Today, Microsoft's general counsel, in a rather explosive blog post, alleged that Google intentionally misrepresented Google Docs for Government as having certification and accreditation by FISMA (Federal Information Security Management Act). Apparently, an investigation by the Department of Justice has concluded that it didn't. This is a critical certification that Microsoft hasn't been able to complete for its government offering. Now this gets a bit more complex because Google does have this certification on Google Apps Premier, which is actually a less restrictive offering.
So what's the big deal? The big deal is that with governments, close enough is rarely good enough, as anyone who has had a building inspection has learned, and making a false representation in court papers can be extremely problematic. As a result, we suddenly have a call from a watchdog group for punitive action against Google. So, given these are potentially criminal actions, is anyone in jail?
Engineers Likely at Heart of Problem
The problem for any new company working with any government is it often doesn't have the experience needed to know that cutting corners just doesn't pay off. I am quite sure that someone in Google, likely an engineer, figured that logically, if you have a security certification on one product and develop another that is even more restrictive, the certification should apply to both.
Engineers in particular don't seem to understand that the world and governments in particular don't operate logically. Google is basically run by engineers and this suggests that conformance may be an increasing problem for it because of the way engineers think through issues like this. With governments, the rules actually don't have to make much sense.
I'm sure there are a lot of folks in Google who don't think this is a big deal. But submitting false documents to a government is very risky and can lead to criminal charges particularly if the enforcement body thinks the company is blowing them off. Google's response, in this blog post, appears to take the engineer line that if something is certified and something better is created from it, the better product is automatically certified as well. Self-certification without disclosure, regardless of how reasonable it may seem to the company doing it, is fraud and governments, particularly if they have been sued by the company exhibiting this behavior, are likely to be extremely punitive when this happens.
Google's Bad Habit
Google has developed a rather impressive habit of picking and choosing the rules it likes to follow. For stock analysts, Google has decided that it won't disclose its outlook even though that is a standard industry practice and Google likely does have an internal outlook. This practice, while hardly illegal, might have an adverse impact on Google's valuation because the financial analysts hate it and will likely take a more conservative view during a time of increasing revenues.
But that is minor compared to Google's view of software patents. It doesn't believe in them and therefore didn't secure Android with enough intellectual property to be able to indemnify its licensees. Thirty-seven lawsuits have resulted, as well as an unknown number of settlements like the one between HTC and Microsoft, which suggests that Microsoft may now be making a higher margin off of Android than any of its own products because it incurs no ongoing Android costs. Any attorney fees are likely recovered from those licensing the Android IP from them.
Wrapping up: Google Needs the Sense of a 16-year-old
A 16-year-old driver being pulled over for speeding knows you don't blow off the cop and tell him the speeding law is stupid. Yet if you look at Google's problems, particularly this latest one, it looks like that is what Google is actually doing. The right response is to apologize, pull down the incorrect information and get the certification prioritized, not argue that compliance should be at your own discretion. You don't get to pick and choose the laws or rules you follow and trying to do so generally leads to some really painful outcomes regardless of your personal wealth.
If Google wants to do business with corporations and governments, it has to adhere to a number of rules. If it doesn't want to adhere to the rules, then it should stay out of these markets. Right now, the people most at risk are the government employees who likely advocated the Google offerings and didn't catch that Google doesn't have the certification it says it has.
Vendors should realize that when they arbitrarily choose the rules to follow or ignore, they put their advocates at risk first, and firms that have a habit of putting advocates at risk tend to not keep those advocates for very long.