The FTC doesn't view the cloud in an entirely negative light. Vladeck wrote that "cloud computing has the potential to reduce the need for businesses and consumers to purchase, operate and maintain software and hardware themselves; it may be a less costly way for them to manage, store and use data."
That said, he also observed that "the ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities in ways not originally intended or understood by consumers."
As reported by Stephanie Clifford in The New York Times, both the chairman of the FTC, Jon Leibowitz, and Vladeck have "signaled to Internet publishers and advertisers that they expect the commission to take a more active role in safeguarding consumer privacy." (Read the full comment from the FTC.)
The FTC has already signaled to businesses that the methods used to authenticate new and existing customers need to be strengthened. Following a data breach that affected more than 163,000 consumer records, the FTC won a settlement in 2006 of $10 million in civil penalties and $5 million in consumer redress from ChoicePoint Inc. for "poor data handling." The FTC is also pursuing HIPAA violations as a matter of consumer protection.
In his comment, Vladeck indicates that he believes many of the issues around cloud computing security and privacy "will be addressed through the roundtable discussions as well as through requests for comments and original research."
Ari Schwartz, chief operating officer of the Center for Democracy & Technology, said, "The question is how does deception and unfairness jurisdiction under Title 5 [of the FTC Act] apply to the use of data in the cloud. Traditionally, the rule of privacy has been under the deception area. You say you have to do something, you have to do it. You can't bury the disclosure. The commission has been given a hard time about their ability to bring unfairness cases because of their inability to show real consumer harm.
"Now, going into the cloud space, where it's unclear what consumer expectations are, what jurisdiction does this go under?" Schwartz asked. "How far under Fair Information Practices? Do they own data in the cloud? Does the provider have liability under the current FTC rules? What happens if there is a data breach?
"The answers to these questions just aren't clear. That's why they're investigating it. It would be just as surprising if the FTC had written a letter saying that they weren't investigating cloud computing privacy and security."
As any CIO tasked with addressing compliance requirements in cloud computing contracts knows, the terms of service from providers need to be closely compared with regulatory strictures applicable to the locations of data centers.
"Companies are worried about trans-border data flows because of the multidimensional nature of data," said Barbara Lawler, chief compliance officer at Intuit Inc., speaking at the FTC's privacy workshop in December. "Take the example of a data center. Many companies are consolidating. Most responsible companies have second or third data centers, often outside of the country. Data is in one place and many places at the same time. Data is never really at rest."
Data privacy laws vary from country to country. According to "Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing," a World Privacy Forum report, "A user's privacy and confidentiality risks vary significantly with the terms of service and privacy established by the cloud provider."
Precisely what the cloud is and how cloud computing security should be assured have been muddy issues for years now. The involvement of a federal regulator may bring more attention to the issues, although achieving clarity on either will be a challenge.