Yesterday, the New York Times published a letter to the editor submitted by Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC) entitled “Protecting Data Privacy.” The opinion piece provides a nice chronology of the attempts made over the past decade or so to persuade technology companies to do a better job of preserving data privacy through methods including data minimization, destruction, segregation, and encryption. These are all core privacy principles that I have implemented in previous jobs, and encouraged through my published research and client interactions.
But the conclusion of the opinion piece left me scratching my head. “Perhaps it is time to rethink the cloud computing model. The risks are too high. The safeguards are too weak. And the companies are not prepared to carry the responsibility of gathering so much user data.”
Rethink the cloud computing model? The horse has left the barn, the cat is out of the bag, take your pick of clichés, but let’s be realistic. If we’re going to address the privacy issues associated with cloud computing, then we need to start by accepting the current state of play and figure out how to enhance and strengthen it moving forward.
- Cloud computing is far more pervasive than the average consumer or citizen can possibly realize. Thanks to both free and fee-driven providers and services like Amazon Web Services, Salesforce.com, and of course Google, the cloud is the foundation for how large segments of the global economy conduct business.
- The security features, controls, and personnel supporting these cloud services are far more advanced and skilled than many companies could achieve in-house. Think about it: their core function is to keep stuff safe and secure in the cloud. If they fail at it, they go out of business. For more on this, see “Managing Privacy Risks in the Public Cloud.”
- Even if we concede that, no matter what security controls we put in place to try to protect privacy, the government will find a way around them, that doesn’t eliminate the need to protect legal, ethical, or moral business-to-business or business-to-consumer privacy concerns.
We can protect data privacy better through contracts with enhanced privacy protections, applying increased security controls, and increasing transparency with regard to data handling. We need to have open, frank negotiations with cloud service providers to clearly establish where data is being stored, how it is being protected, who is accessing it, how it is being used for marketing purposes or resold to third parties, and how it is being destroyed. The expectations for notification when data is inappropriately accessed or exposed also need to be set. All of these factors combined will lead to better data privacy in a cloud-centric world than starting over from scratch would.