Report cites potential privacy gotchas in cloud computing

Computerworld - Companies looking to reduce their IT costs and complexity by tapping into cloud computing services should first make sure that they won't be stepping on any privacy land mines in the process, according to a report released this week by the World Privacy Forum.

The report runs counter to comments made last week at an IDC cloud computing forum, where speakers described concerns about data security in cloud environments as overblown and "emotional." But the World Privacy Forum contends that while cloud-based application services offer benefits to companies, they also raise several issues that could pose significant risks to data privacy and confidentiality.

"There are a whole lot of companies out there that are not thinking about privacy" when they consider cloud computing, said Pam Dixon, executive director of the Cardiff, Calif.-based privacy advocacy group. "You shouldn't be putting consumer data in the cloud until you've done a thorough [privacy] review."

According to the World Privacy Forum's report (download PDF), the data stored in cloud-based systems includes customer records, tax and financial data, e-mails, health records, word processing documents, spreadsheets and PowerPoint presentations. The list of potential privacy issues cited in the report include the following:

Breaking the rules. Organizations could find themselves on the wrong side of privacy regulations if they aren't careful, the report said. For example, a federal agency that uses a cloud service to host personal data may be in violation of the Privacy Act of 1974, especially if it doesn't have provisions for protecting the data in its contract with the cloud provider, according to the report. In addition, it said, federal records management and disposal laws may limit the ability of agencies to store official records in the cloud.

Similarly, the privacy rules in federal laws such as HIPAA and the Gramm-Leach-Bliley Act restrict companies from disclosing personal health care or financial data to nonaffiliated third parties unless specific contractual arrangements have been put in place, the report said. In another example, it noted that IRS rules prohibit tax preparers from using third parties such as cloud service providers to host returns. "Companies could be loading data into the cloud illegally without their knowing it," Dixon said.

Surprises in the fine print. Companies need to understand that the data-disclosure terms and conditions set by cloud vendors and the storage and access rights they include in contracts can have a significant effect on privacy, the report claimed. And the privacy risks can be magnified, Dixon said, if a cloud vendor retains the ability to change its terms and policies at will. Users should make sure, she added, that they're protected against attempts by cloud providers to access or use data for any secondary purposes — for instance, using personal health information to deliver targeted marketing messages to consumers.

Lost protections. Storing data on cloud-based systems and accessing it via the Internet could have an impact on any legal protections afforded to the data, according to the report. For instance, it claimed that trade secrets and privileged lawyer-client information may not have the same level of protections when hosted on third-party servers as they do when stored internally.

Open doors on data. The report said that government agencies as well as parties involved in legal disputes may be able to more readily obtain data from a third party than from the owner of the information. For instance, laws such as the USA Patriot Act and the Electronic Communications Privacy Act give the federal government authority to compel disclosure of records held by cloud vendors, the report maintained, adding that many of the vendors are likely to have less incentive to resist such requests than the actual data owners do.