In a statement, Google said the new policy will not change existing contracts that define how it handles and stores data belonging to government users of its cloud services. "Enterprise customers using Google Apps for Government, Business or Education have individual contracts that define how we handle and store their data," Amit Singh, vice president of Google Enterprise said in a statement.
"As always, Google will maintain our enterprise customers' data in compliance with the confidentiality and security obligations provided to their domain," he said.
Singh was responding to concerns raised Wednesday by Karen Evans, former de facto federal CIO and administrator of e-government and IT at the White House Office of Management and Budget.
Google earlier this week announced that it was replacing separate privacy policies for each of its services with one universal policy. Under the policy, Google will combine user data from services like YouTube, Gmail and Google search and create a single merged profile for each user of its services. Google said the new policy is shorter, easier to understand and will allow the company to deliver better and more targeted services.
According to Evans and Gould, however, the's new policy will have a serious impact on the information collection practices and responsibilities for its GAFG service.
Gould said in an interview that the biggest problem involves GAFG use of technology that is optimized for things like indexing, ad tagging and data mining. The same functions that allow Google to do all sorts of user tracking and data consolidation on the consumer side, exist on its government applications as well, though it is unclear if they are always enabled, he said.
This sort of tracking and inference-making greatly heightens the risk of accidental data exposure and data leaks, he said. "Even though the risk might seem small for a single individual, when you multiply it by thousands of government users, the risk is much higher," he said.
"A government user does not want Google studying everything they do and drawing correlations about what they are doing. Basically Google should not be making inferences about them," Gould said.
Google maintains that individual contracts it has with GAFG customers clearly define what the company can and cannot do with customer data. Those contracts are unchanged by this week's announcement, the company said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is [email protected] .
Read more about privacy in Computerworld's Privacy Topic Center.