Privacy, Identity, and Cloud Computing

It seems as though most computer users would like privacy and information security while having convenient access to interlinked computing services both on-premises and in the cloud. In this instance, the cloud is a metaphor for the Internet, which can be used as the delivery vehicle for computing services and the storage of information. Advocates of cloud computing are faced with two major problems, that is, in addition to the usual problem of transferring one’s resources from one operational environment to another. The first of the major problems is the ongoing feeling that we are experiencing the “déjà vu all over again” syndrome. Many of us have gone through an avalanche of new technological advances intended as solutions to our administrative and operational problems – at least, the ones involving management and information systems. Some of the technical innovations we have experienced include scalable main-frame computers, advanced operating systems, time sharing, client/server, online systems, mini computers, personal computers, artificial intelligence, hand-held computers, the Internet and the World Wide Web, mobile computers, social networking, and by the time this paper is published, there will no doubt be several more entries to add to the list. So one has reason to be skeptical of someone writing that cloud computing is worthy of serious attention. Of course, we think it is, for obvious reasons. The second major issue is privacy, and it stems from the fact that with cloud computing, data and programs are stored off-premises and managed by a service provider. When a third party gets a hold of your data, who knows what is going to happen to it. Many proponents of cloud computing conveniently characterize it as analogous to the electric utility. The basic idea is that the private generators of the twentieth century were replaced by the electricity grids of today without undue concern. It is easy to imagine, however, that the measurement of electricity usage would have been of concern to some people in the early 1900s. Although similar in some respects, cloud computing is different in one important way. The cloud will typically handle information, which is the basic unit of exchange, about which security and privacy are of paramount concern. With electricity, there is no interest in individual electrons. With information, the key issues are identity, security, and privacy. The side issues are one’s inherent identity attributes (such as age, gender, and race), accountability (for online computing activities), and anonymity (in order to preserve free speech and other forms of behavior for the parties involved). The main consideration may turn out to be a matter of control, because from an organizational perspective, control over information has historically been with the organization that creates or maintains it. From a personal perspective, on the other hand, a person should have the wherewithal to control their identity and the release of information about themselves, and in the latter case, a precise determination of to whom it is released and for what reason.. Who owns the data? Is it the person about whom the data pertains? Is it the organization that prototypically manages the data? Or, is it the cloud provider that physically stores the data somewhere out in cyberspace? Consider your financial information. Is it your property or is it your bank’s business property? We will try to provide a perspective on this important issue in the following sections. Privacy issues are not fundamentally caused by cloud computing, but they are exacerbated by employing the technology for economic benefit. To put it as diplomatically as possible, if a business employs cloud computing to save money on its IT bill, should it be allowed to do so at the “privacy” expense of its customers?