Privacy in the Cloud: Stand up for your Rights!

Do companies storing your data truly have your best interests in mind? With the Obama administration making it a priority to create a new "Privacy Bill of Rights" - it’s a question worth asking. Every time you upload your documents to the public cloud, you’re making a handshake deal with a group of strangers whose faces you can’t see. While IT departments of most cloud storage companies promise to save you labor and money in exchange for them storing and protecting your data, this agreement has some important loopholes that can no longer be overlooked.

The only indication of a cloud provider’s trustworthiness is usually a written guarantee containing ambiguous phrases such as “employees are prohibited from viewing the content of files you store in your … account.” This example, taken from Dropbox (News - Alert), indicates that that while employees aren’t supposed to see your content, they still can if they feel like breaking company protocol or if an authority like the governmental orders them to. Your privacy isn’t actually guaranteed.

Now is Not the Time for a Soft Stance on Privacy

Data breaches have skyrocketed. More than 368 million online records were compromised in 2011, the highest annual loss on record, according to the Data Breach Intelligence report by Risk Based Security . 76 percent of data breaches happened on the server level, with user devices, such as laptops and mobile devices, in second place, the Verizon RISK 2011 Data Breach Investigations Report found. Insiders and misuse of privileges were behind 17 percent of abuses, with “more incidents involving theft of classified information, intellectual property, and other sensitive organizational data than ever before.”

Some very public examples of this kind of theft happened last year. In early 2011, a former Microsoft (News - Alert) market development manager pilfered roughly 25,000 pages of confidential strategy documents and took them to his new employer, CRM rival Salesforce.com . Sony didn’t encrypt its users’ personal data, leaving an estimated 100 million users’ personal information free for the taking when its servers were repeatedly hacked.

Transparency is Key to Taking Privacy Seriously

Obama’s recent Consumer Privacy Bill of Rights states that:

Strong privacy protections … are critical to sustaining the trust that nurtures Internet commerce and fuels innovation. Trust means the companies and technical systems on which we depend meet our expectations for privacy, security, and reliability.

Yet who truly wants to admit that they’re putting user data at risk? “Simple, not terribly secure file sharing from anywhere” doesn’t make for a very good tag (News - Alert) line. In order to ensure proper protections for everybody, all companies who deal in user data, from cloud providers to search engines, must take the Privacy Bill of Rights to its word and give consumers the right “to easily understandable and accessible information about privacy and security practices.”

What Does True Privacy Look Like?

The key to resolving the privacy crisis is for companies to be completely transparent about their privacy policies. Users should easily be able to find and understand the answers to the following questions:

• Is the company collecting personally identifiable information? If so, why are they collecting it, when do they collect it, and how are they using it?
• When does the company’s website share personally-identifiable information with third parties, and why?
• Which non-identifiable information is the website tracking? How is it being used?
• Which national and international standards does the website comply with?

Cloud providers in particular should:

• Encrypt data locally before being uploaded to the cloud, as well as during transfer and storage. Most cloud providers only encrypt data when it reaches their servers.
• Never store plaintext versions of user passwords or encryption keys. That way, not even company employees can see user content, whether file sizes, folder names or user passwords. 
• Offer a two-factor authentication option for enhanced security.

These standards should apply to all devices and be set up in a way that doesn’t compromise performance. Syncing, sharing and backup should remain fast and intuitive, offering users the ease of use that attracted them to the cloud in the first place, but without the half-baked privacy policies.

Tackling the Privacy Problem: Clear Privacy Policies

If websites don’t adhere to high standards that respect and protect users, the privacy problem is only going to grow. More users will adopt the public cloud, while breaches and government requests — even Google (News - Alert) admitted in its most recent report that government removal requests were up 70 percent— continue to creep upwards.

Staying completely private and maintaining a service that users love isn’t rocket science. It just requires more effort and foresight than companies are currently employing. Only when companies finally begin to take privacy seriously will the Internet grow and advance, rather than stagnate in a pool of secrecy.