Upload your private diary, novel manuscript, amateur movie or digitally crafted song to Google’s new Google Drive and it’s totally impervious to company tinkering, right? Not necessarily. In fact the way things are currently laid out within Google’s service terms, the company could theoretically pore over your G-Drive data at leisure, mining it for information about you, say, to use in its relentless pursuit of more personalized ads.
When Google simplified its “terms of service” last month, it did so in part by pulling all of its separate privacy policies under one umbrella, consolidating text and admirably rewriting things in a way that sounds at least a little less like mind-numbing, cover-every-base legalese.
(MORE: 5 Reasons to Give Google Drive a Shot)
But that catchall approach means services you interact with in very different ways wind up covered under a blanket policy, and the obvious problem with that, is that many of Google’s services are unique, with Google Drive’s singularity in terms of exposing your most sensitive personal information taking the cake. Imagine storing everything you’ve ever written as well as your work files containing sensitive business or corporate information, your tax receipts, annual credit reports, personal credentials (birth certificate, scans of your passport, etc.) and so forth on your G-Drive. Think that data’s untouchable by Google? Think again.
In its “terms of service,” Google states that “Some of our Services allow you to submit content,” Google Drive (nee Google Docs) being the most obvious one. Google rightly acknowledges that “You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.” Rest easy, in other words, Google’s not looking to co-opt your intellectual property.
It’s the next part that’s unsettling, where Google basically gives itself blanket permission to content-peep at leisure:
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.
If it lives on Google’s property, in other words, Google grants itself and anyone else it approves a global go-ahead to do pretty much anything with your content except pass it off as its own. Eyebrows raised? They should be. It means Google’s saying it can, even as Google Drive goes live, silently collect information about what we’ve placed on its servers, and I don’t mean innocuous demographics, like how many people store stuff in Microsoft Word versus Google Document, iWork Pages or plain old Rich Text format — the company’s basically granted itself a license to look at whatever’s in your content, too.
“The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones,” states Google, but since “advertising” — Google’s bread and butter — works as a catchall under any of those, it means the company could, in theory, poke around in any of your content or pass information about that content along to third parties under the auspices of self-perpetuation.
(MORE: Google’s Privacy and Dashboard Options: Still a Tangled Web)
The company does note that “in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services.” I’ve scanned around Google’s G-Drive pages looking for something that exempts users from its blanket license, but all I get when I click on privacy links is redirected to the “terms of service” page.
If any Google service warrants privacy firewalling, it’s Google Drive. This isn’t YouTube or Calendar or even Gmail — the potential for someone’s most sensitive data to be snooped, whether to glean info for marketing or otherwise, is too high. Mark Zuckerberg may not be entirely wrong when he suggests the age of privacy is over or that privacy is no longer a “social norm,” but we have to draw a line somewhere.
Google ought to create a privacy exception that “narrows the scope” of its service terms for Google Drive, one that minimally states the company will never circulate the information generated from searching within your G-Drive data in any way. Barring that, you may want to forego using Google Drive to store sensitive data, maintaining and backing it up offline.
You retain full ownership to your stuff. We don’t claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below.
What do those “limited rights” amount to? In addition to day-to-day operations-grade stuff, Dropbox states that
We may need your permission to do things you ask us to do with your stuff, for example, hosting your files, or sharing them at your direction. This includes product features visible to you, for example, image thumbnails or document previews … You give us the permissions we need to do those things solely to provide the Services. This permission also extends to trusted third parties we work with to provide the Services, for example Amazon, which provides our storage space (again, only to provide the Services).
Dropbox’s language is more restrictive than Google’s — there’s no blanket license granted to “use, host, store, reproduce, modify…” etc. your data, for instance, but the door’s not entirely closed, either. Would you pay companies like Google or Dropbox to keep the door shut, say a monthly or annual fee for a “premium tier” version? I might, if it meant knowing my data was as secure as possible — not just from the machinations of hackers, but the prying eyes of corporate data miners, too.