The cloud computing era is having many effects, but one of them deserves more attention than it is getting. The cloud is raising the stakes in a global struggle over privacy rights and data security.
Michael Chertoff, former head of Homeland Security (2005-2009) and now head of a global security and risk-management firm, notes that the cloud greatly expands the scope of privacy-rules disputes. Most immediately, these disputes involve the US and the EU.
EU justice commissioner Viviane Reding has put the European case firmly: "Companies who direct their services to European consumers should be subject to EU data protection laws." In an earlier era US firms could have avoided such complications by simply not entering the European market. But the public cloud is, if not inherently global, at least globally accessible unless specifically blocked.
Carving the cloud into national or regional sectors is at minimum technically challenging, and arguably a fundamental contradiction. A partitioned cloud is no longer really the cloud. Chertoff sees possible outcomes ranging from a "race to the bottom" by cloud providers to a fragmentation of the Internet. He argues for the EU to hold off on enforcing its own standards until some common "Western" standard can be devised.
Privacy standards are the obverse of security standards. If privacy protections are slack, security protections will also be slack. For this reason, US firms concerned with their own data security may well ask themselves whether the current weak US privacy protections are really in their own interest.
Scooping up the maximum of personal Big Data may help some firms in targeting their advertisements to consumers. But are short-term marketing considerations worth the security costs of floating in a sea of uncontrolled confidential personal information? Is that a cloud we really want to live under?
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."