Google Drive problem is a public cloud problem, says privacy expert

The explosion of outrage from privacy advocates over Google Drive's terms of service appears to have subsided somewhat, after a number of analysts agreed with the company that its terms are no more intrusive than those of other cloud storage services like Dropbox, Microsoft's Skydrive or Apple's iCloud.

The more significant message, privacy experts say, is that the public cloud -- any public cloud -- is not the place for corporations to be storing sensitive or confidential information.

The offending language in the new Google storage and synchronization service states that Google reserves the right to "use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute" content uploaded to their services.

But that is preceded by a statement that, "You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours."

Nilay Patel, writing a comparison of cloud storage services in The Verge, says that while Google's terminology may be "a little off-putting," it is actually a bit more restrictive than some others. For example, he notes that Dropbox's terms of service says, "You give us the permissions we need to do those things solely to provide the Services."

While that language, "is definitely friendlier than Google's, it's actually more expnsive, since it's more vague," Patel writes.

"Where Google specifically lists the rights and permissions it needs to run its services using precise legal terminology like 'create derivative works,' Dropbox just says you're giving it 'the permissions we need.' Exactly what those permissions are is left unsaid and undefined -- and could change as Dropbox changes the types of services it provides."

Still, Rafe Neeleman, writing on CNET News, quotes the High Tech Law Institute's Eric Goldman saying, "the language is not drafted nearly as tightly as we would expect from a company of Google's size and stature," adding that it is, "poorly written and likely to confuse users."

And Nick Triantos, founder and CEO of ionGrid remains convinced that Google will, in fact, end up with some form of ownership of user content. "It sounds fairly clear to me that they don't have to return your data to you [if you leave their service]," he says.

"It isn't necessarily because of malice, but because it can be a lot of work to go through and delete it all. It's more of an effort to simplify things," Triantos says. "But it also give them the right to mine the content of a word-processing document so could target you with better ads."

While none of this may be a huge problem for the average individual user, it should be a stark warning for corporations, he says. "The public cloud is already so far away from what a good IT department would want."

Most companies have a clear policy that says anyone who shares sensitive documents outside of the security perimeter will be fired. But so many employees, including some CEOs, are doing it, the policy is rarely enforced.

This, he says, will eventually lead to disaster. "If you're working for a large bank, you could go to prison for it. Even if none of that information leaked out, the fact that you're putting it into the public cloud is enough to put you in jail."

Why aren't more corporations concerned about it? "One company is eventually going to get sued," Triantos says, "and then everybody is going to go to firefighting mode. It may not be at the top of people's minds until then."

The bottom line for enterprises, he says, is that it doesn't really matter if it is Google Drive or any of its competitors. They are not private and they are not secure. So, don't use them, Triantos says.

Read more about cloud security in CSOonline's Cloud Security section.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleCNET NetworksDropboxGoldmanGoogleMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts