Microsoft: Google lying to Government

If only they could get along. Today, a top Microsoft lawyer lashed out at Google over newly unsealed documents from a court case between the two companies. The case was filed by Google against the United States government for unfairly favoring Microsoft in its choice of email solution.

According to NetworkWorld, Microsoft has lashed out because Google appears to claim it has FISMA (Federal Information Security Management Act) certification, when it actually doesn't have the certification at all for its government Google Apps offerings. David Howard, Corporate Vice President & Deputy General Counsel for Microsoft, said on his blog today that "FISMA certification amounts to something" and goes on to explain that "The Act creates a process for federal agencies to accredit and certify the security of information management systems like e-mail, so FISMA-certification suggests that a particular solution has proven that it has met an adequate level of security for a specific need."

Microsoft says that Google has been lying to the government, and the news came as a surprise to not only them, but to the Department of Justice too. Apparently, Google Apps Premier does have this certification already, but the Government version of Google Apps doesn't, yet Google continues to advertise it having it on their site (they still haven't bothered to take it down as of writing). Google is currently going through the motions of getting approval, apparently, and according to the Department of Justice, "Google intends to offer Google Apps for Government as a more restrictive version of its product and Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government."

David Howard claims that Google has not answered enquiries over the last year for information about their FISMA certification, but says it is no mistake as the company had filed for a second FISMA certification recently. On top of this, Neowin uncovered Google actually stating it had the certification in a blog post on the Official Google blog in August 2010.

Google Apps for Government is a tightly controlled version of its "Premier" apps solution, which is "more secure" than traditional Google Apps, and which apparently was developed to meet FISMA certification. Google does not go into details on what it was required to change, but does say it had to change many back-end security features and protocols.

Google has yet to reply to the claims in the case, but it's likely we'll be hearing much more in the near future.


41 Comments


Everyone knows that Microsoft bribes its way into the procurement process. Look how they corrupted the ISO approval process, and that's just the tip of the iceberg for Microsoft practices.

And while we are on the subject, why hasn't Microsoft been broken up as a company yet? They can't be relied upon to stop abusing their desktop monopoly by themselves.

Microsoft is just better at covering up their lies. They've stolen source code licensed under the GPL; which wouldn't be an issue if they just gave credit to the authors and made the code available, but they don't and they pass it off as their own.

Source
http://www.withinwindows.com/2...es-in-microsoft-store-tool/

Microsoft Lies to Press and Congress About Cheap Labor
http://mydd.com/users/robert-o...osoft-lies-to-presscongress

Point is, almost everybody lies when it suits them, especially corporations. This one isn't too bad.

x9_ said,

That's exactly what they did, genius. Did you even read the link you posted?

To be honest not entirely. I googled the link 'cause I remembered reading the story when it first broke. I was unaware they came out later and admitted it, my mistake.

Google's business suites are just flat out HORRIBLE. The client I work for set this up for their enterprise, and it was the biggest mistake they made. They thought it would be just like regular Gmail, but nothing works as it does in Gmail. Also so many security holes and errors and employee records, files disappearing, etc.

Microsoft's BPOS suite just works as it's supposed to, and it all works seamlessly together. I couldn't stop laughing at the client's issues they've had for the past few months since switching to Google. I'm sure they'll switch to BPOS in no time.

The thought of them trying to convince the Gov't to switch to them would just cause them to collapse with all the problems and inefficiencies they'll get.

j2006 said,
The thought of them trying to convince the Gov't to switch to them would just cause them to collapse with all the problems and inefficiencies they'll get.

Ah-HA! Sinister plan is sinister.

j2006 said,
Google's business suites are just flat out HORRIBLE. The client I work for set this up for their enterprise, and it was the biggest mistake they made. They thought it would be just like regular Gmail, but nothing works as it does in Gmail. Also so many security holes and errors and employee records, files disappearing, etc.

Microsoft's BPOS suite just works as it's supposed to, and it all works seamlessly together. I couldn't stop laughing at the client's issues they've had for the past few months since switching to Google. I'm sure they'll switch to BPOS in no time.

The thought of them trying to convince the Gov't to switch to them would just cause them to collapse with all the problems and inefficiencies they'll get.

How does it not work like GMail. I've been using it for a long time, and everything works the same for me. I've also never had disappearing files.

You are comparing a paid app to a free/cheaper app depending on sector you are in. Microsoft has just fairly recently gotten their web apps to a comparable level. I quit using their Edu@Live stuff last year because the workflow sucked. I'm sure it has gotten better, but I'm not changing again for a while.

As for security, Microsoft has gotten MUCH better in recent years, but you can't say they have a spotless record either.

farmeunit said,

How does it not work like GMail. I've been using it for a long time, and everything works the same for me. I've also never had disappearing files.

You are comparing a paid app to a free/cheaper app depending on sector you are in. Microsoft has just fairly recently gotten their web apps to a comparable level. I quit using their Edu@Live stuff last year because the workflow sucked. I'm sure it has gotten better, but I'm not changing again for a while.

As for security, Microsoft has gotten MUCH better in recent years, but you can't say they have a spotless record either.

Well if you haven't had problems with missing files, it never happened then?

The more important question is why on earth do you trust Google with any data? You do realize they don't use many of the basic server storage mechanisms that even smaller companies have been using for over 10 years?

You do realize that any IT person at Google can pop open your data at any time and read everything from your documents to your email, and even pretend to be you?

Google servers are far from secure, and any employee that works with their data servers has full access to the data in human readable form. Go read the headlines from a year or two ago, when Google IT people were reading GMail accounts and accessing user data for their own purposes and for their friends. Can you imagine if a company wanted to gain access to your data and there is one out of 1,000s of Google employees that would be willing to access and sell your information?

There is a reason a lot of corporations forbid the use of GMail specifically for this reason and the risk of leaks that could compromise intellectual property or even be used for insider trading purposes by Google employees that are less than honorable.

Microsoft actually run their own Exchange environment on JBOD, the same as GMail. The world's changing, RAID is getting old technology now. Doesn't mean Google is less secure. Can you imagine if they lost someone's work/emails? It would be enough to hit the news and stop people buying the product.

I personally use Google Apps Standard (Free) but would like to move to something like BPOS as Google's integration with their own services as a Google Apps account is poor to say the least. I can't even buy a single app from the Android Market due to my account being a Google Apps account.

As for saying Google employees selling your data... why can't that be the same for MS? Pointless argument.

j2006 said,
Also so many security holes and errors and employee records, files disappearing, etc.

They didn't just disappear they were stolen and sold to the highest bidder

SK[ said,]
As for saying Google employees selling your data... why can't that be the same for MS? Pointless argument.

Because a Microsoft employee has no way to access your data, a Google employee does. It is hard to sell something you cannot gain access to.

Here's an idea Google. Make a product that can compete with MS, and then maybe it will get selected. Until then, keep trying.

Taking the government to court is hardly going to win you any friends.

Nashy said,
Here's an idea Google. Make a product that can compete with MS, and then maybe it will get selected. Until then, keep trying.

Taking the government to court is hardly going to win you any friends.


+1 - probably a losing battle. Especially when you lie.

Microsoft is making a huge investment in security, compliance and transparency as a key value of their cloud strategy.

I think this is good for the consumer. Google will fire back, with a vengeance. Hopefully in terms of compliant service stack, and at a better price point than others.

Google's for traditional GMail, Docs, etc are not even close to the level of security required for most companies, let alone government needs.

It is strange they have a separate system for government use, and how little is known about it.

Why don't they offer the same level of security for all their services to both corporate and private individuals?

Right now if you have email, docs, or any other data sitting on a Google server, it is fully human accessible, meaning any Google IT person can literally read anything in your account. And this is just the first in many security issues with Google services.

Google is freaking silly to think they have the chops to meet the security requirements of high level or government installations, especially when their base model of what we know of basic security policies is below what companies considered standard 15 years ago.

FYI Microsoft's general and specific solutions are vastly more secure, and even if you are a basic consumer with hotmail or data stored in skydrive, your data is double encrypted and non-human accessible.

I am surprised that more people concerned about security, have no problem using Gmail or saving data in Google Docs or letting their Android sync their information to their servers.

thenetavenger said,
Right now if you have email, docs, or any other data sitting on a Google server, it is fully human accessible, meaning any Google IT person can literally read anything in your account. And this is just the first in many security issues with Google services.
The government knows this, because they use it to their advantage to spy on you. Example, when investigating you, they don't need a warrant for information held by 3rd parties. I think the email loophole might have gotten closed, but still. Documents? Probably still open. That's why cloud computing isn't taking off... because of the legalities.

cybertimber2008 said,
The government knows this, because they use it to their advantage to spy on you. Example, when investigating you, they don't need a warrant for information held by 3rd parties. I think the email loophole might have gotten closed, but still. Documents? Probably still open. That's why cloud computing isn't taking off... because of the legalities.

However if the data is non-human accessible, with or without a warrant, they still can't gain access to your information. Sure Microsoft could hand over a dual encrypted data chunk, but unless it is important enough to get assistance from the CIA to crack it, it is worthless.

More important than government access, what if an employee at Google is watching personal emails of key people that would tip them to stock purchases or sales? Or if you are involved in a large business deal, and your competition could throw enough money to a Google employee to gain access to your email and docs and turn it over to them? It may not be common, but IS possible at Google, where it is IMPOSSIBLE at Microsoft.

It is the difference between leaving your personal information and data laying on the table at a starbucks and having your personal information and data in a locked safe in an armored truck sitting in front of a starbucks.

thenetavenger said,

More important than government access, what if an employee at Google is watching personal emails of key people that would tip them to stock purchases or sales? Or if you are involved in a large business deal, and your competition could throw enough money to a Google employee to gain access to your email and docs and turn it over to them? It may not be common, but IS possible at Google, where it is IMPOSSIBLE at Microsoft.

How do you know it's impossible at Microsoft? At some level, someone at Microsoft either directly has, or is able to get access to your data. It would be extremely limited, or convoluted, but it must be possible. If not, then you can't reliably, and with confidence, run a production system at that sort of scale.

thenetavenger said,

However if the data is non-human accessible, with or without a warrant, they still can't gain access to your information. Sure Microsoft could hand over a dual encrypted data chunk, but unless it is important enough to get assistance from the CIA to crack it, it is worthless.

More important than government access, what if an employee at Google is watching personal emails of key people that would tip them to stock purchases or sales? Or if you are involved in a large business deal, and your competition could throw enough money to a Google employee to gain access to your email and docs and turn it over to them? It may not be common, but IS possible at Google, where it is IMPOSSIBLE at Microsoft.

It is the difference between leaving your personal information and data laying on the table at a starbucks and having your personal information and data in a locked safe in an armored truck sitting in front of a starbucks.

First off, I'm not advocating either platform, just curious:
I've read what you posted, and it appears to be targeted towards Google's current offerings, do you know for certain that these security measures are currently NOT in place for the Google Apps for Government?

If so, I can certainly see a big problem... however, if they have 'fixed' or updated their security model (which at the moment seems pretty hush-hush) to better accommodate the needs of a government entity, then I would imagine they are a more viable competitor than you make them out to be, business ethics aside.

SaltLife said,

First off, I'm not advocating either platform, just curious:
I've read what you posted, and it appears to be targeted towards Google's current offerings, do you know for certain that these security measures are currently NOT in place for the Google Apps for Government?

If so, I can certainly see a big problem... however, if they have 'fixed' or updated their security model (which at the moment seems pretty hush-hush) to better accommodate the needs of a government entity, then I would imagine they are a more viable competitor than you make them out to be, business ethics aside.


It would still be cloud based wouldn't it? I wouldn't feel "safe" unless the government housed it themselves.

I shouldn't say that. I would feel a little safer if the government housed it themselves instead of paying somebody else to do it. To me it's a lot different if the government is paying somebody to store data and they lose it, compared to the government losing the data.

thenetavenger said,

Right now if you have email, docs, or any other data sitting on a Google server, it is fully human accessible, meaning any Google IT person can literally read anything in your account. And this is just the first in many security issues with Google services.

Same applies for all emails, documents, etc online. Even if it is encrypted, someone with access can decrypt it. There is no such thing as data not being accessible by humans. When you send an email, whoever it is by, it gets stored in a database or file on the server. Regardless of whether you use Gmail, Hotmail or your ISP's email.

Whether those who access it are responsible enough to be accessing it or not is a different manner, but one that you always take a chance on whether it is Google, Microsoft, Twitter or even some random website.

If you are paranoid about Google reading your emails, you shouldn't have an email account. As for other data... best way to keep your privacy is to take care with what you share.

MrA said,

How do you know it's impossible at Microsoft? At some level, someone at Microsoft either directly has, or is able to get access to your data. It would be extremely limited, or convoluted, but it must be possible. If not, then you can't reliably, and with confidence, run a production system at that sort of scale.

My company has worked with the MSN data center and as well as some of the new server centers for Live specific content.

Even back in the MSN days when they only hosted Passport/LiveID and Hotmail any user data was encrypted using their GUID and along with an additional key mechanism, then the stored data was additionally encrypted on the physical media using 256bit encryption.

So the data is sitting on a server, but is not viewable, nor even accessible, as it locked in a database that has its own security mechanisms on top of how the data is stored.

A limited set of functions are available to touch the user's account, as well as a few set of functions to touch the dual encrypted bits themselves.

So a Microsoft employee, even when assisting a user with their account or data, can only send off a queue request, that are very limited in what they can do, and are very tightly logged and monitored. The MS employee can't touch the bits, nor can they touch the user account (LiveID/Passport).

And this doesn't even dig into how Passport/LiveID works, and the authentication ties that are replicated to link access to services, where each link is dual authenticated for each service. (For example if the LiveID is linked to XBox Live, or Hotmail or both, etc.)

If you want to test this, call Microsoft for support with a LiveID issue, they have a set of things they can assist you with, and even with what limited things they can perform, they all require some form of user authorization.

For example, try closing a LiveID account, they can submit the account to be closed, but they cannot bypass the process of how this happens, that fires additional user confirmation, is logged, and then literally sits in the queue for 90days before the queue resolves and the account is removed.

The user confirmation process is also complex in that it fires through the linked email to the LiveID and/or a 'Trusted PC' that you have authorized to be safe to confirm or recover your LiveID account from. Which means that a Microsoft employee would additionally have to have access to your linked email account, the test question answers, or literally go to your home and use your PC.


In contrast, the data sitting on the Google servers can be opened and viewed by Google employee as easy as you can open a file on your computer or sending a SQL command to the database.

Search, and you will find that even last September, this type of access became public and Google had to fire the employee as he was stalking and bribing a teenager. And if this wasn't exposed, no one outside of Google would ever have known; it also is not the only one, as there have been several firings of Google employees that were known publicly.

From the incident last year, Google even reconfirmed that employees have access to data, and defended it as being essential to ensuring the proper operation of their systems, which is either a bad system or a lie.

From the September incident:

"We dismissed David Barksdale for breaking Google's strict internal privacy policies," Bill Coughran, senior vice president of engineering at Google, said in a statement. "We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls--for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective. That said, a limited number of people will always need to access these systems if we are to operate them properly--which is why we take any breach so seriously."

One of the incidents mentioned by Gawker involved a 15-year-old boy Barksdale met at the technology group. When the boy refused to tell Barksdale the name of his new girlfriend, Barksdale accessed the boy's Google Voice calls logs and retrieved her name and phone number. He then harassed the boy and threatened to call his girlfriend.


Fourjays said,

Same applies for all emails, documents, etc online. Even if it is encrypted, someone with access can decrypt it. There is no such thing as data not being accessible by humans. When you send an email, whoever it is by, it gets stored in a database or file on the server. Regardless of whether you use Gmail, Hotmail or your ISP's email.

Whether those who access it are responsible enough to be accessing it or not is a different manner, but one that you always take a chance on whether it is Google, Microsoft, Twitter or even some random website.

If you are paranoid about Google reading your emails, you shouldn't have an email account. As for other data... best way to keep your privacy is to take care with what you share.

You are missing the point and conflating a term with a general notion of the term.

Human accessible means that the data is able to be opened up by a human and viewed without the human having to have 'specific' authentication to the data.

At Google employees can literally look up anything from your GMail messages, to your Google Voice Message to your Documents without having your authentication to see the data, thus it is human accessible.

At Microsoft, the employee can only see that you have an account, and that data exists in your account, but the data is garbage to them as it is encrypted bits that needs your LiveID GUID and key in order to decrypt it to 'human readable'.

So they cannot access what you have stored unless they can use your credentials to sign into your account, which is virtually impossible to obtain.

It is like this, if you can click on a file or send out a SQL command and retrieve human readable information to data that is not personally yours, it is human-accessible, and this is how Google works, and admits this is how it works.

It would be easier for a hacker to break into your data by figuring out your LiveID signin and password than it would for a Microsoft employee to 'view your data'...

Thus, it is not human accessible aka readable EXCEPT by the owner of the information on Microsoft data servers.

This is basic, yet serious stuff, as there have been a lot of incidents of Google employees abusing this to spy on their girlfriends/boyfriends, or gain information to extort people, etc - and these stories are just the ones that were made public.

Google openly admits their data is viewable by their employees.

Do a quick search: Google employee fired

The first story you will find is creepy enough, as the Google employee accessed a teen's Google Voice chat logs with his girlfriend.

So much about Google " Do no Evil ?? " I think Lying is not evil?
The difference is at least Microsoft themselves don't claim they are so righteous.

iwod said,
So much about Google " Do no Evil ?? " I think Lying is not evil?
The difference is at least Microsoft themselves don't claim they are so righteous.

The greater good.

iwod said,
So much about Google " Do no Evil ?? " I think Lying is not evil?
The difference is at least Microsoft themselves don't claim they are so righteous.

Well, they got a lot of people to believe them, which is the first step in a con operation.

I think they meant: "Do Know Evil"

hmmm what's the old saying, oh yeah that's it ... A little bit of bullshat goes a long way (and in Google's case) a long way to getting federal charges brought against them