Google’s misleading security claims to the government raise serious questions

Posted by David Howard
Corporate Vice President & Deputy General Counsel

Last Friday afternoon, I learned that a batch of court documents had been unsealed and had revealed one particularly striking development: the United States Department of Justice had rejected Google’s claim that Google Apps for Government, Google’s cloud-based suite for government customers, has been certified under the Federal Information Security Management Act (FISMA). Given the number of times that Google has touted this claim, this was no small development.

How did this all come about? Last year, the Department of the Interior selected Microsoft offerings for its new cloud-based email system. In October, Google responded by suing the Government. As a result, the work of engineers and IT professionals was replaced, at least temporarily, by filings by lawyers. This meant significant delay for the Department of the Interior, which was trying to save millions of dollars and upgrade the email services for its 88,000 employees. Google announced its lawsuit with a proclamation of support for “open competition.” It then touted the security benefits of Google Apps for Government. Google filed a motion for a preliminary injunction telling the court three times in a single document (see pages 18, 29, and 37) that Google Apps for Government is certified under FISMA.

Google has repeated this statement in many other places as well. Indeed, for several months and as recently as this morning, Google’s website has stated, “Google Apps for Government – now with FISMA certification.” And as if that’s not sufficient, Google goes farther on another webpage and states, “Google Apps for Government is certified and accredited under the Federal Information Security Management Act (FISMA).”

I’ll be the first to grant that FISMA certification amounts to something. The Act creates a process for federal agencies to accredit and certify the security of information management systems like e-mail, so FISMA-certification suggests that a particular solution has proven that it has met an adequate level of security for a specific need.

So imagine my surprise on Friday afternoon when, after some delay, some of the court papers were unsealed, at least in part. There for all to see was a statement by the Department of Justice contradicting Google on one of its basic FISMA claims. The DOJ’s brief says (on page 13) “On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification.”

This revelation was apparently as striking to the lawyers at the Department of Justice as it was to me. The Justice Department brief states “We immediately contacted counsel for Google, shared this information and advised counsel that we would bring this to the Court’s attention.”

The Justice Department acknowledges that the General Services Administration (GSA) had certified a different Google offering, Google Apps Premier, for its own particular use under FISMA last July. As the DOJ’s brief explains, “However, Google intends to offer Google Apps for Government as a more restrictive version of its product and Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government.” Lest there be any doubt about the situation, the brief adds, “To be clear, in the view of the GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government.” Backing all this up are five attachments to the brief devoted to this issue, two of which unfortunately remain redacted at this stage of the proceeding.

As I read all this on Friday, my first reaction was that perhaps something positive could come out of Google’s lawsuit. For months a number of people have been asking for details about Google’s FISMA certification. To put it charitably, because of Google’s unwillingness to provide answers, the facts have remained opaque. As a result of the lawsuit, it looks like we finally are beginning to get some answers.

As I thought about this further, my second reaction was to wonder what Google is thinking as it continues to claim that Google Apps for Government has FISMA certification. I don’t pretend to have all the answers and I acknowledge that there are frequently two sides to a story. But what is the other side of the story in this instance?

Google can’t be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government. If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government?

Nor does it seem likely that Google believes that the two offerings are so similar that the differences simply won’t matter to people. After all, if the facts are so good, why persist in telling a fiction? Google easily could have explained that it had received certification for Google Apps Premier and was in the process of seeking certification for Google Apps for Government. Instead, Google has continued to state that Google Apps for Government has FISMA certification itself.

So why did Google tell governments and the public that Google Apps for Government was FISMA certified even before it had applied for that certification? We’ll have to wait for Google to tell us what they were thinking, but I do believe that one thing is evident. When it comes to security, the facts matter. As the Justice Department pointed out in its brief, Google’s initial FISMA certification for Google Apps Premier applied only to the infrastructure set-up and security needs of the General Services Administration. The same brief notes (on page 10) that the Department of Interior concluded that it “had only a low tolerance for risk” given “its responsibility to manage sensitive information such as Indian trust data and law enforcement data.” Google may not like the Interior Department’s approach, but it certainly seems reasonable.

While we wait for Google to provide its side of the story, perhaps it’s time to ask another question: at the very least, isn’t it past time for Google to issue a correction on its website? The Department of Justice has concluded squarely that Google Apps for Government does not have FISMA certification.

Open competition should involve accurate competition. It’s time for Google to stop telling governments something that is not true.

Comments

  • Anonymous
    January 01, 2003
    Google Apps is FISMA-Certified. Stop throwing FUD Microsoft and fanboys www.google.com/.../trust.html

  • Anonymous
    January 01, 2003
    There are a lot of government execs who can benefit from the facts presented.

  • Anonymous
    April 11, 2011
    Sorry, Microsoft calling Google out on security issues holds no water with me. I realize part of your corporate duties is to spread FUD, which is being admirably accomplished by your proxies suing Google's proxies over Android. But those of us in the tech world with a pair of open eyes and a brain can see right through it.

  • Anonymous
    April 11, 2011
    @Not buying it This is not about calling out Google on security issues. This is about calling out Google for lying to the US government and using false advertising to promote their Google Apps for Government product.

  • Anonymous
    April 11, 2011
    For those of us who have dealt with Google in an enterprise environment over the past 5 years, this sort of smug, disingenuous behavior comes as no surprise. Reminds me a lot of dealing with Microsoft in 97.

  • Anonymous
    April 11, 2011
    There's only one thing you need to remember about Microsoft: it's a trap. They routinely fund front companies to cause legal troubles for competitors and structure their entire business model around trapping their customers. Plus, their products and services are generally just buggy and insecure.

  • Anonymous
    April 11, 2011
    Wow Microsoft, you guys are awesome (sarcasm). So basically Google's App suite that has less security than their government App suite has FISMA certification but Microsoft's does not. Wow, you guys really caught 'em on that one (sarcasm). So maybe the government should use the only product that is FISMA certified, Google Apps. I think the lawyers run Microsoft now. P.S. I love how you wrote at the end "open competition should involve accurate competition. It's time for Google to stop telling governments something that is not true". Are you guys for real? You might as well just write "look out everybody, the Google-BoogeyMan is going to come out of your closet at night and steal all your information". Is it "open competition" if only Microsoft products are available for government contracts?

  • Anonymous
    April 11, 2011
    ... and Google say 'do no evil' - really! It's black and white - either it was FISMA certified or not - it appears not.

  • Anonymous
    April 11, 2011
    "In addition, the Microsoft cloud infrastructure (GFS) has received Federal Information Security Management Act (FISMA) Authorization to Operate (ATO)." - excerpt from www.microsoft.com/.../bpos

  • Anonymous
    April 11, 2011
    This is what happens when your Corp is getting clouted in every department and you have poor showing in the market place. You start throwing FUD around in an attempt to make yourself look better ( SCO vs Linux anyone? ).

  • Anonymous
    April 11, 2011
    I'm on Google side, even with a few million lies, I'd still trust them over anything MS says or does. I hope the very worst for Microsoft.

  • Anonymous
    April 11, 2011
    Seems to be a bit too much anti-MS comment here when Google are the ones in the wrong (this time). I have heard no denial from Google saying they are wrong and it IS certified which is the moot point here.

  • Anonymous
    April 11, 2011
    Perhaps Google were hoping to sell the product THEN get it certified. I'm with the govt on this one and if it was not certified it's the end of the story. Plus (side issue) I'm a bit nervous that Google knows a bit too much about everyone already.

  • Anonymous
    April 11, 2011
    "I hope the very worst for Microsoft" -- Really? They employ over 88,000 people, and so really? Is it ok if one company allows untruths to propagate in order to gain a sale? In 25 years of dealing with them I've NEVER known MS to lie to us and I trust them with our data compared with some others. Anyone worth their weight in salt who has worked in the IT field for a few years would likely agree that Microsoft is pretty serious about security. Sure there are bugs that pop up which could have some serious ramifications if left unaddressed, but they generally provide a workaround, patch them quickly and give a reasonable disclosure about it. Understand that my intention is not to knock the competition, but in cases like this where it appears a competitor is gaining an unfair advantage by not making an issue clear (FISMA issue), then MS (or anyone else for that matter) has every right to say something.

  • Anonymous
    April 11, 2011
    TL;DR: Microsoft is afraid of Google -- very afraid.

  • Anonymous
    April 11, 2011
    Yes I agree, especially considering that Google is a master of the art of marketing and perception, whereas Microsoft is, well, Microsoft.

  • Anonymous
    April 11, 2011
    IE 9 sure looks a lot like Firefox 4. Microsoft rips off just about everyone these days.

  • Anonymous
    April 11, 2011
    I thought my gmail messages are in trusted hands. I can't trust your statements any more my favorite Google.

  • Anonymous
    April 11, 2011
    FYI: FISMA is NOT..REPEAT NOT..a Certification!!

  • Anonymous
    April 11, 2011
    While MS certainly is not beyond reproach for problems in the past, those are not the issue here. The issue is also not whether Google spies on people. And it is not whether Google claims to "do no evil". (This they do NOT claim, by the way: their corporate claim is, "don't BE evil". This is substantially different from "don't DO evil." Think about it: they can do it without being it. Google does know evil.) Google's false claim to FISMA certification is the issue. Whether it is MS who pointed it out, or whether it is the DOJ, or someone else, shouldn't matter. Google should be held to account!

  • Anonymous
    April 11, 2011
    Microsoft doing what it does best. SPREADING FUD. Nothing new really.

  • Anonymous
    April 11, 2011
    This has little to do with taking sides. Google is claiming that one system should be considered FISMA compliant because another system that is similar apparently received an ATO (which designates FISMA compliance). However, that is not how FISMA compliance works. Each system has to be separately reviewed with all of the requisite documentation and risk assessments. Additionally, DOI is under no obligation to honor an ATO from any other agency. Google will have a difficult time proving its case. Laura Taylor, Certified FISMA Compliance Practitioner (CFCP) Chair, CFCP Exam Advisory Board (FISMA Center) Author of FISMA Certification & Accreditation Handbook CEO Relevant Technologies

  • Anonymous
    April 11, 2011
    @Laura Taylor. From Wikipedia: In July 2010, Google Apps for Government was the first cloud computing collaboration platform to receive the FISMA certification. This approval will make it easier for United States based governmental agencies or groups to evaluate and adopt Google Apps for use within their organizations. Google Apps for Government includes all of the applications in the company's Google Apps Premier Edition (GAPE) suite, including Gmail, Google Docs, Google Calendar and Postini security services. The collaboration platform, which Google hosts in its servers and provisions over the Web, will run government agencies $50 per user per year, or the same as GAPE for non-governmental customers. en.wikipedia.org/.../FISMA

  • Anonymous
    April 12, 2011
    For those who call this post M$ FUD without having properly read the claims, here is what the US Gov documents say. The last sentence is pretty clear about Google! On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO, and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification. […] We immediately contacted counsel for Google, shared this information and advised counsel that we would bring this to the Court’s attention. According to the GSA, Google’s Google Apps Premier received FISMA certification on July 21, 2010. However, Google intends to offer Google Apps for Government as a more restrictive version of its product and, Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government. […] To be clear, in the view of GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government.

  • Anonymous
    April 12, 2011
    Have you already forgotten the OOXML ISO unpleasant events? If so, please let me remind you: www.wired.com/.../ooxml_vote And if you don't see any relation with these events, think harder.

  • Anonymous
    April 12, 2011
    This post shows how M$ operates in vain. In most users' minds, M$ is already an untrustworthy company that has no position to criticize others. Even though M$ can bribe or bully its way to its advantage, temporarily, it eventually will be proved wrong and bad.

  • Anonymous
    April 12, 2011
    Microsoft is struggling and is having to resort to legal attacks. Hey guys ... wake up! Build a better product and people and government will want to buy it. Right now it seems that your company is sadly ... fading away.

  • Anonymous
    April 13, 2011
    @leoplan Before you quote chapter and verse from Wikipedia to make a point, perhaps it would be advisable to check the origin of the information to satisfy yourself of its veracity. If you go back to your Wikipedia link, click on the source reference and you'll find the online press article that your Wikipedia quotation is based on. If you read this article you will clearly see that the information presented is "according to Google". So on this basis, your point is what?

  • Anonymous
    April 13, 2011
    Having actually spent a day examining the whole GSA FISMA packet, we came to the conclusion that it DID encompass what is now Google Apps for Government. Obviously so did GSA. Now that Microsoft is rebranding BPOS as 365, I wonder if they will have the same issue: does any BPOS accreditation encompass 365? Don't know the answer, but there is a lot of mudslinging going on here...

  • Anonymous
    April 13, 2011
    too bad M$ didn't spend its money on its products rather than attacking competitors and startups.. Programmers are cheaper than lawyers anyway. Maybe they should hire a guy that ensures that they keep the settings in the same place in the next version of windows. sometimes i wonder if microsoft uses windows internally..

  • Anonymous
    April 14, 2011
    googleenterprise.blogspot.com/.../truth-about-google-apps-and-fisma.html

  • Anonymous
    April 14, 2011
    While I'm sure that Microsoft feels compelled to raise this FISMA issue, and they're probably technically correct, wouldn't it be better to focus on their own FISMA certification effort rather than "calling out" Google? That said, apparently the City of Los Angeles is also expressing concerns (www.latimes.com/.../la-fi-google-email-20110414,0,6531667.story)

  • Anonymous
    April 14, 2011
    Groklaw: Microsoft Cloud Services Aren't FISMA Certified www.groklaw.net/article.php Posted by David Howeird Corporate FUDeputy General Counsel

  • Anonymous
    April 15, 2011
    Pure lies: Google Apps for Business is FISMA == Google Apps for Government. It's only fair competition when MS wins, right, just like the past 25 years, right. Pls MS, don't talk about open competition, it sounds bad from your mouth.

  • Anonymous
    April 16, 2011
    google needs to stop lying to people. Who knows how many other things they are lying about? What gets me even more irked is that their website still says that they have FISMA certification! What I don't get is, first, could google be sued or something for lying to the government? second, why they're still going after the contract. BTW: Does Microsoft's solution have FISMA certification? @Koen really? I mean, look at it. Google apps for business is not Google apps for government. Google will admit that. If it was the same, why is google applying for a FISMA certification for Google Apps for Government? PS to u: dont say "pls" it's "plz" if u really want to talk like that.

  • Anonymous
    April 16, 2011
    Just to highlight what @John pointed out, read the documents. these are government documents, not ur "M$ FUD," so shut up and read them. they clearly say "To be clear, in the view of GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government."

  • Anonymous
    April 16, 2011
    @Joel B, microsoft never claimed they were, unlike Google. They didn't lie about it, Google did. simple as pie! That reminds me im hungry...

  • Anonymous
    April 17, 2011
    Hey Microsoft, are you planning on apologizing for this defamation any time soon? "The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification," the GSA said in a statement to Business Insider. www.businessinsider.com/dear-microsoft-you-owe-google-an-apology-2011-4 It is becoming extremely clear that this was a PR move to harvest distrust in Google. Like usual Microsoft takes the low road.

  • Anonymous
    February 01, 2012
    Please look at your own flaws (in Windows, IE, etc), instead of others.

  • Anonymous
    February 09, 2012
    "it appears that Google’s Google Apps for Government does not have FISMA certification". Who cares about this. We are not all USA-ans. In fact, I'm proud not to be.

  • Anonymous
    February 23, 2012
    Pants on fire....today's news...Sears is doomed....next weeks'...MSFT is doomed....