“The Information Commissioner’s Office (ICO) has published guidelines to businesses today to underline that companies remain responsible for how personal data is looked after, even if they pass it to cloud network providers.”
Information Commissioner’s Office, 27th September 2012
In all honesty, this step is not an assuring one.
I have been involved with all forms of data for more than 20 years. Over those two decades I have seen how data was moved from private servers, to data providers, to data farms and now to cloud providers. The last one is the most dangerous of all providers. They claim security! They claim safety! Yet, it took only a little for Sony to lose millions of records. This resulted in a game of carefully phrased denials and contemplated messages on how to prevent this in the future. This is not about blaming Sony. This is about the fact that in many cases this is nothing more than a smoke screen where cyber criminals get more and more (and perhaps even easier) access to data. The organisations fighting them are massively underfunded, with little to no chance of making a dent into cyber criminal activities as Universities create new Wiki leaks creators on a daily base. “Germany May Buy Stolen Swiss Bank Account Data” (Bloomberg, Feb2). Is an interesting result. If stolen data can be acquired, there is every reason for cyber criminals to continue. So why keep on continuing on a path where more and more data could be stolen in an instance?
Which follows by the fact, that the law is not ready to deal with Cloud based criminal acts. For the most, even in the IT brain, there is less and less knowledge available on WHERE that data actually was. So the cloud environment will gain an increased amount of Victims, with less and less options to make reparations to the victims, and no one is left accountable, so prosecution becomes less likely to be successful.
So let’s look at the ICO guide (only a few points):
63. Security key. Sony had this issue. Millions of records were stolen. And as technology grows the danger will only increase. No matter how strong the security. Any code will get hacked. This world is like an exponential armistice race, with the good guys currently on the losing side.
65. The defense will be “It was secure at the time, and we have placed all the securities we could”. It’s a nice defense, and I cannot fault the provider, but the data will still be stolen. Are my thoughts valid? If we look at Torts law we get the response “Not insignificant”. With cyber-crime at present, will that ever be the case? If that is true, should we consider an issue where the provider could be regarded as ‘guilty by default’? Is that even fair?
69. Regarding the loss of security keys. These keys will be stored on another system. So once these systems get intruded upon, those keys can be compromised, and as such the data can be acquired.
70. The talk about accessing data anywhere, so even on home systems. This paper mentions that the customer needs to take steps. They are not taking them now, so later on, when the damage would be likely a lot larger, the Cloud provider is not responsible (which I can agree with). And the data is still accessed.
These are just a few points I looked at. Another article to take into consideration is “How Apple and Amazon Security Flaws Led to My Epic Hacking” (Wired, Aug 6th). This is not the greatest example; however consider that the practices and protocols of tech savvy companies like Apple and Amazon let to this, what chance do some of the Cloud customers have?
I am not against cloud solutions. I think that a cloud solution for applications could be a massive step forward in regards to managing applications on a larger scale. However, data, especially personal data is already too open, and cloud computing would currently make it worse (in my humble opinion).
I believe that cloud computing would be a solution in the future, but at present, as cyber-crimes go, we are nowhere near a cloud solution for personal and privacy sensitive data.