In the technology-rich world we live in, it's critical for everyone to understand how their data is processed and used. For the government, it is arguably even more important, given the massive amounts of sensitive citizen data it possesses and stores.
As we move to more sophisticated, data-driven technological environments such as the cloud, it is imperative that all government entities become hypervigilant about making sure that vendors are handling this information appropriately. I am not the first person to say this, and I will certainly not be the last.
Recent disclosures in a California lawsuit have raised several red flags about how government data could be used by cloud vendors -- particularly vendors with business models that rely heavily on advertising revenue and monetizing user data. The lawsuit alleges that Google violated federal and state wiretap and privacy laws by data mining the email content of students who used Google's Apps for Education and Google's Gmail messaging service. US district judge Lucy Koh handed Google a victory last week by refusing to let the case proceed as a class action.
[Federal agencies are moving beyond the government's 2010 Cloud First mandate. But are they ready for comes next? Read Cloud First: End Of The Beginning For Federal Agencies?]
Though the lawsuit created a stir in the education community over privacy concerns, it also raises important questions for government administrators. Information revealed in the lawsuit suggests that public-sector users of certain cloud services, including the federal government, may not be protected from systematic data mining and user profiling for advertising purposes if they do not have clear protections in place.
The potential streamlining and cost-saving benefits of cloud computing have prompted the federal government to make adoption of cloud computing a high priority. With this in mind, we need to take appropriate measures to ensure the government makes the transition to the cloud in the correct way, with data privacy and lawful data use as top concerns. If the government does not implement these changes carefully, it faces the risk that sensitive data will be exposed, and those risks are simply too high.
I speak from experience. Given my former position at the Office of Management and Budget, where I was responsible for the federal government's IT, data security, and privacy policies, I believe these issues are more important than ever. There are several foundational issues that government CIOs must address when they are looking at securing, procuring, and drafting their cloud contracts.
These issues include:
- Clauses prohibiting unauthorized data use: All cloud service providers must ensure that their services use data only in ways that are explicitly, contractually sanctioned, and those assurances must be guaranteed and written into the contract.
- A system to measure efficacy: Cloud service providers also must have a system for reporting on the efficacy of agency information security programs. That system needs to augment audit programs and validate the written assurances from cloud providers.
- Specific bring-your-own-device (BYOD) language: Agency CIOs and policy makers must rethink their security policies by restricting the type and/or amount of work that employees can perform on their smartphones unless adequate protections are in place, such as digital rights management and robust enterprise device management technologies. In addition, it is critical that agencies and industry develop efficient, technical solutions that enable federal workers to take advantage of the convenience that these devices offer, while ensuring the security of sensitive federal information.
This year, I co-authored a white paper discussing some of these recommendations in greater detail. One conclusion I've reached in my research is that cloud vendors need to be more transparent with regard to how they store, use, and monetize public-sector data -- especially vendors with roots in advertising and the monetization of user data. And agencies must be more explicit in their contracts about data-mining practices.
Despite all these voiced concerns, government entities do not typically require any of the above recommendations or guidelines from cloud contractors.
From my experience working at federal agencies, I understand that altering the way government entities procure services takes time and input from many stakeholders. However, I strongly believe our procurement process needs to include the specific terms and conditions related to data use and ownership in an effort to address these issues in greater detail. If we want to get cloud right, these guidelines should serve as the foundation.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.