Cloud services raise security, privacy concerns, experts say

Changes in U.S. law and vendor agreements may still be needed to protect privacy, panelists say

A move toward more and more services in the cloud is inevitable, but vendors still need to focus on security, and the U.S. government needs to rewrite privacy laws to protect cloud customers, a group of experts said Tuesday.

Cloud computing will offer many benefits, including remote access to data, remote collaboration and reduced IT costs, said Greg Nojeim, senior counsel for the Center for Democracy and Technology. But cloud vendors, customers and U.S. policy makers still have "a lot of questions to work through," he said at a forum on cloud security and privacy at The Brookings Institution in Washington, D.C.

Nojeim called on the U.S. Congress to update the 24-year-old Electronic Communications Privacy Act (ECPA), which gives data stored on personal computers greater protection from law enforcement searches than data stored with third-party services. Law enforcement officials typically need to get a court-ordered warrant to search the hard drive on a PC, but need only a prosecutor- or investigator-issued subpoena to access data stored in the cloud, he said.

"The law shouldn't discriminate between the privacy of something I store locally and something I store remotely," he said.

Law enforcement agencies weren't represented on the Brookings panel, but the U.S. Department of Justice has argued that quick access to information by law enforcement agencies can stop crime and, in some cases, save lives.

Beyond legal questions, cloud vendors have several security issues to face, other panelists said. The security goals of customers may not match the priorities of cloud providers, said Alan Friedman, research director for the Center for Technology Innovation at Brookings and co-author of a new paper on cloud security. In addition, data privacy laws differ significantly between nations, and some U.S. cities have demanded that their providers store data only in the U.S. for security reasons, even though the European Union has stronger privacy protections for cloud users, he said.

U.S. government entities are "very concerned about other nation[s] accessing data, but still we're reluctant to adopt strong regulations, as the EU currently has," he said.

Friedman and Marjory Blumenthal, associate provost for academic affairs at Georgetown University and a longtime technology policy expert, also raised concerns about ambiguity in cloud computing agreements between vendors and customers. There's little legal precedent for enforcing promises made in the agreements, Friedman said.

Many cloud providers so far have claimed they are not responsible for the data stored on their service, Blumenthal said. The use of virtualization in cloud computing environments could also lead to data leaks between customers if the virtualization isn't done correctly, she said, and cloud providers will likely become tempting targets for cybercriminals.

"It's reasonable to expect that providers will be increasingly targeted by organized crime," she said.

But vendors will address many of the concerns about cloud computing because of increasing competition, said Harry Wingo, senior policy counsel at Google, a provider of cloud-based services. Vendors should be transparent with customers about how their data is stored and used, and they should allow customers to easily transport their data to other services, he said, but as long as those things happen, competition will drive improvements in cloud services.

Cloud vendors are beginning to look at new encryption and fraud detection techniques, Friedman said.

"Competition is going to allow a race to the top for security," he added. "We'd like to see security as a differentiated service."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is
