Data Retention; privacy; security; geo-location; mobility; government/law enforcement cooperation; transnational location issues: these are among the emerging cloud computing challenges in Internet Governance. Promoted by industry and government alike, “the cloud” seems to be the answer in providing emerging online services – addressing costs; access; diversity of infrastructure; reliability; and security. Yet its extremely distributed nature raises Internet governance questions. This workshop addressed the Internet governance questions facing cloud computing, including the emergence of the mobile cloud.
Details of the session:
The moderator for the session was Mike Nelson a professor at Georgetown University and research associate at CSC Leading Edge Forum. Panelists included:
- Jeff Brueggeman, vice president of public policy for AT&T
- Danny McPherson, chief security officer for Verisign, also a member of the Internet Architecture Board and ICANN’s Security and Stability Advisory Council
- Amie Stepanovich, national security counsel for the Electronic Privacy Information Center (EPIC)
- Marc Crandall, senior manager of global compliance, addressing security and privacy compliance concerns regarding cloud business offerings, for Google
- John Morris, general counsel and director of the “Internet Standards, Technology and Policy Project” for the Center for Democracy & Technology (CDT)
- Fred Whiteside, director of cybersecurity operations for the U.S. Department of Commerce, and National Institute of Standards and Technology Target Business Use Case Manager
- Jonathan Zuck, president of the Association for Competitive Technology (ACT)
Nelson said governments are happy to use the cloud for cross-border control because it is likely to enable government applications to work better, and it is likely to save money. But to assure such vital information is secure most people believe data has to stay within its country of origin.
“Tension between government controls on cross-border data flows are often caused by the desire for more privacy for citizens in their country versus the global cloud,” he said. “How do we get to a global cloud that is actually globalized, where data is allowed to move wherever it wants to and yet have the private assurances we’ve had in the past?”
There are many who believe location equals control, said Marc Crandall of Google. But that is not always the case when using a resource like the cloud.
“Location may not necessarily equal control,” Crandall said. “The thing about the cloud is location does not necessarily equal secure. Where something is located doesn’t make it any more or less secure.”
He said that governments should be more concerned about coming to agreements on security standardization and privacy approaches.
Jonathan Zuck, president of the Association for Competitive Technology, said people need to begin to focus on international citizenry in regard to the cloud. The cloud issues should not be related to where the cloud is located or whose cloud the consumers are using, but looking at a larger more competitive group of providers.
Yet where data is located can raise concerns about who has access to that information. If data is located in a country with little judicial review or few privacy regulations, will users’ information be at risk?
“There should be an emerging global standard,” said Jeff Brueggeman, vice president of public policy for AT&T. “As to privacy, we can improve international cooperation on cybersecurity and law enforcement so that there is more comfort over legitimate concerns that if the data is not stored can they go after a bad guy. But again we have to deal with real issues as well as setting up the right policies to help distinguish between legitimate concern and government overreaching.”
If there is a breach and private information has been hacked, as has been seen in recent attacks against Google and Sony, what should the companies do to be transparent but also uphold their legal obligations?
If an organization is hacked and information is stolen, but that’s not made known publicly, it could be a violation of fair disclosure, said Danny McPherson, chief security officer of Verisign.
“Lots of folks don’t share that type of information,” he said. “Every state or region or nation or union has different native laws and that is extremely problematic in that perspective.”
There are many times that information may not be classified but is of a private nature, such as trade agreements that would need to stay confidential, said Fred Whiteside, director of cybersecurity operations for the U.S. Department of Commerce. It is complex, he said, and as someone who hears many classified discussions on security breaches, he added that it would often be problematic for sensitive information to be made public.
Amie Stepanovich of the Electronic Privacy Information Center said businesses and industries should start worrying about encrypting the information before it is hacked instead of worrying about the cost-benefit analysis. “I think the benefit of data encryption is really worth it,” she said. “Its been proven again and again. Companies feel somehow they have to touch that burner to see if it’s hot before they move to that.”
Regardless, most panelists agreed that while the focus has been on the concerns and security issues surrounding the cloud, there are many benefits that should receive their due credit. “I think the fact we are all here is a testament to the cloud,” she said. “We wouldn’t be so concerned with the problems if we didn’t recognize so many benefits.”
– Anna Johnson
A selection of Twitter reports on this IGF-USA 2011 event:
Panel on cloud computing include representatives from ATT&T, Verisign, EPIC, Google, CDT, NIST and ACT. #IGF11-USA
“Cloud computing is something that has a lot of potential, but it is critical that the voice of civil society is included.” #IGF11-USA
Jeff Brueggeman, AT&T, notes that traditional gov. regulations could be a hindrance to development, but safety is a real concern. #IGF11-USA
“Privacy needs to be part of the innovation process, not something tacked on at the end.” -Morris, CDT #IGF11-USA
“We need to move toward an international understanding of what types of protections should be bestowed on cloud data.” #IGF11-USA
“We need to move away from a system where companies only encrypt data when they have a breach.” -Amie Stepanovich #IGF11-USA
“The question is not ‘how do we not forget the user?’ but ‘how do we remember the user?'” -Stepanovich #IGF11
The multimedia reporting team for Imagining the Internet at IGF-USA 2011 included the following Elon University students and alumni: Jeff Ackermann, Natalie Allison, Ronda Ataalla, Ashley Barnas, Joe Bruno, Kristen Case, Lianna Catino, Nicole Chadwick, Kellye Coleman, Colin Donohue, Steven Ebert, Jeff Flitter, Anna Johnson, Elizabeth Kantlehner, Melissa Kansky, Morgan Little, Brian Meyer, Julie Morse, Derek Scully, Rachel Southmayd, Katy Steele, Jeff Stern, Bethany Swanson and Carolyn VanBrocklin.