FTC questions cloud-computing security

WASHINGTON--Federal regulators on Tuesday met to hear about whether the benefits of cloud computing justify increased regulation, as privacy activists claim, or whether such an approach would do more harm than good.

"We need to be smarter about dealing with technology, and cloud computing is posing (a) risk for us," said Hugh Stephenson, deputy director for international consumer protection at the Federal Trade Commission's Office of International Affairs.

The FTC convened the two-day meeting in its offices here, which follows a series of similar workshops held in previous years on topics like spam, privacy, and behavioral advertising. The agency may file lawsuits to halt "unfair or deceptive acts or practices," meaning that if cloud computing is not unfair or deceptive, the FTC would likely not have jurisdiction.

To secure personal information on the cloud, regulators may have to answer questions such as which entities have jurisdiction over data as it flows across borders, whether governments can access that information as it changes jurisdiction, and whether there is more risk in storing personal information in data centers that belong to a single entity rather than multiple data centers.

The current panoply of laws at the state, national, and international level have had insufficient results; FTC Commissioner Pamela Jones Harbour cited a 2008 PricewaterhouseCoopers information security survey (PDF) in which 71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored.

With data management practices that are not always clear and are subject to change, companies that offer cloud-computing services are steering consumers into dangerous territory, said Marc Rotenberg, executive director of the Electronic Privacy Information Center.

Already, problems of identity theft are skyrocketing, he said, and without more regulation, data management services may experience a collapse analogous to that of the financial sector.

"I predict we are going to experience something very similar with respect to privacy within the emerging information economy," Rotenberg said. "We are going to realize we allowed very similar complex transactions to occur between nontransparent organizations, and we will pay."

Later on Tuesday, EPIC asked the FTC to pull the plug on Gmail, Google Docs, Google Calendar, and the company's other Web apps until government-approved "safeguards are verifiably established."

FTC Commissioner Harbour said at Tuesday's conference that it would be preferable if more than one large company such as Google were responsible for storing personal data.

"I see a lot of overlap between competition analysis and security," she said.

Jane Horvath, senior policy counsel for Google, said "privacy by design is ingrained in our culture, and security is one of our fundamental design principles."

If customers do not feel their data is secure in Google products, nothing prohibits them from transferring their data elsewhere, she said.

"Cloud computing is a very new market place," Horvath said. "As more and more services become available, there will be more and more providers entering this market."

Furthermore, said Kristin Lovejoy, IBM's director of governance and risk management strategy, companies that lease server space from companies like Google to launch their own applications are ultimately responsible for security standards. She also said a large-scale cloud model is easier to secure than a heterogeneous data center.

The cloud-computing sector would benefit, Lovejoy said, from standards similar to the PCI Security Standards, which were formed by major credit card companies to regulate payment account data security.

"We could define for the commercial sector a set of simplistic foundational controls, give them the ability to understand what they must do, and then build on top of that," she said.

In the industry's current state, "we don't know what we need to do, we don't know what we need to protect," Lovejoy said. "The technologies are there but not able to fully help us."

She said IBM is currently developing technology to allow individuals to create profiles to share with third parties, giving consumers the ability to manage elements of their identity. However, she said there is not enough R&D funding for such technology.

"There needs to be innovation around the technologies which push choice to the individuals," Lovejoy said.

While the FTC did not comment directly on any regulatory actions or changes in policy, international regulators said they plan to examine the implications of cloud computing on data security and privacy. The Organization for Economic Co-operation and Development should broach the subject of cloud computing at a meeting in Paris in October, said Michael Donohue, the privacy and information security administrator for the OECD.

This May, the European Union will launch a broad consultation on whether it should consider revising the 1995 data protection directive, said Hana Pechackova, the justice liberty security directorate general for the European Commission.

"We cannot pretend the technologies are the same as they were in 1995," Pechackova said. "Cloud computing and new business models are really challenging our systems. We've heard that the directive may be outdated, but we do not want to step back from our basic principles."

Currently, around 90 percent of organizations in the EU do not engage in transfers of data outside the region, said Billy Hawkes, Ireland's data protection commissioner. Cloud computing is very likely to change that, however.