Privacy in the clouds
Naturally, given my concern over privacy issues, I’m looking at cloud computing very closely. “Cloud computing” refers to your computer’s applications being run in a “cloud” ie on someone else’s server on the internet. So you don’t need to run apps on your computer or store data – it can all be stored on remote servers. So Google Docs is an example. You don’t have to upload wordprocessing software because Google Docs provides this for you. Flickr is another example. It’s a smart idea because you get on-demand access to supercomputer-level power for transmitting, storing and sharing data.
Now, you know what I’m going to say: when you hand over control of your information and personal data to someone else, cloud or otherwise, you are at risk. What you would potentially be storing on servers in the “cloud” is personal information such as emails, tax returns, customer records, health records, appointment calendars and so on.
The cloud provider needs to protect your data from hackers, internal breaches, marketing firms, let alone the Government who could come snooping along with a subpoena. And then I’d be asking: who really owns the data – you or the host of your data? Probably too, hapless users of cloud computing services would get hit with Google ads or other ad-targeting.
A Pew survey found that 69% of Americans use cloud computing – Google Docs, Adobe Photoshop, Flickr etc and 68% said they’d be pretty concerned if their personal data were analysed for targetted advertising purposes.
So the World Privacy Forum has just released a report that examines privacy and confidentiality issues within the cloud computing environment. The law often lags behind technology advances, which the report makes clear:
“Legal uncertainties make it difficult to assess the status of information in the cloud as well as the privacy and confidentiality protections available to users. The law badly trails technology, and the application of old law to new technology can be unpredictable. For example, current laws that protect electronic communications may or may not apply to cloud computing communications or they may apply differently to different aspects of cloud computing.”
If this isn’t scary enough, then consider what else the report says:
* When a person stores information with a third party (including a cloud computing provider), the information may have fewer or weaker privacy protections than when the information remains only in the possession of the person;
* Government agencies and private litigants may be able to obtain information from a third party more easily than from the original owner or creator of the content;
* Any information stored in the cloud eventually ends up on a physical machine owned by a particular company or person located in a specific country. That stored information may be subject to the laws of the country where the physical machine is located.
* Information in the cloud may have more than one legal location at the same time, with differing legal consequences. A cloud provider may, without notice to a user, move the user’s information from jurisdiction to jurisdiction, from provider to provider, or from machine to machine.
* Those risks may be magnified when the cloud provider has reserved the right to change its terms and policies at will.
I’ll blog more on privacy implications when I’ve digested the report. Meanwhile, the World Privacy Forum is also offering Cloud Computing Tips for consumers, business and Government.