Consumer data stored by cloud computing services should be regulated through a mix of government policies, consumer responsibility, and openness by the cloud providers, according to a panel of cloud companies and consumer advocates speaking at Thursday's privacy roundtable hosted by the Federal Trade Commission.
The panelists debated a variety of issues, including how much should consumers be aware of what happens to their data when it leaves their hands, especially if the cloud provider provisions some services through third parties.
Nicole Ozer, director of technology and civil liberties policy at the American Civil Liberties Union of Northern California, said her team's review of the privacy policies of some cloud providers found that some basic information was either lacking or vague.
Not Enough Clarity for End Users?
"Consumers don't have a clear understanding of who the companies are working with, where the companies are, or how their data is going to be used," Ozer said. For example, one cloud provider's policy states that it is able to use consumer data however it deemed appropriate for a "limited time" but it didn't specify how long that was.
Paul Schwartz, professor of law at the University of California at Berkeley warned against bombarding consumers with a volume of information that they may not be able to comprehend or manage. How useful would it be, for example, for cloud suppliers to share details of all their relationships with third parties that may access data?
Harriet Pearson, chief privacy officer at IBM used the example of how an employee's personal information is used by an organization's HR department. That information is sent out to multiple third parties, such as health insurance providers and their partners in order to provision services to the employee.
"What should HR do?" Pearson asked. "Should they provide to the employee a running track of all of the vendors they use? That's not practical."
"Do I really need to know all the partners of PayPal?" echoed Scott Shipman, chief privacy officer of eBay. He argued that even if consumers had that information, it would be difficult for small businesses to negotiate with big partners of large service providers on the use of personal data.
Where Does Cloud Providers' Responsibility End?
Lindsey Finch, global privacy counsel at Salesforce.com, said primary contractors should be on the hook for how consumer information is used by their partners. "The service provider needs to be accountable," said Finch. "(As a consumer) I can't imagine trying to ensure all of a service provider's contracts are updated. It's the original company that needs to ensure that policies are followed through."
She said Salesforce.com's contract with customers is that that it will only access customer data under certain circumstances.
Schwartz argued that command and control by the government may be the appropriate answer. Self regulation by the providers poses the risk that they may set up rules that suit only themselves.
The panelists also discussed "secondary use" - the use of consumer data that goes beyond what was agreed upon in the customer contract, perhaps by sharing the data with a third-party. Finch said companies are not always clear how the data is used in this way. Beth Givens, founder and director of Privacy Rights Clearinghouse, said that consumer should be given an opt-in option for their data to be used in this way.
Schwartz said the industry should be governed by mandatory guidelines from regulatory authorities and negotiated guidelines. Individual consumers should also be allowed to take class action lawsuits against suppliers who misuse their data.