step forward, while others claim it may be illegal. As most enterprises make use of Google’s services, either directly by using its enterprise products or through employees using the consumer versions, it is important that those responsible for security policy cut through the hype and hysteria to assess how these changes actually affect them.
Regardless of the third-party provider, enterprises must understand the risks involved and ensure any service-level agreements include the needed security and liability protections.
In a nutshell, Google has replaced the separate privacy policies it had for each of its products with a single policy that covers all of them. The new policy is shorter and easier to understand. It explains what information Google collects and why it is collected, how the information is used, and how to access and update it.
The search giant's core privacy guidelines, however, haven’t actually changed. Google will not sell personal information or share it externally, but user data will now be shared across its products. This means that Google will combine user data from services like YouTube, Gmail and its search engine to create a single, merged profile for each user of its services.
Simplifying the wording and harmonising policy across so many different products whilst being transparent is to be applauded, even if this initiative is driven by Google’s need to continually improve the relevancy of its ads. By aggregating data from different services, Google can deliver more targeted ads to its users and thus boost revenue. However, it’s this type of data aggregation that has alarmed many people. When information from across multiple sources is combined, it greatly increases Google’s ability to build comprehensive and detailed personal profiles of its users, which also reduces their anonymity.
If an enterprise still has privacy concerns, it has various options available: prohibit the use of certain Google services, such as Google Mobile, which invokes the use of a mobile device's GPS capability; require employees to access some services, like search, while signed out of their Google account so Google can't associate search queries with business user accounts. Note that Google's log-out function is now much more powerful than previous versions in Google products. It logs a user out of every Google service for that account on a single client machine.
Deal with privacy laws
Key questions regarding privacy laws in the workplace.
Learn how to comply with various U.S. state data privacy laws.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.