Can We Abandon Confidentiality For Google Apps?

An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"

yes..

..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.

Re:yes..

[TheMMaster]

If you had read the entire article you would've seen that it is written by "Brett Burney is principal of Burney Consultants, based in Cleveland." Finding his website, it turns out that mr Burney is not a lawyer, he provides some legal services FOR lawyers.

So, that article is just some guy saying how convenient those tools are. Not some sort of legal analysis of the use of web-based applications for sharing private data.

Here in Europe using stuff like that is absolutely not allowed for sensitive data, doctors, lawyers and governments are most certainly NOT allowed to use a hosted app like that.

Re:yes..

[jonnyj]

I can't give a legal answer for US companies, but its my job to consider questions like this for a UK based financial services business. Google's applications are essentially the same as any other outsourced services, and UK law is based on the premise that you can outsource activity but you can't outsource responsibility.

What this essentially means is that a UK business is expected both to have a legally enforceable set of data protection contract terms and to have conducted a risk assessment supported, where appropriate, by a detailed appraisal of the outsourcer's policies, procedures and practices. FWIW, the conclusion that I've drawn is that Google apps are completely unuitable for any UK business that processes customer data, as there is no guarantee that the data will remain in the EEA (European Economic Area) or another country that has equivalent data protection principles enshrined in law. UK business are not allowed to process personal data in the USA without express customer consent because its data protection laws fall short of ours.

Re:yes..

[chadplusplus]

IAAL too, and I saw nothing in there relating to whether the various state bars have given this the thumbs up. I suspect this would depend greatly upon the relative progressiveness of the pertinent state bar. I'd be interested in seeing an ethics ruling concerning this if you have any citations. (Sorry, I'm not paying Lexis to do a search just to satisfy my curiosity.)

Re:yes..

[rjh]

IANAL. My only legal credential is that I come from a family of lawyers and judges who are absolutely adamant about their moral obligation to preserve privilege.

As they have explained it to me, once you voluntarily hand information off to an uninvolved third party, the veil of privilege is breached and it can be discovered.

As they have explained it to me, anything you give to Google can be subpoenaed. Google is currently one of the most-frequently-served companies in the world, and Google gives full and enthusiastic cooperation with lawfully issued subpoenas.

If you really see nothing wrong with risking the privilege of your work product by putting it into the hands of a third party, and if you really see nothing wrong with making it discoverable via subpoena, then by all means use Google Docs. However, for my own sake, I refuse to deal with lawyers who use outsourced IT services.

The bottom line

[Samalie]

If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust Google Apps as your free platform for email/document creation/document storage.

If you don't mind the possibility that the world may get your data, then by all means feel free to use Google, or any other SaaS type offering.

Re:The bottom line

[eln]

If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust any Internet-based system as your free platform for email/document creation/document storage.

FTFY. If your documents exist on the Internet, especially unencrypted, they won't be confidential for very long. Whether or not Google as a company is trustworthy or not is irrelevant. If anyone hacked into your Google account, they would have access to everything. If a random employee at Google decided to sell your stuff to a tabloid, there's nothing you could do to stop them until it was already too late. Without ironclad confidentiality agreements with real penalties for breaking said agreements, you shouldn't be trusting any third party with this stuff, and you certainly shouldn't have it on the Internet.

Just accept it

[scoile]

Your role, as a qualified member of the IT staff, is to make the higher-ups aware of the risks. Do your due-diligence, tell them the data isn't secure (in person, in e-mail, and maybe even on paper), and remind them from time-to-time (using creative new analogies whenever possible). That's it, you've done your job.

The fact of the matter is, regardless what the policy is, and regardless what they all "agree" on, they're going to put sensitive information on the Web. You'd have to take away their Internet access and portable devices to prevent it, and even then, they'd just go home and use that.

Accept that the best you can do is educate them and provide alternatives.

Re:Say hello to your lawyer

[Red+Flayer]

It's been said before:

If you're response to an Ask Slashdot submission about $X is "Ask a lawyer about $X", then you should rewrite the Ask Slashdot question in your mind to "What should I know before I talk to a lawyer about $X?"

Lawyers are expensive. Community knowledge can e very helpful in reducing the amount needing to be spend on legal fees, and I'm sure plenty of Slashdotters have good insight that can help the submitter.

For my part, all I can say is that I wouldn't use a doctor if I knew they used Google Apps. There's too much risk that an employee at Google might let loose the secret of my debilitating suppurative penile encrustations.

No physical security

[pentalive]

No matter how ironclad the agreement or how draconian the penalties your data will still be public. Sue Google into non existence and well your data is still public.

Without physical security there is no security.
If you don't own the box and control access yourself there is no physical security.

Re:No

[vux984]

Do you really think it's wise or responsible to be using a piece of closed-source software (and one not known for its security, to say the least) so many years after the vendor has stopped supporting or releasing patches for it, and for which known exploits are in the wild?

Word/Excel/Powerpoint? I really wouldn't worry about it, as long as they meet his needs. (Although, I'd consider giving OO.o a try.)

Outlook - yeah, I'd suggest he pony up for a new copy, or switch to something else.

In what way does, for example, Google Apps Standard Edition ($0/year), cost more -- either up-front or in the long term?

Lost productivity.

1) Lost productivity when the local ISP or some some intermediate router is down? Multiply by each user. (In a lot of places that's pretty significant. Lots of places suffer multiple hours of network down time / flaky internet every month.)

2) Lost productivity as your employees are clicking on google ads and browsing online when they should be working on that spreadsheet or word document, or simply lost productivity as the ads become insufferably intrusive and distracting.

Think about it... you are getting standard edition for "free". Google wouldn't do unless some non-trivial number of users is READING and CLICKING on those ads. If your secretary is working on a budget spreadsheet, and gets distracted by an google ad in the corner of her spreadsheet, gets distracted and clicks on it, and goes browsing for 20 minutes as a result... that costs you money. And THAT is PRECISELY what your beloved partner google is counting on. THAT is their entire business model. Give you the app for free, and then extract a profit by luring your staff to click ads instead of work.

Now you might counter that google ads are unobtrusive and easily ignored. That's true to a point, but I find adds in my productivity apps VERY distracting; far more than I do on the web. I personally won't use ad supported software, but don't find them nearly so distracting on the web. Maybe its just me... But face facts google is a multi-billion dollar advertising company as direct result of people not ignoring those ads. So the ads =DO= work. Maybe YOU don't click them, but SOMEBODY is. And every time they work on someone in your company they cost you money.

I don't object to google apps for home and noncommercial use, and their 'premium' stuff is ad free, as you are now paying them directly for service.

But a business owner who gets his staff to use standard edition? Its idiotic... what's next? Will you switch to "free" printer toner from the Jehova's Witnesses, and in exchange they'll have witnesses wander around your office to spread the good news?

Do you not think using current tools at the time to produce a file, then ensuring the file is stored in an industry-standard open file format (such as ODF, RTF, plain text, HTML, TeX, or PDF -- or even better, more than one), is an acceptable archive, without needing to also archive a copy of (or later run) a dated (and bug-ridden and proprietary, in this case) application along with it -- which may not even run on machines "15 or 20 years" later, as you mention?

What makes you so confident ODF will be readable in 20 years by Google Apps, or that a google apps will even exist? All ODF being a standard ensures is that you WILL be able to write something that can read it 20 years from now, because the specification is documented and public. There is no gaurantee google apps or anything else will run it 20 years from now. And if you are looking to archive ODF, you should probably make a point of storing something that can actually read it too, ideally along with its source, unless you want to gamble on having to implement something yourself from scratch 20 years from now.

Google apps doesn't enable you to avoid making your own backups, and if anything google apps, makes it slightly more complicated. Google apps could disappear tomorrow (unlikely in the immediate future, but possible, and who knows what the more distant future holds; companies have been shut off before), so not only do you need backups, but you should have some means of reading them too... because you can't rely on google apps being available or supporting the files.