Google's Alleged Fraud Put Company and Advocates at Risk

Rob Enderle

Today, Microsoft's general counsel, in a rather explosive blog post, alleged that Google intentionally misrepresented Google Docs for Government as having certification and accreditation by FISMA (Federal Information Security Management Act). Apparently, an investigation by the Department of Justice has concluded that it didn't. This is a critical certification that Microsoft hasn't been able to complete for its government offering. Now this gets a bit more complex because Google does have this certification on Google Apps Premier, which is actually a less restrictive offering.

 

So what's the big deal? The big deal is that with governments, close enough is rarely good enough, as anyone who has had a building inspection has learned, and making a false representation in court papers can be extremely problematic. As a result, we suddenly have a call from a watchdog group for punitive action against Google. So, given these are potentially criminal actions, is anyone in jail?

 

Engineers Likely at Heart of Problem

 

The problem for any new company working with any government is it often doesn't have the experience needed to know that cutting corners just doesn't pay off. I am quite sure that someone in Google, likely an engineer, figured that logically, if you have a security certification on one product and develop another that is even more restrictive, the certification should apply to both.

 

Engineers in particular don't seem to understand that the world and governments in particular don't operate logically. Google is basically run by engineers and this suggests that conformance may be an increasing problem for it because of the way engineers think through issues like this. With governments, the rules actually don't have to make much sense.


 

I'm sure there are a lot of folks in Google who don't think this is a big deal. But submitting false documents to a government is very risky and can lead to criminal charges particularly if the enforcement body thinks the company is blowing them off. Google's response, in this blog post, appears to take the engineer line that if something is certified and something better is created from it, the better product is automatically certified as well. Self-certification without disclosure, regardless of how reasonable it may seem to the company doing it, is fraud and governments, particularly if they have been sued by the company exhibiting this behavior, are likely to be extremely punitive when this happens.

 

Google's Bad Habit

 

Google has developed a rather impressive habit of picking and choosing the rules it likes to follow. For stock analysts, Google has decided that it won't disclose its outlook even though that is a standard industry practice and Google likely does have an internal outlook. This practice, while hardly illegal, might have an adverse impact on Google's valuation because the financial analysts hate it and will likely take a more conservative view during a time of increasing revenues.

 

But that is minor compared to Google's view of software patents. It doesn't believe in them and therefore didn't secure Android with enough intellectual property to be able to indemnify its licensees. Thirty-seven lawsuits have resulted, as well as an unknown number of settlements like the one between HTC and Microsoft, which suggests that Microsoft may now be making a higher margin off of Android than any of its own products because it incurs no ongoing Android costs. Any attorney fees are likely recovered from those licensing the Android IP from them.

 

Most recently, Google was forced to adopt an enforced privacy policy by the FTC due to its unwillingness to adhere to privacy laws. Or, in other words, its lack of regard for rules is increasingly forcing the U.S. government to perform the role of babysitter to keep Google from straying from the legal path. And there is a new book coming out that talks about Google's ex-CEO trying to cover up political donations and trivializing privacy concerns.

 

Wrapping up: Google Needs the Sense of a 16-year-old

 

A 16-year-old driver being pulled over for speeding knows you don't blow off the cop and tell him the speeding law is stupid. Yet if you look at Google's problems, particularly this latest one, it looks like that is what Google is actually doing. The right response is to apologize, pull down the incorrect information and get the certification prioritized, not argue that compliance should be at your own discretion. You don't get to pick and choose the laws or rules you follow and trying to do so generally leads to some really painful outcomes regardless of your personal wealth.

 

If Google wants to do business with corporations and governments, it has to adhere to a number of rules. If it doesn't want to adhere to the rules, then it should stay out of these markets. Right now, the people most at risk are the government employees who likely advocated the Google offerings and didn't catch that Google doesn't have the certification it says it has.

 

Vendors should realize that when they arbitrarily choose the rules to follow or ignore, they put their advocates at risk first, and firms that have a habit of putting advocates at risk tend to not keep those advocates for very long.



Add Comment      Leave a comment on this blog post
Apr 19, 2011 5:02 AM Tim Wessels Tim Wessels  says:

Coming from a long-time vocal supporter of Microsoft, I'd expect nothing less in your criticism of Google.  However, it would be proper for you to acknowledge your association with Microsoft before you begin your criticism of Google as it is not coming from a "disinterested" point of view.

And the fact of the matter is the Federal government's GSA has stated that they are working with Google to certify the additional controls included in Google Apps Government Edition.

InfoSecurity.com reports the following:

The GSA apparently is backing up Google on the issue. In a statement quoted by Business Insider but not provided on GSA's website, the agency said: 'GSA certified the Google Apps Premier environment as FISMA compliant in July of 2010. Google Apps for Government uses the Google Apps Premier infrastructure, but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification.'

Microsoft's charge is just another battle in the "gotcha war" between the two companies.  If you really want to document arrogance, abusive and illegal business practices, I suggest a review of Microsoft's court trial proceedings (1998-2000) when the company was charged by the DOJ with violating the Sherman Antitrust Act.  Microsoft was found guilty by the Federal court judge presiding over the trial.

I don't recall at the time if you were making similar criticisms of Microsoft's corporate behavior.

Reply
Apr 19, 2011 8:16 AM Rob Enderle Rob Enderle  says: in response to Tim Wessels

Actually you'll find if you look back I wasn't a fan of Netscape coming to market half assed nor was I big supporter of Microsoft's "Scalability Day" or Windows NT when they over hyped it. 

Anyway let's go back a decade and see what I was writing back then:

http://www.informationweek.com/news/showArticle.jhtml?articleID=17000165

But the problem, as I pointed out, is Google's behavior put their advocates at risk.  They shouldn't have marketed FISMA support until they had it and the GSA quote is worded expertly to say Google's FISMA certification remains intact on Premier while they seek certification on thier Government version.  It never says Government is certified.   A lot of lawyers work for the government.  If Apps for Government was certified why not simply say that?   You must not work with many attornies. 

Reply
Apr 20, 2011 1:04 AM Rob Enderle Rob Enderle  says: in response to Tim Wessels

I don't follow.  If I go to the Google site it clearly says Google Apps for Government is FISMA certified when it isn't:  http://www.google.com/apps/intl/en/government/trust.html

The investigation on this is widening as eWeek reports:  http://www.eweek.com/c/a/Government-IT/Google-Apps-for-Government-Not-Yet-FISMA-Certified-GSA-495399/1/

Reply
Apr 20, 2011 1:30 AM Tim Wessels Tim Wessels  says: in response to Rob Enderle

Well, I'm afraid a "widening investigation" of nothing is going to produce nothing of interest.  The Google Website says what it says and the company is defending their understanding of what FISMA certification of Google Apps Premier Edition meant at the time it was granted last July with regard to their re-branding Google Apps Premier Edition as Google Apps Government Edition with the extended security controls. 

I think Nancy Gohring in NetWork World presented as clear a statement from Google as is possible at the moment regarding the matter.

http://tinyurl.com/3k5c9t4

I think this whole matter was dredged up by Microsoft after Google filed suit against the U.S. Department of the Interior (DOI) regarding their exclusion from a federal procurement process that appeared to be hard-wired for Microsoft's BPOS.  I think Google won an injunction against the DOI and that matters are still pending.

Personally, I think there will be almost no end to this conflict between Google and Microsoft in the short term.  Google has emerged as an IT services delivery powerhouse over the past 10 years while Microsoft has been bested in every new market by Apple and Google.  Oh sure, Microsoft still makes tons of money and half of its profits from Windows and Office, but even Mr. Ballmer can see the writing on the wall that those days are numbered.  So I expect Microsoft will keep up their efforts to derail the Google juggernaut by creating as much FUD about Google as possible.  Empires die hard.

Reply
Apr 20, 2011 2:13 AM Rob Enderle Rob Enderle  says: in response to Tim Wessels

So let's start by pointing out you were wrong in how they represented their certification.   I get you have an agenda but let's be honest on the points.  

Lying about certification is still fraud, and recall the DOJ pointed this out first.  Last time I checked it doesn't really matter that much whether you believe you did anything wrong, it matters whether the enforcement body believes it.   A lot of dancing here but the fact is they didn't have the certification on the version of the product they said was certified.   That's actually rather black and white.  

 

The fact you feel you have to dance to defend them points out the problem they have become for their advocates.  Drift over to LA County, Google's biggest reference account, and you'll find these advocates are an endangered species.   You are now an example of exactly the point I was trying to make. 

Reply
Apr 20, 2011 12:18 PM Tim Wessels Tim Wessels  says: in response to Rob Enderle

I read your "Big Company Disease" article and liked most of what you had to say about Microsoft's symptoms of the disease.

And eight years later, Microsoft still maintains a monopoly (over 70%) share of PC desktop operating systems, but is no longer strong-arming its OEM customers or threatening to cut-off the "air supply" of its competitors.  The bad news for Microsoft is PCs are not as important as they were eight years ago.

Leadership ossification is still a problem at Microsoft although there have been recent signs that Mr. Ballmer is cleaning house judging by numerous departure/retirement announcements in the wake of his "all in" position on the cloud last March.  The "talented Mr. Ozzie" also had some words of warning for Microsoft's senior management upon his departure last October. 

Microsoft's licensing program(s) are still an inscrutable mess that requires "going to school" to be able to decipher them, although Tony Scott, Microsoft's CIO, has moved this valuable company asset into the Windows Azure cloud.  This gives a little street cred to Mr. Ballmer's "all in" comment about the cloud.  In fact, all of the Microsoft.com web servers are in the Windows Azure cloud too.  Good to see Microsoft "eating its own dog food" when it comes to Azure.

Open Source is now established as a development environment that Microsoft has grudgingly accepted...no more yammering by Mr. Ballmer about how "Linux owes Microsoft" anymore.  And Linux, while not having done well on the PC desktop, is doing well in the premises and cloud server market and is doing very well in the smartphone and tablet markets as Google's Android.  Microsoft is being rapidly pushed aside in these valuable mobile markets and had to pay big bucks to Nokia to keep the Windows Phone 7 alive.

Microsoft's greed is now being tempered by the necessity to invest heavily in the cloud (90% of their R&D) where their success is not guaranteed.  We'll see just how good Office 365 is when it ships in July, but the announced pricing seems a bit greedy.  The old habits of Office pricing are hard to break.  If Microsoft's execs were really smart they would make the bet that Office 365 is going to be "insanely great" and put it out there at a price of $50/user/year and see if they can get millions of Office 356 paying customers in record time.

As for the flap over the FISMA certifications for Google Apps Premier and Government Editions, if you read the Google announcement from last summer carefully, Google does not make any claim that the Government Edition is FISMA certified, only the Premier Edition.  Now, it might be easy for the casual reader to get the impression that both the Premier and Government Editions achieved FISMA certification.  Did Google intentionally create the impression?  I don't know how you would prove that, but the Government Edition merely provides extended controls, which the government wanted in the first place, so I'm not getting my shorts in a knot over it and apparently neither is the GSA. 

As for lawyers, I don't work for any now but I had a few as clients back in the 1980s and early 1990s.

Reply
Apr 22, 2011 1:00 AM Rob Enderle Rob Enderle  says: in response to Tim Wessels

When a firm's only major reference account goes south it should, regardless of vendor, serve as a warning for everyone else.   If you were to do a major deal with them now and it went south wouldn't you appear to be neglegent given what is happening with LA?  That's why these things don't fail, the vendor can't afford the bad publicity.   It doesn't appear that Google has learned that thus their advocates are at risk.  In the end what makes an enterprise vendor different is they do a better job of protecting their advocates and buyers in large companies.  Google clearly isn't there yet. 

Reply
Apr 22, 2011 12:24 PM Tim Wessels Tim Wessels  says: in response to Rob Enderle

Well, here is the url to Google's Directory of Security blog post on the matter of "lying" about FISMA certification.  You can either believe him or not.

http://tinyurl.com/634zml8

I sincerely doubt that anyone at Google is going to be hauled before the bar of justice for "lying" or "fraud" over the FISMA certification for Google Apps.  Heck, we can't even get the U.S. Attorney General to bother prosecuting Wall Street criminals who have swindled and defrauded their customers and the government out of billions of dollars. 

I'm not "dancing" to defend Google and my "advocacy" is limited to my use of Google Apps Business Edition because it is a good value.  BTW, I  just signed up to participate in the Microsoft Office 365 public beta as it looks like a good time to take it for a spin.  I'd like to find out if it will be worth $6/user/month and up to use it.

As for the Google Apps migration project for the city of Los Angeles, 30 of 40 city departments have already been migrated from Novell's GroupWise to Google Apps.  And like any major software change in any large political environment, it is hard to keep the politicians from altering the deal in response to whomever is pressuring them.  I think this ComputerWorld article provides a pretty balanced report on the matter.

http://tinyurl.com/6e8vfua

It is obvious that we don't agree on much about this, so let's just say that we agree to disagree and leave it at that.

Thanks for the exchange of views.

Reply

Post a comment

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

null
null

 

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.