Is My Information Safe in The Cloud? (Part 2: Privacy)

Answering this question takes two steps: 1. Read the Privacy Policy and Terms of Service. 2. Read the Privacy Policy and Terms of Service AGAIN.

Individuals and businesses are generally free to share personal information about themselves, their customers, and their employees with a cloud provider. Exceptions exist due to legal or professional obligations, such as those of a lawyer, tax preparer, or psychiatrist. However, once shared, the privacy and confidentiality of your information is almost completely dependent on the terms of service and privacy policy established by the cloud provider. Let’s look at the Google Terms of Service as an example.

Google Terms of Service states that “When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”

Whoa! Sounds terrible, right? I’m certainly not going to put my Great American Novel manuscript on Google Drive or my feature film trailer on YouTube! Hold on a sec, Google then qualifies that license you are giving them this way: “You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.” OK, that sounds good. “The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.” OK, that makes sense; in fact it is probably essential for them to provide the service you want.

Whew! There is hope: “Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services.” Kind of vague, but I guess I can live with that.

Google’s Privacy Policy states that they collect information in two ways: “Information you give us. For example, many of our services require you to sign up for a Google Account. When you do, we’ll ask for personal information, like your name, email address, telephone number or credit card. If you want to take full advantage of the sharing features we offer, we might also ask you to create a publicly visible Google Profile, which may include your name and photo.” and also “Information we get from your use of our services. We collect information about the services that you use and how you use them, like when you watch a video on YouTube, visit a website that uses our advertising services, or you view and interact with our ads and content.” Hmmm…

Whoopee! Looks like at least I have some control. “We do not share personal information with companies, organizations and individuals outside of Google unless… we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.” That actually sounds pretty fair.

Wait! And what is this? “Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.” That is definitely a mixed bag. I don’t want spam, but I also don’t want my private personal e-mails read.

Well, hell! Maybe I’ll just quit using Google altogether! In that case we find some good news: “You can stop using our Services at any time, although we’ll be sorry to see you go.” That’s nice, and they also say: “We believe that you own your data and preserving your access to such data is important.” OK. But what if they break up with me first? “Google may also stop providing Services to you, or add or create new limits to our Services at any time. If we discontinue a Service, where reasonably possible, we will give you reasonable advance notice and a chance to get information out of that Service.”

I hope that example was instructive. And for the record, I use Google products every day and believe their privacy policies are as good as most cloud service providers. But you should realize that understanding your privacy rights takes effort. The State of California has a great article, “How To Read A Privacy Policy”, that suggests you ask the following questions.

  • What personal information is collected?
  • How is the information collected?
  • Why is the information collected?
  • How is the information used?
  • Who will have access to the information?
  • What choices do you have?
  • Can you review or correct personal information?
  • What security measures are used to protect your personal information?
  • How long will the organization honor its privacy policy?
If you are not comfortable with the answers look for a different cloud app provider.

The reason you have to do all the work is that, unlike most of the rest of the world, the U.S. has primarily taken a “self-regulation” approach to privacy, which in many ways has been an abject failure. This approach has been overlaid with a few sector-based federal laws (financial services, e-mail spam, protection of children online, etc.) and a fragmented patchwork of state laws (data breach, policy disclosure, etc.).

The top cop for protecting your privacy is the Federal Trade Commission (FTC), which sets policy and brings enforcement actions against advertising networks, information brokers, mobile app providers, online retailers, search providers (Google), and social networks (Facebook). The FTC articulated the Fair Information Practice Principles almost 40 years ago and in our modern age promotes a framework with 3 key practices: privacy by design, i.e. making privacy the default setting; giving consumers control by simplifying choice; and greater transparency by those entities that collect and use personal information. But without broad federal privacy legislation it is very possible we will see the End of Privacy. To see how close we are to that future already, take the ACLU (great, short, fun) privacy quiz that shows you how exposed your personal information really is.

To sum up I suggest you take the following 4 steps to protect your business and personal information.

Control your information. Only provide the minimum required information in any form or interaction. Configure your browser to send “Do Not Track” and to block third-party cookies where possible, keeping in mind that Do Not Track is only a request that a website is free to ignore. Understand and set your privacy controls on every website and service you use. A good guide is here.

Control your devices. Treat your smartphone like the computer that it is and put the same level of controls on access. See my earlier blog post on Security for more.

Control your apps. Choose apps that have Terms of Service and Privacy Policies that you can live with. Also, watch out for the many add-on apps that are provided by third-party developers and might have different terms and policies than your primary cloud app service provider. Don’t let mobile apps use location services without good cause.

Control your opt-outs. For your own personal information one of the best things you can do is to Opt-Out. The World Privacy Forum provides a guide on the top 10 Opt Outs. This is a fantastic list to allow you to be “let alone”, as Justice Brandeis termed it, both off-line and on-line. I highly recommend it.

Full disclosure, I wrote my Ph.D. dissertation on information privacy and how people’s attitudes and behaviors differ based on their generation. If you would like to know more you can access it here.

Is My Information Safe In The Cloud? (Part 1: Security)

Post 5 - Security

Adopting a Cloud App means entrusting your information to someone else, and you need to know if that information is safe. There are obvious risks: Is it safe from hackers and malicious employees? Is it safe from natural disasters such as earthquakes or man-made ones such as bankruptcy? And maybe not so obvious ones: Will I be able to download my data in a usable format? Will I be able to delete it if I cancel my service? Will it be shared with law enforcement or litigants in a civil lawsuit without my knowledge? And most importantly, what can I do to make sure my information is safe?

Keeping your data in the cloud magnifies some existing security threats and also creates some new ones. The well-respected Cloud Security Alliance detailed the “Notorious Nine”. But for creative entrepreneurs there are really only four main security threats.

1. Your account is hijacked.

Account hijacking is when someone obtains your login credentials (username and password) and is able to access your cloud-based account. A recent study by Experian found that login information for a Twitter account is worth more on the black market than a credit card number. Since people often reuse usernames and passwords, access to one account can lead to access to other accounts. Also, the attacker can eavesdrop on your activities and those of your social circle. This threat is magnified by cloud-based software applications: the login page is reachable by anyone on the Internet, whereas data held by traditional software on your laptop could only be reached by someone with access to the device itself.

While credentials are now harvested in bulk through attacks on service providers (the Sony PlayStation Network breach), the tried-and-true methods of phishing, fraud, and spyware are still significant avenues (the iCloud celebrity photo theft).

Protecting your login credentials is pretty straightforward: use a different password for every account, make them long and hard to guess (a password manager does both of these for you), turn on two-factor authentication where the provider offers it, don’t share sensitive information online, avoid public Wi-Fi, use https, etc. You have heard all of that before; however, the discipline required and the inconvenience involved mean most people don’t do this very well. Here is a good guide on protecting yourself online and offline.
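Two of the checks above can be automated, and doing so shows why credential reuse is the real problem. The following Python is an added example, not code from the original post: it groups accounts that share a password (a breach at any one of them exposes the rest) and tests a password against a breach corpus using the k-anonymity scheme of the Have I Been Pwned “range” API, in which only the first five hex characters of the password’s SHA-1 leave your machine and the server answers with every matching suffix and its count. The breach corpus, the counts and the `range_response` stand-in for the HTTP call are all constructed for the example.

```python
"""Credential-hygiene checks: password reuse across accounts, and an offline
k-anonymity breach lookup in the style of the Have I Been Pwned range API."""
import hashlib

# Constructed breach corpus (not real leaked data): password -> times seen in breaches.
BREACHED = {"password": 3861493, "letmein": 236579, "qwerty": 3912816}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The server receives only the 5-character prefix and returns one
    'SUFFIX:COUNT' line per corpus hash that starts with it, so it never
    learns which password (if any) the client is checking.
    """
    assert len(prefix) == 5, "only the first five hex characters are sent"
    lines = []
    for pw, count in BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password: str, fetch=range_response) -> int:
    """Return how often `password` appears in the breach corpus (0 = not seen).

    The full hash is compared locally against the returned suffixes; swap
    `fetch` for a real HTTP GET to query the live API with the same logic.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def find_reused(accounts: dict) -> dict:
    """Group account names that share a password.

    `accounts` maps account name -> password (as a password manager holds them).
    Returns {password: [accounts...]} for every password used more than once.
    """
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample vault for the demo.
    vault = {"email": "letmein", "bank": "Xk9$wq2!pLr7", "twitter": "letmein"}
    for pw, names in find_reused(vault).items():
        print(f"password shared by {names}: seen {breach_count(pw)} times in breaches")
```

Anything `breach_count` reports as seen even once should be changed everywhere `find_reused` says it is used; with the live API the `fetch` argument is the only part that changes.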

2. Your information is stolen.

“Data Breach” is when personal or sensitive information is stolen from the company storing it. You may envision a hacker or foreign government exploiting a vulnerability in the company’s systems, but malicious employees and negligence account for about 59% of these incidents. A typical data breach law requires that a notification letter be sent to those affected, and in some cases identity theft protection services are offered.

Every week brings new data breach reports from companies such as Target, Home Depot, or Sony Pictures. But we only hear about them at all because individual states have enacted data breach notification laws. Starting with California in 2003, a patchwork of laws now exists in 47 states. And some industries, such as financial services, are covered by federal data breach notification law.

Unfortunately for users of Cloud Apps, this patchwork means your data may reside in a jurisdiction with strong, weak, or no regulation. In fact, in some areas cloud services are specifically exempted from breach notifications. In this environment it is very difficult for a creative entrepreneur to independently verify that their data has been breached, so it comes down to trusting the cloud app provider to notify you.

3. Your information is lost.

“Data Loss” traditionally refers to the cloud service provider’s inability to provide you your data. To accommodate cloud-based apps I have segmented and expanded this definition to include three conditions that reduce or eliminate your ability to use your data: Loss of Access, Loss of Portability, and Loss of Identification. Let’s look at these in more detail.

Loss of Access occurs when you are unable to reach your data. This includes the traditional categories of data loss: accidental deletion by the service provider, damage to infrastructure from natural disasters, or inadequate backups. In addition, this category should include loss of access to data due to the bankruptcy of the cloud service provider, failed system upgrades, end-of-life support for existing platforms or versions, and denial-of-service attacks.

Loss of Portability (also called Lock-In) occurs when you are unable to easily switch to a new cloud or non-cloud provider. Loss of Portability is often due to a lack of adequate download utilities or the use of proprietary file formats. For example, you may have spent hundreds of hours entering, cleaning, and enhancing your customer information in a cloud-based Customer Relationship Management tool, only to find out that the only data you can download is a basic customer list. All of the meaningful information in that CRM system, such as tasks, opportunities, quotes/orders, service requests, marketing activities, and the relationships between them, is unavailable to migrate to your new system without re-entering all of this data. Proprietary file formats are another way that some cloud service providers keep you from going somewhere else.
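The CRM scenario above turns into a concrete check you can run before committing to a provider (or before cancelling): export a sample, re-import it, and verify that every table and every relationship between tables survived. The following Python is an added example, not code from the original post or from any CRM product. The tables, columns and foreign keys are constructed; `audit_export` reports what a “basic customer list” export would lose, namely whole tables and the links that make the remaining rows meaningful.

```python
"""Portability audit for a CSV export: did every table and every relationship survive?"""
import csv
import io

# Constructed sample CRM data (not from any real system). Each table is a list of
# rows; relationships are foreign keys that must resolve to a parent row's "id".
EXPECTED = {
    "customers": [
        {"id": "1", "name": "Acme Films"},
        {"id": "2", "name": "Beta Studio"},
    ],
    "opportunities": [
        {"id": "10", "customer_id": "1", "value": "5000"},
        {"id": "11", "customer_id": "2", "value": "1200"},
    ],
    "tasks": [
        {"id": "100", "opportunity_id": "10", "title": "Send quote"},
        {"id": "101", "opportunity_id": "11", "title": "Follow up"},
    ],
}

# child table -> {column: parent table}
FOREIGN_KEYS = {
    "opportunities": {"customer_id": "customers"},
    "tasks": {"opportunity_id": "opportunities"},
}


def to_csv(rows):
    """Serialize rows to CSV text, the lowest-common-denominator export format."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def from_csv(text):
    """Parse CSV text back into a list of row dicts (all values are strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_export(exported_csv, expected=EXPECTED, fks=FOREIGN_KEYS):
    """Compare a provider's export (table name -> CSV text) with what you expect.

    Returns the tables the export omitted entirely, tables with fewer rows than
    expected, and foreign keys that point at rows absent from the export. A
    dangling key is exactly the data you would have to re-enter after migrating.
    """
    tables = {name: from_csv(text) for name, text in exported_csv.items()}
    missing = sorted(set(expected) - set(tables))
    short = sorted(
        name for name in tables
        if name in expected and len(tables[name]) < len(expected[name])
    )
    dangling = []
    for child, columns in fks.items():
        for column, parent in columns.items():
            parent_ids = {row["id"] for row in tables.get(parent, [])}
            for row in tables.get(child, []):
                if row[column] not in parent_ids:
                    dangling.append((child, row["id"], column, row[column]))
    return {"missing_tables": missing, "short_tables": short, "dangling": dangling}


if __name__ == "__main__":
    # A provider that only hands back the customer list, as in the text.
    basic_export = {"customers": to_csv(EXPECTED["customers"])}
    print(audit_export(basic_export))
    # A provider that exports customers and tasks but drops opportunities, which
    # leaves every task pointing at a parent that no longer exists.
    partial_export = {name: to_csv(EXPECTED[name]) for name in ("customers", "tasks")}
    print(audit_export(partial_export))
```

Run the audit against a trial account before you load real data; if the report is not empty, the provider’s export is the lock-in the section describes, and you should ask for a fuller export (or an API) in writing before signing up.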

Loss of Identification means you are unable to assert your rights to your data. This could happen, for example, if you were to lose an encryption key or a physical key dongle. Loss of Identification can also happen due to the death or incapacitation of the user; in that case, is a family member or business partner able to obtain full or limited access? Another example is if your cloud service provider subsumes your intellectual property rights, such as to photos, movies or music on a social media website or books or screenplays on a reviews website. Also in this, admittedly somewhat eclectic, category is deletion of an account by the owner who later has second thoughts. Some cloud service providers place your account in a “quarantined” or suspended state for a period of time, with the ability to reactivate the account if you so choose.

4. Your information is used against you or others.

This section briefly discusses the threat of your data being used against you or those close to you as a result of being accessed by law enforcement, government agencies, and litigants in civil lawsuits. I promise this is not the paranoid aluminum foil hat section. Read on.

Cloud data is different from local data. The Fourth Amendment prohibits unreasonable searches and seizures and generally requires a judge to issue a search warrant. Data on a user’s own hard drive has the full protection of the Fourth Amendment; however, data voluntarily handed to a third party, in this case a cloud service provider, may lose this shield under what the courts call the third-party doctrine and be used in a number of potentially damaging ways.

With the revelations of Edward Snowden, it is clear that government agencies have the ability to monitor Internet traffic and data at internet service providers. It is a chilling Orwellian thought that a creative entrepreneur who was creating art, film, or software that might be counter to certain interests could be monitored through their electronic lives. For the vast majority of people and uses this is only a theoretical, not an actual, threat but one you should consider in your own situation.

A more common concern is that cloud data could easily be subpoenaed in a civil lawsuit. This might be in regard to a business-related dispute with a client or vendor, but in the creative professions this could also be a dispute about intellectual property, royalty sharing, or digital assets. Companies are often required to comply with “eDiscovery” requests that force them to turn over e-mails and other electronic documents related to the civil dispute. If information is particularly sensitive, the creative entrepreneur should have the highest level of control over that information, and a cloud-based repository may not be appropriate.

How to choose a cloud provider that will keep your information safe?

There are two paths to finding a cloud service provider that will keep your information safe. The first is looking to see if your cloud service provider has an information security certification such as ISO‐27001, has passed a security audit such as SSAE 16, or qualifies for seals such as those from TRUSTe. Keep in mind that a certificate or audit report covers only the scope the provider chose to have assessed, so ask which systems, data centers, and services that scope includes. The second is asking key questions of your cloud service provider and evaluating the answers based on your situation. I suggest you do both.

The best source of questions I have found to ask your cloud provider comes from a group of thoughtful and distinguished industry experts at a retreat held by the Consumer Federation of America in 2010 that produced the document Consumer Protection in Cloud Computing Services: Recommendations for Best Practices, which is available here, and from which I have reproduced the two relevant appendices below.

We come to the end of another post. Just to review, this post discussed the 4 major information security threats facing creative entrepreneurs and how to select a trustworthy cloud service provider. A future post (Part 2) will focus on the other side of the coin: Information Privacy.

The remainder of this post is derived from the Appendices in the Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America Retreat on Cloud Computing, November 30, 2010. Please download the full report, but for your convenience I have reproduced the 2 Appendices below. Find it at this web address: http://www.consumerfed.org/pdfs/Cloud-report-2010.pdf

Appendix A: Best Practices in Disclosure for Business‐to‐Consumer Services

*Answers to the questions provided are illustrative.

  1. What is the cloud service provider’s business model?
    1. “We charge consumers a fee for this service.”
    2. “We serve advertising based upon consumers’ interests in exchange for the service”
    3. “We analyze consumers’ information in order to serve advertising based upon their interests”
  2. What entity actually provides the cloud service?
    1. “We provide it directly”
    2. “We provide it directly, and use the following subcontractors…”
    3. “We subcontract all services to…”
  3. Is consumer content or transactional data shared? If so, with whom? What choice mechanisms are in place?
    1. “no”
    2. “Yes, we share information with affiliates, and you can opt out by X”
    3. “Yes, we share information with third parties, and you can opt out by X”
  4. Is consumer content or transaction data used for purposes not required for the technical operation of the service?
    1. “No”
    2. “Yes, we use content/transaction data to target advertisements”
  5. Is the provided service a private or public cloud?
    1. Private cloud: the service is provided by a single entity
    2. Public cloud: many consumers may be using the same service
  6. What data can the consumer export and in what format?
    1. The consumer can export all data that the user provides in standard formats, including csv, txt, xls.
    2. The consumer can export data only in proprietary formats
  7. Will users be notified of security breaches?
    1. Yes, according to the law of [jurisdiction]
  8. Will the consumer be promptly notified if there is a law enforcement or civil request for data about the consumer?
    1. Yes, if we are legally able to notify users.
    2. No
  9. In what jurisdiction are the data stored?
    1. [list of one or more countries]
    2. [indicate whether user or service has discretion to select storage locations]
  10. What jurisdictions’ laws govern the privacy and security aspects of the cloud providers’ services, and what is the relevant consumer protection authority?
  11. What procedures are followed when closing accounts?
    1. We will give consumers 30 days of access before closing their accounts for non-payment
    2. In the event of discontinuance of service, we will give consumers 30 days of access to extract data
  12. Who is responsible for consumer and privacy issues and what is their contact information?
    1. Name responsible employee and provide contact information

Appendix B: Sample Disclosure (from cloud service provider)

Our Business

We provide services to you for a fee.

We own and operate the equipment for this cloud service. 

Your Data

We do not share content or transactional data with third parties.

We only use content and transactional data for purposes required for the technical operation of the service.

You can export data uploaded and generated on this service in standard formats, including csv, txt, and xls.

If possible, we will notify you if another party requests data or information about your use of this service.

Our Cloud

Your service level is a private cloud, meaning that we are using a dedicated infrastructure for your services.

Our cloud operates in the following countries: the USA and Canada.

Our cloud services are governed by the laws of the USA and Canada and by the following regulators:

U.S. Federal Trade Commission
Privacy Commissioner of Canada

Security

If we become aware of a security breach, we will inform you of it consistent with the law of California.

In January 2010, our service was certified as compliant with ISO‐27001/2 by our auditor.

Account Termination

In the event of a termination of our services, or nonpayment on your account, we will give you notice and 30 days to export data from our cloud. 

Contact Us

Our privacy and security contact is:

Joan A. Privacyofficer
1 Embarcadero Center
San Francisco, CA 94001
(415) 555‐1212 privacyofficer@cloudprovider.com