Lawsuit Raises Red Flags For Government Cloud Users - InformationWeek


Karen S. Evans

Lawsuit Raises Red Flags For Government Cloud Users

A California lawsuit suggests the federal government must take stronger steps to protect government data from data mining and user profiling by cloud service providers.

In the technology-rich world we live in, it's critical for everyone to understand how their data is processed and used. For the government, it is arguably even more important, given the massive amounts of sensitive citizen data it possesses and stores.

As we move to more sophisticated, data-driven technological environments such as the cloud, it is imperative that all government entities become hypervigilant about making sure that vendors are handling this information appropriately. I am not the first person to say this, and I will certainly not be the last.

Recent disclosures in a California lawsuit have raised several red flags about how government data could be used by cloud vendors -- particularly vendors with business models that rely heavily on advertising revenue and monetizing user data. The lawsuit alleges that Google violated federal and state wiretap and privacy laws by data mining the email content of students who used Google's Apps for Education and Google's Gmail messaging service. US district judge Lucy Koh handed Google a victory last week by refusing to let the case proceed as a class action.


Though the lawsuit created a stir in the education community over privacy concerns, it also raises important questions for government administrators. Information revealed in the lawsuit suggests that public-sector users of certain cloud services, including the federal government, may not be protected from systematic data mining and user profiling for advertising purposes if they do not have clear protections in place.

Data mining practices raise fresh concerns among public-sector groups who increasingly rely on cloud services. (Image: Facebook connections on NOAA's Science on a Sphere.)

The potential streamlining and cost-saving benefits of cloud computing have prompted the federal government to make adoption of cloud computing a high priority. With this in mind, we need to take appropriate measures to ensure the government makes the transition to the cloud in the correct way, with data privacy and lawful data use as top concerns. If the government does not implement these changes carefully, it faces the risk that sensitive data will be exposed, and those risks are simply too high.

I speak from experience. Given my former position at the Office of Management and Budget, where I was responsible for the federal government's IT, data security, and privacy policies, I believe these issues are more important than ever. There are several foundational issues that government CIOs must address when they are looking at securing, procuring, and drafting their cloud contracts.

These issues include:

  • Clauses prohibiting unauthorized data use: All cloud service providers must ensure that their services use data only in ways that are explicitly, contractually sanctioned, and those assurances must be guaranteed and written into the contract.
  • A system to measure efficacy: Cloud service providers also must have a system for reporting on the efficacy of agency information security programs. That system needs to augment audit programs and validate the written assurances from cloud providers.
  • Specific bring-your-own-device (BYOD) language: Agency CIOs and policy makers must rethink their security policies by restricting the type and/or amount of work that employees can perform on their smartphones unless adequate protections are in place, such as digital rights management and robust enterprise device management technologies. In addition, it is critical that agencies and industry develop efficient, technical solutions that enable federal workers to take advantage of the convenience that these devices offer, while ensuring the security of sensitive federal information.

This year, I co-authored a white paper discussing some of these recommendations in greater detail. One conclusion I've reached in my research is that cloud vendors need to be more transparent with regard to how they store, use, and monetize public-sector data -- especially vendors with roots in advertising and the monetization of user data. And agencies must be more explicit in their contracts about data-mining practices.

Despite all these voiced concerns, government entities do not typically require any of the above recommendations or guidelines from cloud contractors.

From my experience working at federal agencies, I understand that altering the way government entities procure services takes time and input from many stakeholders. However, I strongly believe our procurement process needs to include the specific terms and conditions related to data use and ownership in an effort to address these issues in greater detail. If we want to get cloud right, these guidelines should serve as the foundation.


Karen S. Evans spent nearly 28 years in the federal government, most recently as Administrator for E-Government and Information Technology at the Office of Management and Budget (OMB) within the Executive Office of the President (from 2003 to 2009), where she oversaw the ...

User Rank: Author
3/28/2014 | 3:38:08 PM
Re: Government contracts
J_Randt, thanks for catching that. That's right.  I meant most ...don't read
User Rank: Author
3/27/2014 | 5:12:43 PM
Government contracts
It's worth noting, the standard Terms of Service (or Terms of Use - which few most people agree to without ever reading) for most free social media products are incompatible with federal law, regulation, or practice. So GSA had to come up with a new set of contracts for agency employees to use, when signing up for sites like YouTube, or Facebook.  Here's a list of amended terms of service agreements from the General Services Administration.

It's also worth noting: the Office of Management and Budget, in an April 4, 2013 memo, put agencies on notice that employees may be in violation of the Antideficiency Act by agreeing to open-ended terms of agreement for certain websites.


User Rank: Author
3/27/2014 | 4:57:32 PM
Re: Hope Floats (in the cloud)
Asksqn, you're right. Judge Koh rejected the basis of the class action suit, more than the complaint itself. Because few individuals (students in this case) are likely to gather the resources to fight Google on this, Google, for all intents and purposes, is off the hook for now.
User Rank: Author
3/25/2014 | 6:03:22 PM
Details in the case
For those interested in the details of the case, here are links to two declarations in support of Google's opposition to the plaintiff's case.
