Google under Fire | Citizens Against Government Waste

Google under Fire

The WasteWatcher

Google is the world’s largest search engine, and Android by some estimates is the most popular mobile platform, but the company is facing several problems related to privacy and security, as well as the validity of claims made in regard to software designed for use by the government.

To Be Certified or Not to Be Certified

The most recent trouble for Google concerns questions from the U.S. Department of Justice about whether or not Google Apps for Government was certified under the Federal Information Security Management Act (FISMA). The issue of certification was raised by Senate Subcommittee on Financial Management Chairman Tom Carper (D-Del.) at an April 12 hearing, based on questions submitted the prior day by Citizens Against Government Waste (CAGW) as part of its ongoing efforts to improve the effectiveness and efficiency of government information technology procurement and management.

The controversy over certification was cited by Chairman Carper as being “serious” and he tweeted that he wanted to “get to the bottom” of the issue. Following up on those questions, the U.S. Court of Federal Claims on April 26 released a sworn statement from the General Services Administration (GSA) that Google Apps for Government has not been certified under FISMA. Nonetheless, the company continues to make such a claim on its website.

GSA Associate Administrator for the Office of Citizen Services and Innovative Technologies Doug McClure stated at the Senate hearing that Google Apps Premier was FISMA certified, but that Google Apps for Government was a new product or “subset” of Premier.  He said that GSA had to re-certify the product, “based on those changes that Google has announced for the ‘Apps for Government’ product offering.”  It was not clear at that time if he was talking about re-certifying Premier, or certifying Apps for Government for the first time.  His sworn statement makes it clear that Apps for Government is not certified at all.

Mr. McClure told the Court of Claims that “no final determination has been made by GSA regarding FISMA certification for Google Apps for Government.”  There is nothing vague about that statement, and it undermines every representation made by Google, both on its website and in discussions with federal agencies, that Google Apps for Government is FISMA certified.  GSA’s separate public statement, attached to Mr. McClure’s sworn declaration, reiterates that Google Apps Premier is certified, but GSA is working “with Google to review the additional controls to update the existing July 2010 FISMA certification.”  The agency’s evaluation will determine if the “additional controls” will be “rolled into” that certification.  Regardless of the outcome of the review, Google Apps for Government has clearly not been approved under FISMA.

The taxpayers’ money and the integrity of the procurement process are both at risk when a contractor makes claims that are not supported by the facts.  Companies cannot be permitted to represent their products as meeting important government standards when they have not been approved.  CAGW has urged GSA and the Senate Subcommittee on Federal Financial Management to require that Google remove the claim of FISMA certification from its website and any other documents until GSA completes its review of Google Apps for Government and officially approves or disapproves the product.

Not Gaga Over Google

On April 14, The Los Angeles Times reported on the massive problems facing the city in its efforts to migrate to that same Google system. The saga of Google in Los Angeles began when the city council unanimously approved an agreement to replace Novell’s GroupWise email system with Google Apps in October 2009. City Councilman Paul Koretz said, “It’s unclear if this is cutting edge, or the edge of a cliff and we’re about to step off.” The city was supposed to complete implementation by June 2011 and then add the L.A. Police Department and other law enforcement agencies once security and functionality concerns were resolved.

However, problems arose quickly, and have now blossomed into a full-blown debacle.  First, as cited in CAGW’s May 5, 2010 blog post, an April 13, 2010 letter from the City Administrative Officer to the Chair of the Information Technology and Government Affairs Committee expressed concerns over Google Apps’ privacy safeguards and cost.  Next, CAGW chronicled in its October 21, 2010 blog post how the city decided to delay implementation, citing cost and security concerns. 

Then, on November 24, 2010, L.A. Chief Technology Officer Randi Levin wrote a scathing letter to Computer Sciences Corporation, the prime contractor for installing Google Apps, citing numerous failures in the implementation of the system. She noted that CSC and Google had not met their deadline and wanted additional time to draft a plan for migration for the LAPD, and that the contractors wanted the police department to make “unacceptable” operational and policy changes. In fact, she said that the repeated failure to meet deadlines went “beyond a mere failure to communicate in a timely manner, and instead, on several occasions, has risen to the level of misrepresentation.”

She asked CSC to sign an amendment to the contract that would commit the company to implement the migration plan by a date certain, and pay for the cost of any delays, among other requirements. 

By the time that L.A. Times reporter David Sarno wrote his latest of several articles on Google Apps on April 14, the city was considering legal action against the company.  Sarno noted that Google “has been unable to meet crucial security requirements,” and has “opened itself up to criticism that it was exaggerating its ability to do so.”  He also wrote that City Controller Wendy Greuel has opened up an investigation and sent a letter to the city technology agency asking for an explanation of what had occurred.  Google’s response was that the city was at fault for asking the company to “meet new requirements that were not part of the original contract and which required work to implement in a cloud computing environment.” 

One day before the article was published, State Senator Joel Anderson (R-36) sent a letter to Google CEO Larry Page, asking for information about both the DOJ questions regarding Google Apps for Government certification, and the security issues surrounding implementation for the city of Los Angeles.

Despite the ongoing questions regarding FISMA certification and L.A.’s migration to the cloud, the company is maintaining a sunny outlook.  The Google Apps for Business website states that “Google Apps for Government, now with FISMA certification” is the “first” to obtain that designation.  Ironically, it quotes L.A. CTO Randi Levin as follows: “In addition to empowering employees across the city, everyone will benefit from Google’s security controls, which will provide a higher level of security for City data than exists with our current system.” She would probably not stand by that statement today.  With 20,621 employees, according to the company’s first quarter 2010 financial report, and revenue of $6.77 billion, one would think that someone at Google would pay attention to the accuracy of the information contained on the company’s website. 

 

Taxpayers can save money when cloud computing systems are properly implemented by contractors and government agencies.  In fact, New York City Mayor Michael Bloomberg projects savings of $100 million from the city’s new data center, and Miami city officials claimed savings of 75 percent of costs related to software, hardware and staff efficiencies in the first year of implementation.  Many other cities are watching to see how this important technology will work before they move ahead with their own plans.  CAGW will be continuing to monitor progress around the nation, and will develop a set of best principles for governments at all levels to consider before moving forward into cloud computing.

Google Gets Double Secret Probation

It seems fairly clear that Google engineers thought it would be cute to name buttons on its Google Buzz social network, “Sweet! Check out Buzz,” “Nah, go to my inbox,” and “Turn Off Buzz,” but the Federal Trade Commission (FTC) – and thousands of consumers who joined Buzz – did not think it was very funny that saying “no” meant saying yes to enrolling in some features of Buzz. Nor was anyone pleased that Google failed “to adequately disclose that consumers’ frequent email contacts would become public by default.” That comment and others were contained in a scathing announcement of a proposed settlement regarding the FTC’s complaint that Google engaged in deceptive practices and violated the company’s privacy promises to consumers.

The FTC noted that this is the first time a company has been required “to implement a comprehensive privacy program to protect the privacy of consumers’ information.” The settlement “bars Google from misrepresenting the confidentiality of individuals’ information,” requires the company to “obtain users’ consent before sharing their information with third parties” if there is any change in the promises made when the users’ information was first collected, forces Google to “establish and maintain a comprehensive privacy program,” and requires that “for the next 20 years, the company have audits conducted by independent third parties every two years to assess its privacy and data protection practices” (that’s the double secret probation part of the agreement). In other words, a company that was established in 1998 and controls two-thirds of the Internet search engine business never had a comprehensive privacy program and needs a babysitter to make sure that it doesn’t again misrepresent its privacy policies. The FTC is also considering antitrust action against the company.

Google is now under close scrutiny by legislators and antitrust regulators; has a business model that depends almost entirely on algorithms derived from collecting and analyzing information about individuals for advertising purposes (not that there’s anything wrong with that); “mistakenly” took in private information when it was creating Street View for Google Earth; asked for the Social Security numbers of children because they supposedly did not want duplicate submissions for its “Doodle 4 Google” contest; and the company’s number six principle is that “you can make money without doing evil.”  Privacy violations may not be evil, but they are certainly not ethical.  And it certainly boggles the mind that Google did not think about the consequences of its actions or adhere to its own privacy principles long before the FTC had to slap them with unprecedented sanctions.

Doodle 4 Google is described on the company’s website as being “all about creativity and enjoying designing fun things.  Think about how you want to change the world.”  Given the FTC settlement announcement, the misleading “certification” of Google Apps for Government, the ongoing migration mess in Los Angeles and other recent problems, more and more people will think hard about how they want to change Google, which may not be so much fun for the company.