March 18th, 2009
EPIC claim on Google Docs rings hollow
In the aftermath of a security boo-boo, in which a “a very small percentage” of Google Docs users had their documents exposed to the worldunintended collaborators, the Electronic Privacy Information Center has officially asked the Federal Trade Commission to investigate whether Google engages in deceptive business practices.
Here’s the argument: Google has advertised Google Docs “files are stored securely online.” At least some of those docs were not secure. Therefore, Google engages in deceptive marketing and business practices.
Seems a little overly simplistic, hm? Under this regime, any security breach - ever - by a cloud computing company opens them up to a claim of deceptive business practices. Let’s look at the legal standards
A practice is “unfair” if: 1) it causes substantial injury to consumers; b) the harm is not outweighed by any countervailing benefits;
and c) the harm is not reasonably avoidable.
EPIC says Google is clearly unfair: the leak caused injury to consumers, the harm in not outweighed and the harm was not avoidable. But the standard is “substantial” injury. And while it’s not nice to have your private data exposed online, there have been no assertions I’m aware of that anyone suffered any real, monetary damage from the leak. There certainly are countervailing benefits: the use of the cloud service for creating, collaborating and sharing documents. I don’t dispute the third factor — there’s nothing consumers could have done to avoid injury from the leak (short of not using Google’s service.)
Next up: What’s the definition of “deceptive business practices”?
a) A representation, omission or practice that is likely
to mislead the consumer.
b) The practice is examined from the perspective of a reasonable
person in the circumstances. If the practice “is directed primarily to a
particular group, the Commission examines
reasonableness from the perspective of that group.”
c) The representation, omission or practice must be a material one, i.e.,
it is likely to affect the consumer’s conduct or decision regarding the
product or service.
(a) Computer security can’t be a zero-tolerance activity. You can’t say, you can never, ever have any security glitch or else your advertising will be deceptive. (b) EPIC would have the FTC examine the incident based on the class of “Internet users.” Do Internet users expect that there is never any security problems of any kind, or do they expect that they will be dealt with immediately, that they will be communicated with, and that steps will be taken to address any substantial problems created? I would argue the latter. (c) Finally would users really not sign up with Google if they had known there was a chance that there would be some foul-up along these lines? From the perspective of the class of Internet users, I would say that everyone understands there is a risk, that a consumer-level free service is not going to have the security of an iron-clad enterprise service and that people already factor that in to calculating what kind of data they’re going to put on Google as opposed to their corporate network, or their personal laptop.
None of which is to say that you can’t find claims of security to be grounds for deceptive business, but I think the standard is where credit card data is exposed, or where the company’s negligence allowed criminals to tap into their network, or the network was so poorly secured that the marketing claims were nothing but hot air. But that is a much different standard than having a small problem, quickly rectified.
