Google has inadvertently stoked privacy concerns about files
uploaded to its newly released Google Drive by issuing poorly written
rules that are more apt to confuse than to clarify.
While private files winding up on Google Drive may not be as
privacy-protected as the ones on your hard disk, fact is that Google
is not granting itself free rein to use personal data. But you'd be
hard-pressed to know that given a "toxic brew" of conflicting claims
expert who has closely reviewed Google's policies.
"The language is not drafted nearly as tightly as we would expect from
a company of Google's size and stature," says Eric Goldman of the High Tech Law Institute. He
describes the covenants as poorly written and likely to confuse users
by virtue of Google mashing licensing and privacy statements together.
Asked for comment, Google offered the following statement:
As our Terms of Service make clear, 'what belongs to you stays yours.'
You own your files and control their sharing, plain and simple. Our
Terms of Service enable us to give you the services you want -- so if
you decide to share a document with someone, or open it on a different
device, you can.
Google isn't doing itself favors with its communications, according to
Goldman, who calls "that 'plain and simple' bit" a red flag. "You know
someone is doing arm-waving," he says.
So what does Google really mean in its terms of service? The section
of the agreement that people are complaining about, "Your Content in
our Services," starts off clearly. The license grant, which is the
first portion of the privacy
agreement, sounds good:
Some of our Services allow you to submit content. You retain ownership
of any intellectual property rights that you hold in that content. In
short, what belongs to you stays yours.
But then Google puts a big question mark over that agreement:
When you upload or otherwise submit content to our Services, you give
Google (and those we work with) a worldwide license to use, host,
store, reproduce, modify, create derivative works (such as those
resulting from translations, adaptations or other changes we make so
that your content works better with our Services), communicate,
publish, publicly perform, publicly display and distribute such
content. The rights you grant in this license are for the limited
purpose of operating, promoting, and improving our Services, and to
develop new ones. This license continues even if you stop using our
Services (for example, for a business listing you have added to Google
At face value, this looks like Google is claiming an unrestricted
license to users' files, for purposes up to and including advertising
its own services. But that's not what Google means. Google isn't about
to make users' private files public. The whole architecture of Google
Drive is to either store privately or let users share files. In fact,
Goldman notes, it would vitiate the whole nature of Google Drive for
Google to treat private files as public.
"I don't think Google will do it, and that's not the problem," he says.
However, the problem is that Google's one-size-fits-all-services terms
of service agreement is too vague. Legally, it does leave Google with
an unreasonable amount of leeway regarding user files. Legal
experts note that privacy should trump all licensing issues, and that
Google could easily re-draft the agreement to accurately reflect the
way the company actually treats user data. For example, the privacy
agreement could say we'd never use the data publicly, or for
Google does give itself some wiggle room in the agreement to allow
narrower terms to apply to certain products, but as of yet there are
no such terms for Google Drive.
There is real exposure for users: The agreement doesn't protect users
if Google -- not the user -- deems it necessary to give litigants or
government representatives access to private files, and it won't
prevent Google from terminating access to their own files if "Google
thinks a file violates someone's rights. The example of what happened
to innocent users caught during the MegaUpload saga is still fresh in
The conflict between needing access to user data to run a service and
user privacy is not limited to Google. But other companies have more
thoughtful policies. Dropbox,
after suffering through a user backlash over a policy similar to
Google's current TOS,
updated its terms with very clear limitations:
To be clear, aside from the rare exceptions we identify in our Privacy
Policy, no matter how the Services change, we won't share your content
with others, including law enforcement, for any purpose unless you
direct us to.
Dropbox, Goldman says, "stops at limited rights 'to operate
services.'" It's more narrow and more appropriate for a cloud storage
service, he says. He thinks Google would do well to emulate this, and
step away from the concept that a unified privacy and licensing plan
can work across the entire suite of Google services.
While the future points to the cloud, the present may still last quite
awhile with many users still avoiding putting personal or sensitive
data on Internet services except when he needs their specific
features, like real-time collaboration. Despite what Google, Microsoft,
and other providers offering limitless storage in the sky will claim,
a cloud storage drive does not offer the same privacy protections as a personal hard drive.