The World Privacy Forum has released a new report (pdf) on cloud computing, “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing.” It’s one of the few reports I’ve seen that looks closely at the issues.

What is cloud computing? The Forum defines cloud computing as “involv[ing] the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the Internet or other connections. Cloud computing services exist in many variations, including data storage sites, video sites, tax preparation sites, personal health record websites, photography websites, social networking sites, and many more.”

One important finding in the report: “Legal uncertainties make it difficult to assess the status of information in the cloud as well as the privacy and confidentiality protections available to users. The law badly trails technology, and the application of old law to new technology can be unpredictable. For example, current laws that protect electronic communications may or may not apply to cloud computing communications or they may apply differently to different aspects of cloud computing.”

More on the issue from the report:

Generally, an individual is free to share his or her personal information with a cloud provider. For a business, disclosing the personal information of customers or employees, or other business information to a cloud provider is often unrestricted by law because no privacy law or other law applies. For example, privacy laws do not cover most marketing records in the United States. Even when privacy laws apply to particular categories of customer or employee information, disclosure to a cloud provider may not be restricted. Read more »

“A vast majority (80.1%) of web surfers are concerned about the online privacy of their personal information such as age, gender, income and web surfing habits,” according to an online survey by Burst Media. Notably, “older segments are much more likely than younger segments to say web sites track personally identifiable information.” The survey of more than 4,000 adults (age 18 and older) was conducted in December.

Among other findings:

Three out of five (61.9%) respondents say it is likely that a web site collects non-personally identifiable information (PII) – such as a visitor’s geographic location or type of Internet connection.

Based strictly on a description – advertisements more relevant to interest – only one-in-five (23.2%) respondents would not mind if non-personally identifiable information was collected if ads were better targeted.

“Advertisers must take concrete actions to mitigate consumers’ privacy concerns and at the same time continue to deliver their message as effectively as possible. In addition and as recently seen in the news flare up regarding Facebook’s privacy controversy, publishers need to be completely transparent about their privacy policies,” said Chuck Moran, VP of Marketing for Burst Media.

The Department of Homeland Security’s Data Privacy and Integrity Advisory Committee has released a draft agenda (see below) for a public meeting to be held on February 26, 2009 in Arlington, Va. (Here’s the original announcement.)

NOTE: Public comments to be distributed at the meeting and requests to make oral presentations are due today.

Draft Agenda
Department of Homeland Security
Data Privacy and Integrity Advisory Committee
Thursday, February 26, 2009

FULL COMMITTEE MEETING
Hilton Arlington and Towers (Ballston)
Galleries I and II
950 North Stafford Street
Arlington, VA  22203

Morning Session: Open to the Public  ‐ Galleries I & II
Please be seated by 8:45 a.m.  9:00 a.m. – 12:00 p.m.

DHS Privacy Office Update  9:00 a.m. – 9:30 a.m.

John W. Kropf
Acting Chief Privacy Officer
U.S. Department of Homeland Security

DHS Privacy Office International Activities Update  9:30 a.m. – 10:30 a.m. Read more »

The Express-Times has an interesting story about law enforcement officials circumventing privacy settings on social networking sites in order to gather data. I have written before about how data from social networking sites are being used in criminal trials. Such information has also been used against job applicants, applicants to colleges and graduate schools, and various current employees.

Every time one of these stories is published, I feel I must reiterate: Once data is published online, it is difficult to control who sees it and how the data is used, so be careful what you reveal. The Express-Times reports:

While administrators of social networking sites such as MySpace and Facebook require law enforcement officials to present them with subpoenas and court orders to obtain information, local police said that is rarely necessary. Read more »

“Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations,” reports CNet News. The two bills that have been introduced, S.436 and H.R.1076, are titled “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act,” or Internet SAFETY Act. A provision of the bill reads, “A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”

Sen. John Cornyn (R-TX), Lamar Smith (R-TX), the senior Republican on the House Judiciary Committee, and Texas Attorney General Greg Abbott held a press conference to announce the legislation. They urged the passage of the bills in order to protect children. CNet reports, “The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates.”

Translated, the Internet Safety Act applies not just to AT&T, Comcast, Verizon, and so on–but also to the tens of millions of homes with Wi-Fi access points or wired routers that use the standard method of dynamically assigning temporary addresses. (That method is called Dynamic Host Configuration Protocol, or DHCP.) [...] Read more »

The New York Times has an interesting story on privacy risks associated with third-party data collection, as exemplified by the case of Alex Rodriguez. The Yankees’ third baseman’s steroid use was recently revealed via data subpoenaed in a federal case.

The way Mr. Rodriguez’s positive steroid test result became public followed a path increasingly common in the computer age: third-party data collection. We are typically told that personal information is anonymously tracked for one reason — usually something abstract like making search results more accurate, recommending book titles or speeding traffic through the toll booths on the thruways. But it is then quickly converted into something traceable to an individual, and potentially life-changing.

In Mr. Rodriguez’s case, he participated in a 2003 survey of steroid use among Major League Baseball players. No names were to be revealed. Instead, the results were supposed to be used in aggregation — to determine if more than 5 percent of players were cheating — and the samples were then to be destroyed. Read more »