How Google Drive's terms of service measure up
It is not paranoid to believe that giant Internet corporations are after your personal data. That much is perfectly true—we only need argue about to what extent.
Whenever a new service that stores and shares data on our behalf launches—whether those data are contacts, files, or photos—people get rightly antsy about how the provider will manhandle our material. Recall how a developer discovered that social-networking service Path uploaded your entire contacts list from its iOS app to its servers back in February? We can accept that it was unintentional, but it revealed that Apple had a policy but no monitoring nor mechanism covering such behavior. (Path apologized, said it was only using the information for connecting people with existing Path members, and changed its software.)
Given this environment, one might suspect that Google would give more thought to how it described what it would do with files uploaded to and synchronized via its new Google Drive service, launched last week. Instead, the search firm linked to the overhauled centralized privacy and usage policies set a little less than two months ago. (The company took more than 60 separate policies and distilled them into one). By doing so, Google freaked out a number of Internet denizens, who wondered if the company was making a copyright grab and trying to pretend otherwise.
Google’s checkered past
Google’s approach to user information is mixed. While it is superb on the security side, providing secure, encrypted access to most of its services, and actively monitoring Gmail accounts for patterns of unfamiliar account access, its privacy score is far worse. It signed a consent decree in March 2011 with the Federal Trade Commission (FTC) over its Google Buzz social-network launch in 2010. Buzz tied into Gmail, exposed private information without disclosure, and—according to the settlement with the FTC—misled users about whether they could opt in or out of the social network.
The consent decree requires Google to adhere for 20 years to tight strictures about privacy, including audits. But then in February, Google was discovered to be strategically bypassing default settings in both the desktop and mobile versions of Safari that should have prevented it from storing tracking cookies. The San Jose Mercury News says the FTC is nearing the end of an investigation that could result in a finding that the consent decree was violated—if so, the resulting fines could be in the millions of dollars.
And in April, the FCC released a report that stated Google had intentionally designed its Street View Wi-Fi positioning system to collect data passing over unencrypted Wi-Fi networks, despite the company’s previous protestations in 2010 and later that it such collection was the result of an accidental debugging mode left on in production. The FCC said that was false, and fined Google for obstructing the investigation. (The FTC closed an investigation without making charges earlier, and the FCC report stated it lacks clear authority to pursue violations of communications laws.)
Despite that, Google didn’t try to assuage concerns about what its access to uploaded files in Google Drive might mean to individuals wary of the firm and concerned about the sanctity of their data. Instead, Google linked to its generic terms of service that spells out what you give up when you upload and sync. The salient part:
Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.
Many people have taken this to read that Google has engineered a wholesale acquisition of the rights, without compensation, of any files that are uploaded to a Google Drive. That’s not the best reading, but it’s a reasonable reaction to such broad terms—partly because the first paragraph (about “what belongs to you stays yours”) seems in conflict with the second, which gives Google a specific copyright license for your stuff.
Google has to obtain a license from you to store and transfer your files for your purposes on its servers and other infrastructure. The license is “an artifact of copyright law’s collision with modern technology,” says McSherry. That license has to encompass many different ways in which the firm may handle files. Her concern lies not with the bulk of the legal language, but Google’s aside about services, that your data may be used to “develop new ones,” given that such future services aren’t specified. McSherry said her druthers would be Google to strip that portion, and require users accept a revised license each time a new service that doesn’t fall inside the scope of the license requires access to store data.
Google could be clearer
A year ago, I wrote an article at BoingBoing about the debacle that enveloped TwitPic, when it updated a set of copyright terms from a single line to what seemed to be a true attempt to gain rights to use without it being quite clear that was the case. Other photo-sharing services had better and clearer terms that said explicitly they were keeping their hands off your rights except for storage and display.
Google could have learned a thing or two from TwitPic about how people react to believing that stuff they own is being licensed via what feels like fine-print subterfuge. Google’s competitors in file storage certainly didn’t trod the same path. Contrast Google’s relevant partial paragraph with the same at Dropbox, written in legally binding but delightfully clear language:
By using our Services you provide us with information, files, and folders that you submit to Dropbox (together, “your stuff”). You retain full ownership to your stuff. We don’t claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below.
We may need your permission to do things you ask us to do with your stuff, for example, hosting your files, or sharing them at your direction. This includes product features visible to you, for example, image thumbnails or document previews. It also includes design choices we make to technically administer our Services, for example, how we redundantly backup data to keep it safe.
SugarSync’s terms are a bit terse, but substantially more limited and clear contrasted with Google’s:
In order to make the Service available to you, we need your permission to sync and store your Files. Accordingly, you hereby grant to SugarSync a license: (i) to use, copy, transmit, distribute, store and cache Files that you choose to sync and/or store; and (ii) to copy, transmit, publish, and distribute to others the Files as you designate, whether through the sharing or public linking features of the Service, in each case solely to provide the Service to you.
Microsoft’s usage contract is generic, like Google’s, as its SkyDrive service is part of the broader Windows Live approach to the world. Nonetheless, there’s a sensitivity to explaining how user files are handled that Google could learn from:
Except for material that we license to you, we don’t claim ownership of the content you provide on the service. Your content remains your content. We also don’t control, verify, or endorse the content that you and others make available on the service….You understand that Microsoft may need, and you hereby grant Microsoft the right, to use, modify, adapt, reproduce, distribute, and display content posted on the service solely to the extent necessary to provide the service.
In the end, I expect that Google will bow to concerns, and possibly inquiries from the government, and fix up the terms to be closer to those of its competitors. I don’t believe Google is attempting anything more nefarious than covering its posterior to prevent customers from having a legal standing (and the potential of success) to sue it for routine handling of files.
EFF’s McSherry has a broader concern encompassing Google and all cloud services. Namely, that users are generally unaware of how and when third parties, not the service providers themselves, may gain access. That may occur both under the terms of the contract and when governments require access (with or without subpoenas) and prohibit a provider informing the data’s owners of such intrusion. Users “should be worried about a whole heck of a lot of other things,” McSherry said.
[Glenn Fleishman copyrighted a computer program in 1979 when he didn’t know any better. He is a senior contributor to Macworld, a contributor editor and programmer at TidBits, and one of the writers of the Economist’s Babbage blog. He appears regularly on public radio to discuss the tech industry.]