For those who follow government computing trends, the biggest story of 2012 in the U.S. has been the accelerating adoption of cloud services by Federal agencies as well as by State and Local governments. This growth has been fostered in large part by the admirably proactive stance in favor of cloud taken by the White House’s Office of Management and Budget (OMB). It has also been propelled by the FedRAMP program, which streamlines the procedures used to vet the security features of commercial cloud solutions. At SafeGov we enthusiastically endorse this trend and look forward to the cost savings and improvements in citizen services it will bring to all levels of government.
But while U.S. government use of cloud services surges, U.S. regulators have paid relatively little attention to the emerging issue of data confidentiality in the cloud. The focus of Federal cloud standardization efforts such as the NIST requirements built into FedRAMP has been data security, not privacy and confidentiality. In Europe, however, the picture looks very different. The European public sector is approaching the cloud with caution: governments are keenly interested in the potential benefits, but have not yet issued the kind of top-down mandate for rapid migration that we’ve seen in the U.S. At the same time, European regulators are much further along the path toward a modernized regulatory regime for cloud computing.
Privacy advocates on both sides of the Atlantic have objected to this business model on the grounds that web users are not informed that they are being tracked in this manner and are not given the opportunity to opt out. We also note that the European DPAs asked Google to delay implementation of the policy until it could be investigated, but Google declined. SafeGov itself does not take a position on business models deployed by consumer advertising firms. We recognize that opinions on this difficult and sensitive question will differ. Web advertising (which does not necessarily require hidden user tracking) can be a healthy form of technological innovation that offers significant benefits to consumers.
However, our contributing experts have pointed out on many occasions that the kind of stealthy user profiling and systematic data mining of user content that has become the norm on the consumer web is absolutely unacceptable when performed in cloud services provided under contract to governments or schools. I believe that our experts who have spoken out on this issue are on solid ground. Imagine for example that a cloud provider decided to apply the same data mining algorithms it uses for consumer ad targeting to the email traffic of tens or hundreds of thousands of government users or school children. Even if no personal information of individual users was disclosed to advertisers, the power of these algorithms to identify trending topics and keywords in user content could be of immense economic value. In the case of sensitive government information, it could also represent a grave threat to the security of nations. It is for these reasons that SafeGov has called on all cloud service providers to create separate privacy policies for public sector users that expressly ban these practices.
In any case, observers can be confident that the debate on the topic of the confidentiality and safety of government data in the cloud is only just beginning. The CNIL’s findings on behalf of the Article 29 Working Party, whatever they are, will be only the first step in a long road. As Europe prepares a fundamental revision of its data protection and online privacy law, that road will ultimately lead to significant changes in the privacy practices and perhaps even in the business models of all web advertising firms that wish to do business in Europe. These changes will inevitably encompass the rules that govern the cloud services provided to European governments and schools. We hope that Europe’s Data Protection Authorities will recognize the need for dedicated privacy policies that guarantee users in these critical sectors of the European economy protection from the user profiling and data mining practices of the online consumer advertising industry.
Editor's note: This article also appeared on AOL Government.
Commission Nationale de l'Informatique et des Libertés (“National Commission on Computing and Liberties”).
See Question 47 in the CNIL’s second questionnaire addressed to Google (dated May 22, 2012).