Privacy In the Cloud: Show Me The Money
By Craig Balding
Richard Stallman - the man that gave us GNU - doesn’t trust Cloud providers with his data and says you shouldn’t either. Richard believes we should store our private data on our own computers using ‘free’ (as in freedom) software. The ironic part for Richard is that a significant portion of the Cloud is powered by open source software which he indirectly created (think gcc).
Richard sees it as a question of control. Control is important but it isn’t the only variable. Rather, I see it as a question of control, competence and economics.
The quick rebuttal to Richards’ view is this: the average computer user is not as smart as you. Control is not the same as competence. Control is about exercising choice, not about requiring everyone in the world to develop sufficient skills to protect complex hardware and software systems (aka their computer) against ever increasing threats.
My view is that privacy is not ‘free’. It comes at a cost. Whether you run your own systems or rely on someone else to do it, there is a cost. There is cost in designing and implementing mechanisms to support privacy. Beyond upfront costs there are ongoing expenditures to ensure privacy is maintained e.g. maintaining access control lists, testing and applying security patches, data leakage prevention etc. None of these things are ‘free’.
If we agree that privacy costs money then how much is your privacy worth?
Stop for a second - think of a number…
Now did we all think of the same number?
The problem with a one size fits all approach to privacy is that we each place a different value on it.
Checking in on the EPIC site, I saw this:
A new report from Pew Internet and American Life Project indicates that “cloud computing” applications, such as web-based email and other web apps, are raising new privacy concerns. The report Use of Cloud Computing: Applications and Services found that 69% of online Americans use webmail services, store data online, or use software programs such as word processing applications whose functionality is located on the web. At the same time, “users report high levels of concern when presented with scenarios in which companies may put their data to uses of which they may not be aware.” For example, 90% of respondents said that they “would be very concerned if the company at which their data were stored sold it to another party,” 80% say “they would be very concerned if companies used their photos or other data in marketing campaigns,” and 68% of “users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.”
What does that tell us?
The average (American) Internet user finds Cloud services convenient but has concerns about how their privacy might be affected by Cloud providers actions (duh!). The survey identifies a lack of awareness in how private data is used in some consumer based Cloud services (consistent with web advertising awareness surveys).
Unfortunately, the results of this survey are not very actionable. The survey doesn’t mention whether these are all ‘free’ Cloud services (we can only assume they are) or ask the respondents what their expectations of privacy are and how much they would be willing to pay for different privacy assurance levels.
On a sidenote, respondents were not asked if they had actually read the privacy agreement for the services they signed up to. But the providers know if they did or not… Or at least, they have the data to figure it out. At sign up time they can measure the time between displaying the privacy agreement and the user clicking ‘I accept’. If its just a few seconds then its pretty obvious there was more scrolling than reading going on. But I think we can probably guess the answer without the data ;-).
I believe we need to be able to link expectation of privacy with cost.
- How much are you willing to pay for privacy? What level of privacy assurance do you need?
- How much is your Cloud Provider paying to protect your privacy today? What privacy services could they reasonably offer if they had customers willing to pay? How might this compare with how you manage your private data on your home computer today?
The cynical view is that we expect privacy but don’t want to pay for it. Its a bit like uptime - there is a parallel universe out there, where internal IT departments allegedly meet their 99.999% uptime SLAs, but when Gmail goes down, the Sergey Brin witchcraft dolls come out.
From a provider perspective, the “cost” of privacy invariably gets bundled under that line item called ‘Information Security’. And don’t be fooled, the cost of privacy in reality is more than the salary of the person employed to be the privacy advocate (if there is one). If we can’t see how much our providers are spending on our privacy then how can we judge if they are spending enough? And what is enough? And what can I get if I’m willing to pay a little extra?
Personally, I would rather we get some transparency around privacy costs and assessment of offerings. However, without a sufficiently sized market of customers willing to pay for privacy assurance and Cloud Providers willing to be more open, I won’t hold my breath.
What about you? Would you be prepared to pay for privacy? Should providers be more transparent about what they do and don’t do and how they do it?