On Monday, the World Privacy Forum released a report that says those fears are just the tip of the iceberg. As people and businesses take advantage of all sorts of Internet-based services, they may well find trade secrets in the hands of competitors, private medical records made public, and e-mail correspondence in the hands of government investigators without any prior notice.
In the United States, information held by a company on your behalf — be it a bank, an e-mail provider or a social network — is often not protected as much as information a person keeps at home or a business stores in computers it owns. Sometimes that means that a government investigator, or even a lawyer in a civil lawsuit, can get access to records by simply using a subpoena rather than a search warrant, which requires more scrutiny by a court.
In recent years, law enforcement officials and lawyers in fields ranging from divorce to employment disputes have learned how to subpoena e-mail to bolster their cases. The major e-mail providers receive dozens of these subpoenas a month and often they have no legal obligation to notify the account holder before they comply.
Robert Gellman, a privacy lawyer who was the main author of the World Privacy Forum’s report, said he doesn’t know of any public cases of information disclosed from other sorts of cloud computing services, such as Google Docs, which lets people edit word processing and spreadsheet files online. But it’s only a matter of time before they do, he said, particularly if a service, like Google, becomes the dominant provider of cloud services.
“The cops will love this,” he said. “They can go to a single place and get everybody’s documents.”
The report also points out that much of what can happen to information in cloud computing services is governed by the user agreement for each service. Sometimes companies keep the rights to use information for other purposes, as Facebook did. Often they give themselves the right to change the user agreement at will. The report pointed out that many agreements simply don’t discuss some important issues, such as how information about third parties is treated:
If, for example, a cloud provider reads the taglines of a user’s photographs and learns that a John Doe (who is not a user of the service) in one of the photos skis, the provider may then use or sell knowledge of John Doe’s skiing interest for marketing purposes. If not restricted, secondary use of documents, photographs or other information entrusted by a user to a cloud provider has broad potential to expand the use of information in ways the user did not anticipate.
Another consequence of all this uncertainty is that a business that has an obligation to respect the privacy of some information — a law firm or hospital, for example — may be at risk of a lawsuit simply for using a cloud computing service, even if information is not leaked.
Of course, laws vary by country, and services operating in some European countries must follow stricter standards to protect the privacy of users. But it is not always clear on the Internet where data is being kept and thus which laws apply.
Congress dealt with this issue specifically for bank records with the Right to Financial Privacy Act of 1978, but the report notes that the law in the United States has not kept up with the way the Internet is being used. Most particularly, the Electronic Communications Privacy Act of 1986 has some very odd rules for e-mail. Messages you have not read are given more protection, for example, than messages you have.
The report notes that the laws may need to be updated to clarify who has access to information on cloud-based services and clean up some of the more eccentric aspects of the current laws.
One recommendation seems to stand out as the most prudent: “Don’t put anything in the cloud you wouldn’t want a competitor, your government or another government to see.”
__________
Full article: http://bits.blogs.nytimes.com/2009/02/23/does-cloud-computing-mean-more-risks-to-privacy/
