Privacy in the Clouds

By Markus Klems

Ann Cavoukian wrote a great paper: “Privacy in the Clouds. A White Paper on Privacy and Digital Identity: Implications for the Internet” [Source]

Informational self-determination in a cloud world

She starts with the definition of informational self-determination:

Informational self-determination refers to the ability of individuals to exercise personal control over the collection, use and disclosure of their personal information by others. It forms the basis of modern privacy laws and practices around the world.

Ann then gives an excellent overview of the power and promises of cloud computing:

  1. Limitless flexibility: distributing services in the cloud creates new opportunities to combine and customize them into more complex services (standardized interfaces assumed)
  2. Better reliability and security: the Internet will still work even if your hard drive crashes or your laptop is stolen (although there are concerns that the Internet might not)
  3. Enhanced collaboration
  4. Portability
  5. Simpler devices: storage and processing are done in the cloud, thus pushing thin client systems

The shift of private (and business) data into the cloud – i.e. the Web – where it is processed and stored raises new questions with respect to privacy and security. Ann argues that the cloud world of tomorrow needs wider adoption of shared identity management services (like OpenID). This is necessary due to the various challenges that ubiquitous computing poses, such as device-independent sign-on mechanisms. Moreover, by using a user-centric identity service the user gains control over his personal information, thus mitigating the risk of identity theft and fraud.

Creating a user-centric identity management infrastructure

The goal of a flexible, user-centric identity management infrastructure must be to allow the user to quickly determine what information will be revealed to which parties and for what purposes, how trustworthy those parties are and how they will handle the information, and what the consequences of sharing their information will be.

Do you trust the cloud?

Ann Cavoukian finally comes to the key question: how can we trust the people that hold our data in the cloud? She distinguishes four technological dimensions:

  1. Trust the data to behave: use privacy enhancing technologies to attach rights, conditions and preferences to the identity data
  2. Trust the personal device to interface and act on our behalf
  3. Trust the intelligent software agent to behave
  4. Trust intermediary identity providers to behave

Evidently the last point is the most critical. Even if the intermediary gave us up-to-the-minute security and privacy status reports, we still could not be sure what it is really doing with our data. At this point it would have been interesting to discuss PKI/PMI and trust models, such as the Web of Trust.
