Thursday, 3 April 2014

How private is your cloud data?

Last week it was reported in the media that Microsoft acknowledged they read the emails of a Hotmail user and, not only that, they are entitled to do so under the terms of service. These are the same terms that cover other Microsoft services including OneDrive, Office 365, Skype and IM.

The acknowledgement comes from the same company that has sustained pressure on Google in its marketing campaign “Scroogled”, where Microsoft claims a key point of difference between its offering and Gmail is the level of privacy. I don’t want to argue the relative merits of one software provider over another or even who is worse; however, I think there is concern when a company that has a long-standing, publicly stated position about privacy acknowledges it is reading private emails. In addition, Microsoft has not apologised as it claims the searches were legal and within the terms of service. Microsoft has, however, committed to improve its privacy policy and increase transparency in the process of accessing customer content.

Amongst the many concerns this raises, one would be the assurance of privacy of data stored in cloud services and offerings. It seems to me there may be a gap between how our privacy is marketed by providers and how the information may be treated (legally within the framework of the terms of service). The Microsoft case highlights the possibility of cloud providers accessing your content on their systems to pursue their own interests and that no privacy should be assumed, which would shake some fundamental assumptions of cloud computing.

In recent years, a lot of progress has been made around cloud security and we are seeing strong adoption of moving critical systems into the cloud. The decision to do this is, of course, predicated on assumptions that the data is secure. The integrity of any cloud provider’s security, and customer data with that, is central to the business model and these companies take it very seriously. As such, in the vast majority of cases the standard terms of service and robust privacy statements are sufficient to protect privacy. However, when entering these agreements and entrusting third parties with your data, careful consideration is required.

This is accentuated where you have multiple relationships with a cloud provider, and by how or if these services are segregated from a legal perspective. For example, if I am in dispute with my preferred cloud provider, it is only the terms of service and privacy statement that legally prevent them from accessing information from customer systems they host (emails, IM, financial information from hosted ERP or backups).

Key takeaway

While it is important to read the terms of service carefully and receive appropriate legal advice, it appears that we cannot take this seriously enough, particularly where critical or sensitive data is involved. In many cases, it is now possible to engage cloud providers and negotiate enterprise agreements that cover the relationship, including privacy of information. I would recommend having this conversation with the cloud provider very early in any engagement.

Struan Hijner – Infrastructure Services Practice Manager