Dutch government: Did we say 10 'high data protection risks' in Google Workspace block adoption? Make that 8

A Dutch government report identifying "10 high data protection risks" for users of Google Workspace, formerly known as G Suite, has been revised after Google's response, and now says eight high risk issues still remain. The study (available in English) was conducted by the Dutch Ministry of Justice and Security together with …

  1. TeeCee Gold badge
    WTF?

    ...block the use of consumer Google accounts in the Workspace environment...

    Bloody Hell! That was not only possible, but you actually couldn't prevent it? And corps used this shit? Have none of them ever heard of GDPR? You know, that piece of legislation where enabling the leak of corporate data to public accounts is an automatic "go directly to jail, do not collect £200" thing?

    1. Doctor Syntax Silver badge

      "Have none of them ever heard of GDPR?"

      Yes. This is what it's all about.

      The simple solution is for the clients to take the attitude: "You want the gig? Here are the terms. If you can't meet them, don't apply. Come back when you can."

      If US suppliers can't or won't meet the terms it opens up an opportunity for European suppliers. If there are no alternative suppliers keep it in house until there are.

      1. needmorehare
        Thumb Up

        Too right, why not use well-maintained German options?

        Google Docs does not even allow you to encrypt file contents with a key that Google does not hold. It's a seriously bad choice for governments and industrial uses where sensitive PII is going to be stored there.

        Folks should instead use a solution like NextCloud. It is self-hostable, easy to maintain, support is readily available, source code has been subject to multiple audits over the years and the software itself is free as in beer and freedom. The company behind it is German, their software is designed with the GDPR in mind and it can integrate with Collabora Office Online to provide collaborative editing in a web browser. If one uses it alongside locally installed office software then automated end-to-end encryption provides an additional layer of protection Google doesn't.

        Even if one doesn't want to self-host, NextCloud has partners like Deutsche Telekom who can host the whole lot for you. Also, if NextCloud GmbH folded tomorrow, one could always migrate to ownCloud Online, which is also German, has a similar codebase and is also actively maintained. Heck, there's even a Dutch partner called The Good Cloud available, so one could even keep data within their own borders and audit all patches to protect against sabotage!

        1. NATTtrash Silver badge

          Re: Too right, why not use well-maintained German options?

          "Heck, there's even a Dutch partner called The Good Cloud available, so one could even keep data within their own borders and audit all patches to protect against sabotage!"

          Indeed. And please don't forget, we're talking about a government here. Not some shoestring company where the boss has to do this her/himself during the weekend. In some kind of way I keep being surprised by the "laziness" and "lack of insight" of these institutions. And then even more baffled by the indignation they then show when companies like MS use that to advance their own situation. Need a COVID app? Let's run to Google or Apple. Need a country's digital base? Oh, MS might be a bit iffy, and there is this thing about laws? So let's go to the other big commercial one that says "Trust us, and Bob's your uncle".

          Or would it be the "cheap" argument again? Why is IT security always something that the help desk guy has to do on the side? As we all know here...

  2. b0llchit Silver badge
    Big Brother

    Surprised?

    Summary: use cloud ==> you lost control

    That is the whole purpose. You are to be milked and to do so you are presented with legalese nobody can understand and is intertwined with every other aspect one does. Stop using that shit. Stop agreeing to this shit. Just say no. Shiny-Shiny is not good business for any user. It only benefits the seller.

    1. Peter2 Silver badge

      Re: Surprised?

      Not to mention that those agreements (and the price) can change at any time without notice, leaving no alternative to agreeing or not having a functional work environment.

      1. Doctor Syntax Silver badge

        Re: Surprised?

        From the client's point of view don't sign an agreement that allows it. It's the client's money. It gives them the power to decide who gets it from amongst those who want it.

        1. needmorehare
          Facepalm

          The client doesn't understand though...

          Microsoft said it best until they became the very thing they criticised with Office 365. There are big, bad downsides to the cloud which don't exist for on-prem software.

          For starters, migrating between services isn't as simple as installing a replacement piece of software and opening your files in said software. You end up having to pay someone to migrate your stuff from one cloud service to another, as all your data needs to be migrated from one set of servers you don't own to another set of servers... that you don't own. That's assuming you even can, as not all SaaS uses open data formats.

          Then there's the training aspect. Cloud services change constantly. Skype for Business got replaced with Microsoft Teams and smaller organisations got forced over arbitrarily. Google Chat got replaced with Hangouts which got replaced with Duo and Meet; while Google Video got phased out for YouTube.

          Finally, you have security issues. Office 365 is a fantastic example of a cloud service which is demonstrably less reliable than running your own stuff. Even old fashioned Microsoft Small Business Servers were more stable and when mail was proxied through a queue-holding mail filtering service their services were more secure too. Nobody could easily phish their way into your mailbox, as an attacker needed internal network access via VPN (good luck exporting that device cert via phishing email) and they had no way to tell who your provider was with any certainty to know what to lie about. Nobody needed 2FA codes as desperately as they do now because only corporate devices could connect to the mail server or authenticate to network resources in the first place....

          The cloud has been an unmitigated disaster in a lot of cases. Folks only put up with it because big technology firms have colluded to cripple software so that cloud services are more of a necessity than they should be. Microsoft Office and Apple iWork both supported WebDAV until both companies wanted folks to use their cloud services, then they phased out support as quickly as they could. Then combine that with the eye-watering prices of on-prem software licenses. A 10 user physical dedicated Exchange email server license costs as much as 8 years worth of Exchange Online Plan 1 and that doesn't include hardware costs or labour rates. Once everyone is on-board with only cloud services, I predict the prices will begin to be ratcheted up and up and up until ownership is once again the far cheaper option.

  3. naive

    US Patriot Act still applies to all information hosted by US companies

    As far as I know, all US based companies are obliged to hand over any data to the US government when asked.

    Strictly considered, cloud services offered by US based companies are thus not GDPR compliant.

    The whole report seems a great example of successful lobbying by MS; MS has a market share of over 90% in Dutch government IT, healthcare institutions and communal IT.

    Never seen such a report involving Azure, which is enthusiastically used by many hospitals and other health institutions.

    Maybe COVID might change this a bit, since MS has less opportunities to invite decision makers to technical conferences in Hawaii and other fine places.

    1. Anonymous Coward
      Anonymous Coward

      Re: US Patriot Act still applies to all information hosted by US companies

      As far as I know, all US based companies are obliged to hand over any data to the US government when asked.

      Correct, and it's not just the Cloud Act 2018 that can be used to force them. To be honest, Safe Harbor and Privacy Shield were only ever trade-agreement-level fudges to continue to allow US companies to sell to EU customers in a vain attempt to avoid trade wars. The difference between the legal systems was far too great to make US privacy protection an actionable reality, so the failure of Privacy Shield didn't come as a surprise to anyone with an understanding of the laws involved.

    2. Gordon 10 Silver badge

      Re: US Patriot Act still applies to all information hosted by US companies

      The difference is that MS have a history of fighting overreach of the Patriot Act - at least for PR purposes and maybe genuinely as well - remember the whole bun fight over data stored in Azure Ireland?

      MS for all their faults grew out of enterprise services - it's in their DNA.

      Google on the other hand has ad-broking in their DNA, i.e. whoring your personal data for profit.

      I know who I'd "trust but verify" in the enterprise use case.

      In this scenario MS are to some degree the lesser of two evils.

      1. nijam Silver badge

        Re: US Patriot Act still applies to all information hosted by US companies

        > MS for all their faults grew out of enterprise services - it's in their DNA.

        No, MS grew out of a low-end desktop system, and it shows all the way through their half-baked "enterprise" services.

      2. Anonymous Coward
        Anonymous Coward

        Re: US Patriot Act still applies to all information hosted by US companies

        Hmm. Microsoft was actively involved in the creation of the Cloud Act 2018.

  4. 0laf Silver badge

    MS too

    365 is practically impossible to control properly too.

    The data snaffle isn't maybe quite as bad as Google's, but everything else is.

    I'm more concerned about Google Classroom, which my kid's school is forcing him to use. As well as likely snaffling any data he puts in, it's rubbish to use.

    1. Anonymous Coward
      Anonymous Coward

      Re: MS too

      Oh, there is something else that's very, very wrong with 365.

      It'll be fun to watch when that goes public.

    2. Anonymous Coward
      Anonymous Coward

      Re: MS too

      Given that Privacy Shield is dead, any organisational use of Google resources in Europe is likely to be in breach of GDPR/DPA (now separate), so it depends really on you if you want to make that an issue.

  5. Pascal Monett Silver badge
    Facepalm

    Well duh

    Why is there any surprise about this report? It's Google, idiots, of course it's not in line with GDPR.

    And a government wanting to use a document management system managed by a US company ? Are they out of their minds ?

    You're a European government, set up your own servers and handle your own documents.

    You can use LibreOffice, it's good enough for government work.

  6. A.P. Veening Silver badge

    Google is damned lucky it wasn't the German government or any of its agencies doing the report, it would have been even more damning.

    1. Jellied Eel Silver badge

      I'd love to see a German investigation. But I like these weasel words:

      Bonamigo said that “we never use customer data or service data (such as usage activity) for ads targeting” and that “we only process Cloud customer data according to instructions set out in our customers’ agreements.”

      But we may trawl your IP and pass it to our M&A teams, other customers, competitors, government agencies, and good luck figuring out if you agreed to that given the combination of corporate & individual user agreements.

      I think it was a decade or more ago that my mind first got boggled by the security risks involved in corporates using Google or Microsoft cloud services. Or basically anything other than your own private cloud. And it's not hard to build or maintain those. I did have one client that did classified work for a government and wanted to use Google. Sadly I never got to see the response from their security approver, but hopefully it was along the lines of 'Are you nucking futs?'.

  7. Anonymous Coward
    Anonymous Coward

    WTF?

    “Google … explains that it does not provide certain personal data in reply to a data subject access request, because (i) it is impossible to reliably verify the identity of the data subject as that of the requester and (ii) in some cases such transparency would hurt Google’s efforts to protect the security of its systems,”

    Google is sounding more and more like government spooks every day.

    "We can't show you that because of (national) security"

  8. HoraceTheUnicorn

    What is and isn't G Suite

    Have used G Suite, or whatever it's called these days, a bit in a working setting. I get that being in G Suite "Gmail" and the Docs suite is supposedly "private" to the owning organisation and in theory not being data mined, but what about, say, YouTube surfing in another tab on the same browser, or, indeed, general browsing for "new coffee machine" - i.e. personal topics? Is that non-G Suite activity still being mined by the chocolate factory to sell ads?

    1. rg287 Silver badge

      Re: What is and isn't G Suite

      YouTube surfing in another tab on the same browser, or, indeed, general browsing for "new coffee machine" - i.e. personal topics. Is that non-G Suite activity still being mined by the chocolate factory to sell ads?

      Things like YouTube and Google Search are connected into Google Workspace (formerly G Suite) - corporates have YouTube channels so you can assign permissions, and users can interact with YouTube via their corporate ID. There's also an internal search functionality for documents within your organisation (along with some neat eDiscovery tools). If you're signed into your work account, you shouldn't treat anything in the same browser as "personal topics".

      Unfortunately, Google Workspace will continue to be popular with SMEs because, props to Google (the only credit I will give them), there's one control panel to rule them all, unlike the *ahem* 179 different Microsoft portals.

      Microsoft is an utter mess. Just consider their Plans and Pricing for MS Teams where they tell you that it's included with 365 Business Basic and Business Standard and E3, but omit Business Premium from the comparison table. If you go to the 365 Business page you can see the Premium, as well as 365 Apps which does not include Teams (despite the page header stating "Reimagine productivity with Microsoft 365 and Microsoft Teams").

      Microsoft do their best to prevent you ever comparing more than a subset of their plans, leaving people thinking "But I need something halfway between those two plans", which does in fact exist - but somewhere else.

      What Google have got right is having a single table, with easy onboarding and a single admin panel once you're in. And that's why Google will continue to hoover up 5-20 seat businesses with no full-time IT staff. It just works.

  9. Pseu Donyme

    In the general case ...

    ... of Google as a data processor I can't help but suspect that the plan might be to use nominally GDPR compliant* contracts between Google and EU data controllers as an end run around the GDPR: Google pretends to comply and the controller pretends to believe that while enjoying their free (or at least cheap) products and services (actually paid with the data of us EU plebs).

    * for certain values of 'compliant' (such as 'not quite in blatantly obvious violation')
