Lately, there has been increased focus on “cloud computing” (when you upload, store and access your data at an online service owned or operated by others). The Hill reports that the Federal Trade Commission is examining the possible threats to data privacy and security connected with cloud computing services. The FTC detailed its interest in a filing with the Federal Communications Commission.
“For example, the ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities not originally intended or understood by consumers,” the FTC says in its filing.
In an article titled, “Security in the Ether,” MIT Technology Review’s David Talbot talks about the challenge cloud computing providers have to overcome; they have to prove to consumers that the data entrusted to them will be kept secure.
In the immensity of a cloud setting, the possibility that a hacker could even find the intended prey on a specific server seemed remote. This year, however, three computer scientists at the University of California, San Diego, and one at MIT went ahead and did it […] They hired some virtual machines to serve as targets and others to serve as attackers–and tried to get both groups hosted on the same servers at Amazon’s data centers. In the end, they succeeded in placing malicious virtual machines on the same servers as targets 40 percent of the time, all for a few dollars. While they didn’t actually steal data, the researchers said that such theft was theoretically possible. And they demonstrated how the very advantages of cloud computing–ease of access, affordability, centralization, and flexibility–could give rise to new kinds of insecurity. […]
Cloud computing actually poses several separate but related security risks. Not only could stored data be stolen by hackers or lost to breakdowns, but a cloud provider might mishandle data–or be forced to give it up in response to a subpoena.
The issue of privacy and cloud computing is important, because millions of consumers use cloud computing services such as Web-based e-mail, online photo or video databases, or Internet calendar services. And governments are beginning to use the services, too. In October, the Los Angeles City Council voted unanimously to outsource its e-mail system and other internet services to Google. In L.A.’s $7.25 million plan (pdf), “The migration would make Google, which hosts the servers running the applications, responsible for retaining and protecting sensitive health care and litigation data along with criminal and drug investigation records.” Google said in December that the city had begun switching 34,000 employees to the company’s cloud services.
Consumers are using cloud services in a variety of ways. In a September 2008 report, the Pew Internet and American Life Project discussed a survey about consumers’ use of cloud computing services. Pew found that 69 percent of online users have done at least one and 40 percent of online users have done at least two of these six activities: (1) Use webmail; (2) Store personal photos online; (3) Use online applications, such as Google Documents or Adobe Photoshop Express; (4) Store personal videos online; (5) Pay to store computer files online; and (6) Back up hard drives to an online site.
And consumers have questions and concerns about their data privacy on cloud computing services. Pew found that “users report high levels of concern when presented with scenarios in which companies may put their data to uses of which they may not be aware,” and 68 percent of users “of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.”
There already have been examples of privacy and security problems with cloud services provider Google. In March 2009, it was revealed, “Google discovered a privacy glitch that inappropriately shared access to a small fraction of word-processing and presentation documents stored on the company’s online Google Docs service.” Though the technical problem was fixed, customers’ sensitive data was exposed, and consumers had no control over the security situation. In July, A hacker was able break into a Twitter employee’s e-mail account and through that was able to get to confidential business documents that were stored on the business version of Google Apps.
The lack of control is a substantial problem. In May, security expert Bruce Schneier explained: “For the most part, your online data is not under your control. Cloud computing and software as a service exacerbate this problem even more. Your webmail is less under your control than it would be if you downloaded your mail to your computer. If you use Salesforce.com, you’re relying on that company to keep your data private. If you use Google Docs, you’re relying on Google.”
Another important privacy question involves the fact that the physical location of the “in the cloud” server where the data is housed could be in any country and subject to the laws of the host country, which could be less protective of the data than the United States’ laws.
For more information: The World Privacy Forum released a report (pdf) last year on cloud computing, “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing.” The National Institute of Standards and Technology has a site about cloud computing. Last year, in a New York Times op-ed, Harvard Law Professor Jonathan Zittrain also wrote about privacy and cloud computing, noting that the cloud “comes with real dangers.”