Outsourcing I.T. to Google – Part I – The Concerns
A few months back I read a post by CEO Michael Hyatt on why he liked Gmail and why he was having his staff investigate switching their corporate email from Microsoft Exchange to Gmail. This sparked my interest from the perspective that if he would consider it, other CEOs and companies would probably give outsourcing I.T. to Google serious consideration as well.
I have been looking at Gmail and the other Google services for completely different reasons, but I have to say that I agree with all his points. The only reason I can think of that you would not want Google to manage your corporate email would be control reasons. You no longer have physical control of the servers and functionality that house your email. This could be a problem for certain groups or businesses where privacy is extremely important, as could the potential repercussions if the emails were to become public. Google states they give you complete control over your email on their system, but that statement is technically not completely truthful. Google also has access to your emails. Suppose an employee of Google read and extracted your emails. Sure, Google would discipline and probably let the employee go, assuming they could find out who was responsible, but what if the impact is large? What if, for example, the emails of a women’s shelter using the Gmail service were published on the Internet? What if emails from a law firm concerning a sensitive and active court case were to be posted? Can you sue Google? And even if you are successful, it doesn’t change the impact of those emails becoming public. I have commented on similar privacy implications before here.
The fact is, when you outsource a service or function, you are giving up some control and security, no matter what any company tells you. In many cases it might be well worth the cost, but it is important to assume this risk consciously. Does anyone remember Hushmail? (They are still around.) For years they boasted that even Hushmail could not read your email because it was encrypted in storage with PGP encryption. Without your passphrase or private key that you provide to connect to their service, decryption was not possible. A company using their service was being investigated by the DOJ. Despite PGP, Hushmail was able to provide them with all the relevant emails of the company that were stored on the Hushmail servers. Yes, any company or citizen must comply with a court order, but technically they should not have been able to, and they advertised this fact. I am not advocating not complying with a court order; obviously that would be bad for any business. But if a government can go to an outsourced company and provide a court order for a hosted company’s email, documents, and calendars, and part of the order is that they are not to communicate any knowledge of or actions resulting from the court order, their hands are tied and you don’t know anything about it. If you host your own email, at least they have to serve you with the court order, so you know something is up. The applicable laws may be different too. Google servers are housed in the United States, which I believe brings them under U.S. law. This could have implications as well.
