At TechCrunch, Jason Kincaid writes about the privacy problems associated with “cloud computing” (when you upload and store your data at an online service owned or operated by others). (The World Privacy Forum released a report (pdf) in February on cloud computing, “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing.” It’s one of the few reports to look closely at the issues.)
The Cloud is looming large, offering us ways to store and share our data in ways that were never before possible. We can effortlessly share our documents and photos with our families and friends, while maintaining control over their spread using powerful granular privacy controls. But it’s quickly becoming clear that the cloud isn’t ready for us. Because the services we rely on are letting us down with a frequency that is simply unacceptable.
I’ve been putting this post off for a while, mostly because I didn’t want to point to a single breach and call it a trend. But in only the last two months, we’ve covered at least three major web services that suffered security lapses tied to software bugs or scaling issues.
(In this case, “scaling issue” means coverage expanded, but the service was unable to handle the expansion and problems arose. For example, if demand for a Web site increases by a factor of 10 and the site also increases its number of servers by a factor of 10, but still can’t meet the demand or handle the increased security risks because of design issues, then the site was unable to scale properly. Wikipedia has more info on scalability.)
When faced with such security lapses, most services try to downplay them by pointing out how few people (relatively speaking) were affected. In the case of the Google Docs issue, Google promptly explained that only .05% of all documents were wrongly shared. But when we’re talking about userbases of millions, even an apparently trivial percentage becomes significant, with thousands of people affected. […]
So why is this happening? There seems to be an accepted notion among many engineers that as their service scales, there is no way that it will be 100% secure. […] But that doesn’t mean that it’s acceptable for the service to wrongly share user data simply because of a bug. It’s the difference between having your bank apologize for losing your money because someone robbed it, and it telling you that the teller accidentally withdrew a few thousand dollars from your bank account and handed it to someone else. This sort of thing just can’t be happening.