What can users do?
Companies and individuals who have or are considering moving to the cloud should take certain precautions to address privacy and security concerns.
- Form a service level agreement (SLA) with cloud computing service provider to store data in the continental United States to eliminate potential privacy and security issues related to foreign government officials potentially gaining access to sensitive data.
- Request cloud computing service provider to segregate company’s data from other customers’/companies’ data
- Encrypt data and limit access to decryption keys
- Require background checks and security clearances for key employees
- Address data breach liability
- Limit the service provider’s right to process company’s data only for the purposes described in the contract
- Involve all departments (e.g., IT, legal, information security, and all of the relevant business groups) when developing contracts with cloud computing services
In 2009, The World Privacy Forum made several recommendations concerning cloud computing which included the following for organization’s considering the use of cloud computing:
- Ensure that the cloud service provider gives adequate notice before complying with a subpoena to allow time to move to quash if necessary.
- Be aware of any information indicating the cloud provider reserves the right to use, disclose, or publicize user information.
Cloud Computing Privacy Tips for Consumers, Business, and Government: http://www.worldprivacyforum.org/pdf/WPF_Cloud_Tips_fs.pdf
Additional Resources on Cloud Computing Self-Regulation and Best Practices
- The World Privacy Forum's Cloud Computing Privacy Tips
- InfoWorld article: "Is Cloud Computing Inherently Evil?"
- Electronic Privacy Information Center's section on privacy in cloud computing
- Demand your dotRights campaign (run by the ACLU of Northern California)
- World Privacy Forum articles on Cloud Computing and Privacy