by jessaustin 4928 days ago
I don't think Google would be too interested in providing that service, but I don't see why someone else couldn't do it. At some level though, a Google Docs that's restricted to the office or campus is strictly less useful than old-fashioned docs on your laptop's hard drive, edited by normal GUI editors. Would any user want to use that service?

In general, I think you have to start mistrusting employees more, though. If an employee can't be trusted not to attach rightfully-secret data to email without heroic IT efforts to prevent that scenario, maybe that employee can't be entrusted with the data, period. The old "firewall" method of implicitly trusting everyone on staff with pretty much everything is quite inappropriate for most business situations.


It doesn't have to be restricted geographically--iDevices support VPN just fine after all.

And I think there is a disconnect between what users can be trusted to do in person, and what they can be trusted to do with computers. I don't think most users have a good mental model of how the cloud works, how it exposes data to third parties, etc. I imagine most people don't even realize that Google reads your e-mails and documents.

Just to clarify: are you more concerned about the Googlebot reading your documents to sell you consumer products than you are about employees attaching business or customer data to email or shared docs?

Because I'm operating with a much different threat model. Email is not and never has been secure. It is sent in plaintext unsecured from one unauthenticated mail server to the next. The moment the user attaches data to an email the game is over and we have lost. Sensitive data must be kept in systems that are designed to store sensitive data, and which do not have a "forward to my gmail account" feature. That's how IT can be relevant: provide that system. You might prompt the business to reclassify some formerly sensitive data as rubbish they're allowed to play with, but then their fingerprints will be all over the corpse.

Uploading patient/client data to the cloud where a Google bot can read it is a breach of that patient/student's privacy. BlackBerry email and the like can make email within the organization secure, and most teachers/doctors have the sense not to email sensitive documents to people outside the organization. However, most don't realize that emailing something to your gmail or uploading it to google docs is a problem. The mental model is still "this is private" even though Google is reading every word.

Maybe you've been subjected to more complete DLP systems than I have, but email "within the organization" is not and never will be "secure".

Every time I've seen customer demographic data emailed (although admittedly this hasn't been in the medical field), both the sender and the receiver have been employees (including myself) who weren't entitled to see that data. Organizations need to find more appropriate ways to collaborate, which don't needlessly expand the pool of people with access to sensitive data.

You seem to trust a pool of 100 people, even if they have acronyms following their names, more than you trust a search engine, to not share data in legally negligent ways. That seems ill-advised to me. If the Googlebot were generating lawsuits for breach of privacy we would have heard about them.

I don't think this sensitive customer data should be in Gmail, because I don't think it should be in any email system period.