Is My Information Safe in The Cloud? (Part 2: Privacy)

Answering this question takes two steps: 1. Read the Privacy Policy and Terms of Service. 2. Read the Privacy Policy and Terms of Service AGAIN.

Individuals and businesses are generally free to share personal information about themselves, their customers, and their employees with a cloud provider. Exceptions exist where legal or professional obligations apply, such as for a lawyer, tax preparer, or psychiatrist. However, once shared, the privacy and confidentiality of your information is almost completely dependent on the terms of service and privacy policy established by the cloud provider. Let’s look at Google’s Terms of Service as an example.

Google’s Terms of Service state that “When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”

Whoa! Sounds terrible, right? I’m certainly not going to put my Great American Novel manuscript on Google Drive or my feature film trailer on YouTube! Hold on a sec; Google then qualifies the license you are giving them this way: “You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.” OK, that sounds good. “The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.” OK, that makes sense; in fact it is probably essential for them to provide the service you want.

Whew! There is hope: “Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services.” Kind of vague, but I guess I can live with that.

Google’s Privacy Policy states that they collect information in two ways. First, “Information you give us. For example, many of our services require you to sign up for a Google Account. When you do, we’ll ask for personal information, like your name, email address, telephone number or credit card. If you want to take full advantage of the sharing features we offer, we might also ask you to create a publicly visible Google Profile, which may include your name and photo.” Second, “Information we get from your use of our services. We collect information about the services that you use and how you use them, like when you watch a video on YouTube, visit a website that uses our advertising services, or you view and interact with our ads and content.” Hmmm…

Whoopee! Looks like at least I have some control. “We do not share personal information with companies, organizations and individuals outside of Google unless… we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.” That actually sounds pretty fair.

Wait! And what is this? “Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.” That is definitely a mixed bag. I don’t want spam, but I also don’t want my private personal e-mails read.

Well, hell! Maybe I’ll just quit using Google altogether! In that case we find some good news: “You can stop using our Services at any time, although we’ll be sorry to see you go.” That’s nice, and they also say: “We believe that you own your data and preserving your access to such data is important.” OK. But what if they break up with me first? “Google may also stop providing Services to you, or add or create new limits to our Services at any time. If we discontinue a Service, where reasonably possible, we will give you reasonable advance notice and a chance to get information out of that Service.”

I hope that example was instructive. And for the record, I use Google products every day and believe their privacy policies are as good as most cloud service providers’. But you should realize that understanding your privacy rights takes effort. The State of California has a great article, “How To Read A Privacy Policy”, that suggests you ask the following questions.

  • What personal information is collected?
  • How is the information collected?
  • Why is the information collected?
  • How is the information used?
  • Who will have access to the information?
  • What choices do you have?
  • Can you review or correct personal information?
  • What security measures are used to protect your personal information?
  • How long will the organization honor its privacy policy?
If you are not comfortable with the answers look for a different cloud app provider.

The reason you have to do all the work is that, unlike most of the rest of the world, the U.S. has primarily taken a “self-regulation” approach to privacy, which in many ways has been an abject failure. This approach has been overlaid with a few sector-based federal laws (financial services, e-mail spam, protection of children online, etc.) and a fragmented patchwork of state laws (data breach notification, policy disclosure, etc.).

The top cop for protecting your privacy is the Federal Trade Commission (FTC), which sets policy and brings enforcement actions against advertising networks, information brokers, mobile app providers, online retailers, search providers (Google), and social networks (Facebook). The FTC articulated the Fair Information Practice Principles almost 40 years ago, and in our modern age promotes a framework with three key practices: privacy by design (making privacy the default setting), simplified consumer choice, and greater transparency from the entities that collect and use personal information. But without broad federal privacy legislation it is very possible we will see the End of Privacy. To see how close we are to that future already, take the ACLU (great, short, fun) privacy quiz that shows you how exposed your personal information really is.

To sum up I suggest you take the following 4 steps to protect your business and personal information.

Control your information. Only provide the minimum required information in any form or interaction. Configure your browser for “Do Not Track” and “Disable Cookies” where possible (keep in mind that Do Not Track is only a request sent with each page load; sites are free to ignore it, so it is no substitute for blocking cookies and trackers yourself). Understand and set your privacy controls on every website and service you use. A good guide is here.

Control your devices. Treat your smartphone like the computer that it is and put the same level of controls on access. See my earlier blog post on Security for more.

Control your apps. Choose apps that have Terms of Service and Privacy Policies that you can live with. Also, watch out for the many add-on Apps that are provided by third party developers and might have different terms and policies than your primary Cloud App service provider. Don’t let mobile apps use location services without good cause.

Control your opt-outs. For your own personal information one of the best things you can do is to Opt-Out. The World Privacy Forum provides a guide on the top 10 Opt Outs. This is a fantastic list to allow you to be “let alone”, as Justice Brandeis termed it, both off-line and on-line. I highly recommend it.

Full disclosure, I wrote my Ph.D. dissertation on information privacy and how people’s attitudes and behaviors differ based on their generation. If you would like to know more you can access it here.


Build Stronger Relationships with Nimble CRM

“Traditional CRM doesn’t TELL you anything, YOU have to tell IT everything.” Jon Ferrara could not be more right, and his cloud-based Nimble CRM (Customer Relationship Management) goes a long way toward flipping this script. Some creatives may feel they don’t need to “sell” because they have representation such as agents, labels, publishers, and studios doing that for them. But that game is changing, and regardless, relationships are the key to success in a creative business. It’s who you know and who knows you. AND what they think of you.

Before we look at Nimble, let’s briefly review what creative entrepreneurs should be trying to achieve with a good relationship management system.

Keep a record of all your contacts. Sounds simple, but most people don’t, and successful people do. At a minimum you should have a full and complete record of every client and prospective client. In addition, and depending on your industry, you should have a record of every agent, casting director, coach, director, game designer, industry executive, publisher, producer, studio head and everyone else that you have met, called, emailed, or written to. As you can see this is a very long list of people, and even for someone starting out it is a lot of information to keep straight. Have a system. Yes, you can use Gmail contacts or your phone’s address book or even index cards if that works for you. But Post-it notes and scraps of paper are not a system. Nimble costs $15 per month per user, which may be a deterrent to some creative entrepreneurs looking to keep costs as low as possible.

Have a complete single view of your contacts. In our social-media connected world it is not enough to have only a basic name, phone, e-mail, physical address, and type of business. You must also record addresses for websites, Facebook, Twitter, LinkedIn, Instagram, Soundcloud, Vimeo, etc., etc. And much of the most interesting and current information is embedded in these multiple social media streams. You might also keep track of activities such as attending an audition, booking a gig, sending a demo reel, providing a headshot, and follow-up activities. In most cases this information is spread across multiple applications, data formats, and is of varying levels of quality. For example you may have basic contact info in your iPhone address book, activity data in e-mail on Outlook, events on a Calendar App, and multiple separate social streams. This is the promise (not often delivered) of CRM: to have one place where you can see all of a customer’s information.

Avoid contacts falling into the “black hole”. Every day opportunities pass us by because we fail to follow up on them. Someone gives us their card, but we never call.  Someone else friends us on Facebook, but we never message them. That e-mail of a friend of a friend gets lost. We have a good conversation with someone who might help our career, but then six months go by and that relationship has “died on the vine”. Have a way of triggering reminders to stay in touch, what is sometimes called a “tickler” system. Remember also that it is a small world and a long career. The bartender you meet today may be directing a feature film a few years from now.

Focus on the relationships that matter.  Keeping up with people takes precious time away from you practicing and perfecting your craft. It is often true that most of our relationships are with our peers, people like ourselves. Actors know other actors. Graphic designers know other graphic designers. And it can be tempting to spend most of your time interacting with your peers. But growing your business and career means spending 80% of your time interacting with the 20% of the people who can help you get work. Have a way of tracking these most important relationships and give them the attention they deserve. If you contact only three people a day you will have maintained contact with over 1,000 people each year. A more than large enough group to create and sustain success, if it is the right 1,000 people.

Choose an appropriate scale of software. Traditional CRM systems are sold and implemented for managers and executives and are seldom much help to individual sales people. And creative entrepreneurs, often solopreneurs, do not need these cumbersome systems. You can trust me on this: I founded one of the leading CRM consulting firms and helped large companies such as Schlumberger, Raytheon Aircraft, Birkenstock USA, Kraft Foods, McAfee, and Starbucks implement technology to improve their customer relationships.

Nimble CEO Jon Ferrara basically created modern sales force automation with his much beloved GoldMine software in the 1990s. He has created Nimble with the same focus on improving the productivity of the individual with easy to use tools driven by powerful and innovative features. Let’s look at two of these features Nimble Magnifier and Nimble Signals.

Nimble Magnifier

The worst part of any contact management system is the drudgery of entering all the data. Nimble solves this problem by allowing you to simply hover over a contact name on any website (social sites work best) and the software automagically imports (or updates) all the information for that contact into your Nimble database. Once it has profile information from one site, say Facebook, it shows similar profiles on other social networks, like Twitter and LinkedIn, and asks you if it is the same person. In almost no time at all you have a rich, robust customer contact record that would have taken so long to enter manually you probably wouldn’t have bothered. From this sidebar you can mark the contact as Important, activate a stay in touch reminder, add notes, tasks, deals, and much more. All without opening up a separate app or cutting or pasting anything!

In the following screenshot I am on my Facebook profile page and the Nimble plug-in is the sidebar on the right. I hover the mouse pointer over the banner and Nimble pulls all of the available information into a new contact record. This works even if you are not yet friends with this person, although if you are friends you get more data loaded.

Nimble then asks if other social profiles are the same person. It is not perfect and for a common name like “Brian Johnson” you may end up with unhelpful suggestions. In this case Nimble suggests the Twitter profile for Brian Johnson the lead singer of AC/DC, but in my experience it is uncanny how often the correct profile is present in the first 3-5 matches displayed.

Nimble Signals

The Nimble desktop app delivers on the single view of the customer we discussed earlier. It brings together a contact’s basic profile information, e-mail interactions, previous and scheduled tasks/events, shared connections, and a unified social media stream into a single contextual history. This is incredibly valuable when you have not interacted with a contact for a period of time. You can slip into their social stream and find reasons to engage them on topics that are current and fresh to them (a recent award or project) and remind them of interactions you had in the past (an audition or job). This places your interaction into the context of your customer’s life without being intrusive. Read more about this concept of “Social Selling” here or here.

In the following screenshots I am using the Nimble desktop app and reviewing the information of my business partner Angela Grayden. From this main contact screen you can easily add an activity (task, calendar event, touch), send a message (e-mail, Twitter, Facebook), add a note, create a “deal”, or attach a file (Dropbox or Google Drive) without leaving the main page. You can also see the contact’s social networks and a “Smart Summary”.
The tabs at the bottom of the main screen show an incredible wealth of information. The Pending and History tab shows e-mail messages, calendar events, tasks, notes and more. The Social tab (displayed below) shows the unified social media stream of the contact’s activities. The Shared Connections tab shows your relationship to this contact.
The Signals tab allows you to view and filter “social signals” such as retweets, likes, comments, new connections, birthdays, and job changes for all of your contacts or just those contacts you have marked “important”. These are all natural opportunities for engagement with the people who can help you grow your career. Nimble will also send you a daily summary showing you the most important signals you should act on each day. Also much, but certainly not all, of this contact information is available on your smartphone via the recently released Nimble Mobile App.
So to paraphrase and flip the statement made by Jon Ferrara at the beginning of this post: “Nimble CRM asks you to tell it very little, and then it tells you a great number of things you don’t already know.”

Just to review: we looked at how relationship management can help creative entrepreneurs, demonstrated how you can easily grab data from a social site using the Nimble CRM plug-in, and showed how you can gain insights from Nimble Signals. Next week we will return to the topic of Is Your Information Safe In The Cloud? with Part 2: Information Privacy.

The Scorecard


Is My Information Safe In The Cloud? (Part 1: Security)

Adopting a Cloud App means entrusting your information to someone else, and you need to know if that information is safe. There are obvious risks: Is it safe from hackers and malicious employees? Is it safe from natural disasters such as earthquakes or man-made ones such as bankruptcy? And maybe not so obvious ones: Will I be able to download my data in a usable format? Will I be able to delete it if I cancel my service? Will it be shared with law enforcement or litigants in a civil lawsuit without my knowledge? And most importantly, what can I do to make sure my information is safe?

Keeping your data in the cloud magnifies some existing security threats and also creates some new ones. The well-respected Cloud Security Alliance detailed the “Notorious Nine”. But for creative entrepreneurs there are really only four main security threats.

1. Your Account is hijacked.

Account hijacking is when someone obtains your login credentials (username and password) and is able to access your cloud-based account. A recent study by Experian found that login information for a Twitter account is worth more on the black market than a credit card number. Since people often reuse usernames and passwords, access to one account can lead to access to other accounts. The attacker can also eavesdrop on your activities and those of your social circle. This threat is largely specific to cloud-based software applications: to get at traditional software on your laptop an attacker generally needed access to the device itself, whereas a cloud account can be logged into from anywhere in the world.

While credentials are now harvested in bulk by attacks on the services themselves (Sony PlayStation), the tried and true methods of phishing, fraud, and spyware are still significant avenues (the 2014 iCloud celebrity photo leak).

Protecting your login credentials is pretty straightforward: use a different password for every account, create hard-to-guess passwords (a password manager will generate and remember them for you), turn on two-factor authentication wherever a service offers it, don’t share sensitive information online, avoid public Wi-Fi, use https, etc. You have heard all of that before; however, the discipline required and the inconvenience involved mean most people don’t do this very well. Here is a good guide on protecting yourself online and offline.

2. Your information is stolen.

“Data Breach” is when personal or sensitive information is stolen from the company storing it. You may envision a hacker or foreign government exploiting a vulnerability in the company’s firewall, but malicious employees and negligence account for about 59% of these incidents. A typical data breach law requires a notification letter be sent to those affected and in some cases identity theft protection services are offered.

Every week brings new data breach reports from companies such as Target, Home Depot, or Sony Pictures. But we only hear about them at all because individual states have enacted data breach notification laws. Starting with California in 2003, a patchwork of laws now exists in 47 states. And some industries, such as financial services, are covered by federal data breach notification requirements.

Unfortunately for users of Cloud Apps this patchwork means your data may reside in a jurisdiction with strong, weak, or no regulation. In fact in some areas cloud services are specifically exempted from breach notifications. In this environment it is very difficult for a creative entrepreneur to independently verify that their data has been breached, so it comes down to trusting the cloud app provider to notify you.

3. Your information is lost.

“Data Loss” traditionally refers to the cloud service provider’s inability to provide you your data. To accommodate cloud-based apps I have segmented and expanded this definition to include three conditions that reduce or eliminate your ability to use your data: Loss of Access, Loss of Portability, and Loss of Identification. Let’s look at these in more detail.

Loss of access occurs when you are unable to access your data. This includes the traditional categories of data loss: accidental deletion by the service provider, damage to infrastructure from natural disasters, or inadequate backups. In addition this category should include loss of access to data due to the bankruptcy of the cloud service provider, failed system upgrades, end-of-life support for existing platforms or versions, and denial of service attacks.

Loss of Portability (also called Lock-In) occurs when you are unable to easily switch to a new cloud or non-cloud provider. Loss of Portability is often due to a lack of adequate download utilities or the use of proprietary file formats. For example, you may have spent hundreds of hours entering, cleaning, and enhancing your customer information in a cloud-based Customer Relationship Management tool, only to find out that the only data you can download is a basic customer list. All of the meaningful information in that CRM system, such as tasks, opportunities, quotes/orders, service requests, marketing activities, and the metadata relationships between them, is unavailable to migrate to your new system without reentering all of it. Proprietary file formats are another way that some cloud service providers keep you from going somewhere else.

Loss of Identification means you are unable to assert your rights to your data. This could happen, for example, if you were to lose an encryption key or a physical key dongle. Loss of Identification can also happen due to the death or incapacitation of the user. In that case, is a family member or business partner able to obtain full or limited access? Another example is a cloud service provider asserting rights over your intellectual property, such as photos, movies or music on a social media website or books or screenplays on a reviews website. Also in this admittedly somewhat eclectic category is deletion of an account by an owner who later has second thoughts. Some cloud service providers place your account in a “quarantined” or suspended state for a period of time, with the ability to reactivate the account if you so choose.
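One practical mitigation for the first two failure modes above (a lost key, or an owner who dies or is incapacitated) is to keep your cloud copy encrypted under a key that you control, and to escrow that key as shares: any `threshold` of the shares rebuild it, while fewer reveal nothing about it. The following is an added example, not code from the original post or from any cloud provider; it implements Shamir’s secret sharing with only the Python standard library and assumes the thing being protected is a 32-byte file-encryption key (the file encryption itself should use a vetted library and is not shown).

```python
import secrets

# Mersenne prime larger than any 256-bit key; all arithmetic is done mod PRIME.
PRIME = 2**521 - 1


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` shares; any `threshold` of them recover it.

    Shares are (x, y) points on a random polynomial of degree threshold-1 whose
    constant term is the secret (Shamir's scheme over the field GF(PRIME)).
    """
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Coefficients must come from a CSPRNG: a predictable RNG would let anyone
    # holding a single share guess the others.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def evaluate(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner's rule
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, evaluate(x)) for x in range(1, share_count + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Rebuild the secret from (x, y) shares by Lagrange interpolation at x = 0.

    With fewer than `threshold` shares the interpolated value is an essentially
    random field element; it almost surely will not fit in `length` bytes, which
    the size check below turns into an error. Because the scheme itself cannot
    prove a recovered key is right, callers should still verify it (for example
    by decrypting a known file) before trusting it.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    if total.bit_length() > 8 * length:
        raise ValueError("recovered value does not fit in %d bytes; too few shares?" % length)
    return total.to_bytes(length, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stand-in for a real file-encryption key
    # Hypothetical custodians: you, a business partner, your lawyer.
    shares = split_secret(key, threshold=2, share_count=3)
    assert recover_secret(shares[:2], 32) == key
    assert recover_secret([shares[0], shares[2]], 32) == key
    print("any two of the three shares recover the key")
```

Give one share each to, say, yourself, a business partner, and your lawyer, and store the shares away from the encrypted data. Any two custodians can reconstruct the key after you lose yours or are no longer able to act, while a single share, whether it is lost, stolen, or handed over in response to a request to one custodian, discloses nothing about the key.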

4. Your information is used against you or others.

This section briefly discusses the threat of your data being used against you or those close to you as a result of being accessed by law enforcement, government agencies, and litigants in civil lawsuits. I promise this is not the paranoid aluminum foil hat section. Read on.

Cloud data is different from local data. The Fourth Amendment prohibits unreasonable searches and seizures and generally requires a warrant issued by a judge. Data on a user’s own hard drive has the full protection of the Fourth Amendment; however, data voluntarily handed to a third party, in this case a cloud service provider, may lose this shield under the so-called third-party doctrine and be used in a number of potentially damaging ways.

With the revelations of Edward Snowden, it is clear that government agencies have the ability to monitor Internet traffic and data at internet service providers. It is a chilling Orwellian thought that a creative entrepreneur who was creating art, film, or software that might be counter to certain interests could be monitored through their electronic lives. For the vast majority of people and uses this is only a theoretical, not an actual, threat but one you should consider in your own situation.

A more common concern is that cloud data could easily be subpoenaed in a civil lawsuit. This might be in regards to a business related dispute with a client or vendor, but in the creative professions this could also be a dispute about intellectual property, royalty sharing, or digital assets. Companies are often required to comply with “eDiscovery” requests that force them to turn over e-mails and other electronic documents related to the civil dispute. If information is particularly sensitive the creative entrepreneur should have the highest level of control over that information and a cloud-based repository may not be appropriate.

How do you choose a cloud provider that will keep your information safe?

There are two paths to finding a cloud service provider that will keep your information safe. The first is looking to see if your cloud service provider holds an information security certification such as ISO‐27001, has passed a security audit such as SSAE 16, or qualifies for seals such as those from TRUSTe. Keep in mind that a certificate or audit report covers the provider’s controls as scoped by the auditor at a point in time, not how you configure and share your own account. The second is asking key questions of your cloud service provider and evaluating the answers based on your situation. I suggest you do both.

The best source of questions I have found to ask your cloud provider comes from a group of thoughtful and distinguished industry experts at a retreat held by the Consumer Federation of America in 2010 that produced a document Consumer Protection in Cloud Computing Services: Recommendations for Best Practices that is available here, and from which I have reproduced the two relevant appendices below.

We come to the end of another post. Just to review this post discussed the 4 major Information Security threats facing creative entrepreneurs and how to select a trustworthy cloud service provider. A future post (Part 2)  will focus on the other side of the coin: Information Privacy.

The remainder of this post is derived from the Appendices in the Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America Retreat on Cloud Computing, November 30, 2010. Please download the full report, but for your convenience I have reproduced the 2 Appendices below. Find it at this web address:

Appendix A: Best Practices in Disclosure for Business‐to‐Consumer Services

*Answers to the questions provided are illustrative.

  1. What is the cloud service provider’s business model?
    1. “We charge consumers a fee for this service.”
    2. “We serve advertising based upon consumers’ interests in exchange for the service”
    3. “We analyze consumers’ information in order to serve advertising based upon their interests”
  2. What entity actually provides the cloud service?
    1. “We provide it directly”
    2. “We provide it directly, and use the following subcontractors…”
    3. “We subcontract all services to…”
  3. Is consumer content or transactional data shared? If so, with whom? What choice mechanisms are in place?
    1. “no”
    2. “Yes, we share information with affiliates, and you can opt out by X”
    3. “Yes, we share information with third parties, and you can opt out by X”
  4. Is consumer content or transaction data used for purposes not required for the technical operation of the service?
    1. “No”
    2. “Yes, we use content/transaction data to target advertisements”
  5. Is the provided service a private or public cloud?
    1. Private cloud: the service is provided by a single entity
    2. Public cloud: many consumers may be using the same service
  6. What data can the consumer export and in what format?
    1. The consumer can export all data that the user provides in standard formats, including csv, txt, xls.
    2. The consumer can export data only in proprietary formats
  7. Will users be notified of security breaches?
    1. Yes, according to the law of [jurisdiction]
  8. Will the consumer be promptly notified if there is a law enforcement or civil request for data about the consumer?
    1. Yes, if we are legally able to notify users.
    2. No
  9. In what jurisdiction are the data stored?
    1. [list of one or more countries]
    2. [indicate whether user or service has discretion to select storage locations]
  10. What jurisdictions’ laws govern the privacy and security aspects of the cloud providers’ services, and what is the relevant consumer protection authority?
  11. What procedures are followed when closing accounts?
    1. We will give consumers 30 days of access before closing their accounts for non-payment
    2. In the event of discontinuance of service, we will give consumers 30 days of access to extract data
  12. Who is responsible for consumer and privacy issues and what is their contact information?
    1. Name responsible employee and provide contact information

Appendix B: Sample Disclosure (from cloud service provider)

Our Business

We provide services to you for a fee.

We own and operate the equipment for this cloud service. 

Your Data

We do not share content or transactional data with third parties.

We only use content and transactional data for purposes required for the technical operation of the service.

You can export data uploaded and generated on this service in standard formats, including csv, txt, and xls.

If possible, we will notify you if another party requests data or information about your use of this service.

Our Cloud

Your service level is a private cloud, meaning that we are using a dedicated infrastructure for your services.

Our cloud operates in the following countries: the USA and Canada.

Our cloud services are governed by the laws of the USA and Canada and by the following regulators:

U.S. Federal Trade Commission
Privacy Commissioner of Canada


If we become aware of a security breach, we will inform you of it consistent with the law of California.

In January 2010, our service was certified as compliant with ISO‐27001/2 by our auditor.

Account Termination

In the event of a termination of our services, or nonpayment on your account, we will give you notice and 30 days to export data from our cloud. 

Contact Us

Our privacy and security contact is:

Joan A. Privacyofficer
1 Embarcadero Center
San Francisco, CA 94001
(415) 555‐1212