On March 17, 2009, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC asking the agency to open an investigation into Google’s cloud computing services, through which Google provides data storage and applications to users who can access these services remotely over the Internet. Specifically, EPIC alleged that Google violated Section 5 of the FTC Act by failing to implement adequate security measures to protect user data and by misrepresenting the actual security of user data in its Terms of Service.
Google hosts a number of cloud computing services on its servers, including its Webbased e-mail (Gmail), online document storage and editing (Google Docs), integrated desktop and Internet search (Google Desktop), online photo storage (Picasa Web Albums), and scheduling (Google Calendar) services.
According to EPIC, Google routinely represents to customers that data stored on its servers is private and secure, yet disavows any warranty or liability for harm that might result from Google’s “negligence, recklessness, mal intent, or even purposeful disregarding of existing legal obligations to protect the privacy and security of user data.”
Highlighting a March 7 breach during which user data stored on Google Docs was temporarily exposed to unauthorized users, among other alleged security flaws, EPIC urged the FTC to find that Google committed both unfair and deceptive trade practices under Section 5. First, EPIC claimed that Google’s inadequate security practices constitute an unfair trade practice by creating an unreasonable and avoidable risk to user data. In failing to implement commonsense securing measures— such as storing user data in encrypted form, which EPIC claimed is a standard followed by many cloud computing services— EPIC contended that Google creates an unreasonable risk of consumer injury realized by the March 7 breach.
Second, EPIC claimed that Google’s actions constitute a deceptive trade practice by misleading consumers about the security of user data stored on its servers. EPIC asserted that Google’s numerous representations about security were deceptive in light of the March 7 breach that “dashed” users’ justified privacy expectations. EPIC concluded by emphasizing generally the risks associated with cloud computing services. Given the increasing popularity of such services and the massive amount of data they consolidate in a centralized location,
EPIC argued that data breaches can lead to serious and widespread consumer injury, including a heightened risk of identity theft, and that the FTC should hold Google accountable for inadequately performing its duty to protect consumer data.
EPIC requested many forms of relief, including that the FTC: (1) determine the adequacy of Google’s privacy and security safeguards; (2) assess the representations made by Google regarding these services; (3) require Google to revise its Terms of Service; (4) compel Google to make its information security policies more transparent; (5) enjoin Google from offering cloud computing services until safeguards are verifiably established; and (6) compel Google to contribute $5 million to a public fund that will help support research concerning privacy enhancing technologies.
In a March 18 letter, posted on EPIC’s Web site, the FTC thanked the organization for its complaint and indicated its interest in setting up a meeting with EPIC leadership to discuss the issue further.