Opinion: Time for Google to bring us a trustworthy cloud

Powered by SC Magazine

Why is Google so bad at information security?

For the sake of a trustworthy cloud, it’s time for Google to get its information security act together.

Like most IT journalists I tend to pay a lot of attention to what happens at the ad-search giant. It's a consequence of its weight in the market and history of influencing society and business, often for the better.

And, of course, because Google has created so many cool gadgets with which to amuse us.

So it has been with dismay bordering on incredulity that I have often been gobsmacked by its ambivalence to information security and trust.

Hardly a week has gone by recently when Google hasn't made the headlines - not for a flashy new technology, its social good deeds or insatiable appetite for acquisition but because it has screwed the pooch on some security issue or other.

These are uber-smart people, these Googlers. I have seen them trounce a room of hundreds of very smart people -- including a few game show winners and pub-trivia regulars -- in IQ tests and I suspect there are enough geniuses at the company's Sydney headquarters to form their own chapter of Mensa.

So why does Google do such a poor job of keeping people's information secure?

It's true that Google has bought some great hosted security services and over the New Year added email domain keys for Apps but that can't right the crooked tilt of the organisation's halo.

A saying I heard as a kid was: "Fool me once, shame on you; fool me twice, shame on me"; what do I say to being repeatedly fooled?

Whether it's malware it allowed to sneak onto the Android Market, losing 150,000 Gmail subscribers' email accounts and data, losing calendar data, relying on antiquated disaster recovery methods, hitting the top malware charts, or infractions incurred on its behalf, Google's security stance is not consistent with its dominance.

Frankly, it's just slack and no longer acceptable.

And it's a big worry for anyone who considers the cloud a viable option for their organisation or personal data or that of their customers. Because, as a market leader, Google's approach to security, trust and compliance is the standard that other providers feel they must meet, and little more. And, right now, that standard should give you pause for thought before moving into the cloud.

The penny dropped for me that Google wasn't serious about security when Germany's data protection commissioner outed it for snarfing packets from open wi-fi networks as its Street View cars rolled down our boulevards, streets and lanes.

I love Street View: the ability to see where you're going before you get there is a great comfort, especially when you're in a strange part of town or an entirely new city. And because there are legitimate concerns over the use of images, Google came around to the view that people had a right not to be included in Street View after many expressed their outrage.

But it was the collective shoulder-shrug, dissembling over, at first, whether Google had grabbed people's free-to-air packets, whether it had the right to, blaming the victims (it's not our fault your wi-fi network was open, you should be more careful), what it did with the information and why, in the first place, it had collected them at all that set off warning bells.

Security. Governance. Reliability. Risk. Compliance. Trust. Privacy.

It seems an uncomfortable, even boring, fit to Google's lightspeed engineers intent on changing the world a line of code at a time. And in some ways maintaining our privacy, at least, is a difficult proposition for a company that revolves around selling us ads and making money off our activities.

And although Google properly commissioned a report into its Street View debacle, it would have been happy to see the matter go away by deleting the information before fuller inquiries could be conducted.

My worries were heightened at the time when I put questions to Google's head of engineering in Australia, Alan Noble (remember, Google Maps originated here). Noble knew, or ought to have known, who the wi-fi culprit coder was but no sanction would be taken, he said.

Although Google eventually came around to the point of view that capturing people's private information and storing it without their permission or knowledge was unacceptable and possibly illegal, I feel that in its DNA there's a cognitive dissonance and a sense, still, that it did nothing wrong despite its public statements.

There was another technology company that dominated IT that once had a similar attitude.

More than 10 years ago, after the first surge of modern, internet-enabled malware hammered the credibility and stock price of software behemoth and Google-of-its-day Microsoft, Bill Gates, in one of his last major acts as chief executive officer, initiated the Trustworthy Computing scheme.

Gates was talking not just about patching technologies after the fact but a fundamental and radical change to sew security into the fabric of software written at the desktop and applications maker and extending that appreciation to the wider industry.

At the time, open source and free software made much of the "many-eyes" approach to security; that is, with lots of people viewing code, it will be inherently more secure than a proprietary system or "security through obscurity". This is the approach Google, at its core an organisation that believes in free-software principles, chose for its Android Market smartphone app store.

While information security at Microsoft is still a day-by-day proposition, it has made big advances in software architecture to protect users' data and the weave of society as we become more connected with every device we slip into our pockets, slide on to our desktops or nurse in our possessions.

And Microsoft has spearheaded cross-vendor industry consortiums to further that dialog; a step Google was reluctant to make.

It's time for Google to wake from its slumber, to amp up the volume on information security and make the net safer for us all.

I call on Google to update Microsoft's vision with its own initiative, let's call it "Trustworthy Cloud".

This isn't an engineering task - a task Google with its likely genius-level median IQ is more than up to - as much as it is one of recrafting the culture of the organisation to put security first in everything it does.

Google needs to understand that information security must be built in at the outset of every project and is integral to its long-term success, that of its customers and partners, and our path to the cloud.

Copyright © iTnews.com.au . All rights reserved.
