Google and Salesforce.com: the compliance angle
By Dennis Howlett in Editorial
Posted in compliance on
Much has been made of the tie up between Google and Salesforce.com. At first blush the deal has much merit, especially given that Salesforce.com has done a credible job of providing solid integration with Google Apps, and specifically with Gmail, GTalk, GoogleDocs and Spreadsheets. I wonder about the compliance angle.
During yesterday’s dog and pony show in San Francisco, executives from Google were keen to talk up the work Postini has done as providing a solid, secure, data solution for large scale business. Salesforce.com is already seen as a trusted provider for business applications running in the cloud. Where’s the problem?
My analyst colleague Josh Greenbaum has questioned the extent to which Google owns your content, noting that the Terms of Service (ToS) say:
“… you grant Google a worldwide, non-exclusive, royalty-free license to reproduce, adapt, modify, publish and distribute such Content on Google services for the purpose of displaying, distributing and promoting Google services…”
IDC’s Frank Gens thinks this argument has been shot down by the Writely founders, now part of Google offering that:
Google cannot legally, and doesn’t want to, make public your private data. [Upon looking at the Google Terms, it also appears to me that Google has revised its terms to more clearly point this out.]
Like Josh, I am no lawyer but what I do know is that there is an ongoing inconsistency with Google Apps ToS which make it very difficult for the ordinary person to figure out the extent to which Google is protecting the privacy of business data and who owns what.
Right now, I defy anyone to explain to me how Google is offering to protect business data when, in its ToS it says in regard to Google Docs:
“You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Service. By submitting, posting or displaying the Content you give Google a worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through the Service for the sole purpose of enabling Google to provide you with the Service in accordance with its Privacy Policy.”
The link for this was lifted directly from Frank’s post and I can find no difference between what it says now and what Josh was referring to.
Google’s business model depends on being able to aggregate data it collects through its cloud computing platform. That provides it with the basis upon which it can display targeted advertising. No-one I know is concerned about this element of the implicit deal you do when you use Google’s free apps. It is the: “non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content” that causes concern. That is because these additional ‘terms’ appear to override Google’s otherwise transparent approach to general privacy. These general terms were last updated in October, 2005.
Elsewhere, Mike Arrington of TechCrunch notes that Google is trying to distance itself from its ‘Do No Evil’ moniker. I’m sure it is. As commercial businesses grow it is very difficult to live up to ideals of this kind. But if Google, which otherwise generally tries hard to be a good partner, is incapable of revisiting its ToS, then you have to ask: Will your data be compliant if it is in the Google cloud? At least one questioner at yesterday’s show put exactly that point to Google exec Dave Girouard, asking if Google will be (for example) HiPAA compliant. There was no clear answer.
My sense is that Google hasn’t thought this through, or if it has, then its lawyers are incapable of figuring out a wording that doesn’t destroy the business model of ‘free for ads.’ This is an issue that won’t go away any time soon. If you’re a smaller business then you may not be so concerned. But if you’re part of a supply chain where data is exchanged that might include emails and IM chats with larger third parties that are subject to compliance standards, then you need to think about this.
Rated: 73.33% (3 votes)
Loading ...Comment by Frank Gens - April 15, 2008 on 4:10 pm
Hi Dennis - I’m no lawyer either, for sure. And I don’t want to unreservedly vouch for Google’s corporate morals. But I think the key part of Google’s ToS noted above is: “…for the sole purpose of enabling Google to provide you with the Service in accordance with its Privacy Policy”. Looks to me that they’re basically saying: “we need to copy, move around, store, transmit and otherwise manipulate your content as part of delivering the Apps functionality, so you’re giving us permission to do that”. About how others can/can’t get access your content, they point to their Privacy Policy, which basically says: “You (not Google) decide who can/can’t get access to your content. And you can delete it from Google servers when you cancel the service.” Sounds pretty standard - not nefarious - to me.
But, having said that, should Google do MORE to assure customers about content privacy? It’s pretty clear, and our friendly debate about what Google’s policy really is demonstrates, that they ABSOLUTELY SHOULD clarify what their real policy and behavior is. And they probably need to consider changing it, to err more on the side of customer comfort, and less on the side of Google legal CYA.
Comment by dennish - April 15, 2008 on 4:42 pm
Hey Frank - good to see you here. I wanted to comment at your place but found a login wall. If I’m not clear then I apologize. I don’t say Google is playing in a nefarious manner - partners tell me they are surprisingly (compared to others), easy to work alongside. But I do say that business has to trust its providers in the round.
What you’re highlighting is exactly the kind of inconsistency that gives me a headache when thinking about what to say to the business considering the Google option.
On the question of what they could/should do, I doubt we have any disagreement.
Make a comment
Most commented posts
- Shai Agassi's next big thing
4 comments
- What does transparency really mean?
- Thank you Pakistan, yours: YouTube
- Google and Salesforce.com: the compliance angle
- When will the confusion end?
- So what is this GRC thing?
- Materiality and Web 2.0 in GRC/CSR
- The Grumpy Old Man: my kinda guy
- Saas, low calories and conserving energy
Highest Rated Blog Posts
- What does transparency really mean? (100%)
- Green ethernet from D-Link: a start (100%)
- So what is this GRC thing? (100%)
- Compliance in China: a case in point (100%)
- Going green in Las Vegas: (100%)
- Materiality and Web 2.0 in GRC/CSR (100%)
- Who cares about GRC? (86.6%)
- Shai Agassi's next big thing (83.4%)
- The Grumpy Old Man: my kinda guy (80%)
- When will the confusion end? (80%)