Opinion: Time for Google to bring us a trustworthy cloud

Why is Google so bad at information security?

For the sake of a trustworthy cloud, it’s time for Google to get its information security act together.

Like most IT journalists I tend to pay a lot of attention to what happens at the ad-search giant. It's a consequence of its weight in the market and history of influencing society and business, often for the better.

And, of course, because Google has created so many cool gadgets with which to amuse us.

So it has been with dismay bordering on incredulity that I have often been gobsmacked by its ambivalence to information security and trust.

Hardly a week has gone by recently when Google hasn't made the headlines - not for a flashy new technology, its social good deeds or insatiable appetite for acquisition but because it has screwed the pooch on some security issue or other.

These are uber-smart people, these Googlers. I have seen them trounce a room of hundreds of very smart people -- including a few game show winners and pub-trivia regulars -- in IQ tests and I suspect there are enough geniuses at the company's Sydney headquarters to form their own chapter of Mensa.

So why does Google do such a poor job of keeping people's information secure?

It's true that Google has bought some great hosted security services and over the New Year added email domain keys for Apps but that can't right the crooked tilt of the organisation's halo.

A saying I heard as a kid was: "Fool me once, shame on you; fool me twice, shame on me"; what do I say to being repeatedly fooled?

Whether it's malware it allowed to sneak on the Android Market, losing 150,000 Gmail subscribers' email accounts and data, losing calendar data, relying on antiquated disaster recovery methods, hitting the top malware charts, or infractions incurred on its behalf, Google's security stance is not consistent with its dominance.

Frankly, it's just slack and no longer acceptable.

And it's a big worry for anyone who considers the cloud a viable option for their organisation or personal data or that of their customers. Because, as a market leader, Google's approach to security, trust and compliance is the standard that other providers feel they must meet, and little more. And, right now, that standard should give you pause for thought before moving into the cloud.

The penny dropped for me that Google wasn't serious about security when Germany's data protection commissioner outed it for snarfing packets from open wi-fi networks as its Street View cars rolled down our boulevards, streets and lanes.

I love Street View, the ability to see where you're going before you get there is a great comfort especially when you're in a strange part of town or an entirely new city. And because there are legitimate concerns over the use of images, Google came around to the view that people had a right not to be included in Street View after many expressed their outrage.

But it was the collective shoulder-shrug, dissembling over, at first, whether Google had grabbed people's free-to-air packets, whether it had the right to, blaming the victims (it's not our fault your wi-fi network was open, you should be more careful), what it did with the information and why, in the first place, it had collected them at all that set off warning bells.

Security. Governance. Reliability. Risk. Compliance. Trust. Privacy.

It seems an uncomfortable, even boring, fit to Google's lightspeed engineers intent on changing the world a line of code at a time. And in some ways maintaining our privacy, at least, is a difficult proposition for a company that revolves around selling us ads and making money off our activities.

And although Google properly commissioned a report into its Street View debacle, it would have been happy to see the matter go away by deleting the information before fuller inquiries could be conducted.

My worries were heightened at the time when I put questions to Google's head of engineering in Australia, Alan Noble (remember, Google Maps originated here). Noble knew, or ought to have known, who the wi-fi culprit coder was but no sanction would be taken, he said.

Although Google eventually came around to the point of view that capturing people's private information and storing it without their permission or knowledge was unacceptable and possibly illegal, I feel that in its DNA there's a cognitive dissonance and a sense, still, that it did nothing wrong despite its public statements.

There was another technology company that dominated IT that once had a similar attitude.

More than 10 years ago, after the first surge of modern, internet-enabled malware hammered the credibility and stock price of software behemoth and Google-of-its-day, Microsoft's Bill Gates in one of his last major acts as chief executive officer initiated the Trustworthy Computing scheme.

Gates was talking not just about patching technologies after the fact but a fundamental and radical change to sew security into the fabric of software written at the desktop and applications maker and extending that appreciation to the wider industry.

At the time, open source and free software made much of the "many-eyes" approach to security; that is, with lots of people viewing code, it will be inherently more secure than a proprietary system or "security through obscurity". This is the approach Google, at its core an organisation that believes in free-software principles, chose for its Android Market smartphone app store.

While information security at Microsoft is still a day-by-day proposition, it has made big advances in software architecture to protect users' data and the weave of society as we become more connected with every device we slip into our pockets, slide on to our desktops or nurse in our possessions.

And Microsoft has spearheaded cross-vendor industry consortiums to further that dialog; a step Google was reluctant to make.

It's time for Google to wake from its slumber, to amp up the volume on information security and make the net safer for us all.

I call on Google to update Microsoft's vision with its own initiative, let's call it "Trustworthy Cloud".

This isn't an engineering task - a task Google with its likely genius-level median IQ is more than up to - as much as it is one of recrafting the culture of the organisation to put security first in everything it does.

Google needs to understand that information security must be built in at the outset of every project and is integral to its long-term success, that of their customers and partners and our path to the cloud.