Post-Snowden, cloud is still the future. But it’s hard to trust privacy controls.
Almost since its launch, I’ve been a paying subscriber to Google’s email service.
Google are one of the good guys. They changed the world. Without them, life would be worse. Email would be a spam-fuelled nightmare of viruses, with truckloads of digital rubbish at the top of the in-box and important communications lost forever. Search would be the one way to make sure you never find what you’re looking for – the haystack to go with the needle. Online advertising would still be flashing banner ads offering online meds and adult dating, with an epileptic fit thrown in for free.
In fact, Google are so good, I picked them as a solutions partner when I set up an internet company in the early 2000s. It was a good call.
But the world had changed. Five years ago, cloud computing providers only had to show your data was safe from the recognised threat agents of the time — criminals, competitors, and kids. That they did.
They never pretended to keep your data safe from governments. They can’t, and that would be an unreasonable expectation in any case.
There has always been an unwritten rule for online personal data — that companies asking us to trust them with our data will only release that data when required to do so, and will tell us how often that happens so we can understand the risk we accept.
Google are good at that. They challenge government requests, often successfully. They produce an annual report telling us just what requests they get.
However they knew more than they were telling, and over the years that has built up into a major disconnect between the world they are able to share, the world they legally can’t, and the world nobody — at least officially — even knew about.
What use is a report detailing government requests for data, when the governments concerned bypass that process by intercepting the data in transit or simply require the company not to say when a request has been received?
Very little is the answer. False assurance makes you feel comfortable when you shouldn’t be, and it’s a major issue with security reporting generally.
To be fair to Google, they told us this was the case. They told us, for example, that some requests could not be reported — even statistically. We knew there was a gap, but we thought it was a small one.
Post-Snowden, it turns out to be a big one.
Whilst controls are of course in place over the state data collection programmes we now know about, we also know that there are weaknesses with these controls or their governance and oversight which limit how much confidence we can have in them.
So whilst I’m not really too concerned if my government knows where I’m meeting my wife for lunch or what I bought on Amazon last week, I’d rather they only looked if they have a legitimate reason to do so. I’m a private citizen, not a soap opera for spooks.
If you believe that some level of privacy is desirable – and you don’t have to — this is all good reason to be concerned. But it still wasn’t — yet — the smoking gun that made it time to say goodbye to one of the best cloud email services available today. Would another provider be better? It was hard to say.
The smoking gun was discovered thanks to the statement the company made about privacy in their recent court filing. One sentence that would undermine customer confidence for any cloud services provider, namely that:
“a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”
In fairness Google simply quoted a ruling in a previous court case, but it is enough. By using it in their defence they expressed agreement with it.
Claiming that UK data protection law does not apply to a service provided in the UK — to UK citizens on contracts signed in Britain by a company with a local presence — compounds the matter. Legally they may be justified in their stance, but you’d only argue the applicability if you didn’t like the obligations.
So here’s the truth: if I choose to share my data with you so you can process it for me, I do so in the expectation that my privacy will be respected and assured to the extent possible to do so. I understand that you will process that data as I asked you to do in the contract I signed, but I expect you to protect my privacy when you do that. I expect that data to be kept private unless the law dictates otherwise, and I expect you to understand why that is important to me.
My expectation of privacy is not just legitimate, it’s the bedrock on which our relationship is founded. This is not because I have something to hide, but because it’s mine. It’s my data, or my company’s data. It’s not my cloud provider’s data and that should be respected in both word and deed.
And here’s the nub of the issue: it’s clear that for all their technical controls, reporting and good intent, at the end of the day Google don’t really believe it matters. If they did, they’d never have made the argument in court, and they’d have jumped on the opportunity to show respect for national data protection legislation.
Some years ago, a jeweller called Gerald Ratner stood up and compared his company’s jewellery to a prawn sandwich. The sandwich, he declared, would last longer. And that was the end of his business. It may well have been true, but when you buy someone jewellery it’s an important thing, whatever your budget. Diamonds may be forever, but so in the minds of his customers were mass-produced costume earrings. He didn’t understand their values.
In recent weeks, we’ve discovered that Google — along with other US based hosted email providers — have also misunderstood their customers’ values. They failed to understand that cloud services depend on consumers and businesses sharing virtually everything about themselves with their cloud partner. That’s more than a commercial relationship — it’s a marriage, and regardless of contract terms it stands or falls on trust.
It was a Ratnerism on the grandest scale.
And that’s the endgame. What was missing from our relationship before was a shared understanding, and the post-9/11 legislative environment made Google blameless in that.
Take away the trust, however, and you know the relationship is over.
It turns out we just had different values all along.