Commentary
3/25/2014 02:25 PM
Karen S. Evans

Lawsuit Raises Red Flags For Government Cloud Users

A California lawsuit suggests the federal government must take stronger steps to protect government data from data mining and user profiling by cloud service providers.

In the technology-rich world we live in, it's critical for everyone to understand how their data is processed and used. For the government, it is arguably even more important, given the massive amounts of sensitive citizen data it possesses and stores.

As we move to more sophisticated, data-driven technological environments such as the cloud, it is imperative that all government entities become hypervigilant about making sure that vendors are handling this information appropriately. I am not the first person to say this, and I will certainly not be the last.

Recent disclosures in a California lawsuit have raised several red flags about how government data could be used by cloud vendors -- particularly vendors with business models that rely heavily on advertising revenue and monetizing user data. The lawsuit alleges that Google violated federal and state wiretap and privacy laws by data mining the email content of students who used Google's Apps for Education and Google's Gmail messaging service. US district judge Lucy Koh handed Google a victory last week by refusing to let the case proceed as a class action.

[Federal agencies are moving beyond the government's 2010 Cloud First mandate. But are they ready for what comes next? Read Cloud First: End Of The Beginning For Federal Agencies?]

Though the lawsuit created a stir in the education community over privacy concerns, it also raises important questions for government administrators. Information revealed in the lawsuit suggests that public-sector users of certain cloud services, including the federal government, may not be protected from systematic data mining and user profiling for advertising purposes if they do not have clear protections in place.

Data mining practices raise fresh concerns among public-sector groups who increasingly rely on cloud services. (Image: Facebook connections on NOAA's Science on a Sphere.)

The potential streamlining and cost-saving benefits of cloud computing have prompted the federal government to make adoption of cloud computing a high priority. With this in mind, we need to take appropriate measures to ensure the government makes the transition to the cloud in the correct way, with data privacy and lawful data use as top concerns. If the government does not implement these changes carefully, it faces the risk that sensitive data will be exposed, and those risks are simply too high.

I speak from experience. Given my former position at the Office of Management and Budget, where I was responsible for the federal government's IT, data security, and privacy policies, I believe these issues are more important than ever. There are several foundational issues that government CIOs must address when they are looking at securing, procuring, and drafting their cloud contracts.

These issues include:

  • Clauses prohibiting unauthorized data use: All cloud service providers must ensure that their services use data only in ways that are explicitly, contractually sanctioned, and those assurances must be guaranteed and written into the contract.
  • A system to measure efficacy: Cloud service providers also must have a system for reporting on the efficacy of agency information security programs. That system needs to augment audit programs and validate the written assurances from cloud providers.
  • Specific bring-your-own-device (BYOD) language: Agency CIOs and policy makers must rethink their security policies by restricting the type and/or amount of work that employees can perform on their smartphones unless adequate protections are in place, such as digital rights management and robust enterprise device management technologies. In addition, it is critical that agencies and industry develop efficient, technical solutions that enable federal workers to take advantage of the convenience that these devices offer, while ensuring the security of sensitive federal information.

This year, I co-authored a white paper discussing some of these recommendations in greater detail. One conclusion I've reached in my research is that cloud vendors need to be more transparent with regard to how they store, use, and monetize public-sector data -- especially vendors with roots in advertising and the monetization of user data. And agencies must be more explicit in their contracts about data-mining practices.

Despite all these voiced concerns, government entities do not typically require any of the above recommendations or guidelines from cloud contractors.

From my experience working at federal agencies, I understand that altering the way government entities procure services takes time and input from many stakeholders. However, I strongly believe our procurement process needs to include the specific terms and conditions related to data use and ownership in an effort to address these issues in greater detail. If we want to get cloud right, these guidelines should serve as the foundation.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.

Karen S. Evans spent nearly 28 years in the federal government, most recently as Administrator for E-Government and Information Technology at the Office of Management and Budget (OMB) within the Executive Office of the President (from 2003 to 2009), where she oversaw the ...

Comments
WKash, User Rank: Author, 3/25/2014 | 6:03:22 PM
Details in the case
For those interested in the details of the case, here are links to two declarations in support of Google's opposition to the plaintiff's case.
http://www.safegov.org/media/60266/google_gmail_litigation_-_declaration_of_kyle_c.wong.pdf

http://www.safegov.org/media/60263/google_gmail_litigation_-_declaration_of_brad_chin.pdf

Stratustician, User Rank: Ninja, 3/26/2014 | 10:51:51 AM
Re: Details in the case
It's nice to see the push for clarification and responsibility when it comes not just to how data is used, but also how it is protected.  For the longest time we have seen SLAs that refuse to clarify exactly the responsibilities and controls that are in place to protect users and data, so this is definitely going to be a huge step in the right direction.
asksqn, User Rank: Ninja, 3/27/2014 | 3:43:28 PM
Hope Floats (in the cloud)
The only reason the CA lawsuit was tossed is because Judge Koh did not find the classes of plaintiffs (it was a class action suit) "sufficiently cohesive," which is a fancy schmancy way of saying nice try, but I'm letting Google off on a technicality. That being said, the lawsuit may still proceed provided that counsel gets its act together and amends the complaint accordingly. There may still be hope of calling out Google on illegally scanning email for key words yet.

WKash, User Rank: Author, 3/27/2014 | 4:57:32 PM
Re: Hope Floats (in the cloud)
Asksqn, you're right. Judge Koh rejected the basis of the class action suit, more than the complaint itself. Because few individuals (students in this case) are likely to gather the resources to fight Google on this, Google, for all intents and purposes, is off the hook for now.
WKash, User Rank: Author, 3/27/2014 | 5:12:43 PM
Government contracts
It's worth noting, the standard Terms of Service (or Terms of Use - which few most people agree to without ever reading) for most free social media products are incompatible with federal law, regulation, or practice. So GSA had to come up with a new set of contracts for agency employees to use, when signing up for sites like YouTube, or Facebook.  Here's a list of amended terms of service agreements from the General Services Administration.

It's also worth noting: the Office of Management and Budget in an April 4, 2013 memo, put agencies on notice that employees may be in violation of the Antideficiency Act by agreeing to open-ended terms of agreement for certain websites.
J_Brandt, User Rank: Ninja, 3/28/2014 | 3:09:37 PM
Re: Government contracts
A most excellent set of points.  I think you mean to say ["most" (not few) people agree to without ever reading] for most free social media products are incompatible with federal law, regulation, or practice].
WKash, User Rank: Author, 3/28/2014 | 3:38:08 PM
Re: Government contracts
J_Brandt, thanks for catching that. That's right. I meant most ...don't read