Send in the Clowns Part Deux: Nailing Down Privacy Issues on Google’s Government Apps

MTP readers will remember the dynamic head of Security for Google Apps, Eran Raven a/k/a Eran Feigenbaum:

In October and November 2007, Raven was one of ten mentalist contestants on the primetime NBC series Phenomenon, which was hosted by Tim Vincent and judged by Criss Angel and Uri Geller.

Isn’t that just too awesome?  Criss Angel and Uri Geller.  Now there’s a twofer.

So what is interesting about this is that Mr. Raven-Feigenbaum’s role at Google appears to be placing him in direct contact with information flowing through U.S. Government agencies–through apps.  How could that be, you say?  How could Google get its hands on U.S. Government data?  Wouldn’t the government’s privacy policy be called–classified?  Requiring a security clearance, not a nailgun?

SafeGov.org has an interesting take on how Google’s new privacy policy opens up government data to…Google.

…[T]he more important question raised by [Google’s] new privacy policy, in our view, was whether it is compatible with the growing adoption of Google Apps for Government (GAFG) by Federal, State and Local governments. As consenting adults, consumers arguably have the right to let corporations track their web activity and data mine their content in exchange for the privilege of using a valuable computer service at no monetary cost. But when a government agency contracts and pays for the same service, one wants to be certain that it is a safe and secure repository for government data. The idea that the cloud provider is still entitled to exploit user content and web behavior for advertising purposes – as the Google Privacy Policy explicitly allows – remains controversial.

SafeGov.org raised the issue of the privacy policy’s impact on government users in a statement issued on our web site. To its credit, Google immediately reacted by agreeing with us.  Google VP of Enterprise Amit Singh told The Washington Post and other publications that “enterprise customers” who use GAFG have individual contracts defining how Google could handle and store their data. These enterprise contracts, he insisted, “have always superseded Google’s Privacy Policy….”

Unfortunately, it now appears that Google’s assertion that its government contracts “supersede” the privacy policy may not entirely accord with the facts. We have recently discovered a certain number of published GAFG contracts not only contain no language stating that they “supersede” or in any way invalidate the privacy policy, but actually point directly to the policy on Google’s web site and explicitly incorporate it into their text.

Technewsworld highlighted the problem:

Google’s consumer privacy policies may make some users squirm, but those policies could be downright unacceptable if applied to government workers who use Google services thanks to the company’s contracts with public institutions.

So it looks like government work might end up passing through Google Apps subject to Google’s consumer privacy policy (which basically allows Google to slice and dice the data pretty much at will).  According to Computerworld, “…Google government contracts in [and apparently with the States of] Illinois. California and Texas that clearly appear to be governed by the general consumer privacy policy.”

Which sounds like security for any apps involved would be in the capable hands of Mr. Raven.

Thank goodness he has it all nailed down.