If you have something to hide from the government, don't use Google Drive

If you have something to hide from the government, don't use Google Drive

Summary: Just as with Dropbox, SkyDrive, or any other cloud service provider, if you have something to hide from the government, don't put it in the cloud. Here's why.


Google Drive arrived at long last this afternoon, and unlike its social networking project, it hasn't needed any publicity from the press to generate excitement.

But what happens when a European citizen, or non-U.S. citizen, uploads sensitive data or personal information --- or even those photos from a family vacation a few months back --- to a service where its datacenters are outside of your own legal jurisdiction?

Whose laws apply, and do you have any legal protection while your files are stored in a U.S. server, as you sit at your office desk in London or Brussels, or Sydney or Tokyo?

Don't think for one minute this problem is limited to Google Drive. Just like any other cloud service, such as Dropbox, Microsoft's SkyDrive, or Box.net, which is hosted within the United States --- even if it has European or non-U.S. datacenters --- where your documents actually reside remains an important and contentious topic.

This isn't new. U.S. law allows law enforcement to search until they are blue in the face. It's just the way it goes, and has been the case for over a decade at least. The UK authorities are the same, and so are the Germans, the Australians, and most other economically developed countries in the world.

But because the technology world revolves around Silicon Valley based companies, we are more concerned and focused on U.S. law, as it's the only one that really applies.

In the case of Google Drive, the search giant makes it clear that it can transfer your data outside Europe to the U.S. for any purpose:

"As part of providing the Services, Google may transfer, store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data."

Because all of these companies are U.S.-based, they have to comply with the laws of the United States, but also comply with foreign laws in some cases --- such as the European Union --- particularly if the company markets itself as an international company, or targets users outside the United States.

With this, a conflict emerges. Whose law should the company follow if there is a conflict? If Europe says, "you can't take data outside of your European datacenter," but the U.S. government requests a users' files in that datacenter, there is a problem that frankly nobody knows the answer to.

Not yet. Despite it reaching the European Parliament, the Commission denies there is a problem, but has stonewalled its own Parliament over questions, and continues to miss the damn point.

But the same applies in reverse. Any UK wholly-owned cloud computing company, with datacenters and its operations center both within the borders, means the UK government can access such data under similar Patriot Act-like laws. The UK has intelligence sharing agreements with the U.S. anyway, so that data could easily be handed back to base for further snooping.

While the cloud is a fantastic way of keeping your employees, staff, students or anyone else for that matter connected to the files and content when they need it, it should not be a compromise for document or corporate security.

Simply put: don't put anything in the cloud --- whether it be Google Drive, Dropbox, SkyDrive, or any other service --- that you would not want anyone seeing. Because at least if the feds come knocking at your door, at least you know what they're after, and why they're after it.

"If you have something to hide [from the government or otherwise], don't use the cloud". It really is as simple as that.

With the cloud, there's no way of knowing for sure that your data isn't going elsewhere. At least in your own private cloud, you can control who has it and where it goes. For a start, someone from the government has to physically knock on your office door to request the documents, whereas in the cloud, they can take what they like and prevent the cloud provider from saying anything.

Enough screaming into the wind. It's enough to say: "don't use the cloud for mission-critical or sensitive documents." It's as obvious as telling someone to wrap up before they go out because it's chilly outside, or telling someone not to put their hand in that white-hot fire.

But on days like today, it's easy to get wrapped up in the "shiny, shiny," and forget there is an actual world of politics out there.

Image credit: Google/ZDNet.


Topics: Storage, CXO, Data Centers, Google, Government, Government US, Hardware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Encryption

    Or encrypt it such that you're the only person with a private key. If governments really want your data, make them work for it!
    Jeff Kibuule
    • Required Reading

      Just read Dan Brown Digital Fortress for an interesting theory on that!
  • Actually it should read "Don't use the Internet"

    The US government collects a massive amount of data every day from high-volume taps like the one at the AT&T San Francisco office. So anything from cloud uploads to email attachments to forum posts gets swept up in the dragnet. Cloud files are a little more susceptible to fishing expeditions because it is quasi-permanent, but that's about the only difference.
    terry flores
  • Corollary matter

    A corollary matter I learned awhile back: because I was concerned about certain data possibly being subject to discovery if a U.S. lawsuit was ever filed I deliberately opened a hosting account with a company in Argentina. I was shocked when I later did a tracert and found out the data was actually being hosted in Texas.

    The general attitude is that, overall, U.S. hosting is just a lot more reliable--faster speed, less downtime, etc. Whether it's true or not, that is the perception. So even though a company may be formed and doing business outside the U.S., may do business only in a language other than English, and doesn't seek any U.S. customers, unless it expressly advertises that its servers are located in that country, you should assume that at some point at least some of the data will be hosted from a U.S. server.
  • Exactly right

    What should really give people pause is that a lot of these companies do business in China and other totalitarian states where due process is not scrupulously observed, and that do employ agents outside their own borders.

    The moral of the story is that sensitive data must be encrypted before it goes on the Internet. Period.
    John L. Ries
  • One answer: Client side dedup and very very strong crypto

    If you deduplicate and use very strong crypto on the client before any data ever leaves it doesn't really matter where its stored. You need to do per account dedup and crypto to ensure that the data is encrypted using keys that are unique to each client. Most of the services mentioned use real dedup so even if they encrypt for transport/storage it's so weak you might as well not bother and data can be compared to other users data to try to unwind the crypto. You also want the code to be open source so you can actually see what is being done to your sensitive data. www.cyphertite.com has all these features. Near as we call tell it's the safest cloud backup solution out there. Windows and Mac version of this should be coming soon.
  • Meh! Just more FUD

    Why have a title that implies that Google Drive is giving away our details to anyone who asks nicely when this is a problem that affects other cloud providers?

    @ Zach "Simply put: don???t put anything in the cloud ??? whether it be Google Drive, Dropbox, SkyDrive, or any other service
  • Those freaking low-life SPAMMERS are really annoying...

  • Which to believe?

    I find it very interesting that while reading this blog about NOT storing your data in the cloud, the right side of the page has the following:


    Does Your Cloud Storage Strategy Measure Up? The idea of storing your data in a virtualized environment is no longer something to think about, implementation is critical for success.

    Investing in A Cloud-Based Back-End Check out this white paper to learn about the tools you'll need to switch to a cloud-based back-end.

    Sponsored Links

    ??? SaaS Cloud Computing
    On-Demand Savvis IT Services. Scalable. Secure. Affordable.

    ??? 2TB Cloud Storage: $16
    Appears on your computer like any disk drive. Access files anywhere.

    On the same website page, we are getting messages telling us to both trust the cloud and not to trust the cloud.
  • Encryption...

    ... only works against govts which won't put you in jail for not providing decrypted data on demand.

    Such advanced western democracies as ... the UK, for instance.
    Uncle Stoat
  • The summary says it all

    "If you have something to hide, don't put it on the Internet" is good advice, if a little obvious. The truth is that any service that you trust can and will be compelled to cooperate with governments regardless of what they claim in their privacy blurb, and any service that really won't cooperate with a legal writ is likely run by shady individuals who are plundering it for themselves anyway.

    Then again, maybe it isn't so obvious given the prevalence of exactly this kind of error.