By Doug Miller
This week I read about Google’s new achievement of ISO 27001 compliance for its Google Apps offering. One of the more interesting news pieces was a story in Wired in which Eran Feigenbaum (aka Eran Raven), Google’s Director of Security for Google Apps, was interviewed and compared Google Apps to a bank “in the days when a bank was a new idea”. His actual quote was:
“It’s very similar to the situation banks were in hundreds of years ago. They had to convince us to give them our money, to take the money out from under the mattress and put it in the bank.”
The more I think about it, the more I agree with Mr. Feigenbaum. Google is like a bank for our data. But before I dive more into the banking analogy, I think it is worth noting that it makes total sense for Google to do everything it possibly can to secure its infrastructure by conforming with ISO 27001 and other standards.
After all, Google has access to more personal information than just about any other entity in the world. This information, which is submitted by Google users in the form of web search phrases, email messages, videos, pictures and more, has enormous value to Google as an advertising company. By mining, combining and analyzing all the data that flows into Google’s services, it is able to provide more relevant searches and display ads that directly relate to what we are doing on the web. This collection of data – much of which is personal profile information – is really Google’s most valuable asset. By using this data, Google can make its platform more attractive to advertisers by reaching customers who are looking for related products and services. This information generates almost $40 billion a year in ad revenue and has helped to propel Google to a market valuation of almost $200 billion.
At this point you are probably thinking, but wait – isn’t this my data? Things such as personal emails are mine, not Google’s. Not so fast. Once you use Google services or upload information to Google services (e.g. send an email), Google, through its terms of service, gets:
“a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
To be clear, it is still your data. Google just has a license to also use it “for the limited purpose of operating, promoting, and improving our Services, and to develop new ones”. Which pretty much covers everything.
So Google has a huge incentive to protect your (and its) data so that other ad companies and hackers don’t steal it. After all, if Google lost exclusive access to its data, or more importantly lost the trust of users – including government agencies and schools – who willingly and freely provide it with a steady flow of valuable information, it would be out of business. Without paying advertisers, Google would just be a search engine without revenue.
Back to the banking analogy, which I particularly like given that the focus of this blog is the new information economy. Our data is our new asset, which has real value in the digital economy.
When you submit content in Google services (e.g. execute a search, create an email in Gmail, upload a video to YouTube), it is like making a deposit in your bank. You are placing your valuable information in Google’s hands and they promise to protect it.
And just like a bank, they have use of your assets – in this case your data – while it is deposited in their “vault”.
So just as a bank can use your money to invest and build its profits where it wants once you deposit money with it, Google has a license to use your data to enhance its services, including building new ones to help expand its business, which is focused on advertising.
But here the similarity ends:
- When you withdraw your money from the bank, the bank no longer has use of your funds. With Google, when you withdraw your data, Google has a license to continue to use the data. In Google’s words “this license continues even if you stop using our Services”.
- Most banks will pay you interest when you deposit money with them – especially if it is a long-term deposit. With Google, you do not get interest, although they might argue you get to use their free services in exchange for them having access to and use of your data. That might be a fair argument, although most people don’t think of it that way. It should also be noted that Google actually charges some types of customers (e.g. businesses and government customers) for the use of its services, yet it still has access to the data that is used in conjunction with its services. This is kind of like large recurring monthly bank fees even though the bank has the use of your money.
- Finally, banks are now heavily regulated, mainly to address past failures with attempts at self-regulation and reckless investing resulting in bank failures. Even with regulation, banks have repeatedly acted in ways that are counter to the best interests of their depositors. However, we at least have the FDIC to protect our deposits to some extent. As Mr. Feigenbaum says, Google is more similar to what it was like with banks a hundred years ago. That’s exactly correct. With Google and many other keepers of our online data, there is very little regulation in this country to protect our data and how it can be used. And there is certainly nothing close to the equivalent of the FDIC. If Google loses my data or stops the service there is no recourse – even as a paying Google Apps for Business customer (see section 14 – DISCLAIMER OF WARRANTIES in Google’s TOS for Google Apps for Business customers).
So if we go back to Eran Feigenbaum’s bank analogy, we should all start thinking of our data as a valuable asset which, when deposited in the cloud, needs to be secured and managed in a responsible way. The key is not how secure the bank is (most cloud service providers are way ahead of the rest of us in their ability to secure their data centers). No – the key is knowing how our data can be used once it is deposited into our “trust accounts” in the cloud.