[jonfw]

Many of us are the people making those risk assessments. What information would these IT security staff have that we don't?

It's no secret that a lot of companies don't have great information security.

I think that the fact that people are signing off on it just emphasizes how little some people care about information security.

[fixermark]

> What information would these IT security staff have that we don't?

The cost-benefit analysis of their individual industries and the risk tolerance of their companies.

[jonfw]

I'm talking about actual information about what Google does with their data.

The cost-benefit analysis and risk tolerance doesn't tell us about how much Google secures their privacy, it tells us about how much the company cares about their privacy/security.

[fixermark]

Google's entire privacy policy is laid out in (by the standards of other documents I've seen) very digestible language. https://policies.google.com/privacy#intro

Beyond that, it's a trust and a penalties-for-violating-policy exercise.

And I agree with you: you can probably tell volumes about how much a company cares about the risk factors based on who they trust. But I don't generally think companies are being ignorant placing their chips on Google---it's a big org with a lot to lose if something goes wrong. That gives it advantages over either smaller competitors or rolling one's own (factoring in that to match the security of a dedicated service's cloud offering while approaching the convenience of such an offering, you basically have to hire your own full-attack-surface-spectrum infosec team, and that's one more line item in a small company's budget).