For the London Free Press – July 12, 2010

Read this on Canoe

So-called ‘cloud computing’ can be valuable — but it can also come with risks

Cloud computing – essentially providing computer services over the Internet – is a growing trend.

Ontario’s privacy commissioner recently released a report dealing with privacy issues that arise from the cloud.

There are many definitions and debates over just what cloud computing is, but it entails storing your information and/or running software on computers belonging to others that you access over the Internet.

For example, instead of creating this column using word-processing software installed on a computer in my office and saving it here, it could be created and stored in the cloud from any computer using services such as Google Docs, or Microsoft Office Web apps.

It is a compelling model, as it can provide advantages in cost, simplicity, portability and scalability.

It can, though, pose issues around things like privacy, confidentiality, security, business continuity and disaster recovery. The importance of those issues vary depending on how the particular cloud product works, what it’s used it for, and how mission critical it is.

The privacy commissioner’s discussion paper – Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach – discusses relevant privacy issues.

The report discusses a variety of different models included in the term “cloud.”

The report sheds light on which types of risks are associated with different types of “clouds,” some of which are riskier than others from a privacy and security standpoint.

The decision to use cloud computing is one each individual or business must make bearing in mind the type and sensitivity of their information, how valuable that information might be and whether local copies can be saved.

Since the loss or compromise of sensitive data can be incredibly damaging to an organization, careful consideration is required.

It’s important for organizations to take time to review what type of cloud model they intend to use, and whether it’s adequate from various perspectives, including operational, cost, access and privacy.

The type of data stored by an organization may change over time. Organizations evolve and sensitivities change. Re-evaluation of an organization’s cloud model at regular intervals, or when major projects occur, will help ensure data is kept in an appropriate manner.

The bottom line is that it’s important for anyone using cloud-based services to understand how that particular service operates and what promises it makes concerning privacy, security and continuity of data. The importance of those factors will vary depending on the nature of the information involved, and how critical the service is to the user.

If it is not adequate, either negotiate to make it adequate, or go somewhere else.

This report, and a previous white paper entitled Privacy in the Clouds (both available on the web at ipc.on.ca) are helpful for potential users to understand and deal with privacy issues that arise from the cloud.

They are also useful to help anyone providing cloud-based services deal with privacy issues for their services.

Ideally, providers will design their services to be privacy-friendly from the outset – an approach the commissioner calls “privacy by design.”

The Canadian Privacy Commissioner just invited interested parties to file written submissions on privacy issues surrounding cloud computing.  Also for expressions of interest from anyone wanting to take part in a formal panel discussion in June.

Cloud computing - however one defines it - can be a compelling model, as it can provide advantages in cost, simplicity, and scalability.

It can though, pose issues around things like privacy, confidentiality, security of data, business continuity, and disaster recovery.  The importance of those issues varies depending on how the particular cloud product works, what you use it for, and how mission critical it is.

Fanshawe College is putting on an eMarketing conference March1st entitled “Turning Clicks into Customers“.   The keynote speaker is Mitch Joel, author of  Six Pixels of Separation”.

I’m speaking at a breakout session on “Legal Issues for a Digital World” .

I’ll be commenting on issues including copyright, cloud computing, the Streisand effect, and social media and privacy.   

There are several factors that make digital law different from analogue law.  As I’m putting my presentation together, I’m realizing that the concept of  practical obscurity plays a big role in explaining some of the differences.

That’s the title of my Slaw post for today.  It reads as follows.

The cloud computing, or software as a service model has compelling attributes – such as low cost, ease of use, and scalability. But the downside is that there are issues around the security, integrity, and longevity of both the data and the software behind it.

Google has taken a step in the right direction with its promise that any cloud application it provides will have as a prime directive the ability of the user to pack up their data and take it anywhere, including a competitor.

At least that helps solve the issue of the risk of losing data, as it makes it easier to keep a local backup.

Cory Doctorow has an article in the Guardian entitled Not every cloud has a silver lining that is worth a read.

Cloud computing is a current shiny object.  But its not for everyone, or every application.

The article starts with:

The tech press is full of people who want to tell you how completely awesome life is going to be when everything moves to “the cloud” – that is, when all your important storage, processing and other needs are handled by vast, professionally managed data-centres.

Then goes on to tell how and why the cloud is oversold.

BusinessWeek has an article entitled Busting Cloud Computing Myths that is a worthwhile read for anyone curious about cloud computing.   For example, there is just 1 cloud, and cloud computing always saves you money.

The ultimate conclusion is: “What’s the takeaway? That the cloud isn’t a magic wonderland of carefree computing, but a complex resource that requires understanding and hard work to manage correctly. And that’s no myth. “

For my perspectives on cloud computing, search “cloud” on my blog.

For the London Free Press

Read this on Canoe

TECHNOLOGY: Storing or sharing personal information on remote computers controlled by others is a common practice fraught with potential problems

Cloud computing is touted as the solution to many users’ problems — but is cloud computing itself a problem?

Cloud computing is not bad per se. But users must consider how they are using the technology, and whether contractually or practically, it provides them with enough control over their information.

Cloud computing has been a hot topic in recent months, stirring up strong feelings both from those who support the technology and those who distrust it.

In September 2008, Ontario Privacy Commissioner Ann Cavoukian weighed in on this issue in the white paper Privacy in the Clouds, which we discussed in a previous column (see canton.elegal.ca/ 2008/09/29/cloud-computing-presents-real-concerns-over-privacy-issues).

More recently, the World Privacy Forum released a report entitled Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing. It echoed Cavoukian’s concerns and found that, though the technology is not inherently bad, individual users must be conscious of the potential security and privacy implications and protect themselves accordingly.

The forum attempts to define cloud computing — a concept that almost defies definition — this way: “Cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the Internet or other connections.”

The forum emphasizes the far-reaching implications of cloud computing, which can be used for data-storage sites, video sites, tax-preparation sites, social-networking sites, photography sites and personal health record sites.

The danger of cloud computing comes from the digital footprints that individuals users may leave on the Internet with no idea of how that information is policed, used and distributed.

Various online activities, from sending e-mails and playing games to managing bank accounts and meeting people on social-networking sites, require people to fill out forms and provide personal information. This information can identify the individual and serve as a digital history of everywhere that person has been.

The forum report’s clear underlying message is that users must be diligent in understanding terms of service, how disclosing information to a cloud provider changes their privacy and confidentially rights in that information, and how remotely stored information may not have the legal protection it should have.

The forum also found many legal uncertainties that make it, “difficult to assess the status of information in the cloud as well as the privacy and confidentiality protections available to users.”

The report even suggests, “sharing information with a cloud provider may undermine legally recognized evidentiary privileges.”

Ultimately, the decision to use cloud computing is one each user will have to make, keeping in mind what they are using it for, how important their mission is, how sensitive the information is, who has it, and whether they can keep local copies of it.

CircleID has a post entitled Survey: Cloud Computing ‘No Hype’, But Fear of Security and Control Slowing Adoption which talks about a survey of IT executives on cloud computing.   The survey found that they feel the concept has advantages, but they are not keen to adopt it in the short term because they are concerned about the lack of control and security issues.

Not really a big surprise.   The post is a good summary of the business advantages and issues arisong from cloud computing.

That’s the title of my post on Slaw today.

It reads as follows:

We see the term “cloud computing” a lot these days. Its a term that’s hard to define – like Web 2.0. It essentially means having your software work “out there” somewhere, and/or your data reside “out there” somewhere – rather than on a computer in your own home or office. Think of it as commoditized outsourcing. The term is sometimes used to include SAAS and other concepts, and sometimes in a much more limited way. From a legal point of view, the issues and risks for using any flavour of cloud computing are the same – although the size of the risk and what one can do about it varies.

It is a popular topic, and hailed as the wave of the future and the beginning of the end of the desktop computer. On the other hand, Richard Stallman says cloud computing is a “trap” that is “worse than stupidity”, and Larry Ellison of Oracle says “It’s complete gibberish. It’s insane.” Of course, they both come at the topic with particular viewpoints and agendas.

It does offer some compelling business models. For a sole practictioner or small law office or mobile professional, it offers the possibility of always available computing resources and access to files at a fairly low cost. You don’t have to have a large IT infrastructure to support your practice. It lets others worry about things like hardware, software updates, security issues, and backup. The idea is that those “others” can do those things a lot better than you can, because its their business to deal with it.

On the other hand, we lose control over all that. That means we are dependant on others to ensure our data is secure, private, confidential, backed up and available. The consequences of losing all of one’s data because of some vendor issue can be massive.

Frankly, I have mixed feelings about it. The advantages are compelling. While it is a bit of the flavour of the month now, it is not going away, and will continue to mature. I have some control and trust issues over the cloud. To me it depends on what you are using it for, how mission critical it is, how sensitive the information is, who has it, and whether you can keep local copies.

My own blog is hosted on a third party site, but it is by nature public, so there is no confidential information to be concerned about. And it is set up to automatically send backup copies to me on a regular basis so if something goes wrong at the host, I can take it and set it up somewhere. And its not a mission critical system that prevents me from carrying on business or compromises client service if its not available for short periods.

If lawyers use the cloud to do mission critical work, we should go through the same diligence and documentation review we would do for a client entering an outsource deal. In other words, look at the reputation, history and health of the vendor. Ask about their service level promises, back-up, security, confidentiality safeguards. Ask if you can keep a local backup. And see what their agreement says. To the extent these are low cost commoditized services, it often won’t be worth the vendor’s time to negotiate changes to an agreement – but you can vote with your feet.

Here’s some things to read on the subject.

CBA National article including links to ABA articles on the topic. The National article takes a balanced approach to the issue.

My Free Press article from this week talking about the Ontario Privacy Commissioner’s thoughts on the cloud.

A CNET news article on Oracle’s Larry Ellison’s negative thoughts on the hype. Make sure you watch the video in that article that does a good job explaining what the cloud is and is not.

My blog post from yesterday referring to a Guardian article about Richard Stallman’s (founder of the Free Software foundation) negative thoughts on cloud computing.

An earlier post of mine on the pros and cons of cloud computing including links to a Gigaom post entitled 10 Reasons Enterprises Aren’t Ready to Trust the Cloud and Ernie the Attorney’s thoughts on his goal to operate in “ATM mode”. He wants to keep as much as possible in the cloud – largely based on his Katrina disruptions.

The Guardian published an article entitled Cloud computing is a trap, warns GNU founder Richard Stallman coincidentally on the same day as my Free Press article from yesterday on the topic.

Stallman is quoted as bluntly saying: “It’s stupidity. It’s worse than stupidity: it’s a marketing hype campaign.”

“One reason you should not use web applications to do your computing is that you lose control,” he said. “It’s just as bad as using a proprietary program. Do your own computing on your own computer with your copy of a freedom-respecting program. If you use a proprietary program or somebody else’s web server, you’re defenceless. You’re putty in the hands of whoever developed that software.”

I admit to having some control and trust issues over the cloud.  To me it depends on what you are using it for, how mission critical it is, how sensitive the information is, who has it, and whether you can keep local copies.