The Canadian Privacy Commissioner just invited interested parties to file written submissions on privacy issues surrounding cloud computing.  Also for expressions of interest from anyone wanting to take part in a formal panel discussion in June.

Cloud computing - however one defines it - can be a compelling model, as it can provide advantages in cost, simplicity, and scalability.

It can though, pose issues around things like privacy, confidentiality, security of data, business continuity, and disaster recovery.  The importance of those issues varies depending on how the particular cloud product works, what you use it for, and how mission critical it is.

Fanshawe College is putting on an eMarketing conference March1st entitled “Turning Clicks into Customers“.   The keynote speaker is Mitch Joel, author of  Six Pixels of Separation”.

I’m speaking at a breakout session on “Legal Issues for a Digital World” .

I’ll be commenting on issues including copyright, cloud computing, the Streisand effect, and social media and privacy.   

There are several factors that make digital law different from analogue law.  As I’m putting my presentation together, I’m realizing that the concept of  practical obscurity plays a big role in explaining some of the differences.

That’s the title of my Slaw post for today.  It reads as follows.

The cloud computing, or software as a service model has compelling attributes – such as low cost, ease of use, and scalability. But the downside is that there are issues around the security, integrity, and longevity of both the data and the software behind it.

Google has taken a step in the right direction with its promise that any cloud application it provides will have as a prime directive the ability of the user to pack up their data and take it anywhere, including a competitor.

At least that helps solve the issue of the risk of losing data, as it makes it easier to keep a local backup.

Cory Doctorow has an article in the Guardian entitled Not every cloud has a silver lining that is worth a read.

Cloud computing is a current shiny object.  But its not for everyone, or every application.

The article starts with:

The tech press is full of people who want to tell you how completely awesome life is going to be when everything moves to “the cloud” – that is, when all your important storage, processing and other needs are handled by vast, professionally managed data-centres.

Then goes on to tell how and why the cloud is oversold.

BusinessWeek has an article entitled Busting Cloud Computing Myths that is a worthwhile read for anyone curious about cloud computing.   For example, there is just 1 cloud, and cloud computing always saves you money.

The ultimate conclusion is: “What’s the takeaway? That the cloud isn’t a magic wonderland of carefree computing, but a complex resource that requires understanding and hard work to manage correctly. And that’s no myth. “

For my perspectives on cloud computing, search “cloud” on my blog.

For the London Free Press

Read this on Canoe

TECHNOLOGY: Storing or sharing personal information on remote computers controlled by others is a common practice fraught with potential problems

Cloud computing is touted as the solution to many users’ problems — but is cloud computing itself a problem?

Cloud computing is not bad per se. But users must consider how they are using the technology, and whether contractually or practically, it provides them with enough control over their information.

Cloud computing has been a hot topic in recent months, stirring up strong feelings both from those who support the technology and those who distrust it.

In September 2008, Ontario Privacy Commissioner Ann Cavoukian weighed in on this issue in the white paper Privacy in the Clouds, which we discussed in a previous column (see canton.elegal.ca/ 2008/09/29/cloud-computing-presents-real-concerns-over-privacy-issues).

More recently, the World Privacy Forum released a report entitled Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing. It echoed Cavoukian’s concerns and found that, though the technology is not inherently bad, individual users must be conscious of the potential security and privacy implications and protect themselves accordingly.

The forum attempts to define cloud computing — a concept that almost defies definition — this way: “Cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the Internet or other connections.”

The forum emphasizes the far-reaching implications of cloud computing, which can be used for data-storage sites, video sites, tax-preparation sites, social-networking sites, photography sites and personal health record sites.

The danger of cloud computing comes from the digital footprints that individuals users may leave on the Internet with no idea of how that information is policed, used and distributed.

Various online activities, from sending e-mails and playing games to managing bank accounts and meeting people on social-networking sites, require people to fill out forms and provide personal information. This information can identify the individual and serve as a digital history of everywhere that person has been.

The forum report’s clear underlying message is that users must be diligent in understanding terms of service, how disclosing information to a cloud provider changes their privacy and confidentially rights in that information, and how remotely stored information may not have the legal protection it should have.

The forum also found many legal uncertainties that make it, “difficult to assess the status of information in the cloud as well as the privacy and confidentiality protections available to users.”

The report even suggests, “sharing information with a cloud provider may undermine legally recognized evidentiary privileges.”

Ultimately, the decision to use cloud computing is one each user will have to make, keeping in mind what they are using it for, how important their mission is, how sensitive the information is, who has it, and whether they can keep local copies of it.

CircleID has a post entitled Survey: Cloud Computing ‘No Hype’, But Fear of Security and Control Slowing Adoption which talks about a survey of IT executives on cloud computing.   The survey found that they feel the concept has advantages, but they are not keen to adopt it in the short term because they are concerned about the lack of control and security issues.

Not really a big surprise.   The post is a good summary of the business advantages and issues arisong from cloud computing.

That’s the title of my post on Slaw today.

It reads as follows:

We see the term “cloud computing” a lot these days. Its a term that’s hard to define – like Web 2.0. It essentially means having your software work “out there” somewhere, and/or your data reside “out there” somewhere – rather than on a computer in your own home or office. Think of it as commoditized outsourcing. The term is sometimes used to include SAAS and other concepts, and sometimes in a much more limited way. From a legal point of view, the issues and risks for using any flavour of cloud computing are the same – although the size of the risk and what one can do about it varies.

It is a popular topic, and hailed as the wave of the future and the beginning of the end of the desktop computer. On the other hand, Richard Stallman says cloud computing is a “trap” that is “worse than stupidity”, and Larry Ellison of Oracle says “It’s complete gibberish. It’s insane.” Of course, they both come at the topic with particular viewpoints and agendas.

It does offer some compelling business models. For a sole practictioner or small law office or mobile professional, it offers the possibility of always available computing resources and access to files at a fairly low cost. You don’t have to have a large IT infrastructure to support your practice. It lets others worry about things like hardware, software updates, security issues, and backup. The idea is that those “others” can do those things a lot better than you can, because its their business to deal with it.

On the other hand, we lose control over all that. That means we are dependant on others to ensure our data is secure, private, confidential, backed up and available. The consequences of losing all of one’s data because of some vendor issue can be massive.

Frankly, I have mixed feelings about it. The advantages are compelling. While it is a bit of the flavour of the month now, it is not going away, and will continue to mature. I have some control and trust issues over the cloud. To me it depends on what you are using it for, how mission critical it is, how sensitive the information is, who has it, and whether you can keep local copies.

My own blog is hosted on a third party site, but it is by nature public, so there is no confidential information to be concerned about. And it is set up to automatically send backup copies to me on a regular basis so if something goes wrong at the host, I can take it and set it up somewhere. And its not a mission critical system that prevents me from carrying on business or compromises client service if its not available for short periods.

If lawyers use the cloud to do mission critical work, we should go through the same diligence and documentation review we would do for a client entering an outsource deal. In other words, look at the reputation, history and health of the vendor. Ask about their service level promises, back-up, security, confidentiality safeguards. Ask if you can keep a local backup. And see what their agreement says. To the extent these are low cost commoditized services, it often won’t be worth the vendor’s time to negotiate changes to an agreement – but you can vote with your feet.

Here’s some things to read on the subject.

CBA National article including links to ABA articles on the topic. The National article takes a balanced approach to the issue.

My Free Press article from this week talking about the Ontario Privacy Commissioner’s thoughts on the cloud.

A CNET news article on Oracle’s Larry Ellison’s negative thoughts on the hype. Make sure you watch the video in that article that does a good job explaining what the cloud is and is not.

My blog post from yesterday referring to a Guardian article about Richard Stallman’s (founder of the Free Software foundation) negative thoughts on cloud computing.

An earlier post of mine on the pros and cons of cloud computing including links to a Gigaom post entitled 10 Reasons Enterprises Aren’t Ready to Trust the Cloud and Ernie the Attorney’s thoughts on his goal to operate in “ATM mode”. He wants to keep as much as possible in the cloud – largely based on his Katrina disruptions.

The Guardian published an article entitled Cloud computing is a trap, warns GNU founder Richard Stallman coincidentally on the same day as my Free Press article from yesterday on the topic.

Stallman is quoted as bluntly saying: “It’s stupidity. It’s worse than stupidity: it’s a marketing hype campaign.”

“One reason you should not use web applications to do your computing is that you lose control,” he said. “It’s just as bad as using a proprietary program. Do your own computing on your own computer with your copy of a freedom-respecting program. If you use a proprietary program or somebody else’s web server, you’re defenceless. You’re putty in the hands of whoever developed that software.”

I admit to having some control and trust issues over the cloud.  To me it depends on what you are using it for, how mission critical it is, how sensitive the information is, who has it, and whether you can keep local copies. 

For the London Free Press – September 29, 2008

Read this on Canoe

We are moving into “cloud” computing, where users increasingly rely on data and software residing somewhere out there on the Internet.

That means we have little direct knowledge of, involvement with or control over the data or its location. And since that data inevitably includes personal information, it raises information security and privacy issues.

Use of the cloud has moved beyond e-mail such as Hotmail to include applications such as Google Apps for word-processing and social networking sites such as Facebook. And increasingly, it means our data is not only processed, but stored in cyberspace.

This is true for business as well as personal applications.

Cloud computing promises flexibility, better reliability and security, enhanced collaboration, portability and simpler devices. It lets Internet users use servers, storage systems and computing power in multiple locations.

But it also means leaving digital footprints all over the Internet, in places where we have no idea how information is policed.

Ontario Privacy Commissioner Ann Cavoukian weighed in on this issue in the recent white paper, Privacy in the Clouds.

“It will not be possible to realize the full potential of the next generation of the Internet or Cloud Computing without developing better ways of establishing digital identity and protecting privacy,” she wrote.

Cavoukian believes the answer is a flexible, user-centric identity management system with open standards and community-driven interoperability.

In other words, a system where we can log on to a tool that establishes who we are, then use it to identify us to services. We could then use services anonymously, or control how much the service knows about us to minimize risk of identity theft or fraud.

It would help eliminate the many logins and passwords that plague us today. A flexible system would take in any device reaching the Internet, such as Blackberries or game consoles.

A standard approach would also make it easier and cheaper for cloud service providers to authenticate its users, build trust in its privacy and security promises, and cut the risk of security breaches by limiting the personal information they keep.

Such services are starting to appear, but are not yet universally accepted.