Cloud computing, Policy, Privacy and empowering the user ..

BACKGROUND

It great to be invited to attend and participate in the State of the Net conference in Washington DC by Tim Lordon Director of the Internet Education Foundation who met me when I spoke at the EIF event at the European parliament . I would also like to thank MEP James Elles and Peter Linton – EIF for their support.

The timing of this event is significant coming just before the inauguration of the Obama presidency and Barack Obama’s belief that the Internet is way out of the recession. Considering this is a gathering of Government and Industry – I am going to focus on the issue of Policy for Cloud computing. So, here are my views .. Which builds on previous blogs but also focusses specifically on the issue of Policy(i.e. issues such as privacy and data protection) in relation to Cloud computing.

SYNOPSIS

1) Cloud computing will shift the emphasis to the service and the service level agreement.

2) It creates winners(I believe IBM, Amazon, Microsoft, Google, Mobile network operators + SIM) but will also impact negatively on some companies/entities whose brand may become invisible (for example – Oracle, Linux).

3) For customers and businesses, there remain many unanswered questions. The privacy and encryption of data – end to end – will become more important.

4) In practise, this means we may need to anonymise and encrypt data at the source (which is why the client for the cloud is important) so that it cannot be decrypted without the user’s permission. I have spoken about this before in Unharnessing collective intelligence: A business model for privacy on Mobile devices based on k-anonymity

5) Privacy and security at the client will be important – which means that Chrome(Google), Azure(Microsoft) and SIM(for network operators) strategies will be important.

6) I also believe that paid services will be important since people will realise the true ‘cost’ of free in terms of the loss of rights in the small print(it will need only a major high profile lawsuit involving a celebrity for that to become a mainstream topic of discussion)

7) When it comes to free services, users will want more control of their data and will want to control who sees it and under what rights in return for personalised services.

8) We need enlightened regulation and clarification of applicability of certain existing regulation.

WHEN DID YOU DRIFT INTO THE CLOUDS?

Firstly, I often ask people: When did you start using Cloud computing?

For most of us, that may be when we opened a Hotmail account. That was the case with me as well. However, we did not call it ‘Cloud computing’ – we called it ‘Webmail’. For me, the realization that I was using a different architecture came when I started following a company called SoonR. SoonR uses cloud computing to bridge the worlds of the Web and the Mobile Web – which is a topic of interest for me historically. Being a major user of Google applications and services like Mozy – I can say that I have been living ‘in the Cloud’ for some time now.

But first – we have to define what is the Cloud, Why Cloud Computing is significant and also we have to clear the mist around the Cloud :)

CLOUD – DEFINING AND CLEARING THE FOG

The best definition of Cloud computing I can get is the one I have adapted slightly from the Guardian: Cloud computing: Where IT capabilities(Software and Hardware) is delivered over the internet as you need it, rather than drawn from a desktop computer. Extending the Hotmail analogy, for many of us, that often means Cloud computing equals ‘Online and hosted outside your own server’. However, that is not necessarily so .. Because the idea is – instead of setting up your own architecture (hardware), you should be able to purchase it just like a Utility. In other words, it encompasses BOTH Hardware and Software as a service.

Of course this is also not new – since it similar to Bureau processing in the mainframe era but the proliferation of Broadband has made ideas we talked of a decade ago far more mainstream now and far more complex.

How complex? – we can see it from this example

Amazon, already a web retailing giant, is also a cloud computing pioneer. S3, launched in March 2006, behaves like an infinitely expandable hard drive. Developers can store and retrieve data without needing to worry about where it is physically located. “S3 now has 14bn objects and 30,000 transactions a second,” Jeff Barr of Amazon told a conference in London earlier this year. Later in 2006, S3 was joined by the Elastic Compute Cloud, or EC2, which lets users create virtual computers on the fly. “You build a structure called an AMI, an Amazon Machine Image, and on that AMI you put your operating system, your applications and any data that you would like,” Barr says. “You take that whole AMI, copy it to S3, then we can launch one, 10, 50, however many you like.” Amazon bills customers for virtual computers by the hour, and also charges for data storage and internet data transfer (amazon.com/aws).

Source: The Guardian

A more complete description of Cloud computing also at How stuff works – Which is in general an excellent resource. To make matters worse, Cloud computing also encompasses terms used before such as SAAS, Utility computing, web services for the cloud, platform as a service, managed services, service commerce platforms or Internet Integration

WHY ELLISON HATES THE CLOUD, AND STALLMAN TOO ..

Cloud computing changes the balance of power in the vendor(Software and hardware) community ..

In a widely publicised article, Larry Ellison – founder of Oracle corporation – criticised Cloud computing calling it meaningless. and Cloud computing is a trap warns Open source pioneer Richard Stallman

Both Ellison and Stallman have the same thing to fear from Cloud computing – it makes them commodities.

With the Cloud, all you care about is the Service(The Service level agreement). Once the customers(business or consumer) have a SLA, who cares what database it runs on or what Operating system it uses? Indeed Oracle embraced Cloud computing by deploying on Amazon EC2 and Google already runs it’s servers on Linux. So, the SLA is with Amazon(for the Oracle database) and with Google(for the Linux operating system). So, vendors like IBM, Microsoft, Google and Amazon will be the ones with the SLA(customer facing brands) at the expense of those who will be commoditised ..

Hence a change in the balance of power in the vendor community ..

POLICY ISSUES

But the effects range wider than the computing vendor community .. They affect consumers and businesses .. due to some key privacy/policy issues.

These range from

a) Who owns your data when it is Online?

b) What privileges does the provider have(for instance will you see advertisements against data)

c) What rights do governments have?

d) Can data be sold to third parties?

e) Can data be analysed by providers?

f) What happens to your data if the service is sold or terminated?

g) What about metadata for your data in the Cloud?

When I first read all these concerns – I thought that they were exaggerated. Surely, it is the same if your data is stored with you(inside your house or your company) as opposed to outside your house or company?

In other words, legally and from a privacy standpoint does it matter where the data is hosted?

Apparently it does .. And there in lies the problem and the policy discussion ..

There is an excellent presentation from Nat Torkington or O Reilly media on which I have drawn upon for this section. I recommend you also have a look at the presentation – Web meets world – Privacy and the future of the Cloud

The bottom line is:

In the USA(and similar legislation may apply in your local areas), there are two types of legislation – Constitutional rights/legislation – which are stronger and Statutory rights/legislation – which are relatively weaker. In practise, to intercept the same email kept on your home computer (as opposed to in the Cloud) – the Law enforcement authorities need to show probable cause since emails kept at home are protected by Constitutional rights. However, if the same email(or for that matter) any piece of data – is kept in the Cloud, then the law enforcement authorities need only a Court order – which is relatively easier to get. The solution is to anonymise and encrypt the data online so that it cannot be ‘released’ without the user’s permission.

This means you need to anonymise and encrypt ALL data at the Client side such that it cannot be decrypted without the user’s permission (we come back to this later).

Directive 2006/24/EC from the European Union relates to Data protection and data retention. But some states go even further. Denmark apparently wanted to know the source, time and destination of every packet! Our own British government (home secretary Jacqui Smith) wants to outsource tracking of everyone’s calls, emails, texts and internet use In the YouTube vs. Viacom lawsuit , the judge originally wanted individual IP addresses, clips viewed etc and this is quite apart from outright blunders like AOL releasing supposedly anonymised data search habits of users.

And we have not even touched the issue of who owns the metadata i.e. data about data in the Cloud and the usage and policies for metadata

In a nutshell, Privacy needs security. Outsourced systems and security (in the cloud) is a good idea. Alongwith it comes the issue of outsourced privacy of data which has many unknowns at the moment. Also, the measures undertaken by providers for protecting data are opaque and can never be foolproof. Governments also may be the cause of the problem in some cases.

IMPLICATIONS FOR PROVIDERS AND FOR POLICY MAKERS

Here are some thoughts, insights and views

a) Enlightened legislation is needed. Certainly clarification is needed on legislation which applies to data stored in the Cloud vs. the home

b) Outsourced security becomes someone else’s problem – outsourced privacy is ALWAYS our problem!

c) Most people don’t realise the issues. It will take only one high profile/ Celebrity divorce subpoena where they stored email in the Cloud(which was more accessible to the lawyers) as opposed to one on their own PC. At the moment, there IS such a case warshak vs. USA – but it is not high profile enough

d) Governments should think of ‘doable’ legislation. Certainly the UK and Denmark proposals are not practical.

e) Governments should be a part of the solution and not the problem

f) Cloud computing will shift the emphasis to the service and the service level agreement.

g) It creates winners (I believe IBM, Amazon, Microsoft, Google, Mobile network operators) but will also impact negatively on some companies/entities whose brand may become invisible (for example – Oracle, Linux).

h) For customers and businesses, there remain some unanswered questions. The privacy and encryption of data – end to end – will become more important.

i) In practise, this means we may need to anonymise and encrypt data at the source (which is why the client for the cloud is important) so that it cannot be decrypted without the user’s permission. I have spoken about this before in Unharnessing collective intelligence: A business model for privacy on Mobile devices based on k-anonymity

j) Privacy and security at the client will be important – which means that Chrome(Google), Azure(Microsoft) and SIM(for network operators) strategies will be important.

k) I also believe that paid services will be important since people will realise the true ‘cost’ of free in terms of the loss of rights in the small print(it will need only a major high profile lawsuit involving a celebrity for that to become a mainstream topic of discussion)

l) When it comes to free services, users will want more control of their data and will want to control who sees it and under what rights in return for personalised services.

m) We need enlightened regulation and clarification of applicability of certain existing regulation.

CONCLUSIONS

We live in interesting times!! But seriously .. There is a lot at stake here for everyone and I am looking forward to some interesting discussions ..