As governments move towards the cloud, they need to be wary of the possibility for significant adverse consequences. National security might be compromised, government integrity eroded and even the safety of public officials threatened, writes Paul Rosenzweig.
Paul Rosenzweig is a senior advisor at the Chertoff Group, a global firm that advises organisations on cyber security matters.
"Someday soon the European Commission will need to confront a growing problem – a potential threat to national security, governmental integrity and even the personal safety of government officials.
The threat, insidious in nature, is not posed by foreign nations. Instead the danger lies in the governments themselves and what they do (or more accurately, what they don’t do) to protect government data from exploitation.
The report concluded that the aggregation of data and the subsequent data analytics potentially intrude on the private rights of European citizens. The report emphasises the need for rules prohibiting the combination of data across services and a requirement that customers be able to automatically anonymise their IP address.
Put another way, the data protection authorities concluded that Google should modify its practices to offer users “an improved control over the combination of data by simplifying and centralising the right to object (opt-out) and by allowing users to choose for which service their data are combined.”
According to the report, in the absence of those steps there would be inadequate protection of personal data for European citizens.
Its findings and conclusions raise equally troubling questions about decisions by governments worldwide to transition their services to the cloud.
The question is not, of course, limited to Google – but this recent data protection report offers a useful insight on the problem and shows how government data is ripe for illicit exploitation.
Any user who stores data in the cloud or uses cloud services and structures must be cognizant of how their service provider protects and stores their data and aware of how, if at all, the service provider can mine the cloud data for its own purposes. That’s true whether the user is an individual, a corporation, or a governmental institution.
Across the world governments are moving services to the cloud. In the United States this is called the “Cloud First” policy. In Europe, Digital Agenda Commissioner Neelie Kroes’ recently launched European Cloud Computing Strategy detailed a broad strategic vision for transitioning to cloud systems on an EU-wide scale.
The vision includes plans for improving interoperability standards; setting up lists of “trustworthy” cloud providers; taking a part in regulating how service level agreements should work; and creating a formalised structure for how governments and other public bodies in the region should procure cloud services.
All to the good – the efficiencies of the cloud are of great value to governments, especially in these times of constrained resources.
But as governments move forward to the cloud they need to be wary of the possibility for significant adverse consequences. National security might be compromised, government integrity eroded and even the safety of public officials threatened.
How? Not by some outside enemy but rather through the analytical use to which their own data – voluntarily given up to the cloud – can be put.
Consider, as just one example of many, the Europol system – a widely regarded success in enhancing the sharing of information and data between and among the European Union’s many law enforcement authorities to prevent and combat all forms of serious international organised crime and terrorism.
The principal way in which it operates is through a computerised system linking the entire continent, which allows the input of, access to and analysis of data including criminal records, warrants and charging instruments.
As EU institutions like Europol move to cloud based services they need to be mindful of the security of this sensitive law enforcement data. Analytic queries might well disclose the existence of a confidential ongoing criminal investigation, for example.
If, as the data protection authorities have said, the use of pervasive analytics on the data of private citizens is problematic, then all the more so is it a challenge for the analytics that might be applied to government data.
The problem can, of course, be solved. Governments can demand that their cloud service providers refrain from analysing the data they collect. But awareness of this problem is only just now coming into focus.
The Commission would be wise to ensure that its many pan-European institutions are protected against indiscriminate data mining and analysis."