The federal Chief Information Officers Council has released a report (pdf) detailing recommendations for a cloud computing privacy framework. Cloud computing is when you upload, store and access your data at an online service owned or operated by others. Millions of consumers use cloud computing services such as Web-based e-mail, online photo or video databases, or Internet calendar services.
The lack of control over your data is a substantial problem, as is the question of where the data is physically located and which country's laws your personal information is subject to. (Read a previous post for more on the privacy issues connected with cloud computing.)
In “Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies,” the federal CIOs say:
While [cloud computing] provides a flexible solution for complex information technology needs, cloud computing poses additional privacy challenges to those using the “cloud.” Federal agencies need to be aware of the significant privacy concerns associated with the cloud computing environment where [personally identifiable information (PII)] will be stored on a server that is not owned or controlled by the Federal government. That solution may result in holding or processing data without complying with Federal privacy requirements in a multi-jurisdictional environment. The framework below provides guidance on the privacy considerations posed by moving computer systems that contain PII to a Cloud Computing Provider (CCP). […]
Summary of the Privacy Risks Posed by Some Cloud Computing Platforms
The need to maintain the rights established by the Privacy Act of 1974 and the E-Government Act of 2002, including clearly defined uses for the information Federal agencies collect, rules governing retention, agreements controlling internal and external sharing and disclosure, and procedures governing notice, access, redress, and security.
Once an agency chooses a CCP to collect and store information, the individual is no longer providing information solely to the government, but also to a third party who is not necessarily bound by the same laws and regulations. The government and CCP must agree to strictly adhere to the Privacy Act to ensure the protection and safety of the information.
- The permitted use for the information the CCP collected from the Federal agency may not be clearly defined in the Terms of Service/Contract, enabling the CCP to analyze or search the data for its own purposes or to sell to third parties.
- The data could become an asset in bankruptcy, particularly if the Terms of Service or contract do not include retention limits.
- Depending on the location of the CCP’s servers or data centers, the CCP might allow or be required to permit certain local or foreign law enforcement authorities to search its data pursuant to a court order, subpoena, or informal request that would not meet the standards of the Privacy Act of 1974.
- The individual providing the information has no notice that explains that his or her information is being stored on a server not owned or controlled by the U.S. Government. Thus, when the individual person attempts to access his or her data, he or she is unable to do so and is left without proper redress.
- The data stored by the CCP is breached and the CCP does not inform the government or any of the individuals affected by the incident.
- The CCP improperly implements Federal security requirements (i.e., finds them cost-prohibitive or cumbersome) and thus inadvertently allows the data it is storing in the cloud to be viewed by unauthorized viewers.
- The CCP fails to keep access records that allow agencies to conduct audits to determine who has accessed the data.
- The Federal government cannot access the data to perform necessary audits. The data has been moved to a different country and a different server and the government suffers a loss in reputation and trust.
- The Federal government fails to keep an up-to-date copy of its data. The CCP accidentally loses all of the government’s data and does not have a back up.
The CIOs also list recommendations:
Agencies should include the Senior Agency Official for Privacy (SAOP) or his or her appropriate designees early in the development process to ensure that agencies recognize the privacy rights of individuals and identify and address the potential risks when using cloud computing. The SAOP or other delegated privacy staff should be part of the board or committee that will evaluate information moving information to the cloud, the proposed service delivery model, the CCP’s proposal before a contract award takes place, and all other areas of concern mentioned in this paper. Agencies should weigh the security threats and opportunities that are present for public, private, and community clouds when PII is involved. As with many technological innovations, cloud computing presents challenges and possible rewards for Federal agencies. Cloud computing can be a cost-saving and efficient option for Federal agencies when agencies properly recognize the rights of individuals and identify and address the potential risks.