Google Drive terms of service: 'A toxic brew'

Google isn't about to make your private files public, but that doesn't excuse its sloppy terms of service.

Rafe Needleman Former Editor at Large
Rafe Needleman reviews mobile apps and products for fun, and picks startups apart when he gets bored. He has evaluated thousands of new companies, most of which have since gone out of business.
Rafe Needleman
4 min read

Google has inadvertently stoked privacy concerns about files uploaded to its newly released Google Drive by issuing poorly written rules that are more apt to confuse than to clarify.

While private files winding up on Google Drive may not be as privacy-protected as the ones on your hard disk, fact is that Google is not granting itself free rein to use personal data. But you'd be hard-pressed to know that given a "toxic brew" of conflicting claims found in the company's omnibus privacy policy, according to a legal expert who has closely reviewed Google's policies.

"The language is not drafted nearly as tightly as we would expect from a company of Google's size and stature," says Eric Goldman of the High Tech Law Institute. He describes the covenants as poorly written and likely to confuse users by virtue of Google mashing licensing and privacy statements together.

Asked for comment, Google offered the following statement:

As our Terms of Service make clear, 'what belongs to you stays yours.' You own your files and control their sharing, plain and simple. Our Terms of Service enable us to give you the services you want -- so if you decide to share a document with someone, or open it on a different device, you can.

Google isn't doing itself favors with its communications, according to Goldman, who calls "that 'plain and simple' bit" a red flag. "You know someone is doing arm-waving," he says.

So what does Google really mean in its terms of service? The section of the agreement that people are complaining about, "Your Content in our Services," starts off clearly. The license grant, which is the first portion of the privacy agreement, sounds good:

Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.

But then Google puts a big question mark over that agreement:

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps).

At face value, this looks like Google is claiming an unrestricted license to users' files, for purposes up to and including advertising its own services. But that's not what Google means. Google isn't about to make users' private files public. The whole architecture of Google Drive is to either store privately or let users share files. In fact, Goldman notes, it would vitiate the whole nature of Google Drive for Google to treat private files as public. "I don't think Google will do it, and that's not the problem," he says.

However, the problem is that Google's one-size-fits-all-services terms of service agreement is too vague. Legally, it does leave Google with an unreasonable amount of leeway regarding user files. Legal experts note that privacy should trump all licensing issues, and that Google could easily re-draft the agreement to accurately reflect the way the company actually treats user data. For example, the privacy agreement could say we'd never use the data publicly, or for promotional purposes.

Google does give itself some wiggle room in the agreement to allow narrower terms to apply to certain products, but as of yet there are no such terms for Google Drive.

There is real exposure for users: The agreement doesn't protect users if Google -- not the user -- deems it necessary to give litigants or government representatives access to private files, and it won't prevent Google from terminating access to their own files if "Google thinks a file violates someone's rights. The example of what happened to innocent users caught during the MegaUpload saga is still fresh in people's memories.

The conflict between needing access to user data to run a service and user privacy is not limited to Google. But other companies have more thoughtful policies. Dropbox, after suffering through a user backlash over a policy similar to Google's current TOS, updated its terms with very clear limitations:

To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won't share your content with others, including law enforcement, for any purpose unless you direct us to.

Dropbox, Goldman says, "stops at limited rights 'to operate services.'" It's more narrow and more appropriate for a cloud storage service, he says. He thinks Google would do well to emulate this, and step away from the concept that a unified privacy and licensing plan can work across the entire suite of Google services.

While the future points to the cloud, the present may still last quite awhile with many users still avoiding putting personal or sensitive data on Internet services except when he needs their specific features, like real-time collaboration. Despite what Google, Microsoft, and other providers offering limitless storage in the sky will claim, a cloud storage drive does not offer the same privacy protections as a personal hard drive.