Google has inadvertently stoked privacy concerns about filesuploaded to its newly released Google Drive by issuing poorly writtenrules that are more apt to confuse than to clarify.
While private files winding up on Google Drive may not be asprivacy-protected as the ones on your hard disk, fact is that Googleis not granting itself free rein to use personal data. But you'd behard-pressed to know that given a "toxic brew" of conflicting claimsfound in the company's omnibus privacy policy, according to a legalexpert who has closely reviewed Google's policies.
"The language is not drafted nearly as tightly as we would expect froma company of Google's size and stature," says Eric Goldman of the High Tech Law Institute. Hedescribes the covenants as poorly written and likely to confuse usersby virtue of Google mashing licensing and privacy statements together.
Asked for comment, Google offered the following statement:
As our Terms of Service make clear, 'what belongs to you stays yours.'You own your files and control their sharing, plain and simple. OurTerms of Service enable us to give you the services you want -- so ifyou decide to share a document with someone, or open it on a differentdevice, you can.
Google isn't doing itself favors with its communications, according toGoldman, who calls "that 'plain and simple' bit" a red flag. "You knowsomeone is doing arm-waving," he says.
So what does Google really mean in its terms of service? The sectionof the agreement that people are complaining about, "Your Content inour Services," starts off clearly. The license grant, which is thefirst portion of the privacyagreement, sounds good:
Some of our Services allow you to submit content. You retain ownershipof any intellectual property rights that you hold in that content. Inshort, what belongs to you stays yours.
But then Google puts a big question mark over that agreement:
When you upload or otherwise submit content to our Services, you giveGoogle (and those we work with) a worldwide license to use, host,store, reproduce, modify, create derivative works (such as thoseresulting from translations, adaptations or other changes we make sothat your content works better with our Services), communicate,publish, publicly perform, publicly display and distribute suchcontent. The rights you grant in this license are for the limitedpurpose of operating, promoting, and improving our Services, and todevelop new ones. This license continues even if you stop using ourServices (for example, for a business listing you have added to GoogleMaps).
At face value, this looks like Google is claiming an unrestrictedlicense to users' files, for purposes up to and including advertisingits own services. But that's not what Google means. Google isn't aboutto make users' private files public. The whole architecture of GoogleDrive is to either store privately or let users share files. In fact,Goldman notes, it would vitiate the whole nature of Google Drive forGoogle to treat private files as public."I don't think Google will do it, and that's not the problem," he says.
However, the problem is that Google's one-size-fits-all-services termsof service agreement is too vague. Legally, it does leave Google withan unreasonable amount of leeway regarding user files. Legalexperts note that privacy should trump all licensing issues, and thatGoogle could easily re-draft the agreement to accurately reflect theway the company actually treats user data. For example, the privacyagreement could say we'd never use the data publicly, or forpromotional purposes.
Google does give itself some wiggle room in the agreement to allownarrower terms to apply to certain products, but as of yet there areno such terms for Google Drive.
There is real exposure for users: The agreement doesn't protect usersif Google -- not the user -- deems it necessary to give litigants orgovernment representatives access to private files, and it won'tprevent Google from terminating access to their own files if "Googlethinks a file violates someone's rights. The example of what happenedto innocent users caught during the MegaUpload saga is still fresh inpeople's memories.
The conflict between needing access to user data to run a service anduser privacy is not limited to Google. But other companies have morethoughtful policies. Dropbox,after suffering through a user backlash over a policy similar toGoogle's current TOS, updated its terms with very clear limitations:
To be clear, aside from the rare exceptions we identify in our PrivacyPolicy, no matter how the Services change, we won't share your contentwith others, including law enforcement, for any purpose unless youdirect us to.
Dropbox, Goldman says, "stops at limited rights 'to operateservices.'" It's more narrow and more appropriate for a cloud storageservice, he says. He thinks Google would do well to emulate this, andstep away from the concept that a unified privacy and licensing plancan work across the entire suite of Google services.
While the future points to the cloud, the present may still last quiteawhile with many users still avoiding putting personal or sensitivedata on Internet services except when he needs their specificfeatures, like real-time collaboration. Despite what Google, Microsoft,and other providers offering limitless storage in the sky will claim,a cloud storage drive does not offer the same privacy protections as a personal hard drive.