WASHINGTON--Federal regulators on Tuesday met to hear about whether the benefits of cloud computing justify increased regulation, as privacy activists claim, or whether such an approach would do more harm than good.
"We need to be smarter about dealing with technology, and cloud computing is posing (a) risk for us," said Hugh Stephenson, deputy director for international consumer protection at the Federal Trade Commission's Office of International Affairs.
The FTC convened the two-day meeting in its offices here, which follows a series of similar workshops held in previous years on topics like spam, privacy, and behavioral advertising. The agency may file lawsuits to halt "unfair or deceptive acts or practices," meaning that if cloud computing is not unfair or deceptive, the FTC would likely not have jurisdiction.
To secure personal information on the cloud, regulators may have to answer questions such as which entities have jurisdiction over data as it flows across borders, whether governments can access that information as it changes jurisdiction, and whether there is more risk in storing personal information in data centers that belong to a single entity rather than multiple data centers.
The current panoply of laws at the state, national, and international level have had insufficient results; FTC Commissioner Pamela Jones Harbour cited a 2008 PricewaterhouseCoopers information security survey (PDF) in which 71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored.
With data management practices that are not always clear and are subject to change, companies that offer cloud-computing services are steering consumers into dangerous territory, said Marc Rotenberg, executive director of the Electronic Privacy Information Center.
Already, problems of identity theft are skyrocketing, he said, and without more regulation, data management services may experience a collapse analogous to that of the financial sector.
"I predict we are going to experience something very similar with respect to privacy within the emerging information economy," Rotenberg said. "We are going to realize we allowed very similar complex transactions to occur between nontransparent organizations, and we will pay."
Later on Tuesday, EPIC asked the FTC to pull the plug on Gmail, Google Docs, Google Calendar, and the company's other Web apps until government-approved "safeguards are verifiably established."
FTC Commissioner Harbour said at Tuesday's conference that it would be preferable if more than one large company such as Google were responsible for storing personal data.
"I see a lot of overlap between competition analysis and security," she said.
Jane Horvath, senior policy counsel for Google, said "privacy by design is ingrained in our culture, and security is one of our fundamental design principles."
If customers do not feel their data is secure in Google products, nothing prohibits them from transferring their data elsewhere, she said.
"Cloud computing is a very new market place," Horvath said. "As more and more services become available, there will be more and more providers entering this market."
Furthermore, said Kristin Lovejoy, IBM's director of governance and risk management strategy, companies that lease server space from companies like Google to launch their own applications are ultimately responsible for security standards. She also said a large-scale cloud model is easier to secure than a heterogeneous data center.
The cloud-computing sector would benefit, Lovejoy said, from standards similar to the PCI Security Standards, which were formed by major credit card companies to regulate payment account data security.
"We could define for the commercial sector a set of simplistic foundational controls, give them the ability to understand what they must do, and then build on top of that," she said.
In the industry's current state, "we don't know what we need to do, we don't know what we need to protect," Lovejoy said. "The technologies are there but not able to fully help us."
She said IBM is currently developing technology to allow individuals to create profiles to share with third parties, giving consumers the ability to manage elements of their identity. However, she said there is not enough R&D funding for such technology.
"There needs to be innovation around the technologies which push choice to the individuals," Lovejoy said.
While the FTC did not comment directly on any regulatory actions or changes in policy, international regulators said they plan to examine the implications of cloud computing on data security and privacy. The Organization for Economic Co-operation and Development should broach the subject of cloud computing at a meeting in Paris in October, said Michael Donohue, the privacy and information security administrator for the OECD.
This May, the European Union will launch a broad consultation on whether it should consider revising the 1995 data protection directive, said Hana Pechackova, the justice liberty security directorate general for the European Commission.
"We cannot pretend the technologies are the same as they were in 1995," Pechackova said. "Cloud computing and new business models are really challenging our systems. We've heard that the directive may be outdated, but we do not want to step back from our basic principles."
Currently, around 90 percent of organizations in the EU do not engage in transfers of data outside the region, said Billy Hawkes, Ireland's data protection commissioner. Cloud computing is very likely to change that, however.
A zealous band of pro-regulation privacy groups made a valiant effort a few days ago to convince the Feds to forcibly pull the plug on a new feature on the Ask.com search engine.
The groups, which include the Electronic Privacy Information Center and the Center for Digital Democracy, told the Federal Trade Commission on Saturday that a formal injunction was necessary to halt some supposedly pernicious practices on the part of Ask.com.
The only problem? Those supposedly pernicious practices don't actually exist.
Ask.com already had voluntarily changed the way it handled its new privacy feature weeks earlier. This self-appointed posse of liberal nonprofits, which also includes Consumer Action, was riding to bring to justice a problem that had long since vanished (and that's assuming it existed in the first place).
By way of background, this particular posse disagreed with the way Ask.com implemented a privacy feature called AskEraser. The idea is that instead of recording your search terms for a year or two the way other search engines do (see our survey from August), Ask.com was offering never to save them at all.
AskEraser is turned on or off by a link on Ask.com that changes the value of a cookie titled, reasonably enough, "askeraser." Originally, when AskEraser launched last month, the value of the cookie was set to the time that the service was activated.
Instead of applauding the idea as perhaps flawed but better than the status quo, EPIC et al. worked themselves into a state of high dudgeon. (These are the same groups that once claimed Google's Gmail service was illegal.) They sent a letter to Ask.com on December 19 saying the timestamp--down to the second, but not a fraction of a second--could be used as a kind of unique tracking number.
They had a point. If Ask.com encounters a thousand people signing up for AskEraser per second, the potential privacy intrusion is minimal (everyone has the same timestamp). If only one person per second signs up for AskEraser, however, the potential privacy intrusion is higher (the timestamp is unique).
Which is why Ask.com changed the cookie value in early January to be just "off" or "on"--meaning there's no longer the same kind of privacy issue. Unfortunately for the pro-regulatory privacy activists, they never actually checked before firing off their this-illegal-practice-must-be-halted missive on Saturday. It said that the FTC must:
- Order Ask.com to withdraw AskEraser from the marketplace.
- Order Ask.com to cease engaging in and unfair deceptive trade practices.
- Require Ask.com, as a condition of offering AskEraser in the future to:
a) Cease using the opt-out cookie
b) Cease creating a Persistent Identifier on customers
c) Provide meaningful notice if the service will be disabled...- Order Ask.com to delete all previously retained information, before the implementation of AskEraser.
- Order Ask.com to inform all current users of AskEraser, by prominent notice displayed on the Ask.com Web site, that they should delete the Ask.com AskEraser cookie.
And so on. Now, I admit that anyone can err. And in fact I've known the folks at EPIC to be careful, honest, and principled, even if I may disagree with them from time to time. I think this is an honest mistake.
But this episode is useful to note because it exposes how the Washington practice of advocacy groups using federal agencies to sabotage political enemies can be bereft of facts and logic. (From EPIC's perspective, this was supposed to be a no-lose situation: it's a win if AskEraser is taken off the market, and if the Republican-led FTC refuses to do so, the FTC and the Republican appointees can be slammed as insufficiently sensitive to "privacy interests.")
For his part, Ask.com spokesman Nicholas Graham told me on Tuesday:
EPIC's weekend filing regarding AskEraser is both flawed and unfortunate. It's unfortunate in the sense that Ask.com tried to engage in a constructive dialogue with the group last week, and was rebuffed. Privacy is an issue that demands collaboration and partnership between online companies and advocates, for the benefit of all consumers. Ask.com's relationship with the Center for Democracy & Technology is proof-positive of that.
EPIC's filing is flawed in the sense that the document they filed is factually inaccurate, and simply shows a fundamental misunderstanding of the functionality of our product. In addition, many of the issues they raise are outdated, while others are completely misguided from the outset, and others deal with changes that Ask.com already made to AskEraser weeks ago, and were subsequently posted publicly on our website.
EPIC Executive Director Marc Rotenberg replied to me in e-mail on Tuesday evening:
If Ask has now fixed the problem, (1) that means we were right, (2) they should have responded to our letter. But that doesn't solve the problem with opt-out cookies, which I think you will agree is a nutty approach that does not scale, i.e. it requires users to keep cookies for all the companies they don't want to be tracked by. Even the FTC should be able to see the problem.
Rotenberg is right that using opt-out cookies may not be the cleanest design technique. If I were coding it, I'd have created a special "ask.com/eraser" site--the same way Google set up its google.com/unclesam government search -- or a private.ask.com subdomain. No cookies would be needed.
Then again, I'm not privy to how Ask.com's software is designed and the trade-offs that would be involved. More to the point, probably, companies should have flexibility in how they try to offer new privacy features--and it's hardly clear that a bunch of permanent Washington insiders or FTC bureaucrats know more about scalable software engineering than, well, actual software engineers. As long as Ask.com is honest about what it's doing, and it seems to be in its FAQ, it should be allowed to keep on offering new features.
There's one more question worth asking: if EPIC and CDD and their ideological allies believed they had such a strong case, why not file an actual lawsuit instead of asking the FTC to undertake an investigation that would likely take half a year or more to complete?
After all, EPIC is staffed by attorneys, and their complaint to the FTC alleges that AskEraser is, beyond any doubt, "an unfair business practice." If true, that would violate state consumer protection laws, including California's section 17200, which says private attorneys may sue a company engaging in "unfair" business practices.
I think I know what the answer is. Judges have little patience for plaintiffs that waste their time. If this had been a lawsuit, a judge might well have fined EPIC et al. for wasting his time with frivolous claims, and its staff attorneys might even have been subject to individual sanctions.
Lawsuits, in other words, have risks. Firing off an inaccurate letter to the federal bureaucracy, on the other hand, merely results in the sender looking a little silly. The next time you see them complaining to the FTC about some alleged wrongdoing, remember these attorneys' odd reluctance to litigate.
- prev
- 1
- next
