Lawsuit Raises Red Flags For Government Cloud Users

A California lawsuit suggests the federal government must take stronger steps to protect government data from data mining and user profiling by cloud service providers.

Karen S. Evans, National Director, US Cyber Challenge

March 25, 2014

4 Min Read
Data mining practices raise fresh concerns among public-sector<br />groups who increasingly rely on cloud services.<br />(Image: Facebook connections on NOAA's <a href="http://www.informationweek.com/government/cloud-computing/meet-noaas-unique-3d-weather-tool/d/d-id/1113020?image_number=4"target="new">Science on a Sphere</a>.)

In the technology-rich world we live in, it's critical for everyone to understand how their data is processed and used. For the government, it is arguably even more important, given the massive amounts of sensitive citizen data it possesses and stores.

As we move to more sophisticated, data-driven technological environments such as the cloud, it is imperative that all government entities become hypervigilant about making sure that vendors are handling this information appropriately. I am not the first person to say this, and I will certainly not be the last.

Recent disclosures in a California lawsuit have raised several red flags about how government data could be used by cloud vendors -- particularly vendors with business models that rely heavily on advertising revenue and monetizing user data. The lawsuit alleges that Google violated federal and state wiretap and privacy laws by data mining the email content of students who used Google's Apps for Education and Google's Gmail messaging service. US district judge Lucy Koh handed Google a victory last week by refusing to let the case proceed as a class action.

[Federal agencies are moving beyond the government's 2010 Cloud First mandate. But are they ready for comes next? Read Cloud First: End Of The Beginning For Federal Agencies?]

Though the lawsuit created a stir in the education community over privacy concerns, it also raises important questions for government administrators. Information revealed in the lawsuit suggests that public-sector users of certain cloud services, including the federal government, may not be protected from systematic data mining and user profiling for advertising purposes if they do not have clear protections in place.

The potential streamlining and cost-saving benefits of cloud computing have prompted the federal government to make adoption of cloud computing a high priority. With this in mind, we need to take appropriate measures to ensure the government makes the transition to the cloud in the correct way, with data privacy and lawful data use as top concerns. If the government does not implement these changes carefully, it faces the risk that sensitive data will be exposed, and those risks are simply too high.

I speak from experience. Given my former position at the Office of Management and Budget, where I was responsible for the federal government's IT, data security, and privacy policies, I believe these issues are more important than ever. There are several foundational issues that government CIOs must address when they are looking at securing, procuring, and drafting their cloud contracts.

These issues include:

  • Clauses prohibiting unauthorized data use: All cloud service providers must ensure that their services use data only in ways that are explicitly, contractually sanctioned, and those assurances must be guaranteed and written into the contract.

  • A system to measure efficacy: Cloud service providers also must have a system for reporting on the efficacy of agency information security programs. That system needs to augment audit programs and validate the written assurances from cloud providers.

  • Specific bring-your-own-device (BYOD) language: Agency CIOs and policy makers must rethink their security policies by restricting the type and/or amount of work that employees can perform on their smartphones unless adequate protections are in place, such as digital rights management and robust enterprise device management technologies. In addition, it is critical that agencies and industry develop efficient, technical solutions that enable federal workers to take advantage of the convenience that these devices offer, while ensuring the security of sensitive federal information.

This year, I co-authored a white paper discussing some of these recommendations in greater detail. One conclusion I've reached in my research is that cloud vendors need to be more transparent with regard to how they store, use, and monetize public-sector data -- especially vendors with roots in advertising and the monetization of user data. And agencies must be more explicit in their contracts about data-mining practices.

Despite all these voiced concerns, government entities do not typically require any of the above recommendations or guidelines from cloud contractors.

From my experience working at federal agencies, I understand that altering the way government entities procure services takes time and input from many stakeholders. However, I strongly believe our procurement process needs to include the specific terms and conditions related to data use and ownership in an effort to address these issues in greater detail. If we want to get cloud right, these guidelines should serve as the foundation.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.

About the Author

Karen S. Evans

National Director, US Cyber Challenge

Karen S. Evans spent nearly 28 years in the federal government, most recently as Administrator for E-Government and Information Technology at the Office of Management and Budget (OMB) within the Executive Office of the President (from 2003 to 2009), where she oversaw the implementation of more than $70 billion in IT investments by federal agencies annually. She also oversaw the development of government-wide enterprise architecture, information sharing, and cybersecurity programs. She currently serves as the National Director for the US Cyber Challenge (USCC), the nationwide talent search and skills development program focused specifically on the cyber workforce. She recently co-authored the report "Staying Safe in Cyberspace: Cloud Security on the Horizon."

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights