The privacy commissioner of Canada’s largest province has raised concerns about the use of third parties to host data on the Internet, otherwise known as cloud computing, urging companies to adopt responsible identity management before it’s too late.
In a white paper published Wednesday, Ontario Information and Privacy Commissioner Ann Cavoukian discussed the changing landscape for individual information as software moves to Web-based services from companies such as Google, IBM or Amazon. The 30-page document provides an overview of cloud computing as well as the technological building blocks Cavoukian says are necessary to protect data from those who shouldn’t see it. These building blocks include identity management software based on open standards; federated identity, so that users who register their information with one service are recognized elsewhere; audit tools to track what happens to user data; and policies that stipulate how information will be used in a cloud.
“User-centric private identity management in the Cloud is possible, even when users are no longer in direct possession of their personal data, or no longer in direct contact with the organization(s) that do possess it,” the paper says. “Inevitably, we must also have sufficient trust in those organizations that would supply and accept our identity credentials and our personally identifiable information.”
Cavoukian was presenting the white paper at a conference in Italy Wednesday and was not available for an interview. But cloud computing experts in Canada agreed that privacy and security of personal information is emerging as the most important hurdle vendors must jump in order to attract customers.
“For a lot of these services, especially the free ones, they’ll give you free access to use their environment, but in return you lose all access to what happens to your data,” said Reuven Cohen, principal with IT consulting firm Enomaly in Toronto.
Cohen suggested the term “geopolitical cloud” should be used to describe the kind of jurisdictional quandaries users could face, depending on the services they choose.
“In a lot of ways, you’re limited by the sort of political constraints different countries place on their data,” he said. “The U.S. and their Patriot Act is just one example.”
A number of members who belong to an online cloud computing discussion group were quick to respond to Cavoukian’s white paper when information about it was forwarded to them from ComputerWorld Canada.
“Perhaps it would be interesting to compare with technical and legal approaches and restrictions already in place for third party financial and medical information exchange. These are obviously dealing with ‘sensitive’ information, but arguably all personal information is sensitive to some degree,” said Marlon Pierce. “In addition to technical issues, Cloud computing introduces legal challenges as sensitive information can move across borders between countries with different applicable privacy laws.”
Mark Ashford, a consultant based in Toronto, said cloud computing was just a new version of an existing issue around privacy, not a new one.
“Back in the mid-’90s I worked on a disaster recovery plan for one of the major banks where client data would be removed from Canada, used at a U.S. backup site, and then had to be repatriated each night. The repatriation was a Bank of Canada requirement at the time – it may still be,” he said. “Conventional Web hosts such as Bluegenesis operate in Canada, the U.S., and the UK. When we had that power outage a few years back, they told me all the Canadian sites were relocated to the U.S. data centre when it was apparent the outage would be more than a few hours. And load could be shared with the UK if necessary.”
Cavoukian’s white paper was presented at the First International Workshop on Identity in the Information Society.