The Connected Web

A report just published by the World Privacy Forum spells out the risks to privacy and confidentiality posed by cloud computing. Written by privacy expert Robert Gellman, Privacy in the Clouds (PDF) explains the murky uncertainties surrounding what might happen to your data once it's stored in the cloud. The main problem is that the terms of service of most cloud providers fail to make any useful assurances about where your data will be stored and how its confidentiality will be protected. This leaves it wide open to potential threats.

As alluded to in my item last week on Data Protectionism, the main threat comes not from actions (or inaction) by the cloud provider (whose commercial reputation relies on keeping your data secure) but from other parties. The simple act of putting your data in the cloud often makes its confidentiality less reliable than if you had kept it under your own control, says the WPF:

"In its analysis and discussion of relevant laws, the report finds that both government agencies and private litigants may be able to obtain information from a third party more easily than from the creator of the information. A cloud provider's terms of service, privacy policy, and location may significantly affect a user's privacy and confidentiality interests."

Some may draw the conclusion from this that cloud computing can never be trusted. I would argue for a far less draconian outcome. Cloud providers simply have to get their act together, as the report suggests: "If the cloud computing industry adopted better and clearer policies and practices, users would be better able to assess the privacy and confidentiality risks they face." It's up to the industry itself to understand the risks, contain them, and spell them out clearly to customers, ideally offering different levels of privacy and confidentiality assurances, priced according to what customers want and are prepared to pay for.