Comparing Terms of Service: Part 2 – Google Apps and Microsoft Office 365

In Part 1 of this comparison, I tackled three of the top cloud storage providers’ terms of service, pointing out some flaws and giving an overview. In Part 2, I’m examining the two behemoths of office productivity: Microsoft’s Office 365 and Google Apps.

Google Apps

First, Google Apps is not Gmail, although Gmail is included with the Google Apps program suite. Google Apps users pay for their services, whereas users of Google’s free services do not.

Google unified its terms of service among all of its services on March 28, 2012. In my opinion, this was a great decision by Google, especially since the unified terms clarified a lot of questions.

Most of the complaints I hear about Google revolve around the never-ending quest for advertising. Yes, Google scans data. No, Google does not own any of your information sent to its servers, nor will Google share the information with third parties.

I understand there’s a whole other argument of “Google’s too big” and “what if Google decides to take over the world,” but I believe we’re far closer to subversive government actions — some politics coming out — than we are to the “corporate espionage” of Google. I also believe that Google’s working to protect and secure your data, and that if the need arose, Google Apps users have a legitimate expectation of privacy (if such exists) that protects them from intrusion.

Of all the service providers, Google seems to have the most prolific statement on protecting confidential information:

Obligations. Each party will: (a) protect the other party’s Confidential Information with the same standard of care it uses to protect its own Confidential Information; and (b) not disclose the Confidential Information except to Affiliates, employees and agents who need to know it and who have agreed in writing to keep it confidential. Each party (and any Affiliates’ employees and agents to whom it has disclosed Confidential Information) may use Confidential Information only to exercise rights and fulfill its obligations under this Agreement, while using reasonable care to protect it. Each party is responsible for any actions of its Affiliates’ employees and agents in violation of this Section.

That’s a no ifs, ands, or buts kind of statement. In fact, Google’s committing itself to protect your data and information as you would (theoretically) protect your own data. That’s probably why Google Apps also has two-factor authentication, which your Apps administrator can require.

Similarly, Google shows that it’s committed to protecting, and assisting, when third parties request information:

Third Party Requests. Customer is responsible for responding to Third Party Requests. Google will, to the extent allowed by law and by the terms of the Third Party Request: (a) promptly notify Customer of its receipt of a Third Party Request; (b) comply with Customer’s reasonable requests regarding its efforts to oppose a Third Party Request; and (c) provide Customer with the information or tools required for Customer to respond to the Third Party Request. Customer will first seek to obtain the information required to respond to the Third Party Request on its own and will contact Google only if it cannot reasonably obtain such information.

And:

Required Disclosure. Each party may disclose the other party’s Confidential Information when required by law but only after it, if legally permissible: (a) uses commercially reasonable efforts to notify the other party; and (b) gives the other party the chance to challenge the disclosure.

Google, because of its size, maintains data centers around the world. As such, Google Apps users consent to the transfer of their data to any one of the data centers:

As part of providing the Services Google may transfer, store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services Customer consents to this transfer, processing and storage of Customer Data.

I’m not a huge fan of this clause — I’d like to keep my data on American soil — but really, I don’t care where the data’s held, as long as it’s protected. Hacks can occur on US soil just as easily as they could in some foreign territory. And let’s not even talk about the FBI and NSA spying on their own citizens and attorneys.

Oddly, Google doesn’t have an arbitration clause. You’ll settle any disputes in California, and that’s it. Pick the Federal or state court in Santa Clara. I thought for sure Google would have the arbitration and class action waiver clause.

The number one complaint from people is that “Google’s scanning your data.” Yes, Google will scan data to send out advertising. Fortunately, when you’re a Google Apps user, you can turn off advertising. Obviously, that doesn’t shut off the scanning, but the system isn’t actively retrieving information for your advertising. Unlike some people, I don’t freak out about the scanning; as they say, “scan happens.” I’m concerned about 2 things: (1) does the provider protect my data? and (2) how will the provider alert me to issues? Google seems to offer the best solutions to me.

Of course, even with these protections, I’m not about to send highly confidential data into the cloud, regardless of the provider. Google Apps is my go-to recommendation for quick setup, easy access, and great functionality with Android.

Microsoft Office Online/Office 365

As Google’s Apps system expanded the number of online users, Microsoft quickly moved its superior Office modules into the cloud with the introduction of Office Online and Office 365. The Microsoft Services Agreement governs the use of the online Office products. The Agreement went into effect on October 19, 2012.

Microsoft, in typical Microsoft fashion, limits its liability with an arbitration clause; at least the Services Agreement notifies you of this fact in bold, capital letters at the top of the page.

Microsoft licenses its Office products for use on 5 computers and 5 devices, and — this part was a little confusing to me — 1 person at a time may access the online service.

Microsoft disclaims ownership of any content created through its online service:

Who owns the content that I put on the services? Content includes anything you upload to, store on, or transmit through the services, such as data, documents, photos, video, music, email, and instant messages (“content”). Except for material that we license to you that may be incorporated into your own content (such as clip art), we do not claim ownership of the content you provide on the services. Your content remains your content, and you are responsible for it. We do not control, verify, pay for, or endorse the content that you and others make available on the services.

But, Microsoft includes this clause regarding use of the content:

What does Microsoft do with my content? When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services.

Presumably, Microsoft is using this information to improve its services, or sending it through spam and virus scanning, but I’m concerned anytime I “agree” to allow adaptation of my content. In case you’re wondering, Microsoft also uses an “automated” system to scan information:

For example, we may occasionally use automated means to isolate information from email, chats, or photos in order to help detect and protect against spam and malware, or to improve the services with new features that makes them easier to use. When processing your content, Microsoft takes steps to help preserve your privacy.

Oh, and don’t forget the part about “uploading information about your machine”:

Additionally, as part of the services, we may also automatically upload information about your machine, your use of the services and services performance.

I suspect that Microsoft’s processing the information in much the same way Google does; we’re just actively aware of Google’s efforts. Dang, I just failed at neutrality.

In my opinion, Microsoft scores low points when it comes to disclosing how it’s handling government data requests:

Does Microsoft disclose my personal information outside of Microsoft? You consent and agree that Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content, or information that Microsoft acquires about you through your use of the services (such as IP address or other third-party information) when Microsoft forms a good faith belief that doing so is necessary (a) to comply with applicable law or to respond to legal process from competent authorities; (b) to enforce this agreement or protect the rights or property of Microsoft or our customers; or (c) to help prevent a loss of life or serious physical injury to anyone.

How does Microsoft respond to legal process? Similar to other providers of Internet services, Microsoft is served with legal demands and requests from law enforcement, government entities, and private litigants for content stored on our network. This information may relate to an alleged crime or civil matter and is usually requested pursuant to the normal legal process of the country or locality where the activity occurred. Microsoft may be obligated to comply with requests for your information or your content as part of such investigations or legal proceedings.

Those clauses are too vague for my liking, especially compared with Google’s proactive approach. Microsoft’s “good faith belief” is probably as trustworthy as the government’s “we’re here to help” statements.

Microsoft also doesn’t disclose where it’s storing your data — it’s a global corporation, after all — but I’m not particularly concerned, since protection is more important than place. Despite its reputation for OS bugs, I still trust Microsoft to produce a fairly secure product, and work hard to protect the information it’s entrusted with.

The grand finale

“The Cloud” conjures different meanings for different individuals, depending on your acceptance of the space. Hopefully, my two-part exploration of the cloud providers’ terms of service agreements gives a little more comfort to the sanctity of your data. Even though I performed an “exhaustive” analysis of the terms, it’s up to you to fully appreciate and accept the benefits and risks of cloud computing. That means reading and understanding the terms of the agreements you’re signing.

The more I realize my own data protection frailties, the more I’m inclined to trust my data security to a company that’s committed to implementing strong security and backup protocols. Model Rule 1.6 requires that attorneys reasonably protect their clients’ confidential data. Knowing and using trusted data providers is the first step in maintaining adequate protocols. Remember though, there’s still a chasm between liability from the bar association and liability to a client; that’s why it’s important to follow additional protection protocols:

  1. Never transmit confidential client data (client information sheets, medical records, social security, etc.) to the cloud without including secondary protection measures (HTTPS, encryption, password, etc.).
  2. Back up data to a local system or storage device so you can look at it and say, “there’s my data.”
  3. Regularly test your local data backup to verify its integrity.
  4. Thoroughly examine any potential cloud storage provider; ask about encryption, direct technical support information, and other, similar policies.
  5. Utilize strong (15 character minimum) passwords and passphrases, and where possible, mandate two-factor authentication for all devices.
  6. Diligently and regularly review terms of service, privacy policies, and other service agreements of cloud providers.
  7. Request that cloud providers provide end-to-end encryption and two-factor authentication for all devices and connections.
  8. Get help if anything is too difficult to understand.

Honestly, you need to find out all you can about the risks and rewards of cloud storage. I’m confident that the more information you have, the better you’ll feel about some particular providers, and cloud solutions in general.

Update: Here’s a link to Google Apps’ Service Level Agreement. This is an important element to analyze in your decision of one cloud suite over another.

4 Responses to Comparing Terms of Service: Part 2 – Google Apps and Microsoft Office 365

  1. This from IT World (January 13, 2014, 2:08 PM), which is likely less biased than your analysis pertaining to privacy:

    Privacy differences
    One important consideration, when comparing Microsoft and Google products, has nothing to do with price or features. It has everything to do with privacy. Given recent revelations about our government snooping on anything that moves, the questions about corporate privacy and how companies such as Microsoft and Google will use your data have only become more pointed.

    Google’s privacy policy makes no bones about it: “We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content — like giving you more relevant search results and ads.” Yes, that means Google scans your mail and may even look at the contents of your files for information that’s used to serve up ads. There’s a more technical look in the Google Apps Security Whitepaper.

    Microsoft’s privacy policy takes a very different tack: “We use your data for just what you pay us for: to maintain and provide Office 365 and Dynamics CRM Online services. We make it our policy to not use your data for other purposes. While some data may be stored or processed on systems used for both consumer and business services, our business services are designed and operated separately from Microsoft’s consumer services. Microsoft does not scan emails or documents for advertising purposes.” While obviously Microsoft scans the contents of messages (and possibly files stored in SkyDrive) to protect against malware, we have Microsoft’s word that it doesn’t use the results of those scans for advertising.

    Both Microsoft and Google very explicitly explain that they may serve up your data in response to a properly filed subpoena. Both claim they will try to contact you if the situation arises, although they both are barred from notifying you should the subpoena involve certain governmental agencies.

Jeff Taylor

I’m just an ordinary guy living an extraordinary life. I’m also an attorney and I blog about Android for lawyers. You can follow me on Twitter, LinkedIn, YouTube, or Google+.