a central point for collection of information as it relates to cloud computing in the government
Cloud Computing Security
August 2, 2009 at 11:28 am #77040
From the NY Times OP-ED section
July 20, 2009
Lost in the Cloud
By JONATHAN ZITTRAIN
EARLIER this month Google announced a new operating system called Chrome. It’s meant to transform personal computers and handheld devices into single-purpose windows to the Web. This is part of a larger trend: Chrome moves us further away from running code and storing our information on our own PCs toward doing everything online — also known as in “the cloud” — using whatever device is at hand.
Many people consider this development to be as sensible and inevitable as the move from answering machines to voicemail. With your stuff in the cloud, it’s not a catastrophe to lose your laptop, any more than losing your glasses would permanently destroy your vision. In addition, as more and more of our information is gathered from and shared with others — through Facebook, MySpace or Twitter — having it all online can make a lot of sense.
The cloud, however, comes with real dangers.
Some are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody as a compact disc or an MP3 file on your hard drive, you can lose your music if you fall behind on your payments — or if the vendor goes bankrupt or loses interest in the service. Last week Amazon apparently conveyed a publisher’s change-of-heart to owners of its Kindle e-book reader: some purchasers of Orwell’s “1984” found it removed from their devices, with nothing to show for their purchase other than a refund. (Orwell would be amused.)
Worse, data stored online has less privacy protection both in practice and under the law. A hacker recently guessed the password to the personal e-mail account of a Twitter employee, and was thus able to extract the employee’s Google password. That in turn compromised a trove of Twitter’s corporate documents stored too conveniently in the cloud. Before, the bad guys usually needed to get their hands on people’s computers to see their secrets; in today’s cloud all you need is a password.
Thanks in part to the Patriot Act, the federal government has been able to demand some details of your online activities from service providers — and not to tell you about it. There have been thousands of such requests lodged since the law was passed, and the F.B.I.’s own audits have shown that there can be plenty of overreach — perhaps wholly inadvertent — in requests like these.
The cloud can be even more dangerous abroad, as it makes it much easier for authoritarian regimes to spy on their citizens. The Chinese government has used the Chinese version of Skype instant messaging software to monitor text conversations and block undesirable words and phrases. It and other authoritarian regimes routinely monitor all Internet traffic — which, except for e-commerce and banking transactions, is rarely encrypted against prying eyes.
With a little effort and political will, we could solve these problems. Companies could be required under fair practices law to allow your data to be released back to you with just a click so that you can erase your digital footprints or simply take your business (and data) elsewhere. They could also be held to the promises they make about content sold through the cloud: If they sell you an e-book, they can’t take it back or make it less functional later. To increase security, companies that keep their data in the cloud could adopt safer Internet communications and password practices, including the use of biometrics like fingerprints to validate identity.
And some governments can be persuaded — or perhaps required by their independent judiciaries — to treat data entrusted to the cloud with the same level of privacy protection as data held personally. The Supreme Court declared in 1961 that a police search of a rented house for a whiskey still was a violation of the Fourth Amendment privacy rights of the tenant, even though the landlord had given permission for the search. Information stored in the cloud deserves similar safeguards.
But the most difficult challenge — both to grasp and to solve — of the cloud is its effect on our freedom to innovate. The crucial legacy of the personal computer is that anyone can write code for it and give or sell that code to you — and the vendors of the PC and its operating system have no more to say about it than your phone company does about which answering machine you decide to buy. Microsoft might want you to run Word and Internet Explorer, but those had better be good products or you’ll switch with a few mouse clicks to OpenOffice orFirefox.
Promoting competition is only the tip of the iceberg — there are also the thousands of applications so novel that they don’t yet compete with anything. These tend to be produced by tinkerers and hackers. Instant messaging, peer-to-peer file sharing and the Web itself all exist thanks to people out in left field, often writing for fun rather than money, who are able to tempt the rest of us to try out what they’ve done.
This freedom is at risk in the cloud, where the vendor of a platform has much more control over whether and how to let others write new software. Facebook allows outsiders to add functionality to the site but reserves the right to change that policy at any time, to charge a fee for applications, or to de-emphasize or eliminate apps that court controversy or that they simply don’t like. The iPhone’s outside apps act much more as if they’re in the cloud than on your phone: Apple can decide who gets to write code for your phone and which of those offerings will be allowed to run. The company has used this power in ways that Bill Gates never dreamed of when he was the king of Windows: Apple is reported to have censored e-book apps that contain controversial content, eliminated games with political overtones, and blocked uses for the phone that compete with the company’s products.
The market is churning through these issues. Amazon is offering a generic cloud-computing infrastructure so anyone can set up new software on a new Web site without gatekeeping by the likes of Facebook. Google’s Android platform is being used in a new generation of mobile phones with fewer restrictions on outside code. But the dynamics here are complicated. When we vest our activities and identities in one place in the cloud, it takes a lot of dissatisfaction for us to move. And many software developers who once would have been writing whatever they wanted for PCs are simply developing less adventurous, less subversive, less game-changing code under the watchful eyes of Facebook and Apple.
If the market settles into a handful of gated cloud communities whose proprietors control the availability of new code, the time may come to ensure that their platforms do not discriminate. Such a demand could take many forms, from an outright regulatory requirement to a more subtle set of incentives — tax breaks or liability relief — that nudge companies to maintain the kind of openness that earlier allowed them a level playing field on which they could lure users from competing, mighty incumbents.
We’ve only just begun to measure this problem, even as we fly directly into the cloud. That’s not a reason to turn around. But we must make sure the cloud does not hinder the creation of revolutionary software that, like the Web itself, can seem esoteric at first but utterly necessary later.
You must be logged in to reply to this topic.