March 17, 2009 6:30 PM PDT

FTC questions cloud-computing security

by Stephanie Condon

WASHINGTON--Federal regulators on Tuesday met to hear about whether the benefits of cloud computing justify increased regulation, as privacy activists claim, or whether such an approach would do more harm than good.

"We need to be smarter about dealing with technology, and cloud computing is posing (a) risk for us," said Hugh Stephenson, deputy director for international consumer protection at the Federal Trade Commission's Office of International Affairs.

The FTC convened the two-day meeting in its offices here, which follows a series of similar workshops held in previous years on topics like spam, privacy, and behavioral advertising. The agency may file lawsuits to halt "unfair or deceptive acts or practices," meaning that if cloud computing is not unfair or deceptive, the FTC would likely not have jurisdiction.

To secure personal information on the cloud, regulators may have to answer questions such as which entities have jurisdiction over data as it flows across borders, whether governments can access that information as it changes jurisdiction, and whether there is more risk in storing personal information in data centers that belong to a single entity rather than multiple data centers.

The current panoply of laws at the state, national, and international level has had insufficient results; FTC Commissioner Pamela Jones Harbour cited a 2008 PricewaterhouseCoopers information security survey (PDF) in which 71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored.

With data management practices that are not always clear and are subject to change, companies that offer cloud-computing services are steering consumers into dangerous territory, said Marc Rotenberg, executive director of the Electronic Privacy Information Center.

Already, problems of identity theft are skyrocketing, he said, and without more regulation, data management services may experience a collapse analogous to that of the financial sector.

"I predict we are going to experience something very similar with respect to privacy within the emerging information economy," Rotenberg said. "We are going to realize we allowed very similar complex transactions to occur between nontransparent organizations, and we will pay."

Later on Tuesday, EPIC asked the FTC to pull the plug on Gmail, Google Docs, Google Calendar, and the company's other Web apps until government-approved "safeguards are verifiably established."

FTC Commissioner Harbour said at Tuesday's conference that it would be preferable if more than one large company such as Google were responsible for storing personal data.

"I see a lot of overlap between competition analysis and security," she said.

Jane Horvath, senior policy counsel for Google, said "privacy by design is ingrained in our culture, and security is one of our fundamental design principles."

If customers do not feel their data is secure in Google products, nothing prohibits them from transferring their data elsewhere, she said.

"Cloud computing is a very new marketplace," Horvath said. "As more and more services become available, there will be more and more providers entering this market."

Furthermore, said Kristin Lovejoy, IBM's director of governance and risk management strategy, companies that lease server space from companies like Google to launch their own applications are ultimately responsible for security standards. She also said a large-scale cloud model is easier to secure than a heterogeneous data center.

The cloud-computing sector would benefit, Lovejoy said, from standards similar to the PCI Security Standards, which were formed by major credit card companies to regulate payment account data security.

"We could define for the commercial sector a set of simplistic foundational controls, give them the ability to understand what they must do, and then build on top of that," she said.

In the industry's current state, "we don't know what we need to do, we don't know what we need to protect," Lovejoy said. "The technologies are there but not able to fully help us."

She said IBM is currently developing technology to allow individuals to create profiles to share with third parties, giving consumers the ability to manage elements of their identity. However, she said there is not enough R&D funding for such technology.

"There needs to be innovation around the technologies which push choice to the individuals," Lovejoy said.

While the FTC did not comment directly on any regulatory actions or changes in policy, international regulators said they plan to examine the implications of cloud computing on data security and privacy. The Organization for Economic Co-operation and Development should broach the subject of cloud computing at a meeting in Paris in October, said Michael Donohue, the privacy and information security administrator for the OECD.

This May, the European Union will launch a broad consultation on whether it should consider revising the 1995 data protection directive, said Hana Pechackova, the justice liberty security directorate general for the European Commission.

"We cannot pretend the technologies are the same as they were in 1995," Pechackova said. "Cloud computing and new business models are really challenging our systems. We've heard that the directive may be outdated, but we do not want to step back from our basic principles."

Currently, around 90 percent of organizations in the EU do not engage in transfers of data outside the region, said Billy Hawkes, Ireland's data protection commissioner. Cloud computing is very likely to change that, however.

Stephanie Condon is a staff writer for CNET News focused on the intersection of technology and politics. She is based in Washington, D.C.

by gerrrg March 17, 2009 10:56 PM PDT
I think the EPIC filing must be politically incentivized.

Google Doc's 220,000 accidental release of private documents pales into Heartland's 100 million exposed user financial data, but EPIC's website doesn't have a single peep out of that Heartland episode.

I ask any reasonable person: What scares you MORE, the accidental release of 220,000 documents into the open, or the release of 100 million users' financial information?

EPIC doesn't seem to have a problem with Microsoft's OS bugs that have allowed hundreds of thousands of computers to be turned into bots / zombies to launch DDOS attacks.

Something is extremely odd about EPIC's sudden interest in Google's cloud computing.
by ooprus March 17, 2009 11:26 PM PDT
I think the problem is most people don't really understand the implications of using advanced technology, so people WITHOUT a commercial agenda need to make appropriate technical decisions on behalf of those people. Google is after all a commercial advertising organization and I totally trust them to do what's best for their stockholders, NOT what's best for the people who use their services.

The United States is based on checks and balances, and don't believe complex technology is exempt. Just look at the AIG mess for an example of how complex (math) technology without sufficient oversight has damaged the economy. Technology is capable of tremendous advances in the quality of life on this planet, but it's also capable of serious destruction if used inappropriately.
by screamapillar March 18, 2009 4:08 PM PDT
Well said. This is a worldwide problem that requires a global solution. For too long and far too often technology jumps so far ahead of legislation and protections that we are forever playing a game of catch up. We need a set of legislated principles that are broad enough to protect with regularly updated guidelines. In Australia there is privacy legislation but it is so teethless that there are far too many workarounds and the penalties are outdated levels of fines that companies can budget for as part of the cost of business.
by selfkill March 18, 2009 2:47 AM PDT
"Later on Tuesday, EPIC asked the FTC to pull the plug on Gmail, Google Docs, Google Calendar, and the company's other Web apps until government-approved 'safeguards are verifiably established.'"

Umm yeah, while we're at it, let's just turn off Google's search engine too. I'm sure this won't be a problem for the millions of people who use and rely on Google's services every day.
by nicmart March 18, 2009 4:58 AM PDT
It is maximum irony that the government, from which we have no privacy and which confiscates as much money as it wants from us, is our self-ordained privacy monitor. If Google, Microsoft, or Apple were to intrude on our privacy, the result would be irritating, but when the government does, the result is often life-destroying.
by screamapillar March 18, 2009 7:43 PM PDT
Yes, one must wonder particularly when many of the governments that are in power that clearly support corporations more than civilians, whether there is a conflict of interest in having them determine privacy constraints rather than an independent body.
by fdunn3 March 19, 2009 4:02 AM PDT
As well they should be concerned about security of financial records in the cloud. They are vulnerable enough behind Intranet perimeter security.

Taking anything of this exposure to the cloud is ludicrous.