Google’s misleading security claims to the government raise serious questions

Posted by David Howard
Corporate Vice President & Deputy General Counsel

Last Friday afternoon, I learned that a batch of court documents had been unsealed and had revealed one particularly striking development: the United States Department of Justice had rejected Google’s claim that Google Apps for Government, Google’s cloud-based suite for government customers, has been certified under the Federal Information Security Management Act (FISMA). Given the number of times that Google has touted this claim, this was no small development.

How did this all come about? Last year, the Department of the Interior selected Microsoft offerings for its new cloud-based email system. In October, Google responded by suing the Government. As a result, the work of engineers and IT professionals was replaced, at least temporarily, by filings by lawyers. This meant significant delay for the Department of the Interior, which was trying to save millions of dollars and upgrade the email services for its 88,000 employees. Google announced its lawsuit with a proclamation of support for “open competition.” It then touted the security benefits of Google Apps for Government. Google filed a motion for a preliminary injunction telling the court three times in a single document (see pages 18, 29, & 37), that Google Apps for Government is certified under FISMA.

Google has repeated this statement in many other places as well. Indeed, for several months and as recently as this morning, Google’s website states, “Google Apps for Government – now with FISMA certification.” And as if that’s not sufficient, Google goes farther on another webpage and states "Google Apps for Government is certified and accredited under the Federal Information Security Management Act (FISMA)."

I’ll be the first to grant that FISMA certification amounts to something. The Act creates a process for federal agencies to accredit and certify the security of information management systems like e-mail, so FISMA-certification suggests that a particular solution has proven that it has met an adequate level of security for a specific need.

So imagine my surprise on Friday afternoon when, after some delay, some of the court papers were unsealed, at least in part. There for all to see was a statement by the Department of Justice contradicting Google on one of its basic FISMA claims. The DOJ’s brief says (on page 13) “On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification.”

This revelation was apparently as striking to the lawyers at the Department of Justice as it was to me. The Justice Department brief states “We immediately contacted counsel for Google, shared this information and advised counsel that we would bring this to the Court’s attention.”

The Justice Department acknowledges that the General Services Administration (GSA) had certified a different Google offering, Google Apps Premier, for its own particular use under FISMA last July. As the DOJ’s brief explains, “However, Google intends to offer Google Apps for Government as a more restrictive version of its product and Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government.” Lest there be any doubt about the situation, the brief adds, “To be clear, in the view of the GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government.” Backing all this up are five attachments to the brief devoted to this issue, two of which unfortunately remain redacted at this stage of the proceeding.

As I read all this on Friday, my first reaction was that perhaps something positive could come out of Google’s lawsuit. For months a number of people have been asking for details about Google’s FISMA certification. To put it charitably, because of Google’s unwillingness to provide answers, the facts have remained opaque. As a result of the lawsuit, it looks like we finally are beginning to get some answers.

As I thought about this further, my second reaction was to wonder what Google is thinking as it continues to claim that Google Apps for Government has FISMA certification. I don’t pretend to have all the answers and I acknowledge that there are frequently two sides to a story. But what is the other side of the story in this instance?

Google can’t be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government. If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government?

Nor does it seem likely that Google believes that the two offerings are so similar that the differences simply won’t matter to people. After all, if the facts are so good, why persist in telling a fiction? Google easily could have explained that it had received certification for Google Apps Premier and was in the process of seeking certification for Google Apps for Government. Instead, Google has continued to state that Google Apps for Government has FISMA certification itself.

So why did Google tell governments and the public that Google Apps for Government was FISMA certified even before it had applied for that certification? We’ll have to wait for Google to tell us what they were thinking, but I do believe that one thing is evident. When it comes to security, the facts matter. As the Justice Department pointed out in its brief, Google’s initial FISMA certification for Google Apps Premier applied only to the infrastructure set-up and security needs of the General Services Administration. As the DOJ pointed out in its brief (on page 10), the Department of Interior concluded that it “had only a low tolerance for risk” given “its responsibility to manage sensitive information such as Indian trust data and law enforcement data.” Google may not like the Interior Department’s approach, but it certainly seems reasonable.

While we wait for Google to provide its side of the story, perhaps it’s time to ask another question: at the very least, isn’t it past time for Google to issue a correction on its website? The Department of Justice has concluded squarely that Google Apps for Government does not have FISMA certification.

Open competition should involve accurate competition. It’s time for Google to stop telling governments something that is not true.