25 Feb Does Cloud Computing Mean More Risks to Privacy?
New York Times, By SAUL HANSELL, February 23, 2009
Last week, we had a wave of panic roll through Facebook users as many realized that the site had changed its terms of service in a way that implied it might soon broadcast their most embarrassing photographs to parents, teachers, and prospective employers. On Monday, the World Privacy Forum released a report that says those fears are just the tip of the iceberg. As people and businesses take advantage of all sorts of Internet-based services, they may well find trade secrets in the hands of competitors, private medical records made public, and e-mail correspondence in the hands of government investigators without any prior notice. In the United States, information held by a company on your behalf — be it a bank, an e-mail provider or a social network — is often not protected as much as information a person keeps at home or a business stores in computers it owns. Sometimes that means that a government investigator, or even a lawyer in a civil lawsuit, can get access to records by simply using a subpoena rather than a search warrant, which requires more scrutiny by a court. In recent years, law enforcement officials and lawyers in fields ranging from divorce to employment disputes have learned how to subpoena e-mail to bolster their cases. The major e-mail providers receive dozens of these subpoenas a month and often they have no legal obligation to notify the account holder before they comply. Robert Gellman, a privacy lawyer who was the main author of the World Privacy Forum’s report, said he doesn’t know of any public cases of information disclosed from other sorts of cloud computing services, such as Google Docs, which lets people edit word processing and spreadsheet files online. But it’s only a matter of time before they do, he said, particularly if a service, like Google, becomes the dominant provider of cloud services. “The cops will love this,” he said. “They can go to a single place and get everybody’s documents.” The report also points out that much of what can happen to information in cloud computing services is governed by the user agreement for each service. Sometimes companies keep the rights to use information for other purposes, as Facebook did. Often they give themselves the right to change the user agreement at will. The report pointed out that many agreements simply don’t discuss some important issues, such as how information about third parties is treated: If, for example, a cloud provider reads the taglines of a user’s photographs and learns that a John Doe (who is not a user of the service) in one of the photos skis, the provider may then use or sell knowledge of John Doe’s skiing interest for marketing purposes. If not restricted, secondary use of documents, photographs or other information entrusted by a user to a cloud provider has broad potential to expand the use of information in ways the user did not anticipate. Another consequence of all this uncertainty is that a business that has an obligation to respect the privacy of some information — a law firm or hospital, for example — may be at risk of a lawsuit simply for using a cloud computing service, even if information is not leaked. Of course, laws vary by country, and services operating in some European countries must follow stricter standards to protect the privacy of users. But it is not always clear on the Internet where data is being kept and thus which laws apply. Congress dealt with this issue specifically for bank records with the Right to Financial Privacy Act of 1978, but the report notes that the law in the United States has not kept up with the way the Internet is being used. Most particularly, the Electronic Communications Privacy Act of 1986 has some very odd rules for e-mail. Messages you have not read are given more protection, for example, than messages you have. The report notes that the laws may need to be updated to clarify who has access to information on cloud-based services and clean up some of the more eccentric aspects of the current laws. Several members of Congress have suggested they may look at privacy legislation this year, so there could be a forum for these issues to be considered. “We have to decide whether, yes, you can store documents with a third party and have the same protection that you would if you had them yourself,” Mr. Gellman said. “Or will we continue to say you have no privacy interest in records held by a third party?” In the meantime, the report has a series of recommendations for businesses and consumers. It suggests, of course, looking carefully at the terms and conditions of any cloud computing service before using it. But one recommendation seems to stand out as the most prudent: “Don’t put anything in the cloud you wouldn’t want a competitor, your government or another government to see.”