Google responds, claims new privacy policy will not affect sensitive data

Last week, CivSource reported on several concerns raised by government IT consultants Jeff Gould and Doug Miller about Google’s new privacy policy and what it might mean for government customers. Google has responded in an attempt to address those concerns.

On March 1, Google ushered in a new privacy policy for its consumer applications, including services like Gmail, Google Search, YouTube and Google Plus. Even before it was fully introduced, the new policy raised a variety of concerns in both consumer and public sector circles as individuals reconcile what privacy really looks like on the internet. I spoke with Google spokesmen Tom Sarris and Tim Drinan of Google Enterprise about the new privacy policy and what it will mean for government users.

“The thing that many people don’t understand is that the policy isn’t completely new, it’s a consolidation of our previous policies across all of these disparate areas into a plain English version that is more readable. We aren’t capturing anything new,” Drinan explains. “For our enterprise and government customers, any contracts they have with us that were made separately will supersede the consumer privacy policy.”

He points to an existing agreement with a Google Apps for Government client, the General Services Administration (GSA). According to Drinan, the GSA maintains a separate privacy contract with Google that complies with federal security regulations, which would prohibit many of the data collection practices contained in the current consumer version of the privacy policy.

That claim is backed up by a statement from the GSA: “The recent changes announced by Google pertain only to their free, publicly available services. These changes do not apply to Google Apps for Government, which is the version used by GSA. Our usage of the Google Apps solution is governed by contractual agreement with Google and our prime contractor, Unisys. The solution is compliant with all federal regulations and requirements, including those regarding privacy and data protection.”

Despite that, some concerns remain about the overall process of using Google Apps in a public sector setting. Users who use Google services for both personal and public sector use are in essence subject to two privacy policies depending on how they are logged in.

If an individual is logged into their government account, they’ll be protected under the contract governing their agency. If an individual logs in on their personal account, they’ll be governed by the consumer policy. Drinan notes that no data will be shared between the two accounts.

These nuances may not be immediately clear to an individual user, however. Google is in a unique position, being a government service provider that is also the custodian of the retail consumer internet experience, a position that may not be fully understood by individuals.

Drinan explains that Google Apps for Government account administrators may open or block access to other sites and services like YouTube, although most clients maintain blocks on many of these areas. However, once a user logs in from a device that is not behind a wall like that, they are governed by both policies depending on how they are logged in, conditions which can be risky in the era of mobile access, telework and multiple workflows.

I asked Drinan if there is a warning process or some kind of education that comes from Google about how these worlds work together or when users are switching between them. He notes that they leave the education component largely up to the clients themselves. He also pointed me to two blog posts that the company has put up to help clear up any questions about the two policies.

“We went through an extensive notification process before the policy took effect for Google users. It was one of the largest notification efforts we’ve undertaken,” he says.