The following Op-Ed Commentary was published in The Daily News of Los Angeles on Monday, October 26, 2009. John M. Simpson is a consumer advocate with Consumer Watchdog. His email is firstname.lastname@example.org.
Google wants the city of Los Angeles to switch its 30,000 e-mail users to an Internet-based system it operates, but rather than address real questions about the security of such "cloud computing" systems the Internet giant changes its story depending on its audience.
The City Council is set today to consider a $7.25 million contract with Computer Sciences Corp. to make the switch.
The difference in tone between Google’s attempts to reassure potential users of its applications about security concerns and its explicit warnings of the applications’ risks in communications aimed at shareholders required by federal law smacks of hypocrisy. Typical of Google’s reassuring words are these in a promotional document titled "Introduction to Google:"
"Google goes to great lengths to protect the data and intellectual property on servers that host user data. These facilities are protected around the clock and we have a dedicated security operations team who focuses specifically on maintaining the security of our environment."
Such talk would be reassuring were it not for the words coming from the other side of the corporate mouth. When Google is communicating with shareholders and must meet federal requirements for full disclosure, the tone is entirely different. The reassurances completely disappear and the risks are highlighted.
Contrast the earlier statement to those in Google’s federally mandated Form 10-Q for the Securities and Exchange Commission filed on Aug. 4, 2009:
"(As) nearly all of our products and services are web based, the amount of data we store for our users on our servers (including personal information) has been increasing. Any systems failure or compromise of our security that results in the release of our users’ data could seriously limit the adoption of our products and services as well as harm our reputation and brand and, therefore, our business. We may also need to expend significant resources to protect against security breaches. The risk that these types of events could seriously harm our business is likely to increase as we expand the number of web based products and services we offer as well as increase the number of countries where we operate."
Or this: "These products and services are subject to attack by viruses, worms, and other malicious software programs, which could jeopardize the security of information stored in a user’s computer or in our computer systems and networks."
And then there is this:
"The availability of our products and services depends on the continuing operation of our information technology and communications systems. Our systems are vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm our systems."
Some of our data centers are located in areas with a high risk of major earthquakes. Our data centers are also subject to break-ins, sabotage, and intentional acts of vandalism, and to potential disruptions if the operators of these facilities have financial difficulties. Some of our systems are not fully redundant, and our disaster recovery planning cannot account for all eventualities. The occurrence of a natural disaster, a decision to close a facility we are using without adequate notice for financial reasons, or other unanticipated problems at our data centers could result in lengthy interruptions in our service. In addition, our products and services are highly technical and complex and may contain errors or vulnerabilities."
Google is attempting to reassure would-be purchasers of its services that there is nothing to worry about, while warning investors of everything that can go wrong so as to limit potential liability. Google wants to have it both ways. Maybe such hypocrisy is the norm in the world of corporate giants. Microsoft buries similar warnings in its SEC filings. However, L.A. City Council members should demand a higher standard of candor before they commit to Google’s e-mail system.
If Google’s system is ultimately adopted, the city must insist on adequate security guarantees. While Google has announced its intention to create a "government cloud" with higher security standards to serve federal, state, and local governments, it does not yet exist.
Despite Google’s best intentions, it may never exist. We are all too familiar with technology companies’ tendencies to over promise and under deliver. While the government cloud could provide a solution to many concerns if it is in fact built and implemented as described by the current optimistic rhetoric, we are not there yet.
Google says it hopes to win Federal Information Security Management Act approval for the government cloud. However, it is quite possible it will not meet those standards, or at least not as rapidly as Google hopes. It would be folly to commit the city to a system that has not yet been thoroughly tested and demonstrated. Council should not rush into this deal. This is truly a time when haste makes waste.
Another troubling aspect of the proposed contract as currently written is the lack of consequences for Google if there is a security breach or loss of data. Essentially Google’s only obligation, other than following any federal or state laws, which may apply, is to send the city an e-mail explaining what happened.
At a minimum, the city should insist that the contract provide for liquidated damages in the event of a security breach, data loss or interruption in service.