FOR IMMEDIATE RELEASE March 17, 2009 Contact: Marc Rotenberg, Executive Director John Verdi, Staff Counsel (202) 483-1140 rotenberg@epic.org verdi@epic.org EPIC FILES FEDERAL TRADE COMMISSION COMPLAINT CONCERNING GOOGLE DATA BREACH, CALLS FOR FEDERAL INVESTIGATION INTO CLOUD COMPUTING SECURITY WASHINGTON, DC - The Electronic Privacy Information Center (EPIC) has filed a complaint with the Federal Trade Commission arising from the recent Google Docs data breach. On March 7, 2009, Google, Inc. announced that it had inadvertently disclosed user-generated documents stored on the cloud computing service. EPIC's complaint calls for the FTC to investigate the adequacy of Google's privacy and security safeguards. EPIC also asked the Commission to enjoin Google from offering cloud computing services until safeguards are verifiably established. In 2000, an EPIC complaint to the FTC resulted in the Commission's imposition of a comprehensive information security program for Microsoft Passport and similar services. In December 2004, EPIC filed a complaint with the Commission against databroker ChoicePoint, Inc. The complaint resulted in $15 million in civil penalties and redress - the largest FTC fine for consumer privacy violations. Recently, EPIC brought a complaint to the Federal Trade Commission calling for privacy safeguards as a condition of the Google-Doubleclick merger. Although the Commission failed to act in that matter, a subsequent review by the Department of Justice in a similar matter led Google to back off a proposed deal with Yahoo. EPIC's complaint describes Google's routine assurances that it will secure documents on its servers. Google encourages users to "add personal information to their documents and spreadsheets." Yet Google's cloud computing services have been increasingly subject to security vulnerabilities, including high-profile data breaches involving Gmail and Google Desktop. EPIC's complaint notes that Google stores and transmits documents in plain text, while some other cloud computing services encrypt data to safeguard users' privacy. EPIC Executive Director Marc Rotenberg said, "Given the growing dependence of US consumers, businesses, and federal agencies on cloud computing services, providers like Google must ensure the security of personal information stored on their servers. The Google Docs data breach highlights the hazards of Google's inadequate security practices, as well as the risks of cloud computing services generally. There is ample precedent for the Federal Trade Commission to begin an investigation." EPIC is a public interest research center in Washington, D.C. EPIC was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC has a long history of protecting consumer privacy through advocacy before regulatory commissions. More information is available at: "In the Matter of Google and Cloud Computing Services: Complaint and Request for Injunction, Request for Investigation and for Other Relief" (filed by EPIC, Mar. 17, 2009) http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf