Data Breach By Google JotSpot

Monday's post discussed the reasons for consumers to know what privacy they give up when using Google services. Part of that assessment is knowing what personal data Google has about you, especially if your data is hacked, stolen, or exposed during a data breach.

Last week, CNET News reported:

"... Google's JotSpot service, which allows people to collaborate on online documents, exposes user names and e-mail addresses to anyone on the Internet, but Google says the problem is due to administrator users not making the settings private. As a result, sensitive user data is indexed by Google's crawler and made accessible on the Web, said Ben Edelman, a Harvard Business School professor and security researcher."

What data was breached?

"CNET News was able to view full user names, e-mail addresses, and group memberships of JotSpot users. This was done by searching Google for "user management" pages on JotSpot that list registered users for different JotSpot projects or groups. Such a search conducted late on Thursday brought up about 2,800 results."

This news story highlights the need for companies to train their employees consistently and effectively on data security habits and the company's data security policies. Otherwise, data breaches are bound to happen.

This data breach is no different from the multitude of breaches in which company employees are all too often lax about data security, leave laptops unprotected, and store massive amounts of sensitive data about customers, employees, and former employees. It's no different from an employee copying files with sensitive data to an unprotected folder or sub-folder on a public Internet server.

Edelman added:

"... that even if the problem is due to users not setting the privacy settings adequately, the matter still reflects poorly on Google. "This is not good design. Showing e-mail addresses is hard to defend" especially when Web crawlers can scoop them up, he said. "It's a question of what users could reasonably understand and accept. The privacy policy doesn't give any indication" that the data could be exposed to the Web."

Perhaps more importantly:

"The problem also exposes a chink in Google's hosted services business, which relies on customers--individuals and companies--having faith in Google's ability to secure customer data..."

I agree 1,000% with Edelman. If a vendor is going to encourage users to collaborate on documents via the Internet, then that vendor should make the privacy settings and features in their application as "bullet-proof" as possible.

That may mean making the default document access settings private. It may mean extra on-screen messages and warnings when users deviate from standard document access privacy settings. It may mean adding to the application a default set of settings that match the company's internal policy so that changed settings can be easily discovered and messaged.

And, the Google JotSpot or Sites Privacy Policy should explicitly describe the consequences when users deviate from the most secure document access privacy settings. Otherwise, data breaches are bound to happen -- which benefits nobody.



John Taylor

Good article, George.

Remember, Google is not so large that they are not covered under the FACTA articles 114 and 315, as well as GLB. They must perform employee training on how to deal with any PII held on client accounts and employees alike. Being a non-banking business they have until May 1st '09 to initiate a response policy at the board level, and train all staff.
