Before the Federal Trade Commission
Washington, DC 20580
In the Matter of                   )
                                   )
Google, Inc. and                   )
Cloud Computing Services           )
___________________________________)
Complaint and Request for Injunction, Request for Investigation and for Other Relief
SUMMARY OF COMPLAINT
1. This complaint concerns privacy and security risks associated with the provision of “Cloud Computing Services” by Google, Inc. to American consumers, businesses, and federal agencies of the United States government. Recent reports indicate that Google does not adequately safeguard the confidential information that it obtains. Given the previous opinions of the Federal Trade Commission regarding the obligation of service providers to ensure security, EPIC hereby petitions the Federal Trade Commission to open an investigation into Google’s Cloud Computing Services, to determine the adequacy of the privacy and security safeguards, to assess the representations made by the firm regarding these services, to determine whether the firm has engaged in unfair and/or deceptive trade practices, and to take any such measures as are necessary, including to enjoin Google from offering such services until safeguards are verifiably established. Such action by the Commission is necessary to ensure the safety and security of information submitted to Google by American consumers, American businesses, and American federal agencies.
PARTIES
1. The Electronic Privacy Information Center (“EPIC”) is a public interest research organization incorporated in Washington, DC. EPIC’s activities include the review of government and private sector policies and practices to determine their impact on the privacy interests of the American public. Among its other activities, EPIC initiated the complaint to the FTC regarding Microsoft Passport in which the Commission subsequently required Microsoft to implement a comprehensive information security program for Passport and similar services.[1] EPIC also filed the complaint with the Commission regarding data broker ChoicePoint, Inc.[2] In that matter, the Commission determined that ChoicePoint’s failure to employ reasonable security policies compromised the sensitive personal data of consumers, and assessed fines of $15m.[3] Further, EPIC brought the complaint to the Federal Trade Commission regarding the need to establish privacy safeguards as a condition of the Google-Doubleclick merger.[4] Although the Commission failed to act in that matter, a subsequent review by the Department of Justice in a similar matter made clear that such a consolidation of Internet advertisers would have led to monopoly concentration and would have been against the public interest.[5]
2. Google, Inc. ("Google") was founded in 1998 and is based in Mountain View, California. Google’s headquarters are located at 1600 Amphitheatre Parkway, Mountain View, CA 94043. At all times material to this complaint, Google’s course of business, including the acts and practices alleged herein, has been and is in or affecting commerce, as "commerce" is defined in Section 4 of the Federal Trade Commission Act, 15 U.S.C. § 45.
[1] In the Matter of Microsoft Corporation File No. 0123240, Docket No. C-4069 (Aug. 2002), available at http://www.ftc.gov/os/caselist/0123240/0123240.shtm. See also, Fed. Trade Comm’n, “Microsoft Settles FTC Charges Alleging False Security and Privacy Promises” (Aug. 2002) (“The proposed consent order prohibits any misrepresentation of information practices in connection with Passport and other similar services. It also requires Microsoft to implement and maintain a comprehensive information security program. In addition, Microsoft must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional every two years.”), available at http://www.ftc.gov/opa/2002/08/microsoft.shtm.
[2] See EPIC, EPIC Choicepoint Page, http://epic.org/privacy/choicepoint/.
[3] U.S. Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress, January 26, 2006, available at: http://www.ftc.gov/opa/2006/01/choicepoint.shtm.
[4] In the Matter of Google, Inc. and DoubleClick, Inc., Complaint and Request for Injunction, Request for Investigation and for Other Relief, before the Federal Trade Commission (Sept. 20, 2007), available at http://epic.org/privacy/ftc/google/epic_complaint.pdf; Privacy? Proposed Google/DoubleClick Deal, http://epic.org/privacy/ftc/google/ (last visited Mar. 16, 2009).
[5] “Google Won’t Pursue Yahoo Ad Deal,” N.Y. Times, Nov. 5, 2008 (“The Justice Department notified Google and Yahoo early Wednesday that it was planning to file suit to block the deal, which called for Google to place ads alongside some of Yahoo’s search results.”), available at http://www.nytimes.com/2008/11/06/technology/internet/06google.html; see also Dep’t of Justice, “Yahoo! Inc. and Google Inc. Abandon Their Advertising Agreement - Resolves Justice Department’s Antitrust Concerns, Competition Is Preserved in Markets for Internet Search Advertising,” Nov. 5, 2008, available at http://www.usdoj.gov/opa/pr/2008/November/08-at-981.html.
THE IMPORTANCE OF PRIVACY PROTECTION
3. The right of privacy is a personal and fundamental right in the United States. The privacy of an individual is directly implicated by the collection, use, and dissemination of personal information. The opportunities to secure employment, insurance, and credit, to obtain medical services and the rights of due process may be jeopardized by the misuse of personal information.
4. The excessive collection of personal data in the United States coupled with inadequate legal and technological protection have led to a dramatic increase in the crime of identity theft.[6]
5. Cloud Computing Services are rapidly becoming an integral part of the United States economy, with implications for business development, security, and privacy. A March 2009 study expects corporate IT spending on cloud services to grow almost threefold, reaching US$42 billion, by 2012.[7]
6. The Federal Trade Commission has a statutory obligation to investigate and prosecute violations of Section 5 of the Federal Trade Commission Act where companies have engaged in unfair and/or deceptive trade practices.
STATEMENT OF FACTS
"Cloud Computing Services" Defined
7. "Cloud Computing Services" involve "a software and server framework (usually based on virtualization)" that uses "many servers for a single software-as-a-service style application or to host many such applications on a few servers."[8]
[6] Fed. Trade Comm’n, “FTC Releases List of Top Consumer Fraud Complaints in 2008” (Feb. 26, 2009) (The list, contained in the publication “Consumer Sentinel Network Data Book for January-December 2008,” showed that for the ninth year in a row, identity theft is the number one consumer complaint, with 313,982 complaints received) available at http://www.ftc.gov/opa/2009/02/2008cmpts.shtm. The recent FTC report also indicates a particular risk to individuals ages 20-29, i.e. the Internet users who are becoming most dependent on new cloud based services.
[7] "IDC Says Cloud Computing Is More Than Just Hype; Worldwide IT Spending On Cloud Services Expected To Reach US$42 Billion By 2012," Press Release, Mar. 6, 2009 available at http://www.idc.com/getdoc.jsp?containerId=prMY21726709.
8. Cloud Computing Services are an emerging network architecture by which data and applications reside on third party servers, managed by private firms, that provide remote access through web-based devices.[9] This model of service delivery is in contrast to an architecture in which data and applications typically reside on servers or computers within the control of the end-user.
9. Some Cloud Computing Services use encryption, by default, to "respect individual privacy" and "provide users with the ability to fully control and customize their online experience."[10] One firm has stated that it is a "key principle" that "users own their data, and have complete control over its use. Users need to explicitly enable third parties to access their data."[11]
American Consumers, Educators, and Government Employees Are Increasingly Using Cloud Computing Services
10. As of September 2008, 69 percent of Americans were using webmail services, storing data online, or otherwise using software programs such as word processing applications whose functionality is located on the web.[12]
11. According to a report of the Pew Internet and American Life Project, an overwhelming majority of users of Cloud Computing Services expressed serious concern about the possibility that a service provider would disclose their data to others:[13]
• 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party.
• 80% say they would be very concerned if companies used their photos or other data in marketing campaigns.
• 68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.
[8] “Perspectives on Cloud Computing and Standards,” NIST, Information Technology Laboratory, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2008-12/cloud-computing-standards_ISPAB-Dec2008_P-Mell.pdf (last visited Mar. 11, 2009).
[9] “Cloud Computing Gains in Currency,” Internet and American Life Project, (Sep. 12, 2008), available at http://pewresearch.org/pubs/948/cloud-computing-gains-in-currency. See also Cloud computing, Wikipedia, http://en.wikipedia.org/wiki/Cloud_computing (last visited Mar. 16, 2009).
[10] Introducing Weave, Mozilla, Dec. 12, 2007, available at http://labs.mozilla.com/2007/12/introducing-weave.
[11] Overview of OAuth for Weave, https://wiki.mozilla.org/Labs/Weave/OAuth (last visited Mar. 16, 2009).
[12] Id.
[13] “Cloud Computing Gains in Currency,” supra note 9.
12. A recent survey from TRUSTe underscores ongoing concern about Internet-based services, with 35% of users responding that their privacy has been invaded or violated in the last year due to information they provided via the Internet.[14]
Google's Cloud Computing Services Representations
13. Google currently provides an extensive array of Cloud Computing Services, including email (“Gmail”),[15] online document storage and editing ("Google Docs"),[16] integrated desktop and internet search ("Google Desktop"),[17] online photo storage ("Picasa Web Albums"),[18] and scheduling programs (“Google Calendar”).[19]
14. In September 2008, comScore Media Metrix reported that 26 million consumers used Google's Gmail Cloud Computing Services.[20]
15. In November 2008, 4.4 million consumers used the Google Docs Cloud Computing Service.[21]
16. The number of consumers using Google Docs more than doubled in 2008, increasing 156 percent.[22]
17. Critical to the architecture of every single Google Cloud Computing Service is that the customer's data resides on a Google server, i.e. a computer-based information retrieval system under the control of Google – not the customer or end-user.
[14] Behavioral Advertising Survey, TRUSTe, Mar. 4, 2009 available at http://www.truste.org/about/press_release/03_04_09.php.
[15] Gmail, http://mail.google.com (last visited Mar. 17, 2009).
[16] Google Docs, http://docs.google.com (last visited Mar. 17, 2009).
[17] Google Desktop, http://desktop.google.com (last visited Mar. 17, 2009).
[18] Picasa Web Albums, http://picasaweb.google.com (last visited Mar. 17, 2009).
[19] Google Calendar, http://www.google.com/calendar (last visited Mar. 17, 2009).
[20] Saul Hansell, AOL’s Luddites Love Their E-Mail More Than Google’s Geeks, N.Y. Times, Sept. 12, 2008 available at http://bits.blogs.nytimes.com/2008/09/12/aols-luddites-love-their-e-mail-more-than-googles-geeks.
[21] “Happy 2nd Anniversary, Google Docs & Spreadsheets,” Nov. 13, 2008 available at http://blog.compete.com/2008/11/13/google-docs-spreadsheets-microsoft-office.
[22] Id.
18. The permanent transfer of the user’s data, from devices and servers within the control of the user, to Google has profound implications for privacy and security.[23]
19. Google routinely represents to consumers that documents stored on Google servers are secure. For example, the homepage for Google Docs states “Files are stored securely online” (emphasis in the original) and the accompanying video provides further assurances of the security of the Google Cloud Computing Service.[24]
20. Google also explicitly assures consumers that "Google Docs saves to a secure, online storage facility ... without the need to save to your local hard drive."[25]
[23] See, e.g., World Privacy Forum, “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing,” Feb. 26, 2009, http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf
[24] “Welcome to Google Docs,” https://docs.google.com/ (last visited Mar. 8, 2009).
[25] "Getting to know Google Docs: Saving your docs," http://docs.google.com/support/bin/answer.py?answer=44665&topic=15119 (last visited Mar. 11, 2009); see also "Getting to know Google Docs: Saving your presentation," http://docs.google.com/support/bin/answer.py?hl=en&answer=69074 (last visited Mar. 11, 2009).
21. Google encourages users to "add personal information to their documents and spreadsheets," and represents to consumers that "this information is safely stored on Google's secure servers." Google states that "your data is private, unless you grant access to others and/or publish your information."[26]
22. Google represents to consumers, "Rest assured that your documents, spreadsheets and presentations will remain private unless you publish them to the Web or invite collaborators and/or viewers."[27]
[26] "Privacy and security: Keeping data private," http://docs.google.com/support/bin/answer.py?hl=en&answer=87149 (last visited Mar. 11, 2009).
[27] "Privacy and security: Privacy and security of your content," http://docs.google.com/support/bin/answer.py?answer=37615&ctx=sibling (last visited Mar. 11, 2009).
23. However, Google's Terms of Service explicitly disavow any warranty or any liability for harm that might result from Google’s negligence, recklessness, mal intent, or even purposeful disregard of existing legal obligations to protect the privacy and security of user data.[28]
Google's Cloud Computing Services – Known Flaws
24. On March 7, 2009, Google disclosed user-generated documents saved on its Google Docs Cloud Computing Service to users of the service who lacked permission to view the files (the "Google Docs Data Breach").[29] This is just one of many examples of known flaws with Google’s Cloud Computing Services. For example:
• In January 2005, researchers identified several security flaws in Google's Gmail service. The flaws allowed theft of "usernames and passwords for the 'Google Accounts' centralised log-in service" and enabled outsiders to "snoop on users' email."[30]
• In December 2005, researchers discovered a vulnerability in Google Desktop and the Internet Explorer web browser.[31] The security flaw exposed Google users' personal data to malicious internet sites.[32]
• In January 2007, security experts identified another security flaw in Google Desktop. The vulnerability "could enable a malicious individual to achieve not only remote, persistent access to sensitive data, but in some conditions full system control."[33]
[28] Google Terms of Service (“14. Exclusion of Warranties,” “15. Limitation of Liability”), http://www.google.com/accounts/TOS?hl=en
[29] “On Yesterday’s email,” Mar. 7, 2009, available at http://googledocs.blogspot.com/2009/03/on-yesterdays-email.html; see also “Google Discloses Privacy Glitch,” The Wall Street Journal, Mar. 8, 2009, available at http://blogs.wsj.com/digits/2009/03/08/1214.
[30] John Leyden, Google plugs brace of GMail security flaws, The Register, Jan. 17, 2005 available at http://www.theregister.co.uk/2005/01/17/google_security_bugs.
[31] Google Desktop Exposed: Exploiting an Internet Explorer Vulnerability to Phish User Information, Matan Gillon, Nov. 30, 2005 available at http://www.hacker.co.il/security/ie/css_import.html; see also Andrew Orlowski, Phishing with Google Desktop, The Register, Dec. 3, 2005 available at http://www.theregister.co.uk/2005/12/03/google_desktop_vuln.
25. Computer security expert Greg Conti observes that data breaches at Google are particularly problematic relative to other Cloud Computing Services providers: "Google is an even bigger target because of the amount of data it has."[34] (emphasis in the original).
26. Furthermore, users face risks posed by the very nature of Cloud Computing Services:
By placing applications, and their data files, on centralized servers, we lose control of our data. Critical information that was once safely stored on our personal computers now resides on the servers of online companies.... With [Cloud Computing Services], we could find both access to the application and our data at risk by placing both in the hands of a third party.[35]
THE FTC'S AUTHORITY TO REGULATE UNFAIR AND DECEPTIVE TRADE PRACTICES
27. Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), prohibits unfair or deceptive acts or practices in or affecting commerce.
28. The Federal Trade Commission (“FTC”) generally identifies three factors that support a finding of unfairness: whether the practice injures consumers, whether it violates established public policy, and whether it is unethical or unscrupulous.[36] A practice is “unfair” if: a) it causes substantial injury to consumers; b) the harm is not outweighed by any countervailing benefits; and c) the harm is not reasonably avoidable.[37]
[32] Id.
[33] Watchfire Discovers Google Desktop Vulnerability That Hackers Could Exploit to Gain Full System Control, Press Release, Feb. 21, 2007 available at http://web.archive.org/web/20070223064417/http://www.watchfire.com/news/releases/02-21-07.aspx; see also Yair Amit, Danny Allan, and Adi Sharabani, Overtaking Google Desktop, 2007 available at http://web.archive.org/web/20070223064417/http://download.watchfire.com/whitepapers/Overtaking-Google-Desktop.pdf.
[34] GREG CONTI, GOOGLING SECURITY at 19 (2009).
[35] Id. at 15.
[36] Fed. Trade Comm’n Policy Statement on Unfairness (Dec. 17, 1980), available at http://www.ftc.gov/bcp/policystmt/ad-unfair.htm.
29. Google's inadequate security practices, and the resultant Google Docs Data Breach, caused substantial injury to consumers, without any countervailing benefits.
30. The harm was reasonably avoidable, in that the damage could have been avoided or mitigated by the adoption of commonsense security practices, including the storage of personal data in encrypted form, rather than in clear text.
31. Deception occurs under Section 5 if there is a material representation, omission, or practice that is likely to mislead reasonable consumers.[38] The FTC Policy Statement on Deception states that the Commission analyzes deceptive business practices under the following rubric:
a) There must be a representation, omission or practice that is likely to mislead the consumer. This includes the "use of bait and switch techniques."[39]
b) The practice is examined from the perspective of a reasonable person in the circumstances. If the practice "is directed primarily to a particular group," such as Internet users, "the Commission examines reasonableness from the perspective of that group."[40]
c) The representation, omission or practice must be a material one, i.e. it is likely to affect the consumer’s conduct or decision regarding the product or service.[41]
32. Google made material representations that misled consumers regarding its security practices, and users reasonably relied on Google's promises.
33. As demonstrated by the Google Docs Data Breach, Google's material representations were deceptive.
[37] Orkin Exterminating Company, Inc. v. FTC, 849 F.2d 1354, 1364 (11th Cir. 1988).
[38] Fed. Trade Comm’n, Policy Statement on Deception, Oct. 14, 1983, available at http://www.ftc.gov/bcp/policystmt/ad-decept.htm.
[39] Id.
[40] Id.
[41] Id.
PREVIOUS FTC DATA SECURITY ACTIONS
34. Under its Section 5 authority, the FTC has "brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information."[42]
35. The Commission has also "used its unfairness authority to challenge information practices that cause substantial consumer injury."[43]
36. On March 27, 2008, FTC Chairman Deborah Platt Majoras stated:
By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure … the FTC has charged companies with security deficiencies in protecting sensitive consumer information [on more than 20 occasions]. Information security is a priority for the FTC, as it should be for every business in America.[44]
The Choicepoint Settlement
37. In 2005, the Commission determined that ChoicePoint’s failure to employ reasonable security policies compromised the sensitive personal data of more than 163,000 consumers.[45]
38. On January 26, 2006, the Commission announced the settlement of its case against ChoicePoint, requiring the company to implement a comprehensive information security program, obtain independent security audits for twenty years, and pay $10 million in civil penalties and $5 million in consumer redress.
[42] Federal Trade Comm'n, Enforcing Privacy Promises: Section 5 of the FTC Act, http://ftc.gov/privacy/privacyinitiatives/promises.html; see, e.g. In the matter of Genica Corp., Federal Trade Comm'n File No. 0823113 (Feb. 5, 2009) (Agreement Containing Consent Order) available at http://ftc.gov/os/caselist/0823113/090125genicaagree.pdf; In the matter of the TJX Companies, Inc., Federal Trade Comm'n File No. 0723055 (Mar. 27, 2008); In the matter of Reed Elsevier Inc. and Seisint, Inc., Federal Trade Comm'n File No. 0523094 (Mar. 27, 2008) (Agreement Containing Consent Order) available at http://www.ftc.gov/os/caselist/0523094/080327agreement.pdf; In the matter of Choicepoint, Inc., Federal Trade Comm'n File No. 0523069 (Jan. 26, 2006) (Stipulated Final Judgment) available at http://www.ftc.gov/os/caselist/choicepoint/0523069stip.pdf.
[43] Id.
[44] Federal Trade Comm'n, Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers’ Data (Mar. 27, 2008), http://www.ftc.gov/opa/2008/03/datasec.shtm.
[45] U.S. Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress, January 26, 2006, available at: http://www.ftc.gov/opa/2006/01/choicepoint.shtm.
The TJX, Reed Elsevier, and Seisint Consent Orders
39. On March 27, 2008, the FTC obtained consent orders against The TJX Companies, Inc., Reed Elsevier, Inc., and Seisint, Inc.[46] The orders arose from the companies' failures to provide reasonable security to protect sensitive customer data, and the resulting data breaches.[47]
40. The Commission charged that TJX "created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text."[48]
41. The orders require that the companies implement comprehensive information security programs and hire independent third-party security professionals to review the programs biennially for twenty years.[49]
The Compgeeks.com Consent Order
42. On February 5, 2009, the FTC obtained a consent order against Compgeeks.com.[50] The order arose from a FTC complaint that the company "fail[ed] to provide reasonable security to protect sensitive customer data," and the resulting data breaches.[51]
43. The order requires the company to implement "a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers," and obtain biennial security audits for twenty years.[52]
[46] Federal Trade Comm'n, Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers’ Data (Mar. 27, 2008), http://www.ftc.gov/opa/2008/03/datasec.shtm.
[47] Id.
[48] Id.
[49] In the matter of the TJX Companies, Inc., Federal Trade Comm'n File No. 0723055 available at http://www.ftc.gov/os/caselist/0723055/080327agreement.pdf; In the matter of Reed Elsevier Inc. and Seisint, Inc., Federal Trade Comm'n File No. 0523094 available at http://www.ftc.gov/os/caselist/0523094/080327agreement.pdf.
[50] Federal Trade Comm'n, Consumer Electronics Company Agrees to Settle Data Security Charges; Breach Compromised Data of Hundreds of Consumers (Feb. 5, 2009), http://ftc.gov/opa/2009/02/compgeeks.shtm.
[51] Id.
GOOGLE’S INADEQUATE SECURITY IS AN UNFAIR BUSINESS PRACTICE
44. Google provides Cloud Computing Services to millions of consumers, and encourages consumers to store personal, sensitive information on the services.
45. Prior to the Google Docs Data Breach, Google knew that Cloud Computing Services are susceptible to data breaches.
46. Google knew that disclosure of personal user data could cause substantial injury to consumers, without any countervailing benefits.
47. Google was aware that commonsense security measures, including storing user data in encrypted form, rather than in clear text, could reduce the likelihood and extent of consumer injury.
48. Google knew that a data breach could expose sensitive user data stored on Google Cloud Computing Services. But the company created an unnecessary risk to users' data by employing unreasonable security practices, including the storage and transmission of personal information on its computer network in clear text.
49. As a result of Google's inadequate security practices, the Google Docs Data Breach exposed consumers' personal information to other users of Google's cloud computing service.
GOOGLE’S INADEQUATE SECURITY IS A DECEPTIVE TRADE PRACTICE
50. As described above, Google encourages consumers to save personal data to the company's Cloud Computing Services, and repeatedly assures users that it will safeguard their information.
51. Consumers had every reason to rely on Google's explicit security promises, and such assurances go to the heart of consumers' concerns regarding Cloud Computing Services.
52. Consumers' justified privacy expectations were dashed by the Google Docs Privacy Breach, an incident that exposed users' personal information.
[52] In the matter of Genica Corp., Federal Trade Comm'n File No. 0823113 available at http://ftc.gov/os/caselist/0823113/090125genicaagree.pdf.
CONCLUSION
53. The Google Docs Data Breach highlights the hazards of Google's inadequate security practices, as well as the risks of Cloud Computing Services generally. The recent growth of Cloud Computing Services signals an unprecedented shift of personal information from computers controlled by individuals to networks administered by corporations. Data breaches concerning Cloud Computing Services can result in great harm, which arises from the centralized nature of the services and large volume of information stored "in the cloud." Past data breaches have resulted in serious consumer injury, including identity theft. As a result of the popularity of Cloud Computing Services, data breaches on these services pose a heightened risk of identity theft. The FTC should hold accountable the purveyors of Cloud Computing Services, particularly when service providers make repeated, unequivocal promises to consumers regarding information security.
REQUEST FOR RELIEF
54. Open an investigation into Google's Cloud Computing Services, specifically concerning:
a. the adequacy of Google's privacy and security safeguards regarding storage of personal information on its Cloud Computing Services; and
b. the sufficiency of Google's privacy and security safeguards in light of the company's assurances to consumers regarding its Cloud Computing Services.
55. Require Google to revise its Terms of Service with respect to Cloud Computing Services, including but not limited to Gmail, Google Docs, Google Desktop, Picasa, and Google Calendar, so as to make clear the company’s ongoing, affirmative obligations to safeguard the security and privacy of the data that it obtains.
56. Compel Google to make its information security policies more transparent, and to disclose all incidents of data loss or data breach to the Federal Trade Commission.
57. Enjoin Google from offering Cloud Computing Services until safeguards are verifiably established.
58. Compel Google to contribute $5,000,0000 to a public fund that will help support research concerning privacy enhancing technologies, including encryption, effective data anonymization, and mobile location privacy.
EPIC reserves the right to supplement this petition as other information relevant to this proceeding becomes available.
Respectfully submitted,
Marc Rotenberg, esq.
EPIC President
John Verdi, esq.
EPIC Counsel
Anirban Sen, esq.
EPIC Fellow
ELECTRONIC PRIVACY INFORMATION CENTER
1718 Connecticut Ave., NW Suite 200
Washington, DC 20009
202-483-1140 (tel)
202-483-1248 (fax)
March 17, 2009