Software as a Service: The Privacy Question


Those who frequent this space are probably already aware that I’m a big believer in the concept of Software-as-a-Service (if you just arrived, you can get some of the background here): the notion of delivering applications such as CRM, email, etc. over the network rather than as a locally installed and managed rich client. In that, I’m no longer in the minority; while everyone knows and points to Google as a major player in the SaaS realm, if the ‘leaked’ Gates/Ozzie memos are to be believed, even those with the most vested interest in protecting the rich client space, Microsoft, have seen the light. If Microsoft can get their minds around Software-as-a-Service, it’s smooth sailing ahead, right?

Maybe. But I’m beginning to think that, as much as network application providers are disrupting the shrinkwrapped application businesses, they may be just as disruptive to current legislation.

Let’s remember back to the launch of Google’s Gmail; amidst the near universal praise for the speed of the interface (not to mention the storage size), there came a great hue and cry about one particular aspect of the application: the scanning of email. The tradeoff here was essentially pretty simple: Google believed that by offering you a slick networked email client, for free, they’d earned the right to scan your email in an effort to serve you relevant advertising. More importantly, they reminded everyone, it wasn’t humans doing the scanning but machines. Such algorithmic entities did not deserve the same scrutiny that humans would, the argument went. And you know what? By and large, people were appeased. I was, as were a large percentage of my friends and family who began switching en masse from Hotmail, Yahoo, and other free email providers to Gmail.

Whether that sentiment was justified has, I think, yet to be decided, but at the present time I’m not aware of any incidents proving that Google is doing anything other than what they promised. But the underlying technical concept – the utilization of traffic through the network-based application – could become an issue for purveyors of Software-as-a-Service as they become more mainstream.

I was reminded of this while reading Cindy Cohn’s comments here. She said in part:

From a privacy perspective, the question of whether Google’s future lies on the desktop (client-side) or server-side is incredibly important. If information about you is stored on your own computer, it’s generally not available to others unless they are able to hack your machine or serve legal process on you. In contrast, if information about you is stored on Google’s computers, the law generally treats it as Google’s, not yours.

Now I have no intention of telling you that the sky is falling, because it is clearly not. Thousands of customers and millions of consumers are using network applications every day with no intrusion or privacy issues. But to the best of my knowledge, the points Cindy raises are indeed valid – particularly with content here in the United States, thanks in large part to the abominable Patriot Act. No, the point here is not to be alarmist, but rather to build awareness.

It’s sort of a truism that power granted is power sure to be utilized, and in the case of SaaS that could be a very troubling thing for potential customers. For those of you in that business, it might behoove you to take a look at that problem now, before it affects one of your customers and becomes tomorrow’s big privacy news story.


  1. I’m not really sure this is a very important point for email (for CRM and the rest it surely is but, for email and stuff like that, … let’s see
    – Google’s servers are (I hope) a lot better protected than the average Windows PC.
    – Resorting to law to get access to my data limits the access to a few powerful organizations. The same organizations already send me credit application forms with my personal data already filled (like my ID card number). At least, in email, I have junk filters.
    Let’s face it, anyone that could force Google to give away my personal Data, probably already had that same data from 5 different locations (and I’m security sensitive). Google knows that to give away my Data for any other reason would make Microsoft’s (or pick your favorite Google competitor) field day.
    Of course that, if Google gave away my data, I would have another spammer annoying me, if my CRM hoster would do the same, it could kill my company. So, it’s pretty much the same old story, pros vs. cons, advantages vs. risk.
    About the law, that’s what bothers me the least. Independently of the law, Google knows that to break the confidence of their customers would lead to ruin and, after all, laws change when the need is touching a large enough number of voters.

  2. Jaime: interesting points, particularly around the relative security of the data involved. while i would tend to agree somewhat, i’m not sure i buy the “independently of the law, google knows that to break the confidence of their customers would lead to ruin” argument, simply because Yahoo already turned over the name of one user to the Chinese gov’t and nobody really cared.
