It was a spreadsheet that I created at the request of my client to track business-related information, including account info and passwords for things like their Twitter and POS system. In other words, the spreadsheet contained the same sort of information that many, many businesses and individuals store in their Drives. I gave the document a name that included the phrase “password directory” and also created an accompanying form, which included a field named “password,” to allow my client to continue updating the spreadsheet.
I suggested to my client that we store the document offline, thinking at worst a hacker could get a hold of it, but my client assured me they weren’t concerned about the risk, having created similar documents in the past with no problems.
I’ll say here that I’m generally a cautious person when it comes to the Internet. I have a specific account that I use for online purchases. I don’t sign up for anything through Facebook. I use Little Snitch to try to control what data I do let loose. In other words, I’ve always tried to control what I put out. I just didn’t think to worry about getting it back.
I do not know what specific aspects of the spreadsheet triggered the lock out. I don’t know because Google never even told me that the spreadsheet was the reason why my account was disabled wholesale. When I did regain access to my account, I saw the spreadsheet was locked down, I requested access to it, and Google Docs sent me this email:
Thank you for your patience. A further review has found that your item,”[password directory],” violates our Terms of Service. If you still believe this is in error, please click here [link to an appeal form] to provide additional supporting details.
The Google Docs team
Assuming it was the spreadsheet that started it all, my best guess is that creating the spreadsheet constituted the “unauthorized publishing of people’s private and confidential information“–defined as data “such as credit card numbers, Social Security numbers, driver’s and other license numbers, or any other information that is not publicly accessible” in the product-specific policies, though not the terms of service. The data in my spreadsheet was not any of the above. It was maybe, “any other information that is not publicly accessible,” but that’s awfully broad. Also, I didn’t “publish” anything in the conventional sense of the word (the term is not defined). This lack of transparency is as unsettling to you as it is to me.
Also, as other writers have already pointed out, Google’s terms allow it to “use” anything you send through or store on its servers. This means Google can, and apparently does, scan your data. In fact, their terms of service state: “We may review content to determine whether it is illegal or violates our policies, and we may remove or refuse to display content that we reasonably believe violates our policies or the law. But that does not necessarily mean that we review content, so please don’t assume that we do.” A truly impressive display of verbal jujitsu if I ever saw one. Here’s another one: “We spend hundreds of millions of dollars every year on security, and employ world-renowned experts in data security to keep your information safe….[W]hen it comes to the information you share with Google, you’re in control.”
Maybe my experience was a glitch in the product design, an edge case. It seems odd I received no notices prior to the one stating that my account had been disabled. But if you read that notice carefully, you’ll see Google reserves the right to “terminate your account, for any reason, with or without notice,” even though the terms of service don’t contain similarly unequivocal language.
And lest you think all this was because I didn’t pay for Google’s services, the terms laying out Google’s unreserved right to disable accounts, whether paid or free, are effectively the same. All this is not to say Google’s terms are unique or even especially harsh in the cloud computing age. All this is to say, we as users, from individuals to businesses to governments, are relying on the false presumption that Google and companies like it are service providers in the sense we’re used to.
My experience may be the necessary consequence of the contractual relationships that define our market economy, but personal responsibility can only take us so far. Maybe regulation based on an existing regulatory regime is the answer, or maybe we need to devise an entirely new one. Maybe Google and others like it will respond to our call for more reliable services, more opportunities to opt out, and actual customer service, out of the good of their business-savvy hearts.
Regardless, I believe we should expect more transparency and responsiveness from the businesses that have moved beyond selling things to selling our data, and along the way, inserted themselves into vital roles in our lives. For now, we’re just users–easily discarded.
Update. 3/29/13. I’ve been trying to figure out why so many of us could have gotten the wrong impression.