Is Google Too Big?

The government, too, might like to see what's in your Gmail inbox and your Docs and Spreadsheets files, including when you created, accessed, or deleted the data. Since you identify yourself whenever you sign in to your account, Google could use logs for the originating IP address of account activity, combined with ISP logs, to help confirm that it really was you who updated that spreadsheet or wrote that e-mail.

Google must comply with search warrants and subpoenas in civil or criminal cases that target your data, just as you would if you stored your data on your own servers. The difference, however, is that Google has no obligation to inform you that it has received such a warrant and has turned over your files to the authorities. "You lose both factual and legal control over your documents if you use an online service like Google," says former Department of Justice computer crime unit head Mark Rasch, current managing director of technology for forensic consulting firm FTI in Washington, D.C.

"Google Apps makes [the situation] even worse," Rasch adds, explaining: "This is not just communications, it's all my documents and spreadsheets that are subject to subpoena, search warrant, or civil discovery. The hard part is that Google is under no legal obligation to notify me, and in particular kinds of investigations, they're going to be prohibited from notifying me."

Being left in the dark about these types of searches can also result in serious liabilities should your files contain sensitive client data and communications. "Let's say I'm a lawyer, and I've got privileged information that I store using a Gmail account," Rasch continues. "The government seizes that Gmail account and reads my files. Under the law, I must assert the attorney-Client privilege, or I have waived it," he explains.

In short, if Google chooses not to inform you of such searches, you have waived that privilege. Only strong encryption--a technology Google currently does not support--offers real privacy protection for documents kept online, according to Rasch.

Harvard's Edelman recommends using Google services just for specific business documents in which collaboration among geographically dispersed teams is unusually important. "I wouldn't move my whole business onto Google Apps," he counsels.

Google Apps and similar Web services certainly have appeal for many small and medium-size businesses. When San Francisco's SFBay Pediatrics, a midsize practice, went looking for an interoffice communications, scheduling, and calendaring system, CIO Andrew Johnson considered "a slew" of products, including Microsoft Exchange and other systems that he would have to install and maintain in-house.

He selected Google Apps Premier Edition (the ad-free commercial version of Google Apps) because of Google's good reputation and his staff's familiarity with Gmail. Also, the Google services free the practice from setting up a significant IT structure. "We don't want to spend the time tracking down server issues, maintaining servers, and paying up-front costs," Johnson says.

So far, SFBay has had a positive experience with Google Apps, which it uses for such tools as a shared phone-call log that receptionists, nurses, and physicians can view and update. Though core features are still being rolled out, Johnson has configured SFBay's Google Apps account to comply with the privacy rules of the Department of Health and Human Services's Health Insurance Portability and Accountability (HIPAA) regulations. "We're taking it in little baby steps," Johnson adds.

Secret Life of Files

Google's online trove of sensitive personal and business data is proving attractive to law enforcement agencies, a fact not lost on the company: Last year it successfully warded off a Department of Justice subpoena demanding millions of search queries. (This request, the company countered, was excessive and an invasion of user privacy.)

The search giant also recently announced that it would begin deleting IP address information--which can be used to identify users--from its logs after 18 months. However, these steps may not be enough to reassure the most security-conscious users of Google applications.

"Even if you trust the service to do the right thing with the data, which I tend to do in the case of Google," says Lauren Weinstein, cofounder of People for Internet Responsibility, "it doesn't mean that someone won't come along and make demands for access to that data that wouldn't occur if the data was on your own machine."

Weinstein worries that if companies such as Google don't take a stronger role in protecting user privacy, less-savvy groups, including legislators, judges, and federal government agencies, may feel obliged to step in with solutions that could hamper all online services. "Not being evil is good, but it's not good enough," Weinstein says.

"What you really need to do is not only not be evil, but you've got to try to keep other people from doing evil with your magic. And that's a harder step to take."

What Google Knows About You

Relying on Google's free services can boost your productivity, but they may also put your privacy on the line, your business at risk, and your data out of reach. Click on the icon below to see our chart of Google services and their potential risks.