Privacy regulators need to carefully consider the needs of organizations as well as consumers and telecom carriers when they make policy in an era of cloud computing, says an executive with a network equipment maker.
“Enterprises will be big consumers of consumer and carrier technology in a way they’ve not been done before,” John Roese, senior vice-president and general manager of Huawei Technologies’ North American research centres, said in an interview Tuesday.
“If that happens the regulatory frameworks need to take into account that, for instance, a law passed to cover cybersecurity that only considered the actions of a carrier might inadvertently cause a huge problem that affects the operations of enterprises or governments.”
“We’re entering an era that where people are, where data lives how they access it and how they structure their entire information experience is going to look a lot different in the future than it looks today,” he said. “We have to pause and consider the fact that the regulatory frameworks might not be in line with how the economics and technology are evolving.”
“What are we trying to protect, and where are we trying to protect it? We have to ask that question in this new era.”
That was the message Roese gave to policy makers and telecom executives Tuesday in a speech at a conference in Ottawa staged by the Canadian branch of the International Institute of Communications. He expanded on his theme in an interview.
To illustrate his point, he noted that many countries or agencies have regulations covering where financial institutions physically have to do backups of personal data. The purpose is to ensure that data doesn’t leave a country. However, in an era when cloud computing is increasing that may not make sense, he said. On the other hand, the ability to access the data may be entirely controllable by a regulator – for example, the data may be encrypted when it leaves the country, but the decryption keys may reside inside the country.
That should meet the spirit of the regulator’s needs, Roese said, while not forbidding the data be allowed into the cloud. But, he added, today it’s a question to be answered.
“As people look to this mobile, distributed, very virtualized environment we’re entering I think there’s a huge number of questions about where can things live? Which laws cover them? It is an absolute, or is it just a piece of the technology that’s potentially impacted by some of the regulatory frameworks? Or do we really need to re-think many of them?”
Another example is that carriers are beginning to develop cloud infrastructures for their internal operations, Roese said, including billing and customer subscription information. However, they will also likely use that same private cloud to run customer applications, Roese said, which will also include personal data. Before software-as-a-service, those streams of data would have been held in separate databases, or, perhaps separate data centres.
“We have to re-think what happens when the architecture changes,” Roese said.
Huawei has been talking about this with industry members and regulators for the past six months, he said. In fact, Roese dropped the idea into the hands of Canadian officials this week while he was in Ottawa.
“I’m not trying to be the omen of doom,” he added. “We still have plenty of time to do it the right way” because cloud computing is still in its early stages. But he wants the industry to understand cloud computing will have a major impact on privacy regulation.
Privacy isn’t dead, he emphasized, but it has to be re-thought.
“When was that last time you heard that Bell or Telus violated your privacy? It happens occasionally, I’m sure.” But, he argued, “you’re more concerned about Facebook and Google doing it. Yet the privacy frameworks in place are artifacts of when the carrier was the only place that had personal information on the Internet, and everything else was some application that lived at the edge.” But that has changed, he pointed out.