Privacy group slams Google's cloud services

The non-profit Electronic Privacy Information Center (Epic) has filed a complaint with the US Federal Trade Commission (FTC) about the security standards of Google's cloud computing services.

The filing (PDF) highlights a number of "privacy and security risks" concerning an array of Google services, including Gmail, Google Docs, Google Desktop, Picasa Web Albums and Google Calendar.

Epic's main concern is that Google does not encrypt the information held on its servers.

The group argues that doing so would ensure more respect for individuals' privacy, and "provide users with the ability to fully control and customise their online experience".

The complaint states that Google's service terms do not adequately match its promise to consumers that documents stored on Google servers are secure.

Epic points to the homepage for Google Docs as an example, which states that "files are stored securely online".

But Epic argues that Google's Terms of Service "explicitly disavow any warranty or any liability for harm that might result from Google's negligence, recklessness, mal intent, or even purposeful disregard, of existing legal obligations to protect the privacy and security of user data".

The filing claims that Google's security practices have led to a number of data breaches, including a case on 7 March this year when some Google Docs users discovered that their documents had been shared with unauthorised users.

Epic has asked the FTC to review Google's privacy safeguards and service terms, and to instruct the company to disclose all incidents of data loss or breach.

It also asks the FTC to forbid Google from offering cloud computing services "until safeguards are verifiably established", and for Google to contribute US$5m to a public fund that will help support research into privacy enhancing technologies, including encryption, effective data anonymisation, and mobile location privacy.

Epic was established in 1994 to focus public attention on emerging civil liberties issues, and to protect privacy.

The organisation has previously complained to the FTC about the security standards relating to the single sign-on service provided by Microsoft Passport, as well as those employed by data broker ChoicePoint.

The FTC appeal about Google's services cites Section 5 (a) of the Federal Trade Commission Act (15 U.S.C) which prohibits unfair or deceptive acts or practices in, or affecting, commerce.

"Google's inadequate security practices, and the resultant Google Docs data breach, caused substantial injury to consumers, without any countervailing benefits," said Epic in the filing.