Privacy activist asks FTC to halt Google apps

File photo: EPIC director Marc Rotenberg at Stanford University talking about Google and privacy in 2007.

(Credit: Declan McCullagh/CNET)

A privacy advocacy group has asked the Federal Trade Commission to pull the plug on Gmail, Google Docs, Google Calendar, and the company's other Web apps until government-approved "safeguards are verifiably established."

If the FTC grants the request, hundreds of millions of Internet users would be unable to access their e-mail or documents until the agency's formidable collection of lawyers in Washington, D.C., became satisfied with the revised applications. The outage would extend to businesses that pay for access to Google Apps.

The Electronic Privacy Information Center submitted the far-reaching request to the FTC in a letter from its director, Marc Rotenberg, on Tuesday. It argues that a formal legal injunction halting all Google cloud-computing services pending formal government approval is necessary to "adequately safeguard the confidential information" of users.

"If we were talking about a child safety seat that could not be securely attached to a car passenger seat, the commission in that instance would say to the company, 'Look, you've got to fix that problem,'" Rotenberg, a lawyer and adjunct law professor, said in a telephone interview on Tuesday. "Consumers are at risk when that product is in the marketplace. We have a similar view of cloud computing at this point: people are at risk."

EPIC sent the letter a week after a bug in Google Docs exposed a small fraction of word-processing and presentation documents. Google said the problem affected only 0.05 percent of documents stored at the site, that affected Google Docs users had been notified, and it affected only people with whom users had already shared documents.

As an additional punishment, EPIC wants Google to be forced to pay $5 million into a "public fund" that it and like-minded advocacy groups could financially benefit from.

For its part, Google said it was reviewing EPIC's letter and provided CNET with this statement: "Many providers of cloud computing services, including Google, have extensive policies, procedures and technologies in place to ensure the highest levels of data protection. Indeed, cloud computing can be more secure than storing information on your own hard drive. We are highly aware of how important our users' data is to them and take our responsibility very seriously."

Paragraph 57 of EPIC's letter asks the FTC to "enjoin Google from offering cloud computing services until safeguards are verifiably established."

Microsoft and Yahoo declined to comment on Tuesday.

EPIC regularly sends letters to the FTC asking for action against technology companies. It sent one last year targeting Ask.com, which had already discontinued the practice in question. In 2000, the group targeted DoubleClick; it also questioned Microsoft's Passport authentication system, which yielded a settlement in August 2002.

The complaints invoke the FTC's legal authority to file civil lawsuits against "unfair or deceptive acts or practices." In this case, EPIC claims that Google is violating that law because of its "inadequate security practices."

"One of the powers of the FTC is to say if you can't provide a safe product, we can take it from the marketplace," Rotenberg said. He acknowledged having the FTC attempt to pull the plug on Google Apps until privacy fixes were done was a long shot, but said the broader goal was to raise awareness of the privacy and security risks of cloud computing. (EPIC previously claimed Gmail was illegal and attempted to have it shut down.)

Jim Harper, director of information policy studies at the free-market Cato Institute, said that nothing Google has done is unfair or deceptive.

"EPIC is unable to persuade the public of a problem, so it goes to a very willing government agency that has nothing else to do but machinate about these kinds of issues," Harper said. He added, referring to the $5 million fund EPIC wants Google to set up: "This is a new fundraising tool."

CNET's Stephanie Condon contributed to this report

(Disclosure: Declan McCullagh is married to a Google employee.)

[lkrupp]

"If the FTC grants the request, hundreds of millions of Internet users would be unable to access their e-mail or documents until the agency's formidable collection of lawyers in Washington, D.C. became satisfied with the revised applications. The outage would extend to businesses that pay for access to Google Apps."

Which is precisely why the FTC would not even consider granting such a request. This is just a publicity stunt by yet another advocacy group seeking attention from the press. It's a non story.

[mrcjacobs]

I agree wholeheartedly that this is just a publicity stunt. Anyone with half a brain, lets hope there's someone at the FTC that fits in that group, would see this filing for what it is.... A blatant attempt at self enrichment by EPIC.

[BIGELLOW]

Agreed. After all, why should ONLY Google need to shut off their services? They could do the same to AOL, Microsoft, Amazon, and just about every ISP which provides email and other similar hosted services. This is such a non-issue it's not even funny.

[tdtolle]

This is a perfect example of a grab play for money driven purely by greed. They see the name "Google" and immediately think how they can get into their pocket. There is not even a thought about the end user and the impact it will have on them. The very people they claim to be "protecting".

[boboberg]

This is ridiculous. On what grounds is our privacy being violated by an e-mail app or an online calendar? These people are morons. Mark Montgomery boboberg@nyc.rr.com

[gerrrg]

It just doesn't pass muster that EPIC would be so concerned with Google's cloud computing, but it has not a single targeted article, posting or court filing regarding either Heartland's recent 100 million user breach of data (third-party transaction processor for Visa/MasterCard), or the fact that Microsoft's OS bugs have led to hundreds of thousands of bots / computer zombies ready for a DDOS attack.


Something is rotten in the state of Denmark.

[Nataku4ca]

o yes, another attempt at screwing the big companies, cant they come up with better ways of doing this?

[KevenM111]

Since they're also going after Google Apps, this would also inadvertently affect thousands of little companies. Everyone loses, except for EPIC in their quest for funding.

[Imalittleteapot]

Oh yes, screw with my email. Couldn't shut down ChoicePoint instead or anything that might make sense.

[KevenM111]

I was steamed when I first read this article where privacy activist group, Electronic Privacy Information Center has made a request of the FTC to temporarily halt key Google services, specifically, Gmail, Google Calendar, and Google Apps.

The request was apparently stimulated by Google's recent bug where a small portion of Docs users accidentally had some documents mistakenly shared with others. In their letter to the FTC, EPIC builds their case by citing other previous security issues with Google in the past. Should the FTC grant EPIC's request, then Gmail, Google Calendar and Google Apps could effectively be shut down pending a review by the FTC to ensure that Google does in fact comply with the safety and privacy policies advertised. The topping on the cake is that EPIC is also seeking a $5 Million payment from Google into a public fund to be used by EPIC and similar privacy watchdog groups.

This is at best, a publicity stunt on the part of EPIC, and at worst, an irresponsible move that seeks ONLY to further EPIC's goals, at the cost of millions of users' inconvenience and loss of business.

Here's the reality of things: Privacy is never 100% guaranteed. Not in your home, your basement, on your computer, nor in the cloud. **** happens, and when it does, you can be sure there will an organization like EPIC ready to capitalize on the situation and find someone to blame, all in order to keep their incompetence afloat.

I'm not against privacy, but there is a reasonable limit to how much one can expect, which is what this all comes down to. Does Google take reasonable precautions in protecting your data? Common sense says "Yes". Google Apps employs 256 bit encryption for SSL connections (your bank probably uses 64 or 128 bit). The reports of bugs in their systems are usually blown out of proportion (then later, the inflated reports are referenced as 'fact') - for example, the two prior cases of Google vulnerabilities cited in EPIC's letter were not 'bugs' in the sense that your coworkers might accidentally get into your account, but bugs in the sense that hackers could find a way into the system. With the growth of new tools at anyone's disposal, there can't be a reasonable expectation that a system will ALWAYS be hacker proof.

At the end of the day, we have to ask ourselves - what's more secure? A Google server, or your laptop? A world class hacker might get to your data in Google's servers (technically, this has yet to happen), but your laptop, should you accidentally leave it on the subway will reveal its contents to an average user. Perhaps, EPIC should ask the FTC to halt all laptop manufacturers until they can ensure better privacy by legislating that all hard drives be encrypted.

I am not a Google employee, nor am I affiliated with Google in any manner.
I am a simple user who can't stand self serving 'public advocacy groups' who could care less of the repercussions of their actions (Shutting down Google Apps would bring thousands of a businesses around the world to a halt, but this isn't their problem apparently)

[KevenM111]

I was steamed when I first read this article where privacy activist group, Electronic Privacy Information Center has made a request of the FTC to temporarily halt key Google services, specifically, Gmail, Google Calendar, and Google Apps.

The request was apparently stimulated by Google's recent bug where a small portion of Docs users accidentally had some documents mistakenly shared with others. In their letter to the FTC, EPIC builds their case by citing other previous security issues with Google in the past. Should the FTC grant EPIC's request, then Gmail, Google Calendar and Google Apps could effectively be shut down pending a review by the FTC to ensure that Google does in fact comply with the safety and privacy policies advertised. The topping on the cake is that EPIC is also seeking a $5 Million payment from Google into a public fund to be used by EPIC and similar privacy watchdog groups.

This is at best, a publicity stunt on the part of EPIC, and at worst, an irresponsible move that seeks ONLY to further EPIC's goals, at the cost of millions of users' inconvenience and loss of business.

Here's the reality of things: Privacy is never 100% guaranteed. Not in your home, your basement, on your computer, nor in the cloud. **** happens, and when it does, you can be sure there will an organization like EPIC ready to capitalize on the situation and find someone to blame, all in order to keep their incompetence afloat.

I'm not against privacy, but there is a reasonable limit to how much one can expect, which is what this all comes down to. Does Google take reasonable precautions in protecting your data? Common sense says "Yes". Google Apps employs 256 bit encryption for SSL connections (your bank probably uses 64 or 128 bit). The reports of bugs in their systems are usually blown out of proportion (then later, the inflated reports are referenced as 'fact') - for example, the two prior cases of Google vulnerabilities cited in EPIC's letter were not 'bugs' in the sense that your coworkers might accidentally get into your account, but bugs in the sense that hackers could find a way into the system. With the growth of new tools at anyone's disposal, there can't be a reasonable expectation that a system will ALWAYS be hacker proof.

At the end of the day, we have to ask ourselves - what's more secure? A Google server, or your laptop? A world class hacker might get to your data in Google's servers (technically, this has yet to happen), but your laptop, should you accidentally leave it on the subway will reveal its contents to an average user. Perhaps, EPIC should ask the FTC to halt all laptop manufacturers until they can ensure better privacy by legislating that all hard drives be encrypted.

I am not a Google employee, nor am I affiliated with Google in any manner.
I am a simple user who can't stand self serving 'public advocacy groups' who could care less of the repercussions of their actions (Shutting down Google Apps would bring thousands of a businesses around the world to a halt, but this isn't their problem apparently)

[aka_tripleB]

I think most of you are too close to the situation to see its true scope. But Google, along with most if not all cloud service, offer no real protection of your data. They should be required to meet a certain level of security; however, there should be a window to implement this until they are forced to shut down until it is implemented. People have been comfortable with the current level of security (not me, this is why I don't store sensitive info in the cloud), so users should be affected unless their service won't adhere to standards to protect its users.

[zenlive]

I'm surprised that Vint Cerf is on the advisory board for EPIC. Looks like he doesn't exert that much influence over the organization. Google shouldn't be singled out by EPIC when every company out there with some sort of cloud service is in the same boat..

[zasyatkin]

I completely agree with the general consensus that this is absurd. Whats funny about this that at least a few of the FTC employees, must use Gmail for their personal emails, so this will hopefully get denied very quickly.

By the way, isn't there a law against filling frivolous lawsuits, like these?

[NearChaos]

Last time I checked, no one forced anybody to use Gmail, et al. If you're worried about your privacy, then stop using these services, or don't start. And be sure to adjust your tin foil hat regularly.

[tralfazmx]

They are just looking for a settlement.

Google, don't take the easy way out and pay the greedy b#&turds or they will just go after the next poor sucker.

I hate these kinds of low-life companys that produce nothing but lawsuits and loss.

[gggg sssss]

Sounds like an attempt at a stimulus package for lawyers. Probably the whole ratbag bunch that once worked ( were employed by??) Madoff, AIG, Lehman. To the bottom of the sea with them.

[gggg sssss]

not of course conspiring or counselling harm to lawyers, just suggesting they join Jacques Cousteau, or The Beatles he he

[ambigous]

"As an additional punishment, EPIC wants Google to be forced to pay $5 million into a "public fund" that it and like-minded advocacy groups could financially benefit from."

Say no more :}

[Advocate4Liberty]

This chumbalone wants to invite Big Brother even further up our shorts. Where is he? Who is he? Run him out of the country on a rail!

[sarah_oneill]

It's an important step what EPIC has done, but I think its unlikely that the FTC will do all they ask. There's a related article that is interesting <a href="http://www.atelier-us.com/e-business-and-it/article/petition-served-to-ftc-to-investigate-google-cloud-services">here</a>:

http://www.atelier-us.com/e-business-and-it/article/petition-served-to-ftc-to-investigate-google-cloud-services

[digitalmoneylife]

Talking about the wrong stuff. Why Google? There zillions other stuff that keep our privacy info. shut down those which aren't as useful as Gmail or G. app. What is going on with this world?