Swedish watchdog: Google's chocolate cloud? Nej, not private

Bans official use of ad giant's apps suite

The Google bods who sell the ad giant's software services in Europe have been banned from flogging their wares to Sweden's public sector due to unresolved privacy concerns.

The ruling came after a local council was prohibited from using Mountain View's cloud services, and applies to Sweden's local and central government, though not to private sector firms.

Salem, a town of around 16,000 about 30km southwest of Stockholm, wanted to sign a licence to use Google Apps, but Sweden's data protection authority blocked the deal.

The judgment is not linked to the recent controversy over the NSA's web-snooping surveillance scheme, but instead reflects deep-seated concerns about the security and privacy implications of using US-based cloud service providers.

This is not the first time Sweden has expressed its concerns. The issue first came up in 2011 when Sweden's Datainspektionen (data protection regulators) ruled that Google's terms and conditions, which allow it to do what it likes with customer data "for the purposes of providing, maintaining and improving the services", were unacceptable.

In particular there were concerns about Google handing customer data to third-party subcontractors as well as what would happen with potentially sensitive data if and when the contract was terminated for any reason.

Datainspektionen ordered Salem to renegotiate a contract incorporating tougher privacy protections. Salem returned with a revised deal last month but that too was judged as deficient. The decision leaves Salem with the option of either going through another round of renegotiation, with an uncertain outcome, or looking for another way to deliver IT services.

UK-based privacy expert and campaigner Simon Davis tipped us off about Google Apps' second knock-back in Salem. The ruling prohibits Sweden's public sector bodies from using Google Apps cloud services, according to Davis.

"Google was the only service cited in the judgment. It will apply to all cloud providers, but Google is the one with the deficient contract," Davis told El Reg.

In a blog post, Davis said other regulators across Europe may take a close interest in the Swedish ruling.

The decision comes at a critically important moment for Google. A group of EU data protection regulators is currently deciding how to respond to the company’s controversial new privacy policy which allows the company to amalgamate data across all its products and services for whatever purposes it sees fit. Regulators are concerned that this condition is perilous to data protection rights. The Swedish decision reflects many of these anxieties.

IT security industry veteran Paul Ducklin, writing on Sophos's Naked Security blog, said that Swedish regulators were entitled to take a stricter line about taxpayer data held by local councils than they would for private businesses in similar circumstances.

"It's one thing to outsource your own IT services - personal email, blogging, website and so forth - to save time and money," Ducklin writes. "That's your own choice to make."

"And it's fair enough if you're a company whose customers can vote with their chequebooks if they don't like the service provider you've chosen. But as a 'customer' of a local government, you don't have that liberty, so you are stuck with the privacy-related decisions made by your council," he added. ®
