Friday 7 May 2010

Privacy and the Cloud

A friend pointed me at articles from the Privacy Commissioners of Canada and Ontario about cloud computing. They raise some interesting points. By and large they're good articles and raise points that you should consider.

I want to put a bit of context around them. I don't think the cloud should be dismissed because of privacy concerns, but I wouldn't blindly jump onto the cloud, either.

The article from the Privacy Commissioner of Canada had quite a few comments that weren't directly related to privacy, and I think some of them need to be looked at.

First, the Privacy Commissioner for Canada states that cloud computing can mean an on-going cost instead of one-time fee. But there is no such thing as a one-time fee in computing. Your computing gear lasts three to five years. You need to replace it, and you need to service it while you own it. It's much better in computing to convert your costs to a monthly cost, either by using the lease price, or by using the depreciation that your accountant would use.

Consumer lack of control refers to the challenge of moving from one cloud provider to another. For example, you want to take your blog from Blogger to Wordpress. It's an absolutely important point to consider with cloud computing. It's also an absolutely important point to consider when you use proprietary software (e.g. Microsoft) on your own equipment. There is a roughly equivalent amount of technical effort to switch to a different platform in either scenario.

In fact, technically you always have a way to get your data from a web site. The terms of service of the web site may prevent it, but technically you can do it. That's not always the case with a proprietary, in-house solution.


Compromising meaningful consent refers to the fact that the cloud tends towards a single provider of most services: Facebook, Google (for search), Twitter are all dominant in their sphere. However, twenty-five years of Microsoft wasn't exactly a world of diversity, either. Again, it's the monoculture that's undesirable, not the means by which we arrive at a monoculture.

Most of the Ontario Privacy Commissioner's paper is actually about identity. I am not by any means an expert on identity. I learned some interesting things from the Ontario Privacy Commissioner's paper.

One point I'd like to draw your attention to: Identity is impossible without the cloud, or at least the Internet. Most of the effective, practical identity mechanisms rely on an trusted third party. I believe the experts can demonstrate that this is required. You need the Internet to get to the trusted third party, and that third party is effectively a cloud service.

(What I mean by "practical" in the previous sentence is to rule out the public/private key approaches that work, but are too much of a pain for even most geeks to use.)


Finally, I want to step away from the privacy commissioners and talk about one aspect of the cloud debate: Many IT people are reluctant to embrace the cloud. Here is an example of IT backlash against the cloud. It's important to remember that IT jobs will disappear as users migrate to the cloud. If you work in a 4,000 person organization you probably have a couple of people working full-time to support Exchange (the back end of your e-mail system). If your organization used gmail, they wouldn't be needed.

What's that got to do with privacy? Well, it affects the cases that the IT experts bring forward. For example, you'll hear about the Chinese infiltration of gmail (attack on a cloud service), but you won't be reminded about the Chinese attacks on Tibetan nationalist and supporters, which was primarily about compromise people's personal computer.

I know that Google has way smarter people than me working on security, and they do it full time. I think I have a reasonably secure network, but I don't even have time to monitor it to see if I'm being compromised. Security and privacy will be a differentiating factor in the evolution of cloud providers. The market advantage will go to those who provide the level of privacy their customers desire.

In the proprietary, self-hosted world, security and privacy are usually the last thing that gets any resources, because the competitive pressures are always something else.

No comments: