Should the FTC shut down Gmail and Google Docs because of an already-fixed bug?

by on March 18, 2009 · 15 comments

Earlier this month, Google made news when it announced that its cloud computing productivity suite Google Docs had suffered a technical glitch that temporarily compromised a subset of users’ shared documents. After becoming aware of this glitch, Google notified its users via email and posted an entry to the Official Google Docs Blog that offered a more detailed explanation of what happened.

It turns out that a bug in Google’s permissions code was causing certain documents that had been shared by their author with other users but subsequently unshared to remain visible to those users. By the time Google notified its users, the bug had already been resolved, and Google estimates that only around 0.05% of all documents were vulnerable due to the glitch. As to how many documents were actually viewed by unauthorized parties, it’s unclear at this point.

All in all, the Google Docs glitch, while troubling, seems relatively minor as far as bugs go. Nevertheless, the Electronic Privacy Information Center’s Mark Rotenberg jumped on the chance to attack Google, as he often does when Google makes news for anything privacy-related. Yesterday, EPIC filed a complaint with the Federal Trade Commission that called on the FTC to investigate Google’s privacy safeguards, order Google to shut down all cloud computing services—including Gmail, which has 26 million users—pending a thorough privacy evaluation, and force Google to pay $5 million to a fund that would be setup for “privacy research.”

Watchdog activist groups like EPIC can play a useful role in the public discourse on privacy, helping to publicize unsavory behavior by companies and educating consumers about keeping data secure. Unfortunately, however, these groups’ admirable focus on protecting privacy sometimes edges on the myopic, causing them to overreact to data breaches and sometimes even call for regulatory interventions that are decidedly anti-consumer. EPIC’s latest complaint about Google is a classic example of this.

How would it be in consumers’ interests for the FTC to shut down Google’s cloud computing services until Google can offer its users an ironclad data security guarantee? Gmail has been at the forefront of innovation in webmail, and was among the first providers to offer its users gigabytes of free storage and SSL-encrypted IMAP connectivity. And Google Docs is a wildly popular alternative to Microsoft Office that doesn’t cost a dime to use. Shutting down both of these services would be extremely detrimental to the millions of consumers and small businesses who find the service useful and valuable and are willing to accept the small risk of a bug or data breach. But Mark Rotenberg wants to deny consumers that choice. Concerned users can already close their Google account and switch to another productivity suite; Google even makes it easy for users to export their data in an open source format for painless migration.

It’s unrealistic to expect watertight privacy safeguards in a world in which information sharing is on the rise. As collaborative software and cloud computing grow in popularity, the number of potential avenues for breaches, bugs, and compromises will only increase. But closing every service that suffers a bug until federal regulators can comb through every line code isn’t the solution—the solution already exists. Companies like Google risk losing billions of dollars if consumers lose faith in cloud-based products.

Leaks of sensitive data did not begin with the invention of the Internet, and breaking agreements that promise confidentiality has long been a matter of civil liability. In other words, the proper venue for recourse against Google is not the FTC but the courts. Instead of EPIC complaining to the FTC, victims of the Google Docs bug should be taking Google to court. There’s no reason for the FTC to intervene every time there’s a security flub when existing liability laws combined with market pressures already give the Googles of the world a strong incentive to guard against breaches.

The ever-present threat of FTC action against firms can have extremely destructive consequences for online innovation. What EPIC is advocating — for the FTC force a company to shut down one of its product suites on account of a single, relatively minor bug — would be a case of harmful regulatory action.

Previous post:

Next post: