Local Rules and the Need for Online Privacy: Clearing Away the Clouds

If you’re debating the use of the cloud and offsite hosting, whether for backup, hosting virtual servers, or whatever, there is a lot more than just networking technology to worry about. Or rather, you may need to worry about the technology in ways that you didn’t expect.

The reason is differing local rules and the potential for culture clash, especially — but not only — in areas such as online privacy and regulatory compliance. Anyone responsible for the movement of data across national borders, whether on the WAN or in the cloud, needs to pay attention to these; indeed, you should probably be looking for the highest common denominator, not only because it is where we will all most probably end up but because it makes commercial sense.

Cloudy motives

As my friend Clive Longbottom pointed out here the other week, some Europeans have expressed considerable concern over the recent renewal of the snappily-named US Foreign Intelligence Surveillance Act Amendments Act. Among other things, this gives US government agencies warrantless access to data held on US-owned servers by pretty much anyone outside the US — foreigners, of course, have no Fourth Amendment rights against unreasonable searches and seizures. These powers may have been voted in to fight crime and terrorism, but the fear is that they will also be abused by trusted insiders, hacked into by criminals, or used for economic and industrial espionage.

Of course, some European institutions have been aware for years now of the potential threat of this and the USA PATRIOT Act. It’s one reason why there are European-owned cloud providers guaranteeing European-based hosting. At a meeting a couple of years back, IBM UK executives admitted that it means they cannot offer IBM cloud services to some clients — instead, IBM refers such customers to European business partners who offer their own cloud hosting. Microsoft has said much the same, admitting that as a US-headquartered company, its servers in the EU would still be vulnerable to US government snooping.

Another side of online privacy is European legislation, in particular, the EU’s data protection rules. The EU views data protection as a fundamental right, an attitude that can be problematic for companies used to a more relaxed privacy regime — especially those for whom our personal data is primarily a better way to target advertising or sales. And the EU’s Safe Harbor treaty with the US means that EU rules can apply to data held in the US by US companies too.

Is privacy dead?

You might wonder whether we should worry about this at all in an age when many people believe that technology is making privacy obsolete, and when in survey after survey, a significant number of people will hand over a password or even an ATM PIN in return for a bar of chocolate and entry into a prize draw.

Privacy does matter though. Quite apart from the risks of identity theft at the individual level, there are also major commercial risks, ranging from the obvious ones such as theft of intellectual property and other commercial secrets to the use of confidential data in online frauds and scams.

And just because some companies working in the information economy regard our personal data as their stock in trade, that doesn’t mean things won’t change. Although the US is often seen from outside as laissez-faire on privacy, that is certainly not true across the board — the healthcare sector is extensively regulated by HIPAA for example, while the financial sector has rules such as Gramm-Leach-Bliley and the Fair Credit Reporting Act.

There are new rules and regulations coming up too. For instance, in many sectors, it is already considered good security policy to keep personally identifiable information (PII) data to a minimum and delete it when it is no longer needed, not least because this should limit your liabilities in case of a data breach. Similarly, anyone accepting credit cards must comply with the PCI (Payment Card Industry) security standards, and one of the PCI’s key messages is “If you don’t need it, don’t store it!”

Designing for data protection

And then there are US proposals such as the (stalled) 2011 Kerry-McCain Commercial Privacy Bill of Rights and the privacy framework published last year by the FTC. Both of these call for limits on consumer data collection and retention, and the FTC also advises companies to design for data privacy and choice.

Some have expressed concern over these proposals, arguing that data is the lifeblood of the web and that they could stifle US innovation and growth. This assumes of course that EU regulation makes Europe unattractive to startups — an idea which may seem strange to the residents of London, Berlin, Barcelona and several other cities — and that it is regulation rather than any of a dozen other cultural or financial factors which leads European innovators to look across the Atlantic for growth.

The fact is, though, that these rules exist and they are not going away — most probably quite the opposite. Good data protection and privacy best practices will, therefore, be everyone’s business, so your networks and systems need to be specified and designed with that in mind: technology is key here, but it is also just the starting point.

Image credit: opensourceway (flickr) – CC-BY-SA