Giving up control over data, applications requires transparency, trust
Workshop description: This workshop focused on privacy and security risks of services at user level and the policy implications of cloud computing on security, privacy and law enforcement. The objective was to discuss effective frameworks established to enable users to exercise control over and retention of their personal data when that data is stored and processed in remote servers owned by businesses. In 2008-2009, gatherings hosted by policy groups such as the U.S. Federal Trade Commission, the Ontario Privacy Commission, the Council of Europe and the Organisation for Economic Cooperation and Development have discussed the subject. Civil society groups are advocating for data protection laws, some business interests dispute that regulation is necessary, while law enforcement agencies highlight the challenges for investigating cybercrime and securing electronic evidence when the data is stored in the cloud.
Participants in the discussion included: Bruce Schneier, chief security technology officer for British Telecomm; Joseph Alhadeff, VP for global public policy for Oracle Corporation; Michael Thatcher, regional technology officer, MEA, Microsoft; Laurent Bernat, principal assistant with the Science, Technology and Industry branch of OECD; Alexander Seger, head of the department of Information Society and Action Against Crime for the Council of Europe; Simon Davies, director, Privacy International; Pamela Jones Harbour, commissioner, U.S. Federal Trade Commission; Guus Houttuin of the Council of Europe. The event was organized by Katitza Rodriguez, Electronic Privacy Information Center.
November 17, 2009 – Joseph Alhadeff of Oracle opened the session with a comprehensive background briefing on the definitions and qualities of cloud computing. He shared the NIST definition v15. “Cloud computing is a methodology by which you can access resources through the network, they can be scaled up or scaled down, and it is often a pay-as-you-go service.”
He said the idea originated in the days of time-sharing on mainframe computers 50 years ago. “Transparency and control is one of the areas with questions because it isn’t as easy to see where things are,” he said. “A cloud provider may be less distinct than a standard provider. Cloud in many ways is a matter of degree when it comes to policy issues.”
He explained some of the complexities involved in customer-cloud relationships. “A concern with users is how do you end a relationship, how do you avoid lock-in, how do you get data portability. This may become a strategic element of your business, it becomes part of the DNA of your company and that is a lot harder to disentangle.”
He suggested that people should assess the security and privacy provisions of cloud companies, whether the patches are up-to-date, corporate controls, mapping requirements and ecosystem accountability.
Bruce Schneier said it’s all about outsourcing. “My definition of cloud computing is your data on someone else’s hard drive,” he said. “These sources are what computing is going to be all about as we move forward. Fundamentally, computing is all about trust. We have to trust hardware, software and operating system vendors. The boundary is moved, so there is less control. You have to trust your vendor completely. You have to trust them for security, availability, reliability. There is the risk that the company disappears. There’s the risk of the company holding data hostage. There are political risks because now the data is moving through international borders. These are things we are going to have to address.”
He noted that in a market where trust matters you have a reputation-based market. “As we move further into these cloud models we are going to see a lot of reputation-based decisions,” he said.
Michael Thatcher, a regional manager for Microsoft, talked more about trust, then addressed the ways data moves in the cloud. “One of the areas I see as critical for us is how we handle the data flows, what are the agreements we abide by,” he explained. “There’s also the processing of the data and who’s controlling the processing of that data. And there are the variances in different jurisdictions and different industry associations.”
Alexander Seger of the Council of Europe focused on issues of law enforcement in cloud computing. “We need to have access to traffic data, need subscriber information, and experience shows us that such information helps us to prosecute criminals and bring them to court,” he said. “We have international cooperation and we can take urgent measures to assure the safety of data in other countries. If a person’s data is stored in another country there is probably a lower level of protection of rights. We need to give law enforcement the tools to protect us from cybercrime.”
The consumer issues raised by computing “in the cloud” were covered by Pamela Jones Harbour of the U.S. Federal Trade Commission. “The main theme I’d like to emphasize that while some of the issues are new many are the same as those we have been dealing with in other contexts,” she said. “Concerns over third-party control are there. Anyone with a PC and Internet access can harness the tremendous power of the cloud from anywhere on the planet. As the data zips around the globe the potential for unauthorized access is increased. Obligations of caretakers must be carefully spelled out.”
She said many Internet users do not understand how their content may be used. “Behavioral advertising and other uses are a concern,” she said. “Cloud computing raises these concerns and magnifies them. Consumers don’t understand that data may be sold to third parties or otherwise used for marketing purposes. The Federal Trade Commission recently introduced a roundtable series that will deal with today’s privacy challenges.”
She mentioned “notice and choice” frameworks as one potential alternative. The FTC is collecting information to help it consider policy decisions.
She said mobile security and general data security are important aspects to address. “As part of the competitive process consumers might see privacy and security protection as part of their decision, so market forces may be enough to assure that companies assure that protection,” she said.
She noted that the FTC policy on behavioral advertising is a good start.
Laurent Bernat of OECD said “cloud” is really a buzzword. “This is all about outsourcing,” he said. “Very often we cite the same applications when we talk about both cloud computing and Web 2.0. The cloud metaphor puts the emphasis on the business model on the service. We don’t know where the data is in cloud computing, and it does not matter because it is much cheaper, it is more efficient and it can be accessed from anywhere.”
He said if it is as cheap as it is, then it will be a serious trend. “Many of these benefits facilitate innovation,” he noted. “This is wonderful opportunity for development, enabling cheap access to resources. But of course there are issues. Security and privacy are on the list, and other points. The potential of cloud computing is significant, but security and privacy are key to effective cloud computing. Laws are local while the cloud is global. Saying the problems are not new does not help us to solve them efficiently. One key issue is the economics of cloud computing. How can policies turn security and privacy into an advantage to the market rather than a showstopper?”
Simon Davies of Privacy International noted that he and colleagues are putting together a document on cloud computing, and he said he has found “massive” jursdiction issues. “One of the concerns is the further you get from a source the more the accountability and transparency drop,” he said. “You can’t just gloss it over. We’re not going to get over this. The more complex the cloud becomes and the more complex the data flows the more security agencies are going to after classes of discovery. Revenue Canada went after eBay’s top sellers – the entire class of supersellers from eBay. You are going to see that trend the more cloud escalates. This is going to be a major problem. So I, as a consumer, I’m going to want to know where my data resides. You as a company are not going to want to know.”
He said there will be trouble ahead. “We think unless there can be means of accountability, transparency and redress, the cloud potentially has extraordinary danger for the rights of the consumer.”
Jean Marc Dinant of the Council of Europe talked about cloud traffic. “The problem on the web is that there is a big, big, dark cloud,” he said. “Traffic and content data are stored somewhere in the cloud, and the user isn’t aware.”
– Senior segment producer, Janna Anderson
Additional reporting by Andie Diemer, Eugene Daniel,
Shelley Russell, Drew Smith and Dan Anderson
Related information can be found at the following locations:
EPIC’s webpage on Cloud Computing.
Above the Clouds: A Berkeley View of Cloud Computing” (February 10, 2009)
Sun White Paper, “Introduction to Cloud Computing Architecture,” First Edition (June 2009)
CSISAC’s Comments on Cloud Computing: Portability, Competition, Innovation (October 14, 2009)