Privacy In the Cloud: Show Me The Money

Privacy is a lot like universal healthcare.  Many agree it's a good idea in concept, but few people want to pay for it.

Richard Stallman - the man that gave us GNU - doesn’t trust Cloud providers with his data and says you shouldn’t either.  Richard believes we should store our private data on our own computers using ‘free’ (as in freedom) software.  The ironic part for Richard is that a significant portion of the Cloud is powered by open source software which he indirectly created (think gcc).

Richard sees it as a question of control.  Control is important but it isn’t the only variable.  Rather, I see it as a question of control, competence and economics.

The quick rebuttal to Richard's view is this: the average computer user is not as smart as you.  Control is not the same as competence.  Control is about exercising choice, not about requiring everyone in the world to develop sufficient skills to protect complex hardware and software systems (aka their computer) against ever increasing threats.

My view is that privacy is not ‘free’.  It comes at a cost.  Whether you run your own systems or rely on someone else to do it, there is a cost.  There is cost in designing and implementing mechanisms to support privacy.  Beyond upfront costs there are ongoing expenditures to ensure privacy is maintained, e.g. maintaining access control lists, testing and applying security patches, data leakage prevention, etc.  None of these things are ‘free’.

If we agree that privacy costs money then how much is your privacy worth?

Stop for a second - think of a number…  

Now did we all think of the same number?

The problem with a one size fits all approach to privacy is that we each place a different value on it.

Checking in on the EPIC site, I saw this:  

A new report from Pew Internet and American Life Project indicates that “cloud computing” applications, such as web-based email and other web apps, are raising new privacy concerns. The report Use of Cloud Computing: Applications and Services found that 69% of online Americans use webmail services, store data online, or use software programs such as word processing applications whose functionality is located on the web. At the same time, “users report high levels of concern when presented with scenarios in which companies may put their data to uses of which they may not be aware.” For example, 90% of respondents said that they “would be very concerned if the company at which their data were stored sold it to another party,” 80% say “they would be very concerned if companies used their photos or other data in marketing campaigns,” and 68% of “users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.”

What does that tell us?

The average (American) Internet user finds Cloud services convenient but has concerns about how their privacy might be affected by Cloud providers' actions (duh!).  The survey identifies a lack of awareness of how private data is used in some consumer-based Cloud services (consistent with web advertising awareness surveys).

Unfortunately, the results of this survey are not very actionable.  The survey doesn’t mention whether these are all ‘free’ Cloud services (we can only assume they are) or ask the respondents what their expectations of privacy are and how much they would be willing to pay for different privacy assurance levels. 

On a side note, respondents were not asked if they had actually read the privacy agreement for the services they signed up to.  But the providers know if they did or not…  Or at least, they have the data to figure it out.  At sign up time they can measure the time between displaying the privacy agreement and the user clicking ‘I accept’.  If it's just a few seconds then it's pretty obvious there was more scrolling than reading going on.  But I think we can probably guess the answer without the data ;-).

I believe we need to be able to link expectation of privacy with cost.

  • How much are you willing to pay for privacy?  What level of privacy assurance do you need?
  • How much is your Cloud Provider paying to protect your privacy today?  What privacy services could they reasonably offer if they had customers willing to pay?  How might this compare with how you manage your private data on your home computer today?

The cynical view is that we expect privacy but don’t want to pay for it.  It's a bit like uptime - there is a parallel universe out there, where internal IT departments allegedly meet their 99.999% uptime SLAs, but when Gmail goes down, the Sergey Brin witchcraft dolls come out.

From a provider perspective, the “cost” of privacy invariably gets bundled under that line item called ‘Information Security’.  And don’t be fooled, the cost of privacy in reality is more than the salary of the person employed to be the privacy advocate (if there is one).  If we can’t see how much our providers are spending on our privacy then how can we judge if they are spending enough?  And what is enough?  And what can I get if I’m willing to pay a little extra?

Personally, I would rather we get some transparency around privacy costs and assessment of offerings.  However, without a sufficiently sized market of customers willing to pay for privacy assurance and Cloud Providers willing to be more open, I won’t hold my breath.

What about you?  Would you be prepared to pay for privacy?  Should providers be more transparent about what they do and don’t do and how they do it?

5 Responses to “Privacy In the Cloud: Show Me The Money”

  1. I agree with Richard Stallman - cloud computing is pure marketing hype. I find it amazing that companies and individuals make the conscious choice to ignore the advice of the likes of Richard Stallman and Larry Ellison.

    One need only consider the following question:
    Which computer is a more compelling target to a hacker?
    - Jane Doe’s personal computer where she stores her financial information
    - Amazon’s S3 server where thousands of businesses and individuals store their financial information

    To a sophisticated hacker, the question is a simple one - break into one computer and gain access to one person’s data or break into one computer and gain access to the data of thousands of businesses and individuals.

    Businesses and individuals who choose to operate in the cloud do so at their own peril. Unfortunately, they will not get the message until an incident occurs that is serious enough for them to call into question the wisdom of relinquishing control of their data to cloud service providers.

  2. @Mike: thanks for the comment. It's not so much ignoring his advice but putting it up to the light of day and asking ‘is this practical for average Joe’. You and I may be able to protect our own machines but I have seen enough compromised machines (friends, family, customers) to know that expecting everyone to protect their own machines is not working. A paid-for service with enhanced protections would be a big step in the right direction. What is your solution for people that don’t have your skills?

  3. I’ll counter: Should you have to explicitly pay for privacy? Do you have to explicitly pay for your constitutional rights? Perhaps indirectly (e.g. cost of courts, enforcement, etc.), but you expect them to be there in any activity you undertake. I (perhaps naively) expect privacy to be there, and to cover the costs indirectly. How those costs are incurred doesn’t really matter to me.

    Is that a practical view? Perhaps, perhaps not. However, I think making privacy an optional service, and not a requirement of every online system, is dangerous. Dangerous not only in terms of my unprotected data being open to abuse, but also in terms of the precedent it sets for other technology related human rights.

    The cost of a car has risen in real dollars over the last few decades because of increasingly expensive “assumed” items, like airbags, anti-lock brakes and electronic control systems. If my online experience slowly gets more expensive over time because privacy requirements are mandated, I can live with that. It's just not as sexy as the car.

  4. @James: thanks for dropping by - enjoying your blog. I believe that privacy is a right, but the implementation of privacy in information systems is a complex task that requires strong investment, skill sets, senior management commitment, privacy awareness and provable assurance. I may agree there should be minimum privacy standards, but the proof is in the pudding - there is considerable variance in practical privacy implementations today. People don’t know what they are getting but assume they are getting privacy. I think we need to be able to differentiate privacy implementations, but we need transparency for that. Plus I think we should have the choice to have enhanced privacy services (i.e. greater assurance). I’m not arguing privacy should not be present - quite the opposite. Today the only way for people to compare offerings is to read all the privacy agreements (and who really does that for each and every service?). The problem is that whilst privacy statements are important, they are ultimately a list of commitments. How do we know if a company is delivering on them? I don’t want to wait for a breach to know my provider didn’t act in good faith on their privacy policy.

    Thanks,
    Craig

  5. My solution for people who don’t have the skills to protect their own systems is to educate them about the real (not the perceived or the hyped) threat level that they face.

    In my opinion, promoting cloud computing to the average Joe on the basis that their data is not secure on their own systems plays on the perceived fear that hackers are intent on compromising their machine and it plays to the hype that their data will somehow be safer if they turn it over to a cloud service provider.

    One analogy to this would be telling people: “Driving can be risky! Don’t believe me - how many accidents did you see on the roads last month? If you don’t want to be involved in an accident, then you’d better hire a limousine whenever you need to travel by car - you can’t possibly arrive safely if you drive yourself!”

    Both of these scenarios are overblown and based on fear and hype.

    I don’t know of a single business or person who has been the victim of a targeted over-the-wire attack on their own system. Small businesses and individuals are more likely to be victims of attacks that target no business or individual in particular.

    Sophisticated hackers aren’t interested in targeting Joe’s Coffee Shop or Jane’s financial information. Hackers gain more by going after the data aggregators (cloud service providers, retailers, credit card processors). Think of the breach at DSW Shoes - the hackers targeted the aggregator’s systems - not the individual shopper’s systems. For this reason, my position is that the average Jane’s data is safer on her own system rather than on an aggregator’s system.

    People should not succumb to the fear and hype surrounding cloud computing. Instead, they should strive to understand the true threat level that they as individuals face and utilize security methods that are appropriate to the risk.
