Securing Nebulous Privacy Rights in the Cloud
The cloud may be a blessing to global business, but it remains a major headache for sovereign states determined to protect its citizens’ privacy.
The swelling of the online data “cloud” is driving an info-privacy cold war between U.S. tech companies demanding freer movement of data in cyberspace, and European Union states that want the amorphous cloud better regulated. Is there a middle way?
In April 2010, the German government faced off with Facebook when the latter said it would sell its private user data to third parties. “What is private must stay private,” Ilse Aigner, the German minister of consumer protection, stated plainly in a letter to Facebook founder Mark Zuckerberg. “Unfortunately, Facebook ignores this principle.”
Most believed the social network behemoth immune to such criticism. For The Economist, Aigner’s “snarl at Mr. Zuckerberg” was a “shot [that] will not do much damage to Facebook.”
But these days, Facebook is in a lather over privacy, giving users greater control over their own data and projecting a policy of greater transparency on how the company uses private information. At its core, this reflects escalating tensions over data privacy in the age of cloud computing.
The standoff between Germany and Facebook hinges, in part, on the murky jurisdiction of the transnational data storage cloud, that nebulous cyber data storage space. The cloud is helping businesses big and small, as well as government, store, back up, and archive data cheaply, and to “virtualize” by accessing software.
Leading providers of cloud services — like Amazon, Salesforce, and Microsoft — look forward to massive expansion as most social media images, chat records, e-mails, even Web browsing histories, are swirling around in the cloud. It makes sense, since this data is stored in and accessed from warehouses full of servers — often in Asia or the United States — at much lower costs than building the hardware infrastructure locally. But as a result, a message sent between a computer in Hamburg to one in Dusseldorf could wind up on a server in California, while its response might end up in Mumbai. This is why the cloud confounds the issue of data sovereignty — it's hard to say which nation or jurisdiction rules over data at any one time.
Clouding the issue
Aigner and her peers across the European Union oppose the data mining of Facebook, Google, Microsoft, and company on moral grounds. But legally, the private user data stored in transnational clouds is often not covered under EU or German data privacy regulations.
One fix would be to host such clouds only in the EU — but that’s expensive and defeats the flexibility of remote storage. Furthermore, EU-based clouds controlled by U.S. tech companies are still, it seems, subject to U.S. laws.
This was highlighted in June when Microsoft warned it could not guarantee the sovereignty of its European customer data held in new Ireland-based cloud servers. If the U.S. government invoked provisions of the USA Patriot Act, Microsoft would be compelled both to hand data over to the U.S. authorities and keep the data transfer secret. This contravenes the EU Data Protection Directive of 2006, which requires organizations to inform users when personal information is disclosed.
While a number of agreements and directives are in place to ensure the transfer of data in the multinational cloud conforms to the privacy standards of the relevant sovereign states, such laws do not yet adequately regulate the ballooning and overlapping jurisdiction of the cloud. Microsoft could already transfer EU data to the U.S. under a “Safe Harbor” agreement meant to uphold the EU’s privacy tenets. The Patriot Act has effectively sunk that agreement.
“My concerns are about the storage of data in multiple jurisdictions and the lack of transparency about this and subsequently the lack of information on the jurisdictions itself,” said John Borking, a Netherlands-based lawyer. He consults on the benefits of privacy‐enhancing technologies instigated by the European Commission to prevent “unnecessary” or “undesired” processing of personal data.
Borking worries about cloud jurisdictions that may “create high risks” due to a lack of the rule of law or respect for international agreements, which could lead to a “misuse or unwanted disclosure” of personal data. He recommends that data clouds be certified as “privacy safe” and “information security safe” by independent organizations such as third-party certifier Europrise in Germany.
The gray areas of the cloud are particularly vexing for the Germans, who already had challenged the EU privacy directive for not being stringent enough, especially on the issue of retaining data from mobile phones.
“There’s a lot of pressure from the security agencies who want to have access to such data,” said Frank Rieger of the Chaos Computer Club, one of Germany’s most vocal data privacy lobbies. “Data retention has been on the wish list of security agencies worldwide since the mid-1990s, and after September 11 they got it.”
Data “retained” on a cloud where security is not foolproof, or legal jurisdiction is opaque, presents the potential for abuse. Thilo Weichert, leader of the Independent Centre for Privacy Protection in the German state of Schleswig-Holstein, has been on the front line of regulating the cloud — he had the Facebook “like” button banned in his state because it tracks and retains a log of user preferences, data that ends up on U.S.-run servers.
“Cloud computing must comply with data protection law,” Weichert told Miller-McCune. “As there is no valid data protection law in a lot of countries such as the U.S., it seems very difficult for U.S. companies to protect the right of informational self-determination in an adequate way."
The culture of privacy
As the European Union tries to agree on more expansive privacy laws to regulate data held in the cloud, Germany is taking action alone. In January, for example, Facebook was forced to allow German users to better shield their e-mail contacts from unwelcome advertisements and solicitations. Germany has been the only country to successfully demand that Google Street View allow citizens to exclude homes and businesses from the all-seeing photographic map service before it was launched. Germany is also trying to stop Google Analytics from over-retention of user browsing data.
More recently, the German state of Hamburg is threatening Facebook with legal action for not disabling its controversial biometric facial recognition software, which does not conform to German and EU privacy laws. In August, Facebook was told to delete all data collected by the image recognition application since the practice does not have the explicit consent of users. Facebook has so far refused to comply, but it did make some concessions, and in October it agreed to sign up to a voluntary code of conduct to protect private users' data across Germany.
Germany’s datenschutz, or data protection, movement is nothing new — Germans famously refused to commit personal data to its 1981 census, for example. Nor does this focus on privacy only come from the generation that remembers the infamous surveillance of East Germany’s Stasi secret police. Research shows that young Germans who were barely alive when the Stasi were creating intimate dossiers on ordinary Teutons are equally fearful of opening a Gmail account.
Britons and Americans, who rarely faced extreme consequences from data centralization, have a very different attitude. Very few objected to giving up detailed private data during the 2011 U.K. census, while U.S. voters acquiesced to the Patriot Act in the wake of 9/11.
Privacy can be good business
Global tech companies, many from the U.S., have argued that “over-protection” of private data limits the potential profit of global online businesses; intrusive national laws would hinder the data flow in the transnational cloud. This would be especially so in the world of Web 3.0, which builds on the social media of Web 2.0 by utilising intricate personal user data to drive online business. (To address this, some advocate universal laws to thus govern levels of privacy protection in the cloud.)
But some key North American regulators appearing at the Web 2.0 Summit in San Francisco in October told the big tech players that respecting user privacy will improve business.
Anne Cavoukian, information and privacy commissioner in Ontario, Canada, and a global advocate for “Privacy by Design,” said building privacy protections into products can harness more usable information by involving consumers and gaining their trust.
“[Don’t] collect data you don't need that's unrelated to the functionality of your app,” David Vladeck, director of the U.S. Federal Trade Commission’s Bureau of Consumer Protection, warned at the summit.
Such sentiments have also been heard in Washington, D.C. “A ‘we don’t care about privacy’ attitude from the United States would create major risks for American jobs, exports, and businesses … including cloud computing,” said Peter P. Swire, senior fellow at the Center for American Progress, testifying before the House Energy and Commerce Committee in September.
Swire believes that a free-market and free-flow approach to the cloud can and must include strong EU-like privacy protections if U.S. cloud vendors want to prosper. Some countries could regard the U.S. as a “noncompliance zone,” he worries. “Foreign competitors could use the lack of U.S. privacy protections as an excuse for protectionism, and insist that information processing happen in their country and not in the United States.”
The European Commission lists only seven countries where protection standards comply with the EU Data Protection Act, and the U.S. could forfeit its place on that list if the Patriot Act torpedoes the Safe Harbor agreement when tested in court.
But Swire sees signs of growing maturity on privacy among U.S. big tech firms. Search engine giants Google, Microsoft, and Yahoo, for example, have agreed to limit the time they keep search history data identifiable — “this data was held indefinitely in a form that could be easily linked to an individual,” he noted. The search companies negotiated with European authorities and the FTC, agreeing to “anonymize” individual search histories after a few months.
“This sort of dialogue, prompted in many cases by privacy officials in Europe, is a far cry from the caricature one sometimes hears of regulation-mad agencies bent on destroying commerce,” Swire told the House committee. “Today, many sensible safeguards exist in the ‘self-regulated’ U.S. market at least in part due to the efforts of privacy officials in Europe.”
Indeed, Richard Allen, Facebook's director of European public policy, was even upbeat about signing a voluntary code of conduct to protect user data in Germany, calling it "a very effective way to protect the interests of internet users." The storm clouds might soon be clearing.