In the Information Age, data swirls around like a dust storm. You kick it up using a search engine and stir in more with every Tweet, every status update, and every email. With increasing use of “cloud computing,” where programs like Gmail and Flickr store and process data online, personal information can be everywhere and nowhere at the same time. By storing information in the cloud instead of on a personal computer, you can access files from anywhere with an internet connection and save yourself the hassle of dragging a laptop everywhere. This may mean greater convenience and mobility, but can come at a steep cost: the loss of privacy.
Last October, New York City decided to bring the benefits of cloud computing to 120 of its government agencies. Up to 100,000 city government workers will begin using an online version of Microsoft Office, meaning data will be stored on Microsoft servers instead of municipal hard drives. The move to cyberspace will save an estimated $50 million over the next five years and will expedite information sharing, editing and program updating.
New York City mayor Michael Bloomberg is trumpeting the potential advantages of the new plan, but what about the security of government data in Microsoft’s cloud?
“What you’re talking about is putting your information into the hands of a corporation,” said Tanya Forsheit, a data security lawyer at Info Law Group, a California legal firm focusing on information technology. She adds that
when you transfer information to a third-party, you also transfer the responsibility of protecting that information using the servers of a third party means you no longer have the ability to safeguard the information, as compared to if it were on your own servers.*
The past few months have shown that third-parties aren’t always good at keeping that information safe. Currently, the Federal Communications Commission is investigating the accidental collection of emails, passwords, and other personal information by Google’s Street View cars. Meanwhile, Facebook applications have transmitted names and personal information to advertisers. Even Microsoft got into trouble in February, when Hotmail users attempted to log into their emails but were shown other users’ inboxes by mistake.
“We don’t believe government agencies should be contracting out data storage into the cloud,” said Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, a consumer group. “It’s not safe.”
Storing data on a server may be more risky than on a personal computer, said free software activist Richard Stallman. A personal computer can refuse incoming connections — sort of like a telephone that can make outgoing calls but doesn’t have to accept incoming calls, said Stallman. That’s how it protects itself from would-be hackers. A server’s job, on the other hand, is to accept remote connections in order to provide data and services. This provides opportunities for unauthorized visitors to gain access to sensitive information.
“If not done right, the cloud can be a problem,” said Mladen Vouk, a computer scientist at North Carolina State University. But if it’s done well, he continued, storing data in the cloud can be safer than storing it in a building, since you don’t have to worry about hard-drive crashes or a disgruntled employee walking off with data.
Methods of record-keeping, data storage, and security differ between clouds, and Microsoft and Bloomberg have not disclosed the terms of the agreement. That makes it difficult to engage in an informed discussion regarding the safety of the decision, said Chris Hoff, director of Cloud & Virtualization Solutions at Cisco Systems.
Such secrecy may be a defensive measure, said Meghan McAuley, director of CyberRiskPartners, a company that advises clients on the risks and rewards of cloud dependence. Los Angeles came under heavy criticism last year after publicly releasing its cloud agreement with Google, said McAuley. Security concerns from several of the city’s agencies, including the police department, have significantly delayed L.A.’s move to the cloud.
Eddie Borges, communications officer for New York City’s Department of Information Technology and Telecommunications, said the city has made security a top priority. “It’s not some mom-and-pop business — it’s Microsoft,” he said. “I’m sure if there were security problems, we’d be reading about it in the New York Times.”
Those who remember how Microsoft lost the personal information of nearly 1 million T-Mobile Sidekick phone users last year — including their contact numbers, pictures, and other important information — will perhaps feel less confident in Microsoft’s abilities. Consumer groups like the Privacy Rights Clearinghouse think it’s best for government bodies to wait until cloud computing has a proven track record of security.
Government use of the cloud is new, and several kinks still need to be worked out. “There’s no legal precedent for who’s responsible when something goes wrong in a cloud,” said McAuley. If Microsoft accidentally leaks secret government information the company won’t necessarily be held accountable, she said. Cisco’s Hoff thinks that items like liability can be negotiated in a contract, but guidelines that help federal, state, or city governments make the best security decisions are lacking and “watered-down.”
A security breach in Microsoft’s cloud could have severe consequences for the New York City government and its 8 million citizens, who don’t have the choice of opting-out of the contract. Therefore the government has a heightened responsibility to protect information, said McAuley. Citizens have a right to know which data and government functions are going into the cloud, she said, and how well the information is going to be protected.
“The city needs to be more clear about what this means for the citizens of New York,” she said.
* Correction (January 4th, 2010): The struck-through text incorrectly states that security for data stored in the cloud is always the responsibility of the cloud service provider. Security agreements are made on a case-by-case basis, between the cloud service provider and the client.