It took me a while to piece together the events that may have led the FTC to initiate a series of "discussions" on cloud computing and privacy – a somewhat puzzling move for an agency historically concerned with various forms of fraud long after they have become commonplace. Why would the Federal Trade Commission get involved in an emerging technology space while it's in its formative stages? Do we really benefit from a government-brokered discussion on how to secure the cloud in its infancy, or is it mostly a whole lot of hand waving?
The rationale for these roundtables cited by David Vladeck, director of the Bureau of Consumer Protection at the FTC, seems shaky at best:
The ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities in ways not originally intended or understood by consumers.
Cloud computing may be a new term, but the model that makes it easiest to share data with others has been around for quite some time in the form of the most mature of cloud archetypes – Software-as-a-Service. Does subsuming SaaS under the cloud umbrella really make it so much more dangerous than it was when this technology originally went mainstream? Certainly not.
To be fair, I am pragmatic enough to understand why a bureaucrat may want to attach their name to an exciting topic such as cloud computing. This is the sort of stuff that sweeping "track record" claims are made of, but the mechanics of FTC involvement in this matter are quite interesting, nevertheless.
Most of the recent articles do not mention this, but these FTC roundtables appear to be a direct response to a complaint made by an organization called EPIC – the Electronic Privacy Information Center. I've never paid much attention to this group, but apparently, in addition to agitating for government oversight of cloud computing, EPIC also acts as a public watchdog over such obvious villains as Facebook and Google, famously asking the FTC to shut down most of Google Apps until (non-existent) government-mandated security standards are enforced. Perhaps most amusing of all is that EPIC has also earned the dubious distinction of being called a radical group by the Electronic Frontier Foundation (EFF).
The FTC and EPIC seem to enjoy a rather symbiotic relationship, built on a series of nonsensical statements that ultimately lead to what amounts to an appearance of consumer protection action. EPIC gets the ball rolling with something along the lines of "I predict we are going to experience something very similar with respect to privacy within the emerging information economy. We are going to realize we allowed very similar complex transactions to occur between nontransparent organizations, and we will pay." The FTC is happy to oblige with something equally inane: "I see a lot of overlap between competition analysis and security". This inevitably paves the way for the FTC to announce a whole series of roundtable discussions that will supposedly lay the foundation for cloud privacy and security.
Unsurprisingly, the FTC paints the cloud privacy problem in very broad strokes, and even its very definition of cloud computing is enough to call the seriousness of this inquiry into question:
Cloud computing, which is defined broadly as the provision of Internet-based computer services, allows businesses and consumers to use software and hardware located on remote computer networks operated by third parties
Translation: The Internet is a series of tubes, blah, blah, blah… and henceforth.
The problem with privacy concerns as framed by EPIC and the FTC is that they hinge on a very superficial observation – cloud computing centralizes consumer data. While factually correct, this does not adequately communicate the risk posed by this concentration, nor does it deal with the fact that consumer data is often just as concentrated, and less secure, in private data centers. These data centers have historically suffered much more debilitating security flaws (ex: Acxiom) than what's currently documented in cloud environments delivered by service providers that treat security as a key business process.
EPIC appears to be more of a troll than an evil organization, but they are not entirely useless either. Their fetishized obsession with HTTPS has forced Google to announce that Gmail will now be encrypted by default. The value of browser encryption is typically overblown, and SSL would have done nothing to prevent the Aurora attacks, but it doesn't hurt either.
Still, I can't help but think that cloud computing should remain an industry concern for quite a while, and no consumer really benefits from government involvement at this stage. Applying public pressure, rather than allowing market demand to shape security requirements, will only produce the appearance of security rather than a fundamental shift in how we protect our data today.
This is a topic for another post, but I firmly believe that over time cloud computing offers more security opportunities than risks. These opportunities can only be taken advantage of by cloud providers themselves, rather than enforced by organizations such as EPIC and the FTC.