Google’s misleading security claims to the government raise serious questions


Posted by David Howard
Corporate Vice President & Deputy General Counsel

Last Friday afternoon, I learned that a batch of court documents had been unsealed and had revealed one particularly striking development: the United States Department of Justice had rejected Google’s claim that Google Apps for Government, Google’s cloud-based suite for government customers, has been certified under the Federal Information Security Management Act (FISMA). Given the number of times that Google has touted this claim, this was no small development.

How did this all come about? Last year, the Department of the Interior selected Microsoft offerings for its new cloud-based email system. In October, Google responded by suing the Government. As a result, the work of engineers and IT professionals was replaced, at least temporarily, by filings by lawyers. This meant significant delay for the Department of the Interior, which was trying to save millions of dollars and upgrade the email services for its 88,000 employees. Google announced its lawsuit with a proclamation of support for “open competition.” It then touted the security benefits of Google Apps for Government. Google filed a motion for a preliminary injunction telling the court three times in a single document (see pages 18, 29, & 37) that Google Apps for Government is certified under FISMA.

Google has repeated this statement in many other places as well. Indeed, for several months and as recently as this morning, Google’s website states, “Google Apps for Government – now with FISMA certification.” And as if that’s not sufficient, Google goes farther on another webpage and states “Google Apps for Government is certified and accredited under the Federal Information Security Management Act (FISMA).”

I’ll be the first to grant that FISMA certification amounts to something. The Act creates a process for federal agencies to accredit and certify the security of information management systems like e-mail, so FISMA certification suggests that a particular solution has proven that it has met an adequate level of security for a specific need.

So imagine my surprise on Friday afternoon when, after some delay, some of the court papers were unsealed, at least in part. There for all to see was a statement by the Department of Justice contradicting Google on one of its basic FISMA claims. The DOJ’s brief says (on page 13) “On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification.”

This revelation was apparently as striking to the lawyers at the Department of Justice as it was to me. The Justice Department brief states “We immediately contacted counsel for Google, shared this information and advised counsel that we would bring this to the Court’s attention.”

The Justice Department acknowledges that the General Services Administration (GSA) had certified a different Google offering, Google Apps Premier, for its own particular use under FISMA last July. As the DOJ’s brief explains, “However, Google intends to offer Google Apps for Government as a more restrictive version of its product and Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government.” Lest there be any doubt about the situation, the brief adds, “To be clear, in the view of the GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government.” Backing all this up are five attachments to the brief devoted to this issue, two of which unfortunately remain redacted at this stage of the proceeding.

As I read all this on Friday, my first reaction was that perhaps something positive could come out of Google’s lawsuit. For months a number of people have been asking for details about Google’s FISMA certification. To put it charitably, because of Google’s unwillingness to provide answers, the facts have remained opaque. As a result of the lawsuit, it looks like we finally are beginning to get some answers.

As I thought about this further, my second reaction was to wonder what Google is thinking as it continues to claim that Google Apps for Government has FISMA certification. I don’t pretend to have all the answers and I acknowledge that there are frequently two sides to a story. But what is the other side of the story in this instance?

Google can’t be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government. If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government?

Nor does it seem likely that Google believes that the two offerings are so similar that the differences simply won’t matter to people. After all, if the facts are so good, why persist in telling a fiction? Google easily could have explained that it had received certification for Google Apps Premier and was in the process of seeking certification for Google Apps for Government. Instead, Google has continued to state that Google Apps for Government has FISMA certification itself.

So why did Google tell governments and the public that Google Apps for Government was FISMA certified even before it had applied for that certification? We’ll have to wait for Google to tell us what they were thinking, but I do believe that one thing is evident. When it comes to security, the facts matter. As the Justice Department pointed out in its brief, Google’s initial FISMA certification for Google Apps Premier applied only to the infrastructure set-up and security needs of the General Services Administration. The same brief notes (on page 10) that the Department of the Interior concluded that it “had only a low tolerance for risk” given “its responsibility to manage sensitive information such as Indian trust data and law enforcement data.” Google may not like the Interior Department’s approach, but it certainly seems reasonable.

While we wait for Google to provide its side of the story, perhaps it’s time to ask another question: at the very least, isn’t it past time for Google to issue a correction on its website? The Department of Justice has concluded squarely that Google Apps for Government does not have FISMA certification.

Open competition should involve accurate competition. It’s time for Google to stop telling governments something that is not true.

Comments (55)

  1. Anonymous says:

    Google Apps is FISMA-Certified. Stop throwing FUD, Microsoft and fanboys.

    http://www.google.com/…/trust.html

  2. Anonymous says:

    There are a lot of government execs who can benefit from the facts presented.

  3. Not buying it says:

    Sorry, Microsoft calling Google out on security issues holds no water with me. I realize part of your corporate duties is to spread FUD, which is being admirably accomplished by your proxies suing Google's proxies over Android. But those of us in the tech world with a pair of open eyes and a brain can see right through it.

  4. Deceptive advertising says:

    @Not buying it

    This is not about calling out Google on security issues. This is about calling out Google for lying to the US government and using false advertising to promote their Google Apps for Government product.

  5. Smartypants says:

    For those of us who have dealt with Google in an enterprise environment over the past 5 years, this sort of smug, disingenuous behavior comes as no surprise.

    Reminds me a lot of dealing with Microsoft in 97.

  6. aaron wall says:

    I thought "openness" was only good for non-Google entities?

    Google assured us that they needed to keep things in a black box so scammers can't manipulate them. Maybe their external view of the world was shaped by a keen understanding of their shady internal practices?

  7. Michael says:

    There's only one thing you need to remember about Microsoft: it's a trap. They routinely fund front companies to cause legal troubles for competitors and structure their entire business model around trapping their customers.

    Plus, their products and services are generally just buggy and insecure.

  8. Kevin says:

    Wow Microsoft, you guys are awesome *sarcasm*. So basically Google's App suite that has less security than their government App suite has FISMA certification but Microsoft's does not. Wow, you guys really caught 'em on that one *sarcasm*. So maybe the government should use the only product that is FISMA certified, Google Apps.

    I think the lawyers run Microsoft now.

    P.S. I love how you wrote at the end "open competition should involve accurate competition. It's time for Google to stop telling governments something that is not true". Are you guys for real? You might as well just write "look out everybody the Google-BoogeyMan is going to come out of your closet at night and steal all your information". Is it "open competition" if only Microsoft products are available for government contracts?

  9. The Advocate says:

    … and Google say 'do no evil' – really! It's black and white – either it was FISMA certified or not – it appears not.

  10. Liar, liar... says:

    Google just got caught with their pants down. They screwed up – they should apologise for their lawsuit – pay the costs and concentrate on getting their product certified.

  11. DavidR says:

    Interesting: MS calling out companies as liars. Pot, kettle, black?

  12. Read this says:

    "In addition, the Microsoft cloud infrastructure (GFS) has received Federal Information Security Management Act (FISMA) Authorization to Operate (ATO)." – excerpt from http://www.microsoft.com/…/bpos

  13. J0wn says:

    This is what happens when your Corp is getting clouted in every department and you have poor showing in the market place.

    You start throwing FUD around in an attempt to make yourself look better ( SCO vs Linux anyone? ).

  14. Joel says:

    I'm on Google side, even with a few million lies, I'd still trust them over anything MS says or does. I hope the very worst for Microsoft.

  15. Hands up if you work for Google says:

    Seems to be a bit too much anti-MS comment here when Google are the ones in the wrong (this time). I have heard no denial from Google saying they are wrong and it IS certified which is the moot point here.

  16. Google = fail (this time). says:

    Perhaps Google were hoping to sell the product THEN get it certified. I'm with the govt on this one and if it was not certified it's the end of the story. Plus (side issue) I'm a bit nervous that Google knows a bit too much about everyone already.

  17. Tom says:

    "I hope the very worst for Microsoft" — Really? They employ over 88,000 people, and so really? Is it ok if one company allows untruths to propagate in order to gain a sale? In 25 years of dealing with them I've NEVER known MS to lie to us and I trust them with our data compared with some others. Anyone worth their weight in salt who has worked in the IT field for a few years would likely agree that Microsoft is pretty serious about security. Sure there are bugs that pop up which could have some serious ramifications if left unaddressed, but they generally provide a workaround, patch them quickly and give a reasonable disclosure about it. Understand that my intention is not to knock the competition, but in cases like this where it appears a competitor is gaining an unfair advantage by not making an issue clear (FISMA issue), then MS (or anyone else for that matter) has every right to say something.

  18. Chuck says:

    TL;DR:  Microsoft is afraid of Google — very afraid.

  19. Afraid of Google says:

    Yes I agree, especially considering that Google is a master of the art of marketing and perception, whereas Microsoft is, well, Microsoft.

  20. Greg says:

    IE 9 sure looks a lot like Firefox 4.  Microsoft rips off just about everyone these days.

  21. MS Bob says:

    First I would like to give kudos to MS for allowing comments on this post and not deleting unfriendly comments.  

    As for why Google would file a separate FISMA application even if they thought they didn't need it, it doesn't seem that odd to me.  I often submit extra information with my tax return that I don't think the IRS really needs to see in order to head off any questions before they can even arise.  I know I don't need to include that information because I have read the rules that cover my particular case very closely, but I don't know that there won't be some idiot bureaucrat at the IRS looking over my return who won't be so aware of what the rules are for my case.  They have to keep all of tax law in their head, I only have to keep the parts relevant to me in my head.

    I could easily imagine something similar being the case here.  Google thinks it doesn't need additional FISMA certification, but it wants to nip questions about it (from people like Microsoft lawyers and DOJ investigators) in the bud by going ahead and getting it officially certified.

    That may not be the case here, but I read a comment elsewhere that FISMA doesn't apply to apps, but rather to the infrastructure that supports the apps, and if the infrastructure is the same here, that would seem to indicate that FISMA for Google Premier Apps would also apply to Google Apps for Gov.

    Anyway, hopefully Google will respond to clear up what their thinking was.

  22. Goog, how do I trust you any more? says:

    I thought my gmail messages are in trusted hands. I can't trust your statements any more my favorite Google.

  23. RosarioM says:

    I'm sorry, your argument holds no water. If the Department of the Interior confirmed Google was not FISMA compliant and as result went with MS, then I can see how Google has no case against the DOI. But I believe their main complaint was that they were not even given a chance to compete against MS for the DOI business. This complaint is still valid, even if their product was utter crap (which in reality against Excel, Google's spreadsheets are like Lotus 123 from the 80s). Either case, this is MS trying to turn the argument around, but the question still remains: Did the DOI do a proper evaluation or did they just pick MS?

  24. Otterit says:

    FYI: FISMA is NOT..REPEAT NOT..a Certification!!

  25. fjpoblam says:

    While MS certainly is not beyond reproach for problems in the past, those are not the issue here. The issue is also not whether Google spies on people. And it is not whether Google claims to "do no evil". (This they do NOT claim, by the way: their corporate claim is, "don't BE evil". This is substantially different from "don't DO evil." Think about it: they can do it without being it. Google does know evil.)

    Google's false claim to FISMA certification is the issue. Whether it is MS who pointed it out, or whether it is the DOJ, or someone else, shouldn't matter. Google should be held to account!

  26. FUD says:

    Microsoft doing what it does best. SPREADING FUD. Nothing new really.

  27. Laura Taylor says:

    This has little to do with taking sides. Google is claiming that one system should be considered FISMA compliant because another system that is similar apparently received an ATO (which designates FISMA compliance). However, that is not how FISMA compliance works. Each system has to be separately reviewed with all of the requisite documentation and risk assessments. Additionally, DOI is under no obligation to honor an ATO from any other agency. Google will have a difficult time proving its case.

    Laura Taylor, Certified FISMA Compliance Practitioner (CFCP)

    Chair, CFCP Exam Advisory Board (FISMA Center)

    Author of FISMA Certification & Accreditation Handbook

    CEO Relevant Technologies

  28. leoplan says:

    @Laura Taylor. From Wikipedia:

    In July 2010, Google Apps for Government was the first cloud computing collaboration platform to receive the FISMA certification. This approval will make it easier for United States based governmental agencies or groups to evaluate and adopt Google Apps for use within their organizations. Google Apps for Government includes all of the applications in the company’s Google Apps Premier Edition (GAPE) suite, including Gmail, Google Docs, Google Calendar and Postini security services. The collaboration platform, which Google hosts in its servers and provisions over the Web, will run government agencies $50 per user per year, or the same as GAPE for non-governmental customers.

    en.wikipedia.org/…/FISMA

  29. John says:

    For those who call this post M$ FUD without having properly read the claims, here is what the US Gov documents say. The last sentence is pretty clear about Google!

    On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO, and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification. […] We immediately contacted counsel for Google, shared this information and advised counsel that we would bring this to the Court’s attention. According to the GSA, Google’s Google Apps Premier received FISMA certification on July 21, 2010. However, Google intends to offer Google Apps for Government as a more restrictive version of its product and, Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government. […] To be clear, in the view of GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government.

  30. DaveK says:

    >"Google can’t be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government. If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government?"

    Well, that would indeed be hard to understand, if google were a person, with a single individual's consistent perspective, knowledge and beliefs, but it isn't; and since google is a corporation rather than a person, it's entirely possible for people in one department to be thinking one thing and people in another department thinking another.  The old left-hand-right-hand syndrome.  Marketing announcing something as if it were ready when in fact it's still some way off in the pipeline happens in most large firms, yours being no exception, and the "something" they pre-announce can just as easily be a certification as a product.

    That seems more likely than your implied hypothesis, that some one individual involved with drafting the lawsuit both knew that they didn't have certification and yet somehow thought it would be possible to lie about it to the same government that issues such certification without getting found out.  That /would/ be irrational and hard to understand.  But prod.dev telling marketing that they're going for FISMA cert for GAfG and it's a sure thing since it's only a cut-down version of GAPE; marketing starting to plug it as certified since they think it's in the bag and will surely be the case by the time the new product launches anyway; and then someone in legal taking the company's PR statements as source material when writing their suit… that I can believe.

    Embarrassing ***-up on Google's part, sure.  But I can't see how it could have been any part of any conspiracy other than one for Google to deliberately commit suicide in court, and that's unlikely.

    Unless of course you managed to get your own man inside Google!  Hey, maybe MS still has something to teach Google about how to be evil after all!  Surely the only logical explanation for your hypothesis that Google lied on purpose would be that someone, presumably a competitor, planted a saboteur inside Google's legal team?

    Just kidding…. I think! 😉

  31. That With A Straight Face says:

    Have you already forgotten the OOXML ISO unpleasant events? If so, please let me remind you:

    http://www.wired.com/…/ooxml_vote

    And if you don't see any relation with these events, think harder.

  32. lololol says:

    This post shows how M$ operates in vain.  In most users' minds, M$ is already such an untrustworthy company that it has no position to criticize others. Even though M$ can bribe or bully its way to its advantage, temporarily, it eventually will be proved wrong and bad.

  33. not buying 'not buying it' says:

    see right through what exactly? the fear that microsoft realized a lie in their competitor's claim? uncertainty about what google tells you and that google is the god that rules all that is technology on earth (***sarcasm*)? or doubt that google can bounce back from this with regards to the government?

  34. Not Surprised, Again says:

    Lies and misleading information is what you get from Google.  Every time we asked Google for documented information regarding security & privacy they would push us to start a “pilot.”  Google absolutely has no controls for managing security and god speed if you have a user that is outside the US.  I am not surprised by this information at all.  We always felt dirty after our meetings.

  35. The Real Deal says:

    Microsoft is struggling and is having to resort to legal attacks. Hey guys … wake up! Build a better product and people and government will want to buy it. Right now it seems that your company is sadly … fading away.

  36. Wikisceptic says:

    @leoplan

    Before you quote chapter and verse from Wikipedia to make a point perhaps it would be advisable to check the origin of the information to satisfy yourself of its veracity.  If you go back to your Wikipedia link, click on the source reference and you'll find the online press article that your Wikipedia quotation is based on.  If you read this article you will clearly see that the information presented is "according to Google".

    So on this basis, your point is what?

  37. John says:

    Having actually spent a day examining the whole GSA FISMA packet we came to the conclusion that it DID encompass what is now Google Apps for Government. Obviously so did GSA.  Now that Microsoft is rebranding BPOS as 365 I wonder if they will have the same issue: does any BPOS accreditation encompass 365?  Don't know the answer, but there is a lot of mudslinging going on here…

  38. Lou Skunt says:

    too bad M$ didn't spend its money on its products rather than attacking competitors and startups.. Programmers are cheaper than lawyers anyway.

    Maybe they should hire a guy that ensures that they keep the settings in the same place in the next version of windows. sometimes i wonder if microsoft uses windows internally..

  39. SemSam says:

    Here we go again, another Microsoft junkie using false allegations to attack other companies. If there is one company which masters lying and the art of unethical practices it would be Microsoft.

  40. What is status of Office365 FISMA certification says:

    While I’m sure that Microsoft feels compelled to raise this FISMA issue, and they’re probably technically correct, wouldn’t it be better to focus on their own FISMA certification effort rather than "calling out" Google?

    That said, apparently the City of Los Angeles is also expressing concerns (http://www.latimes.com/…/la-fi-google-email-20110414,0,6531667.story)

  41. not buying #2 says:

    If you were as puzzled as I was by the blog fight, as Geekwire calls it, between Google and Microsoft over whether or not Google was FISMA certified, then you will be glad to know I gathered up some of the documents from the case, Google et al v. USA, and they cause the mists to clear. I'll show you what I found, but here's the funny part — it turns out it's Microsoft whose cloud services for government aren't FISMA certified. And yet, the Department of the Interior chose Microsoft for its email and messaging cloud solution, instead of Google's offering, even though Google today explains that its offering actually is. It calls Microsoft's FUD "irresponsible".

    http://www.groklaw.net/article.php

    Bad MSFT Bad! Now go sit in the corner!

  42. Joel B says:

    Groklaw: Microsoft Cloud Services Aren't FISMA Certified

    http://www.groklaw.net/article.php

    Posted by David Howeird

    Corporate FUDeputy General Counsel

  43. That With A Straight Face/2 says:

    http://www.groklaw.net/article.php

    Nice try Mr. David Howard; I have a sweet suggestion for a new title for you, after: "Corporate Vice President & Deputy General Counsel", what about: "Microsoft FUD Vice President and Apostle"?

    Lies, lies… only damned lies from Microsoft!

  44. Koen says:

    Pure lies :

    Google Apps for Business is FISMA == Google Apps for Government.

    It's only fair competition when MS wins, right, just like the past 25 years, right.

    Pls MS, don't talk about open competition, it sounds bad from your mouth.

  45. PANTS ON FIRE says:

    google needs to stop lying to people. Who knows how many other things they are lying about? What gets me even more irked is that their website still says that they have FISMA certification! What I don't get is, first, could google be sued or something for lying to the government? second, why they're still going after the contract. BTW: Does Microsoft's solution have FISMA certification? @Koen really? I mean, look at it. Google apps for business is not Google apps for government. Google will admit that. If it was the same, why is google applying for a FISMA certification for Google Apps for Government? PS to u: dont say "pls" it's "plz" if u really want to talk like that.

  47. Hello! Listn says:

    Just to highlight what @John pointed out, read the documents. These are government documents, not ur "M$ FUD," so shut up and read them. They clearly say "To be clear, in the view of GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government."

  48. MSDIDNTLIE says:

    @Joel B, Microsoft never claimed they were, unlike Google. They didn't lie about it, Google did. Simple as pie! That reminds me I'm hungry…

  49. Really? GTFO says:

    It's clear as day. Google Apps for Government does not have FISMA certification. I don't need to hear ur BS about Google apps for business and how it's less secure than government. GOOGLE APPS FOR GOVERNMENT DOES NOT HAVE FISMA CERTIFICATION, WHILE GOOGLE CLAIMS IT DOES.

  50. Kevin says:

    Hey Microsoft, are you planning on apologizing for this defamation any time soon?

    "The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification," the GSA said in a statement to Business Insider.

    http://www.businessinsider.com/dear-microsoft-you-owe-google-an-apology-2011-4

    It is becoming extremely clear that this was a PR move to harvest distrust in Google. Like usual Microsoft takes the low road.

  52. Fabian says:

    Please look at your own flaws (in Windows, IE, etc), instead of others.

  53. Angel says:

    "it appears that Google’s Google Apps for Government does not have FISMA certification".

    Who cares about this. We are not all USA-ans. In fact, I'm proud not to be.

  54. Anon says:

    Pants on fire….today's news…Sears is doomed….next weeks'…MSFT is doomed….