Shostack + Friends Blog Archive

 

The Price of Nothing and the Value of Everything

money-mattress.jpgIn the Christmas double issue of The Economist, there is an interesting article about Google’s new domain-level email services and their applicability to business. I’m traveling, so I listened to the podcast version.

I’m not going to criticize Google today. I think Gmail is a good service. I have several Gmail accounts. I am personally tempted by the service for some of my own domains.

The Economist also thinks it’s a good idea, so much so that they slur us in IT security:

IT bosses tend to argue that web-based software is not secure. Their real fear, probably, is that web-based software will mean fewer jobs in corporate IT. But the trend will be hard to resist. Trusting the web with your software is not so very different from trusting the bank with your money, instead of keeping under the mattress at home.

There are several things to object to here. The first is the smug attack on the professionalism of corporate IT people. I find it all the more obnoxious for hiding behind the word “probably” which is one of the oldest rogue’s tricks in journalism. I won’t dwell on that too much, because it is unusual for The Economist to have such a lapse, and this one is forgivable because it is probably caused by the onset of tertiary syphilis in the responsible editor. (I’ll apologize for my counter-slur if a paper supporting the claim that the probability that “security” concerns are actually about budgets is greater than 0.5 is accepted at WEIS this year.)

The next thing to object to is the confusion between software and data. Email, and any concerns with it, are not about the software, they’re about the data. Anyone who has qualms about outsourcing to Google most likely has it about the data, not about the software.

Another confusion The Economist makes is between money and information. There are a number of differences between money and information, but one that is relevant here is that if my bank is robbed, I still have my money (which is one of many reasons why banks are better than mattresses). This is not true with information. If information is stolen, you can’t pull it back. Furthermore, Google isn’t going to insure or indemnify against information loss the way that governments and banks indemnify depositors. If an outsourcer gets broken into, it’s still my breach, and breaches are not cheap.

Not only are emails information, but they are corporate documents. They can be subpoenaed or discovered. I have no idea what would happen if I were in a lawsuit and Google were asked to turn my email that they host over. I would hope that Google would refuse, but what happens if a judge disagrees? Let us also not forget that any such dispute would happen in the US courts. It would also be subject to US national security laws, and these laws not only require your service provider to turn over your emails, but require them not to tell you about it. Additionally, some assert that emails lose their status as protected communications after they’ve been aged for 180 days. My eyebrow is raised, as I am an equal-opportunity cynic, but that’s hardly tin-foil-hat territory.

The last thing to remember is that despite what The Economist seems to think, rarely does one find a free lunch. Google does not offer email services for free. It sells them to you, and you pay by letting them use your data to sell adverts. Google’s payment is exactly the advertising value of scanning all your email. You may think it’s worth it, but you may not. I think this is something about which gentlebeings can disagree.

There are situations in which outsourcing one’s documents may make sense. If, for example, you’re a state university and your documents are ultimately the property of the taxpayers, then some of the security concerns go away. But not all of them. To get rid of the risks, an outsourcer would have to secure the data so that they can’t lose it or be compelled to release it. Unfortunately, that would most likely change the economics of the bargain and make it so that the outsourcer would be giving out a free lunch.

None of this means that outsourcing your domains to Google is a bad idea, it just means that there are costs, benefits, and risks. The cost of a Gmail-hosted domain is the value of the use of your information. This might be analogous to letting the bank use your money, and may be worth it. However, implying that managing your own information is like keeping your money in a mattress is wrong. It’s more like buying your own shares rather than letting a fund manager do it. It’s a tradeoff of many things: time, money, effort, etc. Surely an economist can understand the difference between saving and investing.