Reasonable. Expectation. Of. Privacy.
This morning, my RSS feed reader is chock-full of posts about privacy. Because my interests, as reflected in my reader content, are law and technology, you can bet that the discussions center around law and legal matters on the internet. From questions regarding whether the use of Gmail for your law practice constitutes a violation of ethical rules governing client confidentiality, to lawsuits by Facebook users against Facebook for violating their privacy, to new federal regulations requiring health care providers to notify individuals when their health information is breached, questions abound regarding the degree to which you can lock down or expect to lock down your information.
The gifts the internet has to offer are compelling and the price nearly unbeatable. It is difficult for any business, particularly a solo or small business, to ignore the allure of cloud computing with free, highly developed services and applications like Gmail, Open Office, on-line storage sites and web-synchronized clipping services like Evernote. These tools make it simple to move, store, organize, send and manipulate information.
What is cloud computing, you ask? Apparently this is a valid question – many engage in it on a daily basis without even realizing it. John Foley at InformationWeek has come up with a seven-part definition of the term:
Off-site. A basic principle of cloud computing is that you’re accessing IT resources that are in a data center that’s not your own. That means you don’t buy the servers and storage, someone else does. So-called private clouds are the exception, but forget them for this discussion.
Virtual. IT resources in the cloud can be assembled with drag-and-drop ease. Employing virtualization, cloud service providers let you assemble software stacks of databases, Web servers, operating systems, storage, and networking, then manage them as virtual servers.
On demand. In the cloud, you can add and subtract resources, including number and type of processors, amount of memory, network bandwidth, gigabytes of storage, and 32-bit or 64-bit architectures. You can dial up when you need more, and dial down when you need less.
Subscription style. These tend to be month-to-month deals, often payable by credit card, rather than annual contracts. Amazon charges in intervals of 10 cents per hour for EC2.
Shared. For economies of scale (that’s what cloud computing is all about), many service providers use a multitenant architecture to squeeze workloads from multiple customers onto the same physical machines. It’s just one of the things that distinguish cloud computing from outsourcing and from hosted data centers.
Simple. Many of the cloud services providers — whether they specialize in application hosting, storage, or compute cycles — let you sign up and configure resources in a few minutes, using an interface that you don’t have to be a system administrator to understand.
Web based. Others might make this characteristic #1, but I put it last to make the point that there’s more to cloud computing than the Web. That said, it does involve browser access to hosted data and resources.
In other words, says Foley, cloud computing is on-demand access to virtualized IT resources that are housed outside of your own data center, shared by others, simple to use, paid for via subscription, and accessed over the Web.
So, with all of the benefits an on-line practice has to offer, why not look to the skies? It’s not as if the average citizen has the know-how and means to develop a social network with the reach of a Facebook by setting up their own servers, building applications and then inviting 300 million of their closest friends to connect, share and discuss. It is easy to see the benefits and even easier to don blinders with respect to the drawbacks.
There are drawbacks, of course, and privacy is a big player among them. Many points along the chain can expose or “leak” information. First, your information may not necessarily be your own once it enters the cloud. Read the terms of service (“TOS”) carefully to see just who can get to it and what can be done with it by persons other than you. Next, the location of your information may not be all that easy to identify. David Navetta at InfoSec Compliance advises that “in a cloud environment, geography can lose all meaning.” Not only can your data be spread across services, it can be copied and stored in several locations. Data can even cross physical boundaries the original user never intended to cross. Because it is difficult to pinpoint where the data goes once it leaves the terminal, you realistically can have no concept of how secure that data may be. Thus, heightened obligations may be imposed on a business or practice using the cloud to ensure the security of cloud service providers based on a reasonable awareness of the risks.
On the flip side, security risks are not new and businesses are not completely unfamiliar with the concept. In many ways, humans have been breaking down privacy barriers for years on a societal level. One already can see a breakdown in traditional concepts of privacy in the manner in which people connect and share on the internet. And, like all areas of the law, privacy and security issues will morph as our lives become more virtual and our concepts of privacy change.
Do the benefits outweigh the risks? First the risks must be quantified. The process of risk quantification is alive and well among tech experts, as well as in the courts and legislatures, as groups take up the cause and lawmakers grapple with the boundaries of protection. When in doubt, an attorney can always seek the advice of state ethics committees, but be prepared for answers that may not completely address the questions. With rapidly emerging technologies, any answer can become outdated before the ink has dried.
Then consider the benefits and efficiencies for your clients. Avoid misunderstandings by fully informing yourself and your clients of your process. Many clients may appreciate your considered approach to a modern practice and welcome the service improvements. Many clients also are cloud denizens and already well aware of the concerns. If not, then you can provide an additional service by advising them in this regard.
Bottom line? Don’t take privacy for granted on the internet, but don’t allow a fear of privacy breach to preclude consideration of on-line tools. Educate yourself fully on the global risks of the cloud and the particular limitations of your preferred services. Take all reasonable steps to disclose only what you intend to disclose. Read the TOS and, by all means, keep those drunken cocktail party pictures off your professional networking sites and Flickr.