What is data privacy, and what are companies doing about it? Andy Hamilton, Managing Director of CompanyNet, looks at the issues and considers the implications for the cloud.
Data Privacy vs Data Security
During a number of conversations recently, I have been intrigued to discover that many people still mix up the issues of privacy and security when discussing the public cloud.
Going by dictionary definitions, this should not really be the case, as the two words have clearly different meanings. One theory is that data is still strongly associated with technology.
Additionally, losing data because of an IT issue has been the most prominent concern, leading to a huge focus on backing up, redundancy, co-location and so on.
Since the formation of the huge on-line public cloud data centres that Amazon, Microsoft and others have developed, the fact is that the security of data has long since ceased to be a problem.
Many CIOs have bought into the fact that their enterprise data is actually more secure in the cloud than in their own in-house data rooms, due to the massive investment in redundancy that the big cloud providers have delivered.
Having successfully dealt with the security of data, another much more problematic challenge has arisen, that of the “Sovereignty and Privacy” of the enterprise data.
Risk and Compliance departments are struggling with the concept of allowing enterprise, public sector, and customer data to be hosted in a public cloud.
This struggle has been fuelled by horrendous exposure of activity by sovereign states, such as the US, to access data without seeking permission.
Over the last few years this has had a very negative impact on the perception that our data is safe; not from loss through infrastructure failure but from prying eyes.
Long before the Public Cloud initiative, Microsoft had been investing in Trustworthy Computing, actively infusing trust into each of its products.
Brendon Lynch, Microsoft’s chief privacy officer, says: “We come at privacy from the standpoint that trust is the foundation of the customer relationship.
We also believe it is in our strategic interest to ensure that our customers’ information is protected. We don’t just approach privacy from a legal compliance perspective.
For us, it’s about building, earning and retaining the trust of our customers.”
So, how does that trust aspiration begin to be delivered against the fallout from Edward Snowden’s revelations of NSA activity, whereby it is alleged that this US Government agency is accessing raw data streams, and taking other measures to intercept private information, without seeking judicial approval or otherwise going through normal channels?
Well, firstly, for me, bring on Brad Smith, Microsoft’s Senior VP and General Counsel, who has been very publicly taking on the US government agencies of late.
His method has been to challenge the US courts every time Microsoft receives a demand from a government agency to supply private data held by Microsoft on behalf of a company.
These demands have come attached with a further requirement for Microsoft not to be allowed to contact the enterprise concerned, something which Smith has successfully challenged a number of times by arguing Microsoft’s constitutional rights are being ignored.
I believe this activity is crucial and fundamental to reinforcing the trust that we must be allowed to develop: public cloud providers are proving that the trust placed in them is not just paper-thin or PR words.
Secondly, certainly for EU residents, Microsoft has successfully gained approval under the Article 29 Working Party of the EU Data Protection Directive. Essentially, a working party from all 28 member states of the EU investigated Microsoft’s contractual obligations towards customers for Data Privacy and transmission outside the EU and found them to be meeting EU requirements.
According to Bloomberg, “Under the EU Data Protection Directive (95/46/EC), personal data may be lawfully transmitted out of the European Economic Area only under limited circumstances, including where the European Commission finds a non-EU country’s law adequate to protect privacy.
The U.S. hasn’t been found by the commission to have adequate privacy protections; therefore U.S. companies such as Seattle-based Microsoft must utilize alternatives, such as the U.S.-EU “Safe Harbor” Program or binding corporate rules to move data out of the EEA.”
Brad Smith, again, was quick to announce the EU approval for Article 29: “This is an important week for the protection of our customers’ privacy.
The European Union’s data protection authorities have found that Microsoft’s enterprise cloud contracts meet the high standards of EU privacy law.
This ensures that our customers can use Microsoft services to move data freely through our cloud from Europe to the rest of the world.”
However, again according to Bloomberg, “The Working Party took the opportunity of the Microsoft announcement to “remind all cloud computing providers” that they have an obligation to ensure that their contracts comply with EU privacy law.
It pointed companies to the group’s cloud computing guidance released in July 2012.”
This was an important step forward and something that allows Microsoft a degree of protection from any threat to remove or amend the existing Safe Harbour agreement between the EU and the USA, which has increasingly come under pressure, due in part to the NSA revelations.
Key points on Data Privacy vs Data Security
In summary, for now I see the following key points:
- Data Privacy and Sovereignty are key blockages to Public Cloud adoption by Enterprise.
- Microsoft certainly, and others probably, are taking this very seriously and working publicly to alleviate both the fact and the perception that Enterprise data is not protected.
- As these measures are further reinforced and strengthened by Geo Location of data away from the USA, there will be a gradual and successful build-up of trust; this is essential for the future of Public Cloud computing.
This is a fascinating issue, and one that is currently of huge interest to us at CompanyNet; look out for further blogs on and around this issue.
Can Data Really Be Private Anyway?
For many, data security has long ceased to be a problem in the grand scheme of things. Instead, data privacy has become a primary focus for many people – or rather, how to keep data private.
For a long time these competing ideas seemed to be meshed together in an apparently unbreakable union. Quite simply, data security was the process for ensuring data privacy.
Therefore, as long as data was secure it was private, or at least it seemed that way.
However, in recent years these assumptions have been shaken and stirred somewhat. This has left us to challenge the old assumption and has brought data privacy to the fore, leaving an uncomfortable aftertaste lingering: is our data really private at all?
We live in an age of online surveillance; more than 45% of all websites use some form of analytics and scripting technology to gather personal data in order to understand our behaviour and mine information.
Google, for example, accesses data in private Gmail accounts; Facebook conducts secret experiments on its users, and cookies have ceased to be an afternoon treat.
The revelation that these actions take place has been surprising, perhaps, but it is the actions of NSA whistle-blower Edward Snowden regarding the mass surveillance in Europe by America and Britain that really began to challenge the order of things, and made us re-evaluate the real meaning of data privacy.
Until recently there has been no fine line between which data items should be private and which not. There was, perhaps, a tacit acceptance that only information that was needed, or for which permission had been given, would be shared.
However, Edward Snowden’s exposé has unravelled this assumption, making him a persona non grata with the US government in the process.
This might read in a slightly alarming manner; it is not nice to be reminded that Big Brother really is watching us (and reading our Christmas email to Aunt Muriel!), but there’s good news.
The events of the last two years have pushed the “Sovereignty of Privacy” to the top of the agenda on a worldwide scale. Governments and regulatory bodies in the EU and further afield are investing a lot of energy into defining what private data is, as well as what, and who, has the right to access it.
Right to be Forgotten
The recent “Right to be forgotten” debate comes after a string of changes to EU Data Protection Law and is the latest law to strengthen the power that individuals and companies have over their own personal information.
Following directly on from this ruling, Google has been given 18 months by the Italian data regulator to change how it handles and stores data.
Additionally, significant reform of data protection laws has put the power firmly back into the hands of the individual. In 2012, a major reform of the EU legal framework on the protection of data was proposed.
These proposals are intended to strengthen individuals’ rights. For example, under EU law, personal data can only be gathered legally under strict conditions and for a legitimate purpose. Furthermore, organisations which manage personal data must protect it from misuse.
Simply put, users are no longer prepared to leave the power to access private information open to outside sources and EU law has recognised this.
Microsoft’s Position on Data Privacy
It is not just regulators that have begun to change their attitude to data privacy. Companies like Microsoft are actively trying to make services, like their cloud offering, safe from prying eyes (or at least those without clearance).
The company is the first enterprise cloud provider to receive approval from the EU data protection authorities which is, as Dervish Tayyip, Assistant General Counsel at Microsoft said, “An important development for our customers at a number of different levels.”
By acknowledging that Microsoft’s contractual commitments meet the requirements of the EU’s “model clauses”, Europe’s privacy regulators have essentially said that data stored on the Microsoft cloud is subject to the EU’s privacy standard no matter where the data is actually located.
Significantly, Microsoft has also taken the fight for data privacy a step further. As mentioned in the previous blog, Brad Smith, Microsoft’s Senior VP and General Counsel, has publicly taken on the US courts in their demand for access to foreign data.
He stated his opinion explicitly, in an article for the Wall Street Journal last week, “Microsoft believes you own emails stored in the cloud, and that they have the same privacy protection as paper letters sent by mail.
This means, in our view, that the U.S. government can obtain emails only subject to full legal protections of the Constitution’s Fourth Amendment.”
Undoubtedly there is far more to be said on the issue of data privacy. As the right to access private data wrangles its way through both the European and American courts, we are sure to see more changes brought into place, but the message at the moment seems crystal clear: no person or company should be forced to give access to data; everyone has the right to online privacy.