Privacy, Free/Open Source, and the Cloud

Posted by Elonnai Hickok at Nov 22, 2010 07:35 AM
A look at the questions that arise concerning privacy and cloud computing, and how open source plays into the picture.

Introduction

Cloud computing, in basic terms, is internet-based computing where shared resources and services are taken from the primary infrastructure of the internet and provided on demand. Cloud computing creates a shared network between major corporations like Google, Microsoft, Amazon and Yahoo. In this way, cloud systems are related to grid computing systems/service-oriented architectures, and create the potential for the entire IT infrastructure to be programmable. Because of this, cloud computing establishes a new consumption and delivery standard for IT services based on the internet. It is a new consumption and delivery model because it is made up of services delivered through common centers and built on servers which act as a point of access for the computing needs of consumers. The access points facilitate the tailoring and delivering of targeted applications and services to consumers. Details are abstracted away from the users, who no longer need to have an understanding of, or control over, the technology infrastructure in the cloud that supports their desired application.

There are both corporate and consumer implications for such a system. For example, cloud computing lowers the barriers to entry for corporations and new services. It also enables innovative enterprise in locations where there is an insufficient supply of human or other resources through the provision of inexpensive hardware, software, and applications. The consumer, in turn, is provided with information that he or she is projected to be interested in based on information he or she has already “consumed.” Thus, for example, Google has the ability to monitor a person’s consuming habits through searches and to reduce those habits to a pattern which selects applications to display – and consumption of those reinforces the pattern.

Privacy Concerns:

Though cloud computing can be a useful tool for consumers, corporations, and countries, it poses significant privacy concerns for all actors involved. For the consumer, a major concern is that future business models may rely on the use of personal data from consumers of cloud services for advertising or behavioral targeting. This concern brings to light the fundamental problem of cloud computing, which is that consumers consent to the secondary use of their personal data only when they are signing up for services, and that “consent” is almost automatically generated. How can the cloud assure users that their private data will be properly protected? It is true that high levels of encryption can be (and are) used, and that many companies also take other precautionary measures, but protective measures vary, and the secondary sources that gain access to information may not protect it as well as the initial source. Moreover, even strong protection measures are vulnerable to hackers. As well, what happens if a jurisdiction, like the Indian government, gains access to information about a foreign national? India still does not have a comprehensive data protection law, nor does it have many forms of redress for violations of privacy. How is that individual's information protected?

These questions give rise to other privacy concerns with respect to the data that is circulated and stored on the cloud, namely the questions of territory, sovereignty, and regulation. Many of these were brought up at the Internet Governance Forum, which took place on the 16th of September, including: Which jurisdiction has authority in cases of dispute or digital crime? If you lose data or your data is damaged, stolen, or manipulated, where do you go? Is the violation enforced under local laws, and, if so, under the law of the violator or the law of the violated? If international law, who can access the tribunals, and which tribunals have this jurisdiction? What if a person's data is replicated in two data centres in two different countries? Are the data subject to scrutiny by the officials of all three? Is there a remedy against abuse by any of them? Does it matter whether the country in which the data centre resides does not require a warrant for government access? And how will a consumer know any of that up front? As a corollary, if content is being sent to one country but resides on a data centre in another country, whose data protection standards apply? For example, certain governments in Europe require data retention for a limited amount of time for purposes of law enforcement, but other countries may allow retention of data for shorter or longer periods of time.

How are privacy, free/open source, and the cloud related?

Eben Moglen, a professor from Columbia Law School and founder and chairman of the Software Freedom Law Center, who spoke on cloud computing, privacy, and free/open software at the Indian Institute for Science on Thursday, September 25, had another solution to the privacy concerns that arise out of the cloud. His lecture explains how the internet has moved from a tool that once promoted equality between people – no servants and no masters – to a tool that reinforces social hierarchies. The reinforcement of these hierarchies is directly related to the language used and communication facilitated between the computer and the individual. Professor Moglen describes how initially, when computers were first introduced to the public, humans spoke directly to computers, and computers responded directly to humans. This open, two-way communication changed when Microsoft, Apple, and IBM removed the language between humans and computers and created proprietary software based on a server-client computing relationship. By removing the language between humans and computers, these corporations disempowered individuals. Professor Moglen used this as a springboard to address the privacy concerns that come up in cloud computing. Privacy at its base is the ability of an individual to control access to various aspects of self, such as the decisional, informational, and locational. Because it involves the ability to control these factors, privacy consists of a relation between a person and another person or an entity. Professor Moglen postulated that free/open access to code would make the internet an environment where choices over that relationship were still in the hands of an individual, and, among other protections, individuals could build up their desired levels of privacy.

Is free/open software the solution?

Eben Moglen's solution to the many privacy concerns that arise out of cloud computing is the application and use of free software/open source by individuals. Unlike some applications on the cloud, open source is free, and once an individual has access to the code, that person can control how a program functions, including how a program uses personal information, and thus the person would be able to protect their privacy. Of course, this presumes that the consumer of the internet is sophisticated enough to access and manipulate code. But even putting that presumption aside, is the ability to write code enough to protect data (that is, will it help you protect data better and add more security)? Perhaps it would be if a person could create his own server and bypass the cloud, but this does not seem like an ideal (or practical) solution. Though free/open source is an important element that should be incorporated into cloud computing, free/open source depends on open standards. According to Pranesh Prakash, in his presentation at the Internet Governance Forum, the role of standards in ensuring interoperability is critical to allowing consumers to choose between different devices to access the cloud, to choose between different software clients, and to shift between one service and another. This would include moving information, both the data and the metadata, from one cloud to another. Clouds would need to be able to talk to one another to enable data sharing, and open source is key to this, though it is important to note that if one uses free/open source, they must set up their own infrastructure.

Conclusion

Even though Moglen believes that free/open source software brings freedom and provides the solution to protect an individual’s privacy in the context of cloud computing, he was not speaking to the specific context of India. To do that, it is important to expand the definitions that one uses of free/open source and privacy, and then to contextualize them. Looking closely at the words “free/open source,” they are not limited to access to a software's code, even though that is free/open source’s base. For the ideology of free/open source to work, access to code is just a key to the puzzle. A person, community, culture and state must understand the purpose of free/open source, know how to use it, and know how it can be applied in order for it to be transformative, liberating, and protective. There needs to be a shared understanding that free/open source is not just about being able to change code, but about a shared commitment to sharing code and making it transparent and accessible. In the United States and other countries, free/open source did not just enter into American society and immediately fix issues of privacy by bringing freedom, as it seems Professor Moglen is suggesting free/open source will do in India. Though Professor Moglen promises freedom and privacy protection through free/open source, perhaps this is not an honest appraisal of the technology. Free/open source, if not equally accessed or if misapplied, protects neither freedom nor privacy. As noted above, even if a person has access to code, he can protect data only to a certain extent. Thus, he might think that he has created a privacy wall around information that actually is readily accessible. In other words, free/open source cannot be the only answer to freedom, but is instead a piece of a collective answer.