Making A Federal Case Over Cloud Computing

Something got Goliath’s attention. The Federal Trade Commission has gotten involved in an inquiry before the Federal Communications Commission into security and privacy issues surrounding cloud computing that may have wide-reaching ramifications for enterprise and business use of the Web and SaaS.

It all began with the realization that our national broadband access was seriously lacking. In response, several federal laws were passed to encourage broadband development and deployment. The FTC has a degree of jurisdiction over broadband deployment. In the initial inquiry, filed last June, the FCC summarized the underlying rationale as follows:

In the recently passed American Recovery and Reinvestment Act of 2009, the “stimulus” legislation, Congress charged the Department of Agriculture’s Rural Utilities Service and the Department of Commerce’s National Telecommunications and Information Administration with making grants and loans to expand broadband deployment and for other important broadband projects. Congress provided $7.2 billion for this effort, no small sum. But even this level of funding is insufficient to support broadband deployment. With this realization, the Recovery Act charges the Commission to create a national broadband plan. By February 17, 2010, the Commission must and will deliver to Congress a national broadband plan that seeks to ensure that every American has access to broadband capability and establishes clear benchmarks for meeting that goal.

Sounds great. However, under this docket number, as well as two others, the FCC sought further comment on how to deal with disclosure of “confidential” information between “eligible entities” and broadband service providers. In part:

We also seek comment on section 106(h)(2) of the BDIA, which requires eligible entities to treat “any matter that is a trade secret, commercial or financial information, or privileged or confidential, as a record not subject to public disclosure except as otherwise mutually agreed to by the broadband service provider and the eligible entity.” In particular, we seek comment on whether that section is self-effectuating or whether the Commission should take any measures to ensure eligible entities’ compliance with section 106(h)(2). If parties believe that the Commission should adopt safeguards to ensure compliance with section 106(h)(2), then we ask that they describe with specificity the nature of their proposed safeguards.

After workshops on the broader issues surrounding broadband development, including its effect on the general economy, IT and productivity, the public comments began pouring in. The cast of commenting characters is impressive, and includes some high profile corporations, including Alcatel-Lucent, NPR, QUALCOMM, Walt Disney and Microsoft. Much of the information is confidential and not viewable by the public.

Now the FTC has commenced its investigation into privacy, security concerns, identity management systems, log-ons and authentication, mobile computing, and social networking in the context of this broader discussion. A roundtable is scheduled to be held on January 28 on these issues.

How will this resolve? Before the likes of Amazon and Rackspace, big players in the cloud computing sector, start shaking in their boots, consider that the long-term goal should actually benefit those interested in storing in the cloud and utilizing cloud services and tools. Remember my post yesterday about the Internet in 2020? The recent inquiry appears to be another piece in the larger puzzle of transforming the Internet into an entirely new experience. Safety and security issues are a significant part of that process.

While it is possible that the inquiry will expose present insecurities that may affect enterprise and business use of the cloud, my sense is that those insecurities should be exposed, examined, quantified, and, hopefully, eliminated. I applaud the FCC and FTC for getting that ball rolling. Hopefully, cloud providers and businesses using their services are employing the best available tech, and thus mitigating the potential liability for security breaches in the here and now. Down the road, security and best available technology in support of the cloud should be dramatically improved as the direct result of such comments, inquiries, and investigations.

Hat tip to ReadWrite Enterprise

In 20 Years, The Internet Will Get REALLY Interesting

I love reading smart people’s visions for the future. Especially when it involves technology, science, and our dear friend, the Internet. Check out some of the hopes, dreams, and goals shared by leading Internet engineers over at Networkworld, link here. Carolyn Duffy Marson reports on how these brainiacs are rethinking the entire architecture, with the hope of making internet access safer, more reliable, and more widespread – reaching not only to the remote regions of this planet, but to other planets as well. Take THAT, ATT!

These scientists aren’t talking about terabytes, they are speaking in measures of exabytes of information. The research necessary to get us to the Brave New World of 2020 will be funded in part by the U.S. Government (now there is a decent use of our tax dollars). From the article:

Indeed, the United States is building the world’s largest virtual network lab across 14 college campuses and two nationwide backbone networks so that it can engage thousands – perhaps millions – of end users in its experiments.

The motivation behind this massive research is the reality that the Internet is now so enmeshed into our business, financial, and personal lives that a failure from cyberattacks, insufficient networks, and huge data loads would be catastrophic. The Internet that carries our financial networks, our power grid, and our government-to-citizen communications must not fail. The lack of security threatens this system, and our brightest Internet minds are focused on protecting against the very real risks.

The article is a fascinating read and gets into the nuts and bolts of the research. For my purposes, the article is most interesting on two counts: first, the realization that our Internet experience will be vastly different in the short span of a decade and, second, that the powers-that-be realize just how hugely important this network is, how fundamental it will become, and how singularly important internet security and viability is to our international well-being.

Never mind our dreams for 2010: on to 2020 and the tech marvels that await!

Data Security & Compliance

I have noticed a lot of attention paid lately to issues regarding data security and online privacy. Today, from a somewhat unlikely source, I read an article regarding some of the laws affecting how to handle data and privacy issues. David Perkins writes at the Insurance Journal about What to Know About Red Flags, Notification Laws and the Hi Tech Act. The article is not exhaustive, but it does offer a primer for the practitioner interested in where privacy laws are now and where they appear to be headed.

Perkins hits on the Hi-Tech Act, enacted as part of the Stimulus package, which establishes a federal layer of protection for patients. On the one hand, the Act mandates electronic transmission of more patient information, ostensibly to modernize the manipulation of medical information, while at the same time tightening up the notification process in the event of data breach.

Perkins also hits on a broad Massachusetts regulation enacted one year ago, 201 C.M.R. 17.00, which applies to persons anywhere who “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.” Protections are expanded under the regulation and fines can be imposed. At least 44 states have enacted their own data privacy and notification laws and regulations, with mechanisms for fines and penalties.

The “Red Flags Rule” also applies broadly to “financial institutions” and “creditors” with “covered accounts” and addresses the establishment of identity theft protection programs.

Coming down the road is the Data Accountability and Trust Act, which appears imminent. The Act contains notice requirements when data breaches occur and sensitive information is tapped.

The article does not deal with the ethical burdens and additional losses occasioned by data breach in the context of a legal practice. Client confidences are akin to patient privacy; in the case of legal representation, the potential downside of a breach may implicate both the data privacy and notice rules and professional codes of ethics.

While much of the data privacy and notice area remains uncharted, it certainly helps to understand the legislated concerns and the mechanics of how our electronic systems operate in order to assess and address the potential risks.

I’m Not Private. I’m Virtual.

Reasonable. Expectation. Of. Privacy.

This morning, my RSS feed reader is chock-full of posts about privacy. Because my interests, as reflected in my reader content, are law and technology, you can bet that the discussions center around law and legal matters on the internet. From questions regarding whether the use of Gmail for your law practice constitutes violation of ethical rules governing client confidentiality, to lawsuits by Facebook users against Facebook for violating their privacy, to new federal regulations requiring health care providers to notify individuals when their health information is breached, questions abound regarding the degree to which you can lock down or expect to lock down your information.

The gifts the internet has to offer are compelling and the price nearly unbeatable. It is difficult for any business, particularly a solo or small business, to ignore the allure of cloud computing with free, highly developed services and applications like Gmail, Open Office, on-line storage sites and web-synchronized clipping services like Evernote. These tools make it simple to move, store, organize, send and manipulate information.

What is cloud computing, you ask? Apparently this is a valid question – many engage in it on a daily basis without even realizing it. John Foley at InformationWeek has come up with a seven-part definition of the term:

Off-site. A basic principle of cloud computing is that you’re accessing IT resources that are in a data center that’s not your own. That means you don’t buy the servers and storage, someone else does. So-called private clouds are the exception, but forget them for this discussion.

Virtual. IT resources in the cloud can be assembled with drag-and-drop ease. Employing virtualization, cloud service providers let you assemble software stacks of databases, Web servers, operating systems, storage, and networking, then manage them as virtual servers.

On demand. In the cloud, you can add and subtract resources, including number and type of processors, amount of memory, network bandwidth, gigabytes of storage, and 32-bit or 64-bit architectures. You can dial up when you need more, and dial down when you need less.

Subscription style. These tend to be month-to-month deals, often payable by credit card, rather than annual contracts. Amazon charges in intervals of 10 cents per hour for EC2.

Shared. For economies of scale (that’s what cloud computing is all about), many service providers use a multitenant architecture to squeeze workloads from multiple customers onto the same physical machines. It’s just one of the things that distinguish cloud computing from outsourcing and from hosted data centers.

Simple. Many of the cloud services providers — whether they specialize in application hosting, storage, or compute cycles — let you sign up and configure resources in a few minutes, using an interface that you don’t have to be a system administrator to understand.

Web based. Others might make this characteristic #1, but I put it last to make the point that there’s more to cloud computing than the Web. That said, it does involve browser access to hosted data and resources.

In other words, says Foley, cloud computing is on-demand access to virtualized IT resources that are housed outside of your own data center, shared by others, simple to use, paid for via subscription, and accessed over the Web.

So, with all of the benefits an on-line practice has to offer, why not look to the skies? It’s not as if the average citizen has the know-how and means to develop a social network with the reach of a Facebook by setting up their own servers, building applications and then inviting 300 million of their closest friends to connect, share and discuss. It is easy to see the benefits and even easier to don blinders with respect to the drawbacks.

There are drawbacks, of course, and privacy is a big player among them. Many points along the chain can expose or “leak.” First, your information may not necessarily be your own once it enters the cloud. Read the terms of service (“TOS”) carefully to see just who can get to it and what can be done with it by persons other than you. Next, the location of your information may not be all that easy to identify. David Navetta at InfoSec Compliance advises that “in a cloud environment, geography can lose all meaning.” Not only can your data be spread across services, it can be copied and stored in several locations. Data can even cross physical boundaries the original user never intended to cross. Because it is difficult to pinpoint where the data goes once it leaves the terminal, you realistically can have no concept of how secure that data may be. Thus, heightened obligations may be imposed on a business or practice using the cloud to ensure the security of cloud service providers based on a reasonable awareness of the risks.

On the flip side, security risks are not new and businesses are not completely unfamiliar with the concept. In many ways, humans have been breaking down privacy barriers for years on a societal level. One already can see a breakdown in traditional concepts of privacy in the manner in which people connect and share on the internet. And, like all areas of the law, privacy and security issues will morph as our lives become more virtual and our concepts of privacy change.

Do the benefits outweigh the risks? First the risks must be quantified. The process of risk quantification is alive and well among tech experts, as well as in the courts and legislatures, as groups take up the cause and lawmakers grapple with the boundaries of protection. When in doubt, an attorney can always seek the advice of state ethics committees, but be prepared for answers that may not completely address the questions. With rapidly emerging technologies, any answer can become outdated before the ink has dried.

Then consider the benefits and efficiencies for your clients. Avoid misunderstandings by fully informing yourself and your clients of your process. Many clients may appreciate your considered approach to a modern practice and welcome the service improvements. Many clients also are cloud denizens and already well aware of the concerns. If not, then you can provide an additional service by advising them in this regard.

Bottom line? Don’t take privacy for granted on the internet, but don’t allow a fear of privacy breach to preclude consideration of on-line tools. Educate yourself fully on the global risks of the cloud and the particular limitations of your preferred services. Take all reasonable steps to disclose only what you intend to disclose. Read the TOS and, by all means, keep those drunken cocktail party pictures off your professional networking sites and Flickr.

On-Line Transactions: Good. On-Line Insecure Transactions: Bad

It is always nice when the hackers warn you that they are going to strike: next week, security researchers are planning on hacking into your “secure” transactions by intercepting data during an on-line transaction on a site allegedly protected by an SSL certificate.

The dirty deed will be taking place at the Black Hat Security conference in Las Vegas, reports Thomas Claburn at InformationWeek. According to the article, experts Mike Zusman, principal consultant at Intrepidus Group, and Alex Sotirov, an independent security researcher, have found and can exploit a weakness in the browser to conduct what is known as a “man in the middle” attack on sites protected by Extended Validation (EV) Secure Sockets Layer (SSL) certificates. This type of attack entails “sniffing” out the desired data as the data leaves the user’s browser, or via what is called a “browser cache poisoning attack on EV SSL websites.”

The browsers supporting EV SSL? Well, they include the most recent versions of Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, and Opera. I guess that means pretty much all of them.

What does it all mean? It means that while the Advocate advocates adopting the “free”-ly on-line model and the wonders that all of this great technology and access offers, we all, attorneys in particular, need to be mindful of the hazard these security breaches pose. Carefully consider the risks of sharing or storing sensitive data on-line at all times – you never know where the thieves are hiding, even Las Vegas!