Peter Fleischer of Google at the IIEA – Cloud can be good for Privacy

On Wednesday, the IIEA (The Insititute of International and European Affairs) hosted a key event in Dublin about the ongoing implications of Policy for the Cloud. Speaking were Peter Fleischer of Google  (Link to Blog) and Billy Hawkins, Data Protection Commissioner.

Click Video to play. Copyright and original video from the IIEA.

What I found heartening was  the praise that Peter and Google had for Ireland, the commissioners depth of knowledge and positivity about security in the cloud, and the extent of the crossover (although with healthy differences) between the views of the commercial and governmental speakers. My notes on Peter’s talk are below – my most important point to takeaway being that the Cloud, done right, can actually enhance privacy and transparency for users, compared to the status quo.

What does the Cloud mean for Google?

  • Physical architecture, number of different elements e.g. Data Centre, networks, software; These all tie into policy issues
  • Google has Data centre in Dublin ‘number of years’ – Irish cool climate has advantages here.
  • Cloud is a “Bunch of services” – focus until now consumer services , moving into the  Government and Business space – e.g. Google Apps.
  • Cloud can also been seen as a Platform, Social Networking sites and as different model of computing –  remote , only local need is a browser. This is a  fundamental paradigm shift from the past 20 years.
  • Chrome is Google providing a browser for the cloud environment, expect more developments in this regard.

Privacy in the cloud

  • Give users transparency and control
    • Cloud remote storage not inherent problem for privacy, given that it enables transparency not possible before with existing paper or scattered computer systems.
      • E.g. Previously theoretical rights to access data held by companies, now this is a real, enforceable rights. An example is Google account Dashboard - which shows all data that Google holds about you.
      • e.g. Google Ad Preferences; Google think that there is a demand for good, targeted Ad’s so they let you see, change your preferences , or you can opt out.
  • Needs predictable applicable law and standards
    • Law Still in flux; so many different theories of which law applies – is it determined by the location of the server, user or  corporation? What is the definition of equipment – actual server machine or cookie on users machine) ? In theory, everybody could claim jurisdiction over all clouds . How do companies know what to do?
  • Transparency and rules for Government access to user data.
    • Breach notification regimes; Need for clear and common thresholds for when breaches of security / user data need to be notified

Peter’s view on current Cloud Policy

  • Location of data as key but obsolete concept – prefers Canadian concept of organizational accountability. Historically data did have a physical component that no longer holds true. Location changes often due to backups or other Moves for efficiency purposes
  • Controller-processor model doesn’t fit – what not create one for the cloud?
    • E.g. Audit requirements on users of cloud services  – can the users ‘audit’ a cloud provider– are they expected to visit each and every data centre (and what would they see if they gained access?)
    • Replace with certification of compliance e.g. binding protocol for the cloud
  • Applicable law vague (“make use of equipment”) – what law should apply , who should apply it
    • Either agree global standards, or risk balkanization of the web.