Should the new Google privacy policy concern enterprises?

Google’s tentacles reach deep into most enterprises, but should enterprises worry about the new Google privacy policy? Expert Michael Cobb discusses.

Reactions to the new Google privacy policy have ranged from praise to anger, with some declaring it a positive step forward, while others claim it may be illegal. As most enterprises make use of Google’s services, either directly by using its enterprise products or through employees using the consumer versions, it is important that those responsible for security policy cut through the hype and hysteria to assess how these changes actually...

affect them.

Regardless of the third-party provider, enterprises must understand the risks involved and ensure any service-level agreements include the needed security and liability protections.

In a nutshell, Google has replaced the separate privacy policies it had for each of its products with a single policy that covers all of them. The new policy is shorter and easier to understand. It explains what information Google collects and why it is collected, how the information is used, and how to access and update it.

The search giant's core privacy guidelines, however, haven’t actually changed. Google will not sell personal information or share it externally, but user data will now be shared across its products. This means that Google will combine user data from services like YouTube, Gmail and its search engine to create a single, merged profile for each user of its services.

Simplifying the wording and harmonising policy across so many different products whilst being transparent is to be applauded, even if this initiative is driven by Google’s need to continually improve the relevancy of its ads. By aggregating data from different services, Google can deliver more targeted ads to its users and thus boost revenue. However, it’s this type of data aggregation that has alarmed many people. When information from across multiple sources is combined, it greatly increases Google’s ability to build comprehensive and detailed personal profiles of its users, which also reduces their anonymity.

However, from an enterprise perspective, Google isn’t collecting more information than it was before this change. The new privacy policy hasn’t altered its contractual agreements for enterprise customers. Google users should have separate accounts for personal and business use, but this ought to be company policy anyway; if it's not, the privacy policy change is a good opportunity to communicate to staff the importance of separate business and personal user accounts.

If an enterprise still has privacy concerns, it has various options available: prohibit the use of certain Google services, such as Google Mobile, which invokes the use of a mobile device's GPS capability; require employees to access some services, like search, while signed out of their Google account so Google can't associate search queries with business user accounts. Note that Google's log-out function is now much more powerful than previous versions in Google products. It logs a user out of every Google service for that account on a single client machine.

Deal with privacy laws

Key questions regarding privacy laws in the workplace.

Learn how to comply with various U.S. state data privacy laws.

The new Google privacy policy should make employees more efficient, as search results should be quicker and more appropriate. However, relying on any third-party service always involves risks. The provider could go bust, increase prices, or change its terms and conditions. Business continuity plans should cover all of these eventualities. Regardless of the third-party provider, enterprises must understand the risks involved and ensure any service-level agreements include the needed security and liability protections.

Businesses use cloud-based services such as the Google Apps package to save money and improve productivity. If Google shows this change in its privacy policy makes its services better and enterprises feel the benefits outweigh the risks, then enterprises will continue to rely on Google’s products. I imagine those enterprises with concerns over employee anonymity had already ruled out broad use of Google’s products, and existing users who do not like the new policy can always stop using its services, though Google's ubiquity makes that challenging. Still, since Google states that it keeps nine months' worth of data for non-logged-in users, and data on logged-in users until the user chooses to delete it or close his or her account, anyone who uses Google for business purposes should, at the very least, use its services anonymously without logging in.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.

This was first published in April 2012
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

-ADS BY GOOGLE

SearchStorage.com.au

SearchCIO.com.au

SearchFinancialSecurity

SearchMidmarketSecurity

SearchSecurityChannel

Close