RealTime IT News

Google's E-Mail, Cloud Security Criticized

Google already has the technology to protect users from e-mailing while drunk. Surely that's enough?

Not according to a group of security industry experts. The 38 signatories of the open letter to Eric Schmidt, Google's CEO include such notaries as Bruce Schneier, Ben Edelman, and Jeff Moss.

The letter says that Google can set the standard for security in cloud services by enabling HTTPS and other security features by default. That's why the letter's not written to any of several other companies that it says are equally at fault.

"Google is not the only Web 2.0 firm which leaves its customers vulnerable to data theft and account hijacking. Users of Microsoft Hotmail, Yahoo Mail, Facebook and MySpace are also vulnerable to these attacks," the letter says.

Google has already responded. "We know HTTPS is a good experience for many power users who've already turned it on as their default setting. And in this case, the additional cost of offering HTTPS isn't holding us back," wrote Alma Whitten, Google software engineer, in a blog post.

"But we want to more completely understand the impact on people's experience, analyze the data, and make sure there are no negative effects," Whitten said.

Christopher Soghoian, a Ph.D. candidate at Indiana University and research fellow at Harvard University, organized the group.

"I wrote the letter, and then asked a bunch of my friends and colleagues to sign it," he said in an e-mail to InternetNews.com.

The purpose of the letter, Soghoian explained, was "to get Google (and others) to do the right thing, and offer their users transport-level encryption, and thus protection when checking their e-mail or using other cloud services on untrusted networks (like coffee shops, universities and libraries)."

He said he targeted Google because it was the best -- and not the worst -- in this area.

"Google already offered HTTPS -- just not by default," he said. "I thought it would be easier (and more realistic) to pressure Google into flipping the switch, and make this the default. The other companies would be more of an uphill struggle. My hope is that ... others will follow their example."

Cloud security

It's not the first time experts have criticized Google over security. In May, privacy activist outfit EPIC filed a complaint with the Federal Trade Commission (FTC) claiming that Google designed its cloud services to have inadequate security and that this shortcoming is an unfair business practice.

"The FTC should hold accountable the purveyors of Cloud Computing Services, particularly when service providers make repeated, unequivocal promises to consumers regarding information security," the complaint said.

The allegations also come against a backdrop of recent security issues faced by cloud-based and Web 2.0 services. Facebook and Twitter have been attacked. Last year Yahoo's HotJobs suffered a breach.

Google itself knows the risks. The social security numbers of employees were exposed in a breach last year.

"We take security very seriously, and we're proud of our record of providing security for free web apps," Google's Whitten said.