Google Spreadsheets: Secure Enough to Trust?

Earlier this month, Google launched Google Spreadsheets, a web-based competitor to one of the industry’s leading productivity applications, Microsoft’s Excel.

While the already-fawning analyst community is predicting mass self-immolations at Microsoft’s Redmond, Wash. headquarters, I’m once again left scratching my head, trying to understand what Google is up to.

The privacy and security questions alone are so daunting that I’m left wondering how Google’s leaders think that even the most impressive web-based application will compete with, much less supplant, Microsoft’s mediocre Office suite.

According to various news reports, the consensus among the analyst community is that Google Spreadsheets is intended to make Microsoft quake in its boots. The analysts, reading as usual from the company’s PR talking points, seem to think the consumer market is crying out for an advertising-littered web-based alternative to Microsoft’s stagnant and boring Excel.

So the theory goes, once Google can win over millions of consumers, enterprises will be forced to adopt it, and then the days of the villainous Microsoft Office “paperclip” will finally be over.

Setting aside for a moment the abysmal history of consumer-oriented web companies who tried to create enterprise versions of their products, I think the deeper question is: Who in their right mind would trust their critical personal and financial data to the data mining machinery of Google? Then, assuming you could find individual users who would, what enterprise would do the same?

It can sometimes be difficult to remember how Google makes its money, given the company’s attention-deficit disorder with regard to its competitive directions. Regardless of what line of business it’s getting into today, the company still makes most of its money by sifting through the world’s data and dotting it with advertisements.

For most people, using an application like a spreadsheet is a pretty personal task. Users tend to be keeping track of things like financial data, home-based business finances, or sometimes just organizing things from their disorganized personal life, such as kids’ soccer practice schedules and brackets for their office football pool.

Ads and Amortization

While lots of that data isn’t exactly what somebody would consider a national security secret, most folks aren’t keen to have others nosing around in such personal documents. Especially when it comes to sensitive financial information, Big Brother isn’t who you want watching over your shoulder while you tinker with your retirement plan or your tax estimates.

Yet, in order to make money from a free web-based spreadsheet, Google will eventually have to pepper such online experiences with targeted advertisements.

For those who only have a rare or occasional need for a spreadsheet application, the hassle of being bombarded with ads while trying to wrestle with an amortization formula may be an acceptable trade-off.

And who knows, since the ad targeting system might be able to detect that you’d make a lousy accountant, the ads for “Hire an Accountant!” might be just the hint you need to leave this stuff to a professional.

But what makes such targeted advertising possible is that Google will indeed have to sift through your data. Those spreadsheets will be residing on the company’s massive servers, where they’ll be analyzed and data-mined in order to spot advertising opportunities.

What if their algorithms, while searching through your spreadsheet to find relevant ads to serve, discover you have indeed been cheating on your taxes? Will they serve up ads for tax attorneys and bail bondsmen before the Feds come after you?

Will they know in advance that the Feds are coming because they turned over your records to the IRS in one of the government’s regular subpoena “fishing expeditions” and illegal warrantless search and surveillance schemes?

Even if you assume that Google keeps true to its “don’t be evil” mantra, there’s still the small matter that systems get hacked, employees get greedy and larcenous, and government investigators get overzealous.

Undone by 'Un-dos'?

To that end, it is worth noting that the Department of Justice is looking into new laws that would require service providers to collect and store interactive usage data for up to two years in order to facilitate anti-terrorism and other investigations.

Will that data include your “undos”? Think about the time when you entered in some bogus tax data into a spreadsheet, just for the amusement of seeing what your finances would look like if you never had to pay any taxes.

Yes, after enjoying your daydream, you quickly erased the entries and put back in your actual values, but would a version be stored by Google? Could that be subpoenaed and introduced as evidence of intent to defraud?

These are not insignificant questions. And as I have pointed out in several columns here on eSecurity Planet, Google doesn’t have a track record of inspiring faith in their foresight and thoughtfulness on such tough questions.

Before consumers will truly be comfortable entrusting any amount of valuable data to an online service like Google Spreadsheets, these questions of privacy and security will have to be answered in a clear and compelling manner.

Moreover, what might be compelling answers to a consumer only begin to scratch the surface of the kinds of questions that must necessarily be asked by corporate security officers and IT managers. When you look at Google’s bewildered responses to the enterprise privacy and security concerns posed by usage of the Google Desktop software, I’ll lay you good odds that we’ll see more companies firewalling Google Spreadsheets than canceling purchase orders for Microsoft Office.

This is not to say that Microsoft hasn’t been abysmally negligent in its management of privacy and security problems in its own software. In fact, in the course of writing this column, I had to reboot my laptop twice in order to apply various Microsoft security patches!

But corporate IT departments have learned to cope with Microsoft’s chronic issues. Grafting all those potential problems onto a web-based application hosted on a third-party service creates as many new challenges as it claims to solve.

Google will have to answer a lot of questions, not only to the satisfaction of clueless consumers and sycophantic analysts, but also to corporate privacy and security experts before Google Spreadsheets can begin to be seen as a credible alternative – much less a threat – to an entrenched application like Microsoft Excel.