Last week it was reported in the media that Microsoft acknowledged they read the emails of a Hotmail user and not only that, they are entitled to do so under the terms of service. These are the same terms that cover other Microsoft services including Onedrive, Office365, Skype and IM.
Amongst the many concerns this raises, one would be the assurance of privacy of data stored in cloud services and offerings. It seems to me there may be a gap between how our privacy is marketed by providers and the how information may be treated (legally within the framework of the terms of service). The Microsoft case highlights the possibility of cloud providers accessing your content on their systems to pursue their own interests and no privacy should be assumed – which would shake some fundamental assumptions of cloud computing.
In recent years, a lot of progress has been made around cloud security and we are seeing strong adoption of moving critical systems into the cloud. The decision to do this is, of course, predicated on assumptions that the data is secure. The integrity of any cloud provider’s security, and customer data with that, is central to the business model and these companies take it very seriously. As such, in the vast majority of cases the standard terms of service and robust privacy statements are sufficient to protect privacy. However, when entering these agreements and entrusting third parties with your data careful consideration is required.
This is accentuated where you have multiple relationships with a cloud provider and how or if these services are segregated from a legal perspective. For example, if I am in dispute with my preferred cloud provider, it is only the terms of service and privacy statement that legally prevents them from accessing information from customer systems they host (emails, IM, financial information from hosted ERP or backups).
While it is important to read the terms of service carefully and receive appropriate legal advice, it appears that we cannot take this seriously enough particularly where critical or sensitive data is involved. In many cases, it is now possible to engage cloud providers and negotiate enterprise agreements that cover the relationship, including privacy of information. I would recommend having this conversation with the cloud provider very early in any engagement.
Struan Hijner – Infrastructure Services Practice Manager