What Facebook and the CLOUD Act mean for cloud privacy


Enterprises have enough to worry about with the data breaches that seem to occur each week, but now you’re learning that social networking systems are gathering and using all sorts of data about everyone: not only information about you, your friends, and your family, but also about your peers and employees. Some of that information was not knowingly provided to them. Now the CLOUD Act (the Clarifying Lawful Overseas Use of Data Act) has become law to let law enforcement gather your corporate data from servers overseas.

Given this climate, my inbox has been filled with questions from cloud users asking if they should be worried about privacy in the cloud.

There are a few circumstances here to consider.

First, Facebook, Twitter, YouTube, and other social networks are not clouds. They have privacy policies that, for the most part, let them gather data as they wish. Membership is free, so if you don’t like their policies, don’t join their social networks.

But the bigger issue is that Facebook (at least) let others gather user data, and it did not control the use of that data. This is not really a breach, but a flaw in the system. That particular flaw is supposedly closed now, but if you think this issue is localized to a single instance, you’re in for a few more surprises down the road.

Second, the CLOUD Act updated a 1986 law, and now lets law enforcement grab data from overseas servers upon request. This was passed with few questions as part of the $1.3 trillion bill to continue to fund the government that was approved by Congress last month.

So, back to the original question, should you have privacy concerns about the public cloud?

The privacy policies and service-level agreements (SLAs) involved in signing up with a public cloud provider are as different from those involved in signing up for a social network account as the privacy protections involved in signing a business lease vs. signing up for a frequent-flyer program. Just like the business lease company, if a cloud provider tries to gather data from its tenants without their knowledge and is subsequently caught, it will lose those tenants and its reputation and, once the lawsuits are settled, its business.

In fact, I trust data in public clouds more than I do data in private datacenters, where people walk by the server cage all day.

The new CLOUD Act is a bit disturbing. However, unless your enterprise expects to get the attention of law enforcement, it’s not going to affect your cloud privacy. But you can count on somebody or some company getting caught up in mistakes made by the government as a result of the CLOUD Act. It’s almost inevitable.

Scary world? Perhaps. As governments respond to privacy issues in sometimes well-meaning but clumsy ways, you have to keep your eye on what’s best for your company and your company’s data. The public cloud is still the best alternative.