high standard in their representations to consumers about privacy policies. Since the FTC settlement of the EPIC complaint against Passport, industry groups have moved toward decentralized identity systems that are more robust, provide more security, and are better for privacy. For more information, see EPIC’s page on Microsoft Passport Investigation Docket.
The FTC has imposed substantial penalties for data breaches that exposed personal consumer information. For example, in December 2004, EPIC filed a complaint with the Federal Trade Commission against databroker ChoicePoint, alleging that ChoicePoint failed to safeguard sensitive consumer data. EPIC urged the agency to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint. EPIC alleged that ChoicePoint failed to employ adequate privacy safeguards and security practices concerning consumer information. Furthermore, EPIC urged the Commission to analyze whether the sale of dossiers gave businesses, private investigators, and law enforcement access to data that previously had been subject to Fair Information Practices.
In February 2005, EPIC supplemented the ChoicePoint complaint with new information. First, an article written by Robert O’Harrow Jr. of the Washington Post quoted ChoicePoint representatives saying that the company acts like an “intelligence agency” and that the data industry should be subject to new regulations because of how personal information is being used. O’Harrow’s article demonstrated the reliance on commercial data brokers for decision-making, and the growing importance that the brokers’ data be accurate and their practices accountable to the public. Second, the letter included a dialogue from Declan McCullagh’s Politechbot.com mailing list concerning EPIC’s December 2004 complaint. A list message from a private investigator who uses ChoicePoint noted that the company maintains an audit trail of clients who access personal information. The EPIC supplement points out that law enforcement users are not subject to the audit trails, and that EPIC is unaware of a single case where a commercial databroker has turned in a user for prosecution as a result of an audit showing prohibited use of the service. Last, the EPIC supplement included a transcript of a recent television broadcast, “Someone’s Watching,” that aired on Dec. 18, 2004, on the Discovery Times Channel. The broadcast shows two private investigators using a commercial databroker to access a stranger’s Social Security Number, employment details, and other information without any legal justification.
In 2005, based on the EPIC complaint, the FTC alleged that ChoicePoint did not have reasonable procedures to screen and verify prospective businesses for lawful purposes and as a result compromised the personal financial records of more than 163,000 customers in its database. Because of this data breach, the FTC alleged that ChoicePoint violated the Fair Credit Reporting Act by furnishing the financial records to subscribers that did not have a permissible purpose to obtain them. The FTC additionally alleged that ChoicePoint engaged in unfair or deceptive practices in violation of Section 5 of the Federal Trade Commission Act.
In January 2006, the FTC announced a settlement with ChoicePoint, requiring the company to pay $10 million in civil penalties and provide $5 million for consumer redress. It is the largest civil penalty in FTC history. ChoicePoint was also required to verify, “(1) the business identity of the subscriber, and (2) that the subscriber is a legitimate business engaged in the business certified and has a permissible purpose for obtaining consumer reports.” The FTC also required ChoicePoint to establish, implement, and maintain “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers.”
all day, every day.” (quote from AdAge).
On April 20, 2007, EPIC, CDD, and US PIRG filed a complaint with the Federal Trade Commission, requesting that the Commission open an investigation into Google’s proposed acquisition of Doubleclick, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. EPIC further urged the FTC to require Google to publicly present a plan to comply with well-established government and industry privacy standards such as the OECD Privacy Guidelines. Pending the resolution of these and other issues, EPIC encouraged the FTC to halt the acquisition. The three groups filed a supplement to the complaint with the Commission in June 2007.
On December 21, 2007, the FTC approved the proposed merger without conditions in a 4-1 opinion. EPIC responded, saying that the unique circumstances of the online advertising industry required the FTC to impose privacy safeguards as a condition of the Google-Doubleclick merger. EPIC said that the FTC “had reason to act and authority to act, and failed to do so.” Commissioner Harbour dissented from the decision, stating that “If the Commission closes its investigation at this time, without imposing any conditions on the merger, neither the competition nor the privacy interests of consumers will have been adequately addressed.” Commissioner Leibowitz, in a concurring opinion, warned that “industry participants must stop being coy and start being more forthcoming about their practices, the consumer information they collect, and how they use it” and recommended the adoption of an opt-in standard for online services. The unconditional approval came as a surprise following the Commission’s earlier “Second Request,” which historically has indicated an intent to block a merger or to impose conditions as a requirement for merger approval.
At a hearing before the European Parliament on January 21, 2008, EPIC President Marc Rotenberg testified that the European Commission must establish privacy safeguards because the US Federal Trade Commission failed to do so during the US merger review. Mr. Rotenberg also said that Google was beginning to reveal the characteristics of an “information monopolist” and that it was important for governments to act to preserve the rights of citizens and to safeguard competition and innovation in the information economy.
Although the FTC failed to place conditions on the Google/Doubleclick merger, a subsequent review by the Department of Justice in a similar matter derailed a deal between Google and Yahoo. The DOJ review made clear that such a consolidation of Internet advertisers would have led to monopoly concentration and would have been against the public interest.
- More Security Loopholes Found In Google Docs, TechCrunch, Mar. 26, 2009
- 10 security threats to watch out for in 2009, Tech Republic, Mar. 25, 2009
- Privacy group urges probe of Google cloud services, Vancouver Sun, Mar. 19, 2009
- EPIC Complains To The FTC About Google Cloud, Digital Trends, Mar. 19, 2009
- Google Inquiry Sought Over Privacy Concerns, Wall Street Journal, Mar. 18, 2009
- FTC Asked to Investigate Google’s Privacy Breaches, PC Magazine, Mar. 18, 2009
- Google’s Cloud is Safer Than My Den, U.S. News & World Report, Mar. 18, 2009
- Group asks U.S. FTC to probe Google privacy safety, Reuters, Mar. 18, 2009
- EPIC files FTC complaint about Google cloud services, IT World, Mar. 18, 2009
- FTC urged to investigate security of Google services, Info World, Mar. 18, 2009
- Privacy Group Asks F.T.C. to Investigate Google, NY Times, Mar. 17, 2009
- Group Asks FTC To Probe Google Privacy Protections’ Adequacy, Wall Street Journal, Mar. 17, 2009
- Group asks U.S. FTC to probe Google privacy safety, Washington Post, Mar. 17, 2009
- Privacy activist asks FTC to halt Google apps, Cnet, Mar. 17, 2009
- FTC questions cloud-computing security, Cnet, Mar. 17, 2009
- Privacy group complains to FTC about Google, SF Chronicle, Mar. 17, 2009
- Privacy group to FTC: Google’s cloud is unsafe, ZDnet, Mar. 17, 2009