Does Cloud Computing Mean More Risks to Privacy?

By Saul Hansell

Last week, we had a wave of panic roll through Facebook users as many realized that the site had changed its terms of service in a way that implied it might soon broadcast their most embarrassing photographs to parents, teachers, and prospective employers.

Privacy

On Monday, the World Privacy Forum released a report that says those fears are just the tip of the iceberg. As people and businesses take advantage of all sorts of Internet-based services, they may well find trade secrets in the hands of competitors, private medical records made public, and e-mail correspondence in the hands of government investigators without any prior notice.

In the United States, information held by a company on your behalf — be it a bank, an e-mail provider or a social network — is often not protected as much as information a person keeps at home or a business stores in computers it owns. Sometimes that means that a government investigator, or even a lawyer in a civil lawsuit, can get access to records by simply using a subpoena rather than a search warrant, which requires more scrutiny by a court.

In recent years, law enforcement officials and lawyers in fields ranging from divorce to employment disputes have learned how to subpoena e-mail to bolster their cases. The major e-mail providers receive dozens of these subpoenas a month and often they have no legal obligation to notify the account holder before they comply.

Robert Gellman, a privacy lawyer who was the main author of the World Privacy Forum’s report, said he doesn’t know of any public cases of information disclosed from other sorts of cloud computing services, such as Google Docs, which lets people edit word processing and spreadsheet files online. But it’s only a matter of time before they do, he said, particularly if a service, like Google, becomes the dominant provider of cloud services.

“The cops will love this,” he said. “They can go to a single place and get everybody’s documents.”

The report also points out that much of what can happen to information in cloud computing services is governed by the user agreement for each service. Sometimes companies keep the rights to use information for other purposes, as Facebook did. Often they give themselves the right to change the user agreement at will. The report pointed out that many agreements simply don’t discuss some important issues, such as how information about third parties is treated:

If, for example, a cloud provider reads the taglines of a user’s photographs and learns that a John Doe (who is not a user of the service) in one of the photos skis, the provider may then use or sell knowledge of John Doe’s skiing interest for marketing purposes. If not restricted, secondary use of documents, photographs or other information entrusted by a user to a cloud provider has broad potential to expand the use of information in ways the user did not anticipate.

Another consequence of all this uncertainty is that a business that has an obligation to respect the privacy of some information — a law firm or hospital, for example — may be at risk of a lawsuit simply for using a cloud computing service, even if information is not leaked.

Of course, laws vary by country, and services operating in some European countries must follow stricter standards to protect the privacy of users. But it is not always clear on the Internet where data is being kept and thus which laws apply.

Congress dealt with this issue specifically for bank records with the Right to Financial Privacy Act of 1978, but the report notes that the law in the United States has not kept up with the way the Internet is being used. Most particularly, the Electronic Communications Privacy Act of 1986 has some very odd rules for e-mail. Messages you have not read are given more protection, for example, than messages you have.

The report notes that the laws may need to be updated to clarify who has access to information on cloud-based services and clean up some of the more eccentric aspects of the current laws. Several members of Congress have suggested they may look at privacy legislation this year, so there could be a forum for these issues to be considered.

“We have to decide whether, yes, you can store documents with a third party and have the same protection that you would if you had them yourself,” Mr. Gellman said. “Or will we continue to say you have no privacy interest in records held by a third party?”

In the meantime, the report has a series of recommendations for businesses and consumers. It suggests, of course, looking carefully at the terms and conditions of any cloud computing service before using it.

But one recommendation seems to stand out as the most prudent: “Don’t put anything in the cloud you wouldn’t want a competitor, your government or another government to see.”

Comments are no longer being accepted.

bob February 24, 2009 · 2:43 am

If you put it in the cloud, everyone can see it. If it’s important, keep it local on your computer.

Ajay February 24, 2009 · 6:23 am

While debate on privacy is good, it should not throttle online advertising,the lifeblood that enables technology to innovate and provide free services. Most people have been affected by off line breaches in data privacy as well- online data security has been much better in preventing “incidents”.

//www.decisionstats.com

BE February 24, 2009 · 8:11 am

No privacy in the cloud? Ya think? Really? Wow, that’s too bad. Isn’t this the headline everyone wrote in their heads when they first heard about cloud computing?

valencio February 24, 2009 · 10:49 am

I don’t see how cloud computing can be risky. Infact, the fragmentation of information may make it LESS risky..

Valencio
//www.ePostMailer.com

bonedog73 February 24, 2009 · 11:29 am

I’ve never understood how people can just give up their privacy for popularity. All these people with open Myspace pages and Facebook sites will one day regret they participated, either professionally or privately. Dont mix your private lives with your professional lives. Use an alias or something sheesh..

George Campbell February 24, 2009 · 2:50 pm

I have a really dull life. If anyone wants to paw through my google documents and learn my top secret method for getting people to volunteer for boring PTA committees, be my guest. Do I put anything substantial into the cloud? Of course not. Rather, it is a catalog of the mundane details of an average shmuck in Ohio in the early 21st century.

The biggest problem in today’s society is the enormous egos of people who think their lives are so very very important. They strut and preen across Facebook like some 19th century member of a European Royal family. Give me a break – most people’s entire online life wouldn’t interest a historian in the year 3000 even of they were the only source from the 21st century remaining after the big war.

Marcel Duchamp February 24, 2009 · 2:59 pm

Just remember what Fats Waller said, “Don’t give your right name. No No No…”

David, New Hampshire February 24, 2009 · 3:01 pm

Does Cloud Computing Mean More Risks to Privacy?

It doesn’t have to but it will.

Until the Constitution is amended to include both a right to privacy inherent in our very being as well as adequate protections to be afforded such a right, the corrupt culture of a recalcitrant Congress — obligated to the demands of every corporate lobbyist with a wad of money and a business interest in our everyday affairs — will continue unabated and likewise stymie each and every effort to protect the people’s interests instead of corporate America’s interests.

Lemony Orbetter February 24, 2009 · 3:05 pm

George (#6), one man’s ceiling is another man’s floor.

But it’s your life that people are walking on. You think you’re anonymous. Life’s good. People are honest. Nothing to hide.

Do you lock your doors at night? Do you own a gun? What on earth for?

Ray February 24, 2009 · 3:17 pm

Does Cloud Computing Mean More Risks to Privacy?

Duh. Yeah.

That’s like asking: Is fast food bad for us? That doesn’t keep us from ingesting it — even after it’s too late.

Othar Hugh Manati February 24, 2009 · 3:45 pm

One important thing to remember for personal users:

When you use any free service on the web (e.g., Google, Facebook, YouTube), you are *not* the customer. You are the *product* which is marketed to advertisers and others.

This is not necessarily a bad thing in most cases (after all, over-the-air TV is much the same model), but many people seem to miss this fact when, for instance, they express outrage at Facebook for privacy concerns. Despite Facebook relenting in this instance, it is always important to remember that you are not their paying customers and that they owe you nothing.

ecotopian February 24, 2009 · 3:49 pm

There was a very interesting piece about this on All Things Considered in August ’08:

//www.npr.org/templates/story/story.php?storyId=93841182

After I heard that, I vowed to put nothing in the cloud…ever.

Navin February 24, 2009 · 4:03 pm

I am concerned about the servers my company keeps than the protection that Google and Facebook offer. Cloud computing makes floating information subject to higher standards of protection than the servers that can be wrestled by supervisors, cops and judges; anyone, thinking otherwise are deluding themselves.

Charlestown February 24, 2009 · 4:35 pm

If you put your data into the hands of google, who indexes EVERY thing you do, including your email if you use gmail, the cloud=loss of privacy. However, Amazon, the true leader in this, DOESN’T force ads down your throat to use the CLOUD computing they sell, at very low cost AND your data is encrypted and remains yours, unlike google. Amazon’s cloud computing business, unlike google’s has no interconnection to their online commerce business. They are truly separate. We use them in my company and checked all this on site. Advertising based google services aren’t free, unless you put no value whatsoever on your buying patterns, etc.

Xavier February 24, 2009 · 6:27 pm

This article discusses very different technologies as though they were the same thing. Facebook, Google Apps and enterprise cloud computing are 3 very different “services”. Facebook and Google Apps are free services provided over the internet to you. You don’t have any security when using these services, including shttp which is what you get when you log onto your bank, Paypal or credit card company website. Facebook and Google clearly exist to commoditize your personal information that you reveal to them. So it should be no surprise that your privacy is practically nonexistent.
Cloud computing is a very nebulous term, no pun intended, but generally the idea is to securely deliver a discrete amount of computing resources to a company, with appropriate security and firewalls in place just as if it were in your own data center. There should be SLA’s and provisions if there is customer or personal data that gets intercepted – as exists under CA and other state laws requiring notification to consumers of customer data. You don’t get that with Facebook or GApps now do you?

Brian Capouch February 24, 2009 · 10:03 pm

The lack of security in the cloud is much ado about nothing. As one poster notes, most of what is written here is disingenuous because locally-stored data is subject to all sorts of security problems too.

In one environment where I have a presence, a number of people just left the so-called secure local environment and moved to Google docs, because everyone was aware that the company has the legal right to look at their email, their files on the server, etc., any time they want.

The modern online world isn’t directly mappable to the physical one. It’s natural that laws, customs, and business practices have lagged behind as use of the Internet has exploded.

But the folks stirring up such a fuss about cloud computing and privacy do a disservice to the unwashed masses when they imply that locally-stored data is per se more secure than data out in the cloud. There’s a lot of evidence that such an assertion is not true.

Sue McCarthy February 24, 2009 · 11:41 pm

Yes! It absolutely means that you give your information and data to another entity. Anyone with access to the cloud (with proper permissions, whether received legitimately or not and in any country on the planet including the most corrupt (i.e., India or communist countries like China, where there is no rule of law) will have access to that information and data. I’ve always thought that the cloud tech was overhyped and very risky… leaving data and information in the hands of a few powerful and wealthy corporations.

brutus February 24, 2009 · 11:45 pm

Agree with the last post. I don’ t think the author understands what cloud computing technology is, but rather uses the term to mean a specific type of service provided over the Internet.

Cloud computing can be used internal to a company and on a company’s internal network and thus be just as secure and private as any other technology.

AZ CPA February 25, 2009 · 5:15 pm

hmm…wonder if your CPA is using a free or low cost online backup service to store your accounting or tax records? would that be OK if it had strong encrypting?

Please discuss among yourselves while I do another tax return.

Doug February 27, 2009 · 6:47 pm

Brian Capouch – oh really? Provide your evidence that cloud data storage is more secure then local.

Tarry Singh March 1, 2009 · 11:48 am

No. In the Cloud, transparency will ensure that security and all that hush around hiding and concealing data would be gone.

On the contrary, I expect that a well-governed GRC policy will ensure that your data can only be screened if it’s NOT tagged/flagged for non-screening/viewing.

Tarry

Justin March 1, 2009 · 5:55 pm

I think there is a lot of misinformation regarding what Cloud Computing is and the risks that are involved. No matter what you do, there are risks of some kind, that’s the nature of business and life. But let’s be clear, cloud computing is anything that is not localized to a specific single machine. When you bank, PayPal, anything on a server (whether in your home, office or on the web) your email server is even a form of cloud computing when you get right down to it.

But what risks are there when you don’t put it in ‘the cloud’? Fire, theft, viruses, hacking into your computer that is ‘Online’ 24 hours a day through a broadband connection and basic simple data loss or corruption due to mechanical or software failures. Do you back your data up every day? Do you store it in more than one location? Are all the username and passwords to your computer and network secure? Then your data is no more secure locally than it is in the so called cloud!

Also, it is correct that many free services have TOS’s in place that allow them to use your data… well when it is being shared extensively to the public or to multiple users that have no real affiliation with each other, then there is no expectation of privacy. Those rules can also change whenever, especially if the TOS say’s they can or that your data doesn’t really belong to you any more. Do you read every TOS? You should.

Using something like Google Apps, does not mean you don’t have protections. Not only do they offer a free service, they have a paid service now too, that is designed for businesses and large institutions. It utilizes SSL (if you choose to or it can be forced to always use it), it has multiple back ups done regularly and it’s accessible anywhere.

Furthermore, a federal subpoena can be served to get your data, from anywhere, not just from another company. A warrant isn’t always necassary. Besides, the question here is always are we talking personal use or business?

As an individual you may have to do more to ensure your data is safe and backed up, but overall you are more protected in your home, because as an individual you have more rights. As to financial data… do you bank online? Then why would they need your computer records. Think about what you might keep at home on your computer or in a paper file, that is not already available at some company somewhere.

As a business, the rules change and whether it’s in the cloud or not, isn’t really relevant. A lawsuit or any other reason that the government or a lawsuit might have agains’t you can warrant a subpoena to produce records, whether in the cloud or not. Warrant’s aren’t needed.

So, is your data really more secure locally? Probably not. Is the cloud more secure? Perhaps, it reduces many risks, while maintaining others and making a few just more important to understand.

ricom August 26, 2009 · 7:32 pm

Cloud computing, the dynamic datacenter.

Cloud computing helps to increase the speed at which applications are deployed, helping to increase the pace of innovated networked computing. Service deployed applications; Cloud computing can be provided using an enterprise datacenter’s own servers, or it can be provided by a cloud provider that takes all of the capital risk of owning the infrastructure.

Cloud computing incorporates virtualization, data and application on-demand deployment, internet delivery of services, and open source software. Virtualization enables a dynamic datacenter where servers provide resources that are utilized as needed with resources changing dynamically in order to meet the needed workload.

The combination of virtual machines and virtual appliances used for server deployment objects is one of the key features of cloud computing. Additionally, company’s can merge a storage cloud that provides a virtualized storage platform and is managed through an API, or Web-based interfaces for file management, and application data deployments.

Layered Service providers offering pay-by-use cloud computing solutions can be adjacent to company’s equipment leases. Public clouds are run by third party service providers and applications from different customers are likely to be mixed together on the cloud’s servers, storage systems, and networks. Private clouds are built for the exclusive use of one client, providing the utmost control over data, security, and quality of service. Private clouds can also be built and managed by a company’s own IT administrator. Hybrid clouds combine both public and private cloud models which may be used to handle planned workload spikes, or storage clouds configuration.

The benefits of deploying applications using cloud computing include reducing run time and response time, minimizing the purchasing and deployment of physical infrastructure. Considerations for Energy efficiency, flexibility, simplified systems administration, pricing based on consumption, and most of all limiting the footprint of the datacenter. For further information on virtualized solutions: //www.shopricom.com