Finding Privacy in the Global Cloud

President Obama went to the FTC a few weeks ago to address ways to protect privacy and identity in what he called “a dizzying age” of new technologies.

One of the many new technologies changing the ways people interact with information is cloud computing. Whether it’s Jennifer Lawrence saving intimate photos to Apple’s iCloud, startups scaling up with Amazon Web Services, or businesses and consumers moving their documents to Microsoft 365 or Google Docs, cloud computing is becoming a familiar part of our digital daily lives.

Cloud services offer benefits of large-scale computing, which include efficiency, scalability, security, and computing power, as well as ubiquitous access to data from an increasing variety of devices. But turning over data wholesale to someone else also comes with questions about privacy, confidentiality, security, and control.

As evidenced by Microsoft’s challenge to a U.S. government warrant for emails stored in a data center in Ireland, these questions also present challenges to traditional notions of sovereignty and territorial jurisdiction because global networks and cloud systems transcend national borders.

Last month I joined a roundtable discussion on these questions, “Big Data, Cloud Computing and Privacy: A Roundtable Discussion,” hosted by the Dewey Square Group in Washington. The panel was moderated by Peter Brown, President of the Identity Ecosystem Steering Group, which is the private sector organization that is leading the White House’s strategy on online trust. Other panelists were Deborah Hurley, a fellow of the Institute for Quantitative Social Science at Harvard University; Naomi Lefkowitz, Senior Privacy Policy Adviser of the National Institute of Standards and Technology of the Department of Commerce; and Ambassador Daniel A. Sepulveda, Deputy Assistant Secretary of the Department of State’s Bureau of Economic and Business Affairs, fresh from the plenipotentiary of the International Telecommunications Union in Busan.

We discussed questions such as: Where is the data going? What will it be used for? How can consumers retain control of their data? Are current government standards and voluntary industry standards enough for protecting personal information in this era of big data? With powerful data aggregation, is it enough to limit protections to traditional categories of “personally identifiable information”?

An important effect of the explosion in data use is that an increasing proportion of data collection and use falls outside sectors that are covered by existing privacy laws. Even as rich data can yield information every bit as sensitive as what is contained in health or financial records, the increasing volume, velocity, and variety of data collection have made it impossible for individuals to exercise any meaningful control over most data about them. As the White House Big Data Task Force put it, “[unprecedented computational power and sophistication], most of which are not visible to the consumer, also create an asymmetry of power between those who hold the data and those who intentionally or inadvertently supply it.” This asymmetry is, by any definition, a market failure.

At the FTC, President Obama took a step to address this imbalance by announcing that his administration will soon release legislation to put into effect the Consumer Privacy Bill of Rights first announced in the 2012 White House policy statement, Consumer Privacy in a Networked World. The Consumer Privacy Bill of Rights, as articulated then, affirmed globally accepted privacy principles updated for the age of distributed devices, big data, and cloud computing. Applying these principles to specific sectors and issues is challenging because technology changes so fast and privacy depends so much on context. So the 2012 blueprint called for “multistakeholder” codes of conduct rather than government prescription to flesh out the Consumer Privacy Bill of Rights.

Our roundtable focused on one form of multistakeholder code of conduct: the new “code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” from the International Standards Organization, ISO 27018. This is the first strong privacy standard for the cloud. Providers that adopt this standard agree not to use data for their own purposes such as marketing, to provide transparency about who processes customers’ data, to return or dispose of data of customers who leave the service, and to undergo third-party verification for compliance.

Deborah Hurley and others pointed out that standards like these are useful because they can be adopted across jurisdictions and establish predictability for providers and customers. Customers can value statements about a provider’s privacy guarantees and expect that those guarantees are supported. The ISO 27018 standard allows consumers to choose a cloud service provider based on its guarantees of certain privacy protections, generating competition based on privacy offerings. Such standards may help to level the marketplace.

The standard also helps to restore trust in American cloud service providers. Our roundtable explored the beating the U.S. brand took internationally in the wake of the Snowden disclosures. Standards are one part of the solution.

There is much more work to be done on privacy standards. As NIST’s Naomi Lefkowitz pointed out, when that agency convened stakeholders to develop a cybersecurity framework, it found that security had a foundation to work from but that the privacy discussion was not as mature. NIST’s work to add privacy to the framework is ongoing. In the auto industry, 19 manufacturers put together a comprehensive set of standards, practice guidelines, and FAQs for consumers on data the manufacturers collect from computerized vehicles. The Commerce Department’s NTIA convened development of a code of conduct for mobile applications in 2013 and has begun a similar process for facial recognition technology. These industry and public-private initiatives help to fill the gaps in the legal framework for U.S. privacy protection. They would get a boost from enacting the Consumer Privacy Bill of Rights into law.