Google boosts security but storage glut continues

Dennis Fisher sounds off on the latest issues affecting the information security community.

Google has been on a hot streak practically from its beginning.

First, it took on Yahoo, the reigning king of search, and won so decisively that the company's name has now become a verb synonymous with Web searches. Google's executives then turned their attention to Microsoft and the company's dominant position in the enterprise software market.

Knowing that it would be difficult to beat Microsoft at its own game, Google instead created a suite of business applications and gave them away for free online. Google Apps has by no means displaced Office, but it has caught the attention of everyone who matters in Redmond and caused plenty of sleepless nights. And let us not forget Google's insanely successful IPO in 2004. After opening at about $100, the stock now trades north of $440 a share.

It seemed nothing could dent the company's sterling image. Nothing, that is, except privacy. Google executives this week finally decided it was time to address this weak point and amend the company's privacy policy to help allay users' concerns about how their personal information is stored and used.

Privacy has been the company's one Achilles' heel, the only thing that critics have consistently hammered the company for. By the very nature of its business, Google collects untold terabytes of data each day on its users, their preferences, dislikes, searching habits and even some personally identifiable information, depending on which services a user employs.

About Behind The Firewall:
In his weekly column, Executive Editor Dennis Fisher sounds off on the latest issues affecting the information security community. 

Google, along with the other major search providers, has been criticised by privacy advocates, government watchdogs and others for collecting too much data and holding on to it for too long. And last year the company was roasted for agreeing to demands by the Chinese government that it censor search results returned to users in China. For a company whose motto is "Do no evil" and that is ranked eighth on the Fortune list of the most admired companies, that's an issue.

To help fix the problem, Google's new policy calls for the company to anonymise its server log data after 18-24 months. The company will still keep log data for longer periods, but no one will be able to connect any of the data to any particular user. Google plans to implement the policy gradually, but says it will be in place within a year.

This is an important step, and one for which Google deserves to be applauded. But it is not a panacea for all of the privacy concerns people have raised. It does not address the issue of how much data the company collects, which, given the number of users it serves each day, is a major concern. But Google clearly is making progress. Adding this language to the company privacy policy is not just a symbolic gesture. Government regulators have shown no hesitation in forcing companies to adhere to their own policies. The most famous example is the Federal Trade Commission's action against Microsoft in 2002 for failing to live up to the terms of its privacy policies for the Passport single sign-on service.

That's something that Google would like to avoid, and the company's executives believe the changes to its policies will help it do so.

"By anonymising our server logs after 18-24 months, we think we're striking the right balance between two goals: continuing to improve Google's services for you, while providing more transparency and certainty about our retention practices. In the future, it's possible that data retention laws will obligate us to retain logs for longer periods. Of course, you can always choose to have us retain this data for more personalised services like Search History. But that's up to you," Google's privacy counsel for Europe, Peter Fleischer, and its deputy general counsel, Nicole Wong, wrote in a blog post announcing the changes.

It remains to be seen whether this is a significant shift in direction for Google or just a bit of legal window dressing, but for now things look promising.
