Some cloud providers reserve the right to scan your data for various violations, but few enterprises know if they or their employees have agreed to such terms of service.
On Halloween, Google told its Google G Suite users that “this morning, we made a code push that incorrectly flagged a small percentage of Google Docs as abusive, which caused those documents to be automatically blocked. A fix is in place and all users should have full access to their docs.”
That misfire reminded everyone that cloud providers have access to all your data. Many people worried that Google was scanning users’ documents in real time to determine if they’re being mean or somehow bad. You actually agree to such oversight in Google G Suite’s terms of service.
Those terms include include personal conduct stipulations and copyright protection, as well as adhering to “program policies.” Who knows what made the program that checks for abuse and other violations of the G Suite terms of service to go awry. But something did.
And it’s not just Google that has such terms. Chances are you or your employees have signed similar terms in the many agreements that people accept without reading.
The big concern from enterprises this week was not being locked out of Google Docs for a time but the fact that Google was scanning documents and other files. Even though this is spelled out in the terms of service, it’s uncomfortably Big Brother-ish, and raises anew questions about how confidential and secure corporate information really is in the cloud.
So, do SaaS, IaaS, and PaaS providers make it their business to go through your data? If you read their privacy policies (as I have), the good news is that most don’t seem to. But have you actually read through them to know who, like Google, does have the right to scan and act on your data? Most enterprises do a good legal review for enterprise-level agreements, but much of the use of cloud services is by individuals or departments who don’t get such IT or legal review.
Enterprises need to be proactive about reading the terms of service for cloud services used in their company, including those set up directly by individuals and departments. It’s still your data, after all, and you should know how it is being used and could be used.
Typically, these terms are not negotiable, so you have to be prepared to block cloud providers whose terms are unacceptable and provide users an alternative. But cloud providers might be willing to rewrite portions of their terms of service over privacy concerns if you enterprise is large enough—so ask!
Perhaps the scariest part of this is that you typically have no way of auditing the public cloud to determine if they are checking out your data or not, whether or not their terms of service give them that right. At the end of the day, this comes down to trust. But you should at least be aware of what your providers can do, so you can decide whom to trust.