Friday, July 8, 2011

Why is my information vulnerable in the public cloud?


Free, public cloud based services have been around for a while.  Microsoft’s Hotmail, Google’s Gmail and Docs, News Corp’s Myspace and so on, have all been offering free and user friendly cloud based software that most anyone can use.  Along with any cloud service come the issues of security and privacy.  How do these organizations go about treating your private information and for what purposes are they using it? How secure are these free services that have so many members storing all this information? What is the common practice when law enforcement or some other government entity asks them for access to your data?

In his essay “Caught in the Cloud”, scholar and activist Chris Soghoian rightly points out that these businesses aren’t charities.  News Corp and Microsoft aren’t in the habit of spending large amounts of money on servers and resources so that millions of users may enjoy free service.  The primary manner in which these companies make money is through the organization and sale of their users’ private data.  

For example, when we write e-mails in Gmail, all the text we type is sent through one of Google’s algorithms.  That algorithm spits out data and tells Google how to intelligently advertise to us based on the contents of our conversation.  So if I’m e-mailing a friend for class notes from the Intellectual Property law class I didn’t show up to, I may see ads for higher legal education, online copyright protection services or even patent drafters.  Google’s algorithm intelligently determines what ads will hit home with me by analyzing all of my communications.  The same process applies to Google Docs.

Naturally, this type of targeted, consumer-specific advertising (known as behavioral targeting) is worth a premium in comparison with randomly sending ads to Gmail subscribers hoping that they are appropriately targeted.  This is one of the primary ways in which Google not only makes up the costs of running its free cloud based offerings but turns a profit.

Microsoft uses similar behavioral targeting techniques with their Hotmail service.  Microsoft will analyze your search data.  In 2006, Chris Dobson, Microsoft’s global head of advertising sales, told Seeking Alpha that Microsoft has increased its click-through rate by 76% since the implementation of behavioral targeting in its ad services.  

When you ask the average person how important it is to them that their data be secure online (specifically their private and intimate data like the content of their e-mails), they’ll generally reply by telling you it is very important.  However, one look at these public cloud services and one quickly realizes that people like to talk. 

Possibly the best and most widespread method to protect data is encryption.  When we log into our online banking sites, our sessions on those sites are encrypted for obvious reasons.  I doubt too many people would use an online banking service with security practices like Gmail or MySpace.  

Chris Soghoian explains that most cloud service providers have “Network Encryption” which essentially protects you as you log into your service.  They do not, however, have what is called “Data Encryption” which is what protects your information once it is already in the cloud.  Though Soghoian tells us that one of the main reasons for this is the total lack of awareness of the average consumer and the lack of consumer demand for encryption, I am of the belief that this is first and foremost a cost issue.  

Large public cloud providers do not implement data encryption because it is more resource intensive and would have the effect of slowing down the service (making things more costly for them).  Also, as we noted that these services make their money selling data for advertising, that data becomes a lot less valuable, if not worthless, if no one can understand it (because it’s encrypted).

This is a stark contrast with private cloud providers whose success very much hinges on the security and integrity of their network.  Medical service providers, large businesses, law firms and the like do not store their information in the public cloud for reasons of liability.  What insurance company will cover a law firm that was the victim of a data breach upon storing valuable client information on Google Docs?  Such a move would be monumentally foolish for any entity needing to store private, sensitive or valuable information. 

Finally, what happens when law enforcement tries to compel one of these service providers to hand over your private information?  In many cases a warrant isn’t even required! For example, the Patriot Act allows law enforcement to ask for a court order and search your private data without ever informing you.  What’s more, through the use of what is called a “National Security Letter”, the Patriot Act allows the F.B.I. and other law enforcement agencies to access your data without any form of judicial hearing or oversight.  That means that the F.B.I. can look at your documents without establishing probable cause that your data is or may be useful to a criminal investigation.  These broad and sweeping powers have been the subject of much debate and the constitutionality of these measures (on 4th Amendment grounds) has been seriously called into question.  Perhaps this is the reality of online life in a post 9/11 world. 

There are, however, solutions to this problem.  As mentioned before, data encryption makes it so data, while stored in the cloud, remains unintelligible.  It is only once it is decoded with the encryption key that it can be read again.  Some services do offer data encryption to their clients.  However, if the service provider is in possession of the encryption key, law enforcement can compel them to hand it over along with the data itself.  That isn’t the case if the user is the only person who possesses the encryption key.  In that event, a service provider can comply with the demand without actually exposing your information.  
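
The difference between a provider-held key and a user-held key, as an added example that is not part of the original post. It uses Node.js's built-in `crypto` module (scrypt and AES-256-GCM); the function names, the passphrase and the record layout are assumptions made for illustration.

```javascript
// Added example (not from the original post). Function names, the passphrase
// and the record layout are illustrative assumptions.
const nodeCrypto = require('node:crypto');

// Stretch a passphrase into a 256-bit key; the salt is stored beside the ciphertext.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Runs on the user's machine before upload. Returns the record the provider stores.
function encryptForUpload(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Throws if the passphrase is wrong or the stored record was modified.
function decryptRecord(record, passphrase) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, record.salt), record.iv);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
}

// What a provider can produce when compelled: the stored record plus any key
// material it holds. With a user-held key, heldPassphrase is null.
function compelledDisclosure(record, heldPassphrase = null) {
  return { record, passphrase: heldPassphrase };
}

// Can whoever receives the disclosure recover the plaintext from it alone?
function readableFromDisclosure(disclosure) {
  if (disclosure.passphrase === null) return false;
  try {
    decryptRecord(disclosure.record, disclosure.passphrase);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample data.
const note = 'Class notes: Intellectual Property law';
const passphrase = 'constructed-example-passphrase';
const record = encryptForUpload(note, passphrase);

console.log('provider-held key:', readableFromDisclosure(compelledDisclosure(record, passphrase)));
console.log('user-held key:', readableFromDisclosure(compelledDisclosure(record)));
```

The trade-off of the user-held model is that a lost passphrase means the stored record cannot be recovered by anyone, the provider included.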

People have been using and will continue to use free cloud based services for e-mail and the like.  I’m not suggesting we all stop doing so.  That being said, I do believe that knowing how your data is (and can be) treated is important and should be in the back of everyone’s mind when clicking “I agree”.  You may decide that certain things are best left out of the cloud.
