Privacy

Adopting cloud computing can mean entrusting data to a third-party vendor. For agencies responsible for personally identifiable information or mission-critical applications, this raises a host of privacy concerns, chief among them the issue of data sovereignty and the question of determining appropriate government and commercial uses of private citizens’ data. This section of the SafeGov.org site analyzes the risks to privacy associated with cloud adoption and explores ongoing means to mitigate them.

Privacy and cybersecurity get political legs

Cameron F. Kerry, Brookings, Wednesday, February 25, 2015

Seeing cybersecurity and privacy take center stage in recent months has been a striking turn. A week ago, I joined some 800 government and industry leaders mixed with Stanford students at the White House Summit on Cybersecurity and Consumer Protection, where President Obama signed an executive order to improve cyber threat information-sharing. He and other members of his administration renewed calls for legislation to encourage such sharing by providing liability protection and guarding how personal information is shared; and corporate executives made up an amen chorus for use of the National Institute of Standards and Technology (NIST) to manage cyber risk.

Google Agrees to Spot Checks by Italian Privacy Regulators

Alistair Barr and Sam Schechner, WSJ Digits, Friday, February 20, 2015

A spokesman for the Italian authority said this is the first time in Europe that Google will be subject to regular checks to monitor progress. The regulator will get quarterly updates from Google and the ability to send a privacy officer for “on-the-spot checks” at Google’s Mountain View, Calif., offices. The regulator hasn’t decided yet how often it will visit the campus, the spokesman said. “It’s very troubling that Google needed the threat of legal action before it agreed to change its privacy policy to become more transparent about its data mining and profiling practices,” said Bradley Shear, an attorney specializing in privacy law. He questioned whether Google will voluntarily implement the same privacy measures elsewhere.

Global privacy standards mean nothing until governments step up

J. Peter Bruzzese, InfoWorld, Wednesday, February 18, 2015

Microsoft recently announced it's the first major cloud provider to adopt the global cloud privacy standard developed by the International Organization for Standardization (ISO). Auditors verified that Microsoft Azure, Office 365, Dynamics CRM Online, and Intune conform to the standard (ISO 27018) designed to protect personally identifiable information (PII) in the cloud, addressing a fear that users and businesses share in many countries -- especially users, businesses, and governments in Europe. But what does that compliance really get you? ISO 27018 is a good starting point to protect personal data, as Microsoft has outlined. But Microsoft has to do whatever legal authorities tell it, so its protections are subject to governments' often secret and inconsistent interpretations of their authority.

Law Enforcement Access To Data Stored Abroad Act Introduced

Bradley Shear, Law Office of Bradley S. Shear, Tuesday, February 17, 2015

The passage of the LEADS Act is needed not only to better protect digital privacy, but also from a business perspective. According to The New York Times, the U.S. cloud computing industry may lose tens of billions of dollars in business because international companies and governments have lost confidence in U.S. technology companies due to the NSA surveillance programs that Edward Snowden exposed in 2013. Forrester Research has indicated that these losses could be as high as $180 billion for U.S.-based firms.

Safe Harbor's Final Reckoning May Begin Next Month

Sam Pfeifle, IAPP, Tuesday, February 17, 2015

Late last week, Max Schrems, the Austrian law student who began Europe-v-Facebook and has seen his suit against the Irish DPA regarding Facebook's handling of his data forwarded all the way to the European Court of Justice, posted a somewhat cryptic tweet... Contacted directly, Schrems could only say that he'd been given a "heads up" from the courts and that he's bound by court rules that don't allow for public statements that might be construed as trying to influence public opinion around the case. As a refresher, at issue is whether U.S. intelligence programs, such as PRISM, which involve sharing by U.S. companies of EU citizen data with organizations like the NSA, violate the fundamental rights of those EU citizens. If the ECJ finds that they do, then Safe Harbor could be invalidated as a program for cross-border data transfer between the EU and U.S.

Google warns against expanding FBI hacking power

Cory Bennett, The Hill, Tuesday, February 17, 2015

Google urged a small government rules committee to block a Department of Justice (DOJ) request that would expand the FBI’s ability to remotely collect electronic information in the U.S. and abroad. The DOJ filed its request last year to the little-known Advisory Committee on Criminal Rules. The department wants the committee to give judges the power to authorize warrants for electronic searches in multiple jurisdictions, or when investigators don’t know the physical location of a device. Such a move, Google said in comments filed to the committee, “substantively expands the government’s current authority,” and “raises a number of monumental and highly complex constitutional, legal and geopolitical concerns.” The tech giant’s comments put them on the side of civil liberties and privacy advocates, who appeared before the committee in November to strongly protest the proposal.

Google defends its use of data, points finger at governments

Business Cloud News, Monday, February 16, 2015

Google’s senior vice president communications and public policy Rachel Whetstone has defended the company’s evolving strategy on collecting and managing personal data, but said governments need to reform how they seek data from private firms and one another. She also said Google’s progressive policy on encryption “requires governments to go through the proper legal channels” for customer data, and hit out at how governments secure data from one another and private firms across borders for law enforcement purposes including surveillance. “The MLAT process is too slow, too complicated and in need of reform,” she said. “Europe is leading the way here. We now need the US to follow suit.”

Microsoft beats rivals to certify under new public cloud security standard

Business Cloud News, Monday, February 16, 2015

Microsoft has adopted a relatively new ISO standard that specifies measures to protect Personally Identifiable Information (PII) in public cloud environments. The company claims it is the first public cloud provider to do so. Microsoft, a huge advocate of regulatory reform around data privacy rights in the US, is currently embroiled in a court case that has seen the IT giant repeatedly challenge US District Court rulings compelling it to hand over email and contact information stored in its cloud platform in Ireland as part of a drug-trafficking trial. The company is currently supporting a number of recently introduced laws that seek to limit the reach of US courts over data stored in cloud services located outside the US.

Samsung Reveals Potential for Smart TVs to Eavesdrop

Youkyung Lee, AP/ABC News, Tuesday, February 10, 2015

Watch what you say in your living room. Samsung's smart TV could be listening. And sharing. Voice recognition technology in the South Korean company's Internet connected TVs captures and transmits nearby conversations. The potential for TVs to eavesdrop is revealed in Samsung's smart TV privacy policy available on its website. "Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition," the policy said.

Box hands cloud encryption keys over to its customers

Jon Brodkin, Ars Technica, Tuesday, February 10, 2015

Today, Box says it has a new product that gets the job done. Called “Enterprise Key Management (EKM),” the service puts encryption keys inside a customer’s own data center and in a special security module stored in an Amazon data center. The Box service still must access customer’s data in order to enable sharing and collaboration, but EKM makes sure that only happens when the customer wants it to, Box says.