Risk
4/27/2012
09:24 AM
Connect Directly
RSS
E-Mail
50%
50%

Google Drive Privacy: 4 Misunderstood Facts

Privacy and security questions have bedeviled the launch of Google's new online file-storage service. Ignore the hype and consider these four key facts.

Oracle v. Google: Tour The Evidence
Oracle v. Google: Tour The Evidence
(click image for larger view and for slideshow)
When people upload a file to the new Google Drive online file-storage service, who owns the file?

For answers, one might turn to the unified terms of service that cover all Google products: "When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations, or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display, and distribute such content."

In other words, Google appears to reserve the right to do anything it pleases with uploaded data. Or does it?

With such questions now bedeviling Google Drive, here are four privacy--and file-ownership--facts about the new service.

[ Is proposed Cyber Intelligence Sharing and Protection Act (CISPA) a threat to your privacy? Read CISPA Bill: 5 Main Privacy Worries. ]

1. Google's All-In-One Privacy Policy Creeps People Out

Google's terms of service--which applies to all of the company's "Services"--seems quite wide-reaching. So, does that mean that Google would actually take people's content and reuse it? "I'm sure that the assertion of perpetual, worldwide rights over their customers' intellectual property and the use cases of promoting, improving, or developing new services based on that content is just the result of over-zealous lawyers attempting to head any potential future lawsuit off at the proverbial pass, rather than an outright attempt to go against their in formal motto, 'Don't be evil,'" said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post.

2. Google Doesn't Own People's Files

With such comments accompanying the launch of Google Drive, the company moved quickly to issue a statement clarifying what its terms of service means. "As our Terms of Service make clear, 'what belongs to you stays yours,'" according to the statement. "You own your files and control their sharing, plain and simple. Our Terms of Service enable us to give you the services you want--so if you decide to share a document with someone, or open it on a different device, you can."

3. Competing Services Offer Similar Privacy Policies

Services such as Dropbox, Apple's iCloud, and Microsoft's SkyDrive differ in that they only detail the terms of service for a single service, as opposed to Google, which uses a single privacy policy to cover everything from Gmail, Google+, Google Docs, and in the future, even the merger between Google Drive and Chrome OS.

But in a close reading of Google Drive competitors' privacy policies, The Verge found that they essentially reserve the same types of rights for themselves--only "they just use slightly more artful language to communicate them." Or as the Microsoft SkyDrive terms of service put it: "Your content remains your content."

4. Files Hosted In Cloud Face Certain Security Risks

Are fears over what Google might do with people's Drive files overblown? From a privacy standpoint, the Electronic Frontier Foundation's media relations director and digital rights analyst, Rebecca Jeschke, told Ars Technica that many users of cloud-based file storage and sharing services would do well to remember past cyberlocker takedowns. "In light of Megaupload, it's possible that users are worried about the wrong thing," she said. Notably, uploaded files might get lost, stolen, exposed, made irretrievable, or even obtained directly from the service provider with a court order, perhaps without the owner's knowledge.

In other words, would-be users of online file storage services should weigh more than just Google's privacy policy before trusting their files to the cloud. And in the words of the Microsoft SkyDrive terms of service: "If you don't agree, don't use the service. Thanks."

InformationWeek is conducting a survey to determine where enterprises stand on their IPv6 deployments, with a focus on security, training, budget, and readiness. Upon completion of our survey, you will be eligible to enter a drawing to receive a 16-GB Apple iPad. Take our D-Day for IPv6 Survey now. Survey ends May 11.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
NJ Mike
50%
50%
NJ Mike,
User Rank: Apprentice
5/1/2012 | 12:11:21 PM
re: Google Drive Privacy: 4 Misunderstood Facts
I have this neat little thing called a "thumb drive". I just put it into a thing called a "USB Port" on my computer, and I can save files directly onto this "thumb drive". I can then disconnect it, and it is small enough to fit in my pocket. I can than go to any other computer that has a "USB Port", put it in there, and access these files.

While I do have to pay money for the "thumb drive", it doesn't come with a privacy policy. The only problem is, when other people start talking about their "cloud stategy", I have nothing to say.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/30/2012 | 6:49:25 PM
re: Google Drive Privacy: 4 Misunderstood Facts
I would think that most companies big enough to have legal counsel on staff would be looking at implementing their own private cloud on some scale anyway, so the reading of the Google TOS with regards to Google Docs would be moot. And even in the case that companies would be looking to use Google's services, I'm pretty sure that most people are smart enough not to put anything out there that's copyrighted. Now, the question that I've always asked goes back to the idea of trust. Let's say that you're an organization that is leveraging Google (or Microsoft) for cloud services - and you're working on a project that Google (or Microsoft) has their eyes on with regards to some developing technology. What happens when Google (or Microsoft) gets that technology to market before you do? Chalk it up to simply being slow in developing, coincidence or is there something more sinister at work there?

The big problem that I see is more along the lines of personal usage by private individuals. With Google (and Microsoft) in the Internet advertising business, what would it take for them to simply scan your documents, pull a few key words and start focusing their advertising on the contents of your documents? They would have the inside track on marketing to what you are (or might possibly be, as per your uploaded content) looking for.

I can see how this gets into some seriously sticky situations down the road... it's not going to be pretty until everything gets all shaken out.

Andrew Hornback
InformationWeek Contributor
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/30/2012 | 6:37:59 PM
re: Google Drive Privacy: 4 Misunderstood Facts
@paperlessme - that's indeed true, everyone is tracking you because they're looking to make a buck, or penny, or fraction of a penny off of your on-line behaviors... what you surf, what you read, what you listen to - anything that you consume from the Internet. There's BIG business in doing that, otherwise why would the IAB (iab.net) exist?

Andrew Hornback
InformationWeek Contributor
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/30/2012 | 6:35:40 PM
re: Google Drive Privacy: 4 Misunderstood Facts
@gws-tex - as a corollary to your comment... if you don't want it shared, ... - don't digitize it and put it on a system with an active Internet connection (unless you're willing to secure the daylights out of your system, be vigilant and hope that you outfox the rest of the world that's trying to get your data).

Andrew Hornback
InformationWeek Contributor
ANON1237925156805
50%
50%
ANON1237925156805,
User Rank: Apprentice
4/30/2012 | 6:16:50 PM
re: Google Drive Privacy: 4 Misunderstood Facts
I agree that this is the big risk and the neither political party has the right mindset to address it.

Re the cloud providers themselves we can quibble till the cows come home over whether Google's TOS gives it more, fewer or the equivalent loopholes to infringe on our privacy the competition.

The reality when an individual deals with a cloud vendor is that me David, they Goliath. If they do infringe I have to sue after the fact. At that point the language may or may not protect me but where it my confidential data?

My conclusion on both fronts? Common sense. Backing up non-confidential stuff can be very convenient. Backing up a password protected file or two temporarily to make remote access while travelling easy, probably a reasonable risk if you can delete it and wipe it when you're done. Everything else, keep it local and create secure remote access.

Eventually there will be legal tests of this language. That-alas-is when the road forward will become clear.
Tom Mariner
50%
50%
Tom Mariner,
User Rank: Apprentice
4/30/2012 | 1:38:32 PM
re: Google Drive Privacy: 4 Misunderstood Facts
"Obtained directly from the service provider with a court order, perhaps without the owner's knowledge." Now we are getting to the real danger!! We have a government of lawyers and their ethic says that if there is any information anywhere that will help their case, they want it to make sure their side wins. Yeah, it starts with "national security". Then with that as a precedent, it becomes criminal, any criminal, and finally civil in quick order. You being accused of a parking ticket will be sufficient for your neighborhood lawyer to snoop every file you have stored "in the cloud". Don't get me started on divorce actions or political campaigns.

So we have decisions -- if we want people and companies to take advantage of this great "cloud" tool, we are going to have to erect impenetrable barriers, even by national security to the same level as if the data were stored on servers deep in the bowels of your building. Or we could keep our attorneys lazy and earning great fees for easy data retrieval. And Google, Microsoft, etc. remember that when that divorce lawyer or music attorney comes after Millie Housewife for downloading two Beetles songs, they're going to come after you too for storing them -- and their normal penalty will be a big fraction of your net worth -- and with a jury trial, a bunch of civilians are going to make the decision -- a 50 / 50 chance -- until a new privacy law is passed or you get out of the "cloud" business.
ebest542
50%
50%
ebest542,
User Rank: Apprentice
4/29/2012 | 9:57:33 PM
re: Google Drive Privacy: 4 Misunderstood Facts
The ability of Google to modify and make decisions about uploaded content without your intervention, is definitionally taking a form of copyright control. I wish there was free online storage as another backup but online storage of intellectual property is approaching Russian Roulette: trust on the internet is like trusting a hairdresser who likes bald heads.
YMOM100
50%
50%
YMOM100,
User Rank: Apprentice
4/29/2012 | 9:35:29 PM
re: Google Drive Privacy: 4 Misunderstood Facts
https://www.google.ca/intl/en/...

"Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours."

Oops, I guess you'll have to delete all of that comment, mostly because you couldn't be bothered to research this.

The only way Google will be able to reproduce, prepare derivative works on, distribute, perform, display is if YOU tell them to.

This is part of their unified Terms Of Service / Privacy Policy, so if you're really worried about this (and choose to continue ignoring) -- feel free to remove all your content from Youtube, Google Docs, Gmail, etc. There's Google Takeout for that, if you don't feel comfortable.

I certainly hope that whatever product you use in place of Google is as forthcoming and open about their practices; most zealots will grasp at skewed articles and take them as truths -- ignoring the previous practices.
bobz..1
50%
50%
bobz..1,
User Rank: Apprentice
4/29/2012 | 3:52:25 PM
re: Google Drive Privacy: 4 Misunderstood Facts
Ownership under copyright law is often unhelpful in understanding the effects of a copyright transaction.

What does GǣownershipGǥ of a copyrights mean? Under U.S. Copyright law, the owner of a copyright has the exclusive right to do and to authorize others to do the following:

GTo reproduce the work in copies or phonorecords;
GTo prepare derivative works based upon the work;
GTo distribute copies or phonorecords of the work to the public by sale or other transfer of ownership, or by rental, lease, or lending;
GTo publicly perform the work, in the case of literary, musical, dramatic, and choreographic works, pantomimes, and motion pictures and other audiovisual works, and sound recordings by means of digital audio transmission;
GTo publicly display the work, in the case of literary, musical, dramatic, and choreographic works, pantomimes, and pictorial, graphic, or sculptural works, including the individual images of a motion picture or other audiovisual work.

Under the Google license, the owner of the content has granted Google these rights:

"When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations, or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display, and distribute such content."

Of the five exclusive rights that comprise copyright ownership, Google has been granted a license to exercise all five rights. Google can do anything with your content that you can do with your content other than sue people for copyright infringement. You no longer have any control over how your content is used G what you give to Google can be used by Google as Google (Gǣand those we work withGǥ G whoever that might be) without limitation.

Under the Microsoft license, the owner of the content has granted Microsoft these rights:

"You control who may access your content. If you share content in public areas of the service or in shared areas available to others you've chosen, then you agree that anyone you've shared content with may use that content. When you give others access to your content on the service, you grant them free, nonexclusive permission to use, reproduce, distribute, display, transmit, and communicate to the public the content solely in connection with the service and other products and services made available by Microsoft. If you don't want others to have those rights, don't use the service to share your content.
You understand that Microsoft may need, and you hereby grant Microsoft the right, to use, modify, adapt, reproduce, distribute, and display content posted on the service solely to the extent necessary to provide the service."

The rights that you grant Microsoft are solely to enable the access that you control; sharing, if any, what you have chosen to share with those you have chosen. Microsoft is only claiming a license to do the tasks required to implement the control you have decided upon.

Comparing the Google license to the Microsoft license demonstrates the fact that GǣowningGǥ your stuff really doesnGt explain the rights to the stuff. Google exercises all the rights of ownership without limitation as Google sees fit without regard to your desires. The recently released FTC report on Google Street View suggests that GǣdonGt be evilGǥ is a fig leaf, not a mission statement. Microsoft exercises rights of ownership to implement your wishes.

Copyright is about control. While the words used by Google and Microsoft are similar, the results are not the same. Under the Google license, Google has control equal to the ownerGs control. Under MicrosoftGs license, control is retained by the owner.
paperlessme
50%
50%
paperlessme,
User Rank: Apprentice
4/29/2012 | 2:46:10 PM
re: Google Drive Privacy: 4 Misunderstood Facts
Forget about privacy today. Everyone is tracking you in this connected world, not just your friends. Still, it remains simple to lock the door when we use public restrooms and have some privacy. Just as easy it is to encrypt your private data when placing it in the public domain. There are plenty of free tools to help us along - check out "Google docs encrypt file"
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4973
Published: 2014-09-23
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.

CVE-2014-5392
Published: 2014-09-23
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.

CVE-2014-6646
Published: 2014-09-23
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6647
Published: 2014-09-23
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6648
Published: 2014-09-23
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio