Cloud computing has been with us for a while now, but it started just recently to draw attention to it, particularly because of the large scale Internet applications that client-oriented companies have built as services. Or what we now call SaaS, or software as a service.
The “while” I’m talking about started, presumably, when people woke up and said “hey, I think we’re in the web 2.0 period now”. It’s not something that someone suddenly invented, it’s the creation of many applications designed to improve the users’ experience on the web. Logically enough, corporate giants have followed the trend and implemented huge online apps that users could tap into and start sharing, posting and saving information. Just this month, Microsoft is launching the Microsoft Azure platform, while Amazon is already reaching its 2 year mark in the business of cloud computing with the Amazon Elastic Compute Cloud or EC2. Not to mention the Google apps engine, but we’ll talk about all these later.
From social networks to virtual servers for data storage, anything goes in the cloud. Unfortunately, it still goes in the cloud literally for government policies regarding this matter, in about every industrialized country there is.
Which is the fact that leads us to the main problem concerning the wide adoption of cloud computing services, meaning data security and privacy. Moreover, security against state invasion or abuse of authority. Data stored on cloud platforms should be protected against the state by state policies and updated legal frameworks. It took the US government about 100 years to adapt its legal provisions regarding privacy for phone conversations, so how much time should we expect to pass before virtual data is covered? Today, I came across a very interesting paper written by David A. Couillard, entitled “Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing”. As in the case of copyright laws, which have to include the new technologies for multimedia devices and formats, so must cloud computing be “internalized” through a set of legislative provisions.
Couillard states that, based on a reasonable-expectation-of-privacy, people can safely assume that their goods, in tangible or intangible form, are safe from public intrusion. Meaning that, if I place anything in an opaque container of any form, while not specifically locking it or taking any further measures for security, I still expect that the goods placed within the container to be private. Because the container hides them from public display, and the container is mine.
The problem that appears when we transfer the analogy to cloud computing, is that no one, or no user, really owns his or her part of the cloud. The cloud is not really mine, but I rent a part of it for keeping some personal information which concerns only myself. My landlord, or the cloud owner, must ask for permission to enter my space. As are the laws regulating the landlord-renter relation, in which the renter has certain rights unless agreed otherwise to his private space, so too must cloud owners give up their right of ownership for the space occupied in the cloud, on the duration of the contract between him and the cloud user. The actual physical space, still belongs to them, but they can not own whatever content users publish on clouds.
If courts and legal bodies universally acknowledge the right to privacy for information published on cloud servers worldwide, users will then have a much easier time externalizing, or outsourcing their applications, tools, networks and websites to cloud service providers. But this is not to say that governments can guarantee security from unauthorized access. For commercial users, it is a matter of considering and balancing the budget share saved by externalizing their business against the cost spent for extra security measures, like encryption methods. And in the light of the recent sophisticated attacks that originated from China, targeted at Western companies, private companies must ponder this balance a lot.
With Amazon’s Elastic Compute Cloud already in the business, followed by Microsoft’s Azure engine to be released next month, it is too early to predict with reasonable accuracy that cloud computing is the main solution for the online environment in the next couple of years. It might be reasonable to assume this for the distant future, though, but only if legal provisions will catch up to the technical innovations that are taking place right now.