Wednesday 8 June 2011

Google security and privacy myth busting

Have had a great day at Google CAB. Some of it was under NDA (non-disclosure agreement), but there was a lot I can report on. This first post is going to concentrate on a topic that I think is really important - and much misunderstood: security and privacy. It's the main topic of discussion when we tell people we've gone Google.

Let's start with data centre security. The scale of Google's operation means they can afford to spend much more on security than we can. In fact, they can afford to spend more on security than most governments. They use biometrics including retinal scanning and thermographics for access control, their data centre hardware is built by them, and they completely destroy decommissioned discs by overwriting the data, crushing them, shredding them, and then recycling the materials. Their infrastructure is built with failure in mind, they have multiple connections to the internet from different providers, and all of their data centres can run independently of the power grid. There's an excellent video about their data centres here:



In terms of security of the data, they employ a full-time team of security experts including cryptographers, specialists in application security and expert hackers. They have automated intruder detection and repulsion systems - and much more that they weren't prepared to share with us, understandably.

I can assure all of our users, your data is much more secure with Google than with us.

But what about privacy, I hear you say - the Patriot Act means the US government can intercept and read your data, Google doesn't know where your data is, it's illegal to export our research data, data protection means we can't do this, it's OK for students but not staff - I could go on and on quoting the many things people have said to me. And they're all wrong!

So, let's bust some myths:
Google is the data processor, we are the data owners. They do not own our data.
Our data is stored in data centres in Europe and the US, where there is confidence in the policies of the countries where these are located - it is not stored all over the world.
All of our data is protected by Safe Harbor, which is fully compliant with the EU Data Processing Directive, and the UK Data Protection Act.
Moving to Google Apps does not increase our exposure to export controls (important in terms of research data).
The Patriot Act is a red herring. Exactly the same laws exist in the UK, but they aren't run through the courts. In the US there is a judicial process, here there isn't.

There are a number of reasons why you might choose not to go with Google, but concerns about security and privacy shouldn't be part of them. Trust me. I'm not that stupid. Neither are they!

9 comments:

Anonymous said...

"The Patriot Act is a red herring. Exactly the same laws exist in the UK, but they aren't run through the courts. In the US there is a judicial process, here there isn't"

So the question then becomes: do you trust the UK government (with its private processes) more, or less, than the US government (with judicial process)?

The US and UK governments have different priorities, and different attitudes on a variety of topics, so it wouldn't be completely inconsistent for someone to answer "Even without the courts' involvement, I still trust the UK government more".

I don't think it's fair to simply dismiss that concern as a "red herring".

Anonymous said...

Chris - you are misinformed re the Patriot Act. The key difference between it and EU legislation is that it potentially allows US authorities to access your data for a variety of reasons including commercial purposes. This can be a serious issue for some research data that is protected by contractual relationships with a commercial funder, e.g. pharmaceutical research.

cal said...

Thanks for the update, had been eagerly anticipating it from your Twitter posts. Interesting points about Google's security practices.

Arthur said...

"Our data is stored in data centres in Europe and the US, where there is confidence in the policies of the countries where these are located - it is not stored all over the world."

Do you have this in writing/contract?

John said...

Good post Chris - we had exactly the same issues raised with us when we went with Google. I don't think you, or Google for that matter, will ever convince some people, but it's nice to see some of the myths being busted.

Unknown said...

Hi Folks. Thanks for all your comments. Will try and answer them.

IMO the Patriot Act is a red herring - and it's not just me who thinks so. Here's a quote from Ann Cavoukian, Information and Privacy Commissioner for the Canadian province of Ontario:

"You just heard before myself .... make a compelling case about outsourcing e-mail onto the cloud. That, of course, is your decision. But, don’t let things like the Patriot Act… I mean, it’s just such a red herring. It’s nothing."

It's nothing to do with whether you trust the US system more than the UK one; it's about risk, how you assess it and how you manage it.

And I'm certainly not misinformed about the Patriot Act in terms of its remit. There are commercial clauses in the Patriot Act, in part because of the need to tackle money laundering, but the key point is that it's a judicial process. If the US government tried to access our research data on commercial grounds (which is extremely unlikely), then there'd be an opportunity to challenge that using the judicial system. UK anti-terrorism legislation also covers money laundering, so it's not restricted to the US. The worry is when a secret or direct government-company approach is made: such things can happen for a number of reasons in most countries.

As I said. It's all about risk assessment.

And yes, we do have a contractual relationship with Google about where our data is stored.

So, thanks for the comments - happy to answer any more questions that come up.

George Credland said...

I'd have thought it far more likely that a security attack would come by compromising user accounts than directly accessing their data centers.

Either like the Sony attacks (they can also afford to spend a lot more on security than we do but it hasn't helped their customers!), or installing spyware onto the client devices to capture the account details.

Maybe the Chromebook initiative will help with the latter if software is centrally managed instead of installed on the device by the user.

Anonymous said...

You write: "then there'd be an opportunity to challenge that using the judicial system."

And what about this:
"The second tool which the US Government has is found in Section 505 of the Patriot Act. It is under this section that the Government can issue National Security Letters whereby they can request that personal information be disclosed to them. The information can be accessed where it meets the following criteria: that the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. No court order is necessary for a National Security Letter to be issued; however, the type of information that is retrievable is more limited than through that available in a Section 215 (see above) order."
taken from here

Unknown said...

Thanks for sharing a nice post for

Qadit highly respected name for data privacy and security sector in India. Our Protection guards important assets with simply deployed and managed solutions, including data loss prevention and encryption.
