Technology Review - Published By MIT

In Google We Trust


By Simson Garfinkel

Dec. 2005/Jan 2006


Far more troubling for me, however, is Gmail's data security story.

Like privacy, security is a much deeper concept than most Internet users realize. Being free from spyware and viruses is important, certainly. But so is data integrity -- retaining data whole, without additions, deletions, or other modifications. While Google provides a ton of storage and great availability, there is no obvious way to back up your e-mail once it has been delivered, read, and archived. This means that you have no choice but to trust Google totally for your data integrity.

But nowhere in Gmail's "Terms of Use" does the company promise that it won't delete some or all of your mail -- now, or in the future. In fact, the termination clause of Gmail's policy gives the company the right to delete any account, for any reason, at any time, with no user recourse.

Gmail could provide a backup system, of course. Google Desktop already downloads mail in the background for offline access, and it would be trivial to let users save that e-mail in archive files on their hard drives, for subsequent burning onto CD-ROMs or DVDs. Perhaps Gmail will do this in the future. But it doesn't do it now.
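The integrity check that a locally saved archive would make possible can be sketched as follows. This is an added example, not part of the original article or any Google tool: it hashes every message in an mbox file, seals the resulting manifest with a key only the user holds, and later reports additions, deletions and modifications. The addresses, key and messages are constructed samples, and it assumes every message carries a unique Message-ID.

```python
import hashlib, hmac, json, mailbox, os, tempfile
from email.message import EmailMessage

def build_manifest(path):
    """Map each Message-ID to the SHA-256 of that message's bytes."""
    box = mailbox.mbox(path)
    try:  # assumption: Message-IDs are present and unique
        return {m["Message-ID"]: hashlib.sha256(m.as_bytes()).hexdigest()
                for m in box}
    finally:
        box.close()

def seal(manifest, key):
    """HMAC-SHA256 over the sorted manifest; the key never leaves the user."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def compare(old, new):
    """Report the three integrity failures: additions, deletions, modifications."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }

def make_msg(msg_id, body):
    """Constructed sample message."""
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.org", "bob@example.org"
    m["Subject"], m["Message-ID"] = "constructed sample", msg_id
    m.set_content(body)
    return m

def demo():
    key = b"constructed-demo-key"  # placeholder, not a real secret
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "archive.mbox")
        box = mailbox.mbox(path)
        for i, body in enumerate(["first", "second", "third"]):
            box.add(make_msg(f"<{i}@example.org>", body))
        box.flush()
        before = build_manifest(path)
        tag = seal(before, key)
        keys = box.keys()  # simulate tampering with the stored archive
        box.remove(keys[0])
        box[keys[1]] = make_msg("<1@example.org>", "second, altered")
        box.add(make_msg("<9@example.org>", "injected"))
        box.flush(); box.close()
        after = build_manifest(path)
        return compare(before, after), hmac.compare_digest(tag, seal(after, key))
```

The manifest and its seal only help if they are kept apart from the archive they describe, so whoever holds the mail cannot rewrite both.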

The mere existence of that huge archive of personal e-mail -- an archive that can neither be backed up nor deleted on demand -- should give users pause. For example, such an archive could become a one-stop-shopping destination for subpoenas in civil litigation and criminal investigations. Gmail's early adopters now have nearly two years' worth of mail archived in the system -- an attractive body of evidence in, say, a nasty divorce proceeding.

The preservation of old messages wasn't previously a concern because earlier online e-mail providers like Hotmail didn't offer their users enough storage. Also, folder-based archives give users a strong incentive to throw most messages away rather than keeping them all. And of course, if you download your e-mail with POP (the post office protocol) and keep it on a hard drive in your living room, you are responsible for the security of your mail -- and you have the option of fighting a subpoena in court rather than turning over your files.

Many of my concerns could be addressed through the clever use of encryption. Mail could be encrypted while stored on Google's servers and only decrypted when it is displayed to Gmail users. This would dramatically reduce the risk of a subpoena: now an attorney fishing for incriminating documents would have to demand not just e-mail but also the user's decryption key. This would give users more opportunities to fight subpoenas -- or perhaps to "lose" their keys.

Whether or not these risks actually matter to you depends on what uses, if any, you make of the Gmail service. But how Google responds to persistent concerns about privacy and data security should matter to everyone who uses the Web. For better or worse, Google remains the hottest Internet company on the planet -- and the example it sets with Gmail will shape the products and policies of hundreds of other companies using Ajax technology to build new Web-based services.

Home page image courtesy of Jason Schneider.

Simson Garfinkel is a postgraduate fellow at Harvard University's Center for Research on Computation and Society.

Comments

  • This article has no point
    There is no difference in security or privacy between gmail and other e-mail services. All e-mail, when not encrypted by the sender, can be stored and read by the e-mail service you use. There is no guarantee that POP e-mail is not stored for a long time after you download it. Nor is there any guarantee that messages aren't deleted before you download them. Also, gmail allows you to access it as a POP account and download messages that way. The article highlights problems with unencrypted e-mail in general but none of these are specific to gmail.
    Guest (Daniel)
    07/10/2006
    Posts:1

MIT Massachusetts Institute of Technology © 2009 Technology Review. All Rights Reserved.