US federal and international regulators on Tuesday met to hear about whether the benefits of cloud computing justify increased regulation, as privacy activists claim, or whether such an approach would do more harm than good.
"We need to be smarter about dealing with technology, and cloud computing is posing [a] risk for us," said Hugh Stephenson, deputy director for international consumer protection at the Federal Trade Commission's Office of International Affairs.
The FTC convened the two-day meeting in its offices in Washington, which follows a series of similar workshops held there on previous years on topics such as spam, privacy and behavioural advertising. The agency may file lawsuits to halt "unfair or deceptive acts or practices", meaning that if cloud computing is not unfair or deceptive, the FTC would be unlikely to have jurisdiction.
To secure personal information on the cloud, regulators may have to answer questions such as which entities have jurisdiction over data as it flows across borders, whether governments can access that information as it changes jurisdiction, and whether there is more risk in storing personal information in datacentres that belong to a single entity rather than multiple datacentres.
The current panoply of laws at the state, national and international level have had insufficient results; FTC commissioner Pamela Jones Harbour cited a 2008 PricewaterhouseCoopers information security survey in which 71 percent of organisations queried said they did not have an accurate inventory of where personal data for employees and customers is stored.
With data-management practices that are not always clear and are subject to change, companies that offer cloud-computing services are steering consumers into dangerous territory, said Marc Rotenberg, executive director of the Electronic Privacy Information Center (Epic).
Already, problems of identity theft are skyrocketing, he said, and without more regulation, data-management services may experience a collapse analogous to that of the financial sector.
"I predict we are going to experience something very similar with respect to privacy within the emerging information economy," Rotenberg said. "We are going to realise we allowed very similar complex transactions to occur between non-transparent organisations, and we will pay."
Also on Tuesday, Epic asked the FTC to pull the plug on Gmail, Google Docs, Google Calendar and the company's other web apps until government-approved "safeguards are verifiably established."
FTC commissioner Harbour said at Tuesday's conference that it would be preferable if more than one large company such as Google were responsible for storing personal data. "I see a lot of overlap between competition analysis and security," she said.
Jane Horvath, senior policy counsel for Google, said "privacy by design is ingrained in our culture, and security is one of our fundamental design principles". If customers do not feel their data is secure in Google products, nothing prohibits them from transferring their data elsewhere, she said.
"Cloud computing is a very new market place," Horvath said. "As more and more services become available, there will be more and more providers entering this market."
Furthermore, said Kristin Lovejoy, IBM's director of governance and risk management strategy, companies that lease server space from companies such as Google to launch their own applications are ultimately responsible for security standards. She also said a large-scale cloud model is easier to secure than a heterogeneous datacentre.
The cloud-computing sector would benefit, Lovejoy said, from standards similar to the PCI Security Standards, which were formed by major credit-card companies to regulate payment account data security.
"We could define for the commercial sector a set of simplistic foundational controls, give them the ability to understand what they must do, and then build on top of that," she said.
In the industry's current state, "we don't know what we need to do, we don't know what we need to protect", Lovejoy said. "The technologies are there but not able to fully help us."
She said IBM is currently developing technology to allow individuals to create profiles to share with third parties, giving consumers the ability to manage elements of their identity. However, she said there is not enough R&D funding for such technology.
"There needs to be innovation around the technologies which push choice to the individuals," Lovejoy said.
While the FTC did not comment directly on any regulatory actions or changes in policy, international regulators said they plan to examine the implications of cloud computing on data security and privacy. The Organization for Economic Co-operation and Development should broach the subject of cloud computing at a meeting in Paris in October, said Michael Donohue, the privacy and information security administrator for the OECD.
This May, the European Union will launch a broad consultation on whether it should consider revising the 1995 data protection directive, said Hana Pechackova, the justice liberty security directorate general for the European Commission.
"We cannot pretend the technologies are the same as they were in 1995," Pechackova said. "Cloud computing and new business models are really challenging our systems. We've heard that the directive may be outdated, but we do not want to step back from our basic principles."
Currently, around 90 percent of organisations in the EU do not engage in transfers of data outside the region, said Billy Hawkes, Ireland's data-protection commissioner. Cloud computing is very likely to change that, however.
