Group questions Google government contract claims
An organization headed by a former federal CIO contends that despite Google's claims, its consumer privacy policy does apply to government customers in some cases.
SafeGov.org, a group focused on promoting a set of best practices for cloud deployment in the government, has cited three instances where it found Google Apps for Government (GAFG) contracts governed by the company's consumer privacy policy.
In a blog post, SafeGov.org said the CAFG contracts in each case explicitly incorporated the consumer privacy policy that Google had said did not apply to government contracts.
SafeGov was co-founded by Karen Evans, de facto federal CIO during the George W. Bush Administration.
The latest Google consumer privacy policy was created earlier this year amid some controversy.
The new policy allows Google to combine user data from services like YouTube, Gmail and Google search to create a single profile for each user of its various services.
Google argued that the new policy is shorter, easier to understand than the myriad plans it replaced and will allow the company to deliver better and more targeted services.
SafeGov and other organizations at that time had said that the new privacy policy posed a serious risk for government users of Google cloud services. The critics maintained that the user tracking and inference-making done under the policy policy would significantly increase the risk of accidental data exposure and data leaks from government agencies.
In response to those criticisms, Google announced that government clients wouldn't be subject to the terms if its new policy. Government clients would instead be governed by individual contracts that superseded the company's consumer privacy policy.
In a statement to Computerworld at the time, Google said that its contracts have always contained privacy language the superseded any general privacy policy.
However, Jeff Gould, a partner at SafeGov, told Computerworld that he has uncovered publicly posted Google government contracts in Illinois. California and Texas that clearly appear to be governed by the general consumer privacy policy.
In each instance, the government agencies cited contracted with a third party to implement Google cloud services at their sites.
In each case, Gould said, the contracts pointed to Google's standard consumer privacy policy as the minimum standard for handling customer data. None of the contracts required Google to exceed the requirements of its consumer privacy policy.
All three contracts are current and point to the company's latest privacy policy. One of the contracts was signed after Google's new privacy policy went into effect March 1, Gould said.
While Google is unlikely to be doing any user tracking or data mining at these sites, there is nothing in the privacy language that would prevent the company from doing so, he said.
"On the face of it, these contracts do not supersede the privacy policy but on the contrary actually incorporates it," Gould said.
Gould conceded that Google may be unaware of the contract terms written by the third party firm.
"What we are saying now is they ought to clean this up. They really never thought about this at all when they launched the new privacy policy," Gould said.
Going forward, Google needs to ensure that all of its government privacy policies contain language specifically stating that the company will not track or mine information, Gould said.
Each policy should also specifically state that it supersedes the company's consumer privacy police, he added.
"What we are saying here is that this is not necessarily a great evil, but it is a direct contradiction of what they said in January," he said.
Google did not immediately respond to a request for comment onSafeGov.org's claims.
(Source: computerworld.com)
