Panel: Security, Privacy and Accountability
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the ICCP Technology Foresight Forum on Cloud Computing
October 14, 2009
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
While much of the discussion heard today has concentrated on the business of cloud computing – whether business models, technical implementation or security measures – I think it would be useful to draw our attention back to the individual.
Not the individual as a generic user or a stereotyped customer, but an individual as defined by the information available about them online: their personal information, their past choices on e-commerce sites, and the inferences drawn as a result of their behavior while online.
It is clear from today’s discussion that cloud computing remains an industry experiencing growing pains. Those among the audience responsible for developing cloud computing solutions can still find many things to debate, from costs to customer requirements to security options.
It shouldn’t be a surprise that the individual slowly being enveloped by this cloud can sometimes become confused about how his/her data is being managed and protected. This can apply to an individual creating an account with a free application served by cloud resources, like Gmail or Hotmail, or an individual generally unaware that their information is being stored in a cloud environment by a service provider.
In either circumstance, we have seen that some of these individuals to become angry if they discover their data has been exposed or even lost while stored on a cloud.
Not to mention if they become subject to legal proceedings as a result of their information being available on a cloud, whether as a result of surveillance, court-ordered disclosure, or more wide-ranging national security powers.
In each of these scenarios, the individual would likely feel their trust has been betrayed. The relationship they believed they had established with a service supplier delivered unexpected and unwanted consequences.
This is true even if there are no obvious economic or social consequences. It’s common for online users to gripe each and every time a service like Gmail or Twitter isn’t available ... even for a few minutes. And these are free services!
Clearly, some individuals will not accept copyright obligations, network stability or simple human error as justification for disruptions or loss in the cloud.
This new form of democratic consumerism challenges both corporations and range of regulatory traditions. An emerging segment of the marketplace and the electorate is demanding a rich continuous feed of free information, services and storage capacity.
Their initial tendency to trust the standards of operation for could phenomena like social networking sites can quickly turn to vociferous rejection and migration to a competitor if they feel their privacy or security are vulnerable.
To many of the same people, knowing their personal information – and other less sensitive data – is being transferred to third parties can be unsettling. Even where a relationship between the cloud service provider and third parties is governed by strong contractual commitments, it must be clearly explained to the individual.
This was evident during our recent investigation of Facebook. The popular social network was accused in a complaint of giving third party application providers virtually unrestricted access to the information available in a user’s profile.
Our investigation found that these are providers whose reliability is largely untested – and any testing process is certainly not transparent to Facebook members. As we spoke to members, they continued to be surprised that such access was available – especially since they believed the company had been taking steps to further protect their privacy.
In another current file, and in what some online users have seen as an unnecessarily cautious reaction to a largely popular cloud computing application, our Office has pursued a dialogue with Google about its Street View service.
From the moment we saw the first images available online in the United States two years ago, we have had questions about the consent, collection, and retention policies surrounding Street View images in Canada. While we continue to speak to Google about the service, we have seen movement on their part to address our concerns – and the law in our country.
I understand other national standards, such as those of Switzerland, raise issues of the application of data protection standards as well.
Importantly, while cloud computing allows services to be provided virtually anywhere around the globe, cloud service providers should not discount the rights held by users in different jurisdictions. In the case of Facebook, we established that the company was subject to our legislation, because of the 12 million Facebook users living in Canada.
The examples I have cited emphasize the necessity for the appropriate application of the fair information principles. Thankfully, many of the global data protection laws are built upon these principles, and impose similar requirements upon companies collecting personal information whether inside or outside the cloud.
In addition to the principles, corporate accountability for data is ingrained in Canada’s own private sector privacy legislation. This is evident when it comes to trans-border data flows. We have provided guidelines that clarify how we expect information to be treated when it crosses international borders – through contracts that ensure the privacy rights of Canadians are transferred alongside the information.
Accountability, rather than geographical limits, is the basic model for Canadian data protection. This model brings the advantages of flexibility and low compliance overhead for corporations whose profits derive from innovation. But accountability also means that use of Canadian’s personal information must meet Canadian legal standards, where ever in the cloud this may be happening.
I and my colleagues in the privacy community do not explicitly seek to slow innovation. We do, however, work diligently to ensure already established individual privacy rights are respected throughout many jurisdictions. Hence the importance of shared standards and cross-border enforcement.
We consider our work with the OECD, APEC and other private sector groups to be essential to the protection of these rights. Joint research and coordinated enforcement activities can all help establish a common baseline for privacy and data protection around the globe.
I am encouraged by recent commendable efforts to move towards a set of common global privacy standards, a movement which is happily gaining momentum.
I believe common privacy approaches, well communicated and appropriately enforced, will only encourage the growth of responsible cloud computing applications, innovation and competition, while furthering prosperity in our information economies.
- Date modified: