Group questions Google government contract claims

Evidence suggests that some of Google's government contracts are governed by consumer privacy policy, SafeGov says

An organization headed by a former federal CIO contends that despite Google's claims, its consumer privacy policy does apply to government customers in some cases., a group focused on promoting a set of best practices for cloud deployment in the government, has cited three instances where it found Google Apps for Government (GAFG) contracts governed by the company's consumer privacy policy.

In a blog post, said the CAFG contracts in each case explicitly incorporated the consumer privacy policy that Google had said did not apply to government contracts.

SafeGov was co-founded by Karen Evans, de facto federal CIO during the George W. Bush Administration.

The latest Google consumer privacy policy was created earlier this year amid some controversy.

The new policy allows Google to combine user data from services like YouTube, Gmail and Google search to create a single profile for each user of its various services.

Google argued that the new policy is shorter, easier to understand than the myriad plans it replaced and will allow the company to deliver better and more targeted services.

SafeGov and other organizations at that time had said that the new privacy policy posed a serious risk for government users of Google cloud services. The critics maintained that the user tracking and inference-making done under the policy policy would significantly increase the risk of accidental data exposure and data leaks from government agencies.

In response to those criticisms, Google announced that government clients wouldn't be subject to the terms if its new policy. Government clients would instead be governed by individual contracts that superseded the company's consumer privacy policy.

In a statement to Computerworld at the time, Google said that its contracts have always contained privacy language the superseded any general privacy policy.

However, Jeff Gould, a partner at SafeGov, told Computerworld that he has uncovered publicly posted Google government contracts in Illinois. California and Texas that clearly appear to be governed by the general consumer privacy policy.

In each instance, the government agencies cited contracted with a third party to implement Google cloud services at their sites.

In each case, Gould said, the contracts pointed to Google's standard consumer privacy policy as the minimum standard for handling customer data. None of the contracts required Google to exceed the requirements of its consumer privacy policy.

All three contracts are current and point to the company's latest privacy policy. One of the contracts was signed after Google's new privacy policy went into effect March 1, Gould said.

While Google is unlikely to be doing any user tracking or data mining at these sites, there is nothing in the privacy language that would prevent the company from doing so, he said.

"On the face of it, these contracts do not supersede the privacy policy but on the contrary actually incorporates it," Gould said.

Gould conceded that Google may be unaware of the contract terms written by the third party firm.

"What we are saying now is they ought to clean this up. They really never thought about this at all when they launched the new privacy policy," Gould said.

Going forward, Google needs to ensure that all of its government privacy policies contain language specifically stating that the company will not track or mine information, Gould said.

Each policy should also specifically state that it supersedes the company's consumer privacy police, he added.

"What we are saying here is that this is not necessarily a great evil, but it is a direct contradiction of what they said in January," he said.

Google did not immediately respond to a request for comment's claims.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is

Read more about cloud computing in Computerworld's Cloud Computing Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place