Last week it was
reported in the media that Microsoft acknowledged they read the emails of a
Hotmail user and not only that, they are entitled to do so under the terms of
service. These are the same terms that cover other Microsoft services including
OneDrive, Office 365, Skype and IM.
The acknowledgement comes from the same
company that has sustained pressure on Google in its marketing campaign “Scroogled”
where Microsoft claims a key point of difference between its offering and Gmail
is the level of privacy. I don’t want to argue the relative merits of one
software provider over another or even who is worse; however, I think there is
concern when a company that has a long-standing, publicly stated position about
privacy acknowledges it is reading private emails. In addition, Microsoft has
not apologised as it claims the searches were legal and within the terms of
service. Microsoft has, however, committed to improve its privacy policy and
increase transparency in the process of accessing customer content.
Amongst the many concerns this raises, one
would be the assurance of privacy of data stored in cloud services and
offerings. It seems to me there may be a gap between how our privacy is
marketed by providers and how information may be treated (legally within
the framework of the terms of service). The Microsoft case highlights the
possibility of cloud providers accessing your content on their systems to
pursue their own interests and no privacy should be assumed – which would shake
some fundamental assumptions of cloud computing.
In recent years, a lot of progress has been
made around cloud security and we are seeing strong adoption of moving critical
systems into the cloud. The decision to do this is, of course, predicated on
assumptions that the data is secure. The integrity of any cloud provider’s
security, and customer data with that, is central to the business model and
these companies take it very seriously. As such, in the vast majority of cases
the standard terms of service and robust privacy statements are sufficient to
protect privacy. However, when entering these agreements and entrusting third
parties with your data, careful consideration is required.
This is accentuated where you have multiple
relationships with a cloud provider and how or if these services are segregated
from a legal perspective. For example, if I am in dispute with my preferred
cloud provider, it is only the terms of service and privacy statement that
legally prevent them from accessing information from customer systems they
host (emails, IM, financial information from hosted ERP or backups).
Key takeaway
While it is important to read the terms of
service carefully and receive appropriate legal advice, it appears that we
cannot take this seriously enough, particularly where critical or sensitive data
is involved. In many cases, it is now possible to engage cloud providers and
negotiate enterprise agreements that cover the relationship, including privacy
of information. I would recommend having this conversation with the cloud
provider very early in any engagement.