Is My Information Safe in The Cloud? (Part 2: Privacy)

Answering this question takes two steps: 1. Read the Privacy Policy and Terms of Service. 2. Read the Privacy Policy and Terms of Service AGAIN.

Individuals and businesses are generally free to share personal information on themselves, customers, and employees with a cloud provider. Exceptions exist due to legal or professional obligations such as for a lawyer, tax preparer, or psychiatrist. However, once shared, the privacy and confidentiality of your information are almost completely dependent on the terms of service and privacy policy established by the cloud provider. Let’s look at Google Terms of Service as an example.

Google Terms of Service states that “When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”

Whoa! Sounds terrible, right? I’m certainly not going to put my Great American Novel manuscript on Google Drive or my feature film trailer on YouTube! Hold on a sec, Google then qualifies that license you are giving them this way: “You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.” OK, that sounds good. “The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.” OK, that makes sense; in fact, it is probably essential for them to provide the service you want.

Whew! There is hope: “Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services.” Kind of vague, but maybe I guess I can live with that.

Google’s Privacy Policy states that they collect information in two ways. “Information you give us. For example, many of our services require you to sign up for a Google Account. When you do, we’ll ask for personal information, like your name, email address, telephone number or credit card. If you want to take full advantage of the sharing features we offer, we might also ask you to create a publicly visible Google Profile, which may include your name and photo.” and also “Information we get from your use of our services. We collect information about the services that you use and how you use them, like when you watch a video on YouTube, visit a website that uses our advertising services, or you view and interact with our ads and content.” Hmmm…

Whoopee! Looks like at least I have some control. “We do not share personal information with companies, organizations and individuals outside of Google unless… we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.” That actually sounds pretty fair.

Wait! And what is this? “Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.” That is definitely a mixed bag. I don’t want SPAM but I also don’t want my private personal e-mails read.

Well Hell! Maybe I’ll just quit using Google altogether! In that case we find some good news: “You can stop using our Services at any time, although we’ll be sorry to see you go.” That’s nice and they also say: “We believe that you own your data and preserving your access to such data is important.” OK. But what if they break up with me first? “Google may also stop providing Services to you, or add or create new limits to our Services at any time. If we discontinue a Service, where reasonably possible, we will give you reasonable advance notice and a chance to get information out of that Service.”

I hope that example was instructive. And for the record I use Google products every day and believe their privacy policies are as good as most cloud service providers. But you should realize that understanding your privacy rights takes effort. The State of California has a great article “How To Read A Privacy Policy” that suggests you ask the following questions.

  • What personal information is collected?
  • How is the information collected?
  • Why is the information collected?
  • How is the information used?
  • Who will have access to the information?
  • What choices do you have?
  • Can you review or correct personal information?
  • What security measures are used to protect your personal information?
  • How long will the organization honor its privacy policy?

If you are not comfortable with the answers, look for a different cloud app provider.

The reason you have to do all the work is that, unlike most of the rest of the world, the U.S. has primarily taken a “self-regulation” approach to privacy, which in many ways has been an abject failure. This approach has been overlaid with a few sector-based federal laws (financial services, e-mail spam, protection of children online, etc.) and a fragmented patchwork of state laws (data breach, policy disclosure, etc.).

The top cop for protecting your privacy is the Federal Trade Commission (FTC), which sets policy and brings enforcement actions against advertising networks, information brokers, mobile app providers, online retailers, search providers (Google), and social networks (Facebook). The FTC articulated Fair Information Practice Principles almost 40 years ago and in our modern age promotes a framework with 3 key practices: privacy by design (i.e., making privacy the default setting), giving consumers control by simplifying choice, and greater transparency by those entities that collect and use personal information. But without broad federal privacy legislation it is very possible we will see the End of Privacy. To see how close we are to that future already, take the ACLU (great, short, fun) privacy quiz that shows you how exposed your personal information really is.

To sum up I suggest you take the following 4 steps to protect your business and personal information.

Control your information. Only provide the minimum required information in any form or interaction. Configure your browser for “Do Not Track” and “Disable Cookies” where possible. Understand and set your privacy controls on every website and service you use. A good guide is here.

Control your devices. Treat your smartphone like the computer that it is and put the same level of controls on access. See my earlier blog post on Security for more.

Control your apps. Choose apps that have Terms of Service and Privacy Policies that you can live with. Also, watch out for the many add-on Apps that are provided by third party developers and might have different terms and policies than your primary Cloud App service provider. Don’t let mobile apps use location services without good cause.

Control your opt-outs. For your own personal information one of the best things you can do is to Opt-Out. The World Privacy Forum provides a guide on the top 10 Opt Outs. This is a fantastic list to allow you to be “let alone”, as Justice Brandeis termed it, both off-line and on-line. I highly recommend it.

Full disclosure, I wrote my Ph.D. dissertation on information privacy and how people’s attitudes and behaviors differ based on their generation. If you would like to know more you can access it here.
