Adopting cloud computing can mean entrusting data to a third-party vendor. For agencies responsible for personally identifiable information or mission-critical applications, this raises a host of privacy concerns, chief among them the issue of data sovereignty and the question of determining appropriate government and commercial uses of private citizens’ data. This section of the SafeGov.org site analyzes the risks to privacy associated with cloud adoption and explores ongoing means to mitigate them.
Increasingly, companies, hospitals, schools, and other organizations are using cloud service providers (and also other third-party data service providers) to store and process the personal data of their customers, patients, clients, and others. When an entity shares people’s personal data with a cloud service provider, this data is protected in large part through a contract between the organization and the cloud service provider. In many cases, however, these contracts fail to contain key protections of data. Because the consumer is not a direct party to these contracts and often cannot even have access to these contracts, the consumer is often powerless, and the consumer’s interests are often not adequately represented. In this short essay, we argue that there is a remedy in Section 5 of the Federal Trade Commission (FTC) Act that prohibits unfair and deceptive trade practices. Certain key cases from the emerging body of FTC enforcement actions on data protection issues can be read together to create a double-edged set of duties – both on the organizations contracting with cloud service providers and on the cloud service providers themselves. Not only does an organization owe a duty to consumers to appropriately represent their privacy and data security interests in the negotiation, but cloud service providers have an obligation to the consumer as well, and cannot enter into contracts that lack adequate protections and controls.
Monday, April 07, 2014
Education was one of the first areas where privacy was regulated by a federal statute. Passed in the early 1970s, the Family Educational Rights and Privacy Act (FERPA) was on the frontier of federal privacy regulation. But now it is old and ineffective. With the growing public concern about the privacy of student data, states are starting to rev up their engines and become more involved. The result could be game-changing legislation for the multibillion-dollar education technology industry.
Tuesday, March 25, 2014
A California lawsuit suggests the federal government must take stronger steps to protect government data from data mining and user profiling by cloud service providers. In the technology-rich world we live in, it's critical for everyone to understand how their data is processed and used. For the government, it is arguably even more important, given the massive amounts of sensitive citizen data it possesses and stores.
Tuesday, February 18, 2014
In the world of data protection, it’s an old story: Personal data gets shared with a third-party data service provider, and then something goes wrong at the provider.
Participants in this year's Consumer Electronics Show in Las Vegas learned that the Internet is not just for smartphones and tablets anymore. This year's show had smart ovens, cars and crockpots; cameras that take pictures automatically; and devices that track anything from your heart rate to how well you brush your teeth. This is what the technology community calls "the Internet of Things," and many believe it is where consumer technology is headed. Google does, too. That's why it spent $3 billion to acquire Nest's smart thermostats.
Friday, January 31, 2014
Wednesday, January 22, 2014
There is a great Hitchcock movie from years ago, “The Man Who Knew Too Much.” I was thinking about that movie the other day as I read the numerous media articles about the vulnerability of cloud-enabled appliances. From one initial article there was a huge cry related specifically to the apparent hacking of a refrigerator. The reason for the original outcry was the presence of one Internet-connected refrigerator on a published list of devices that had been “hacked.” In particular, this refrigerator was hosting a bot that was used to send spam messages.