FTC to examine cloud computing privacy concerns

Published 7 January 2010

The FTC says it wants to examine potential threats to consumer privacy and data security posed by cloud computing services; David Vladeck, director of the FTC’s Bureau of Consumer Protection: “The ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities in ways not originally intended or understood by consumers”

In a development likely to be closely watched by Google Inc., Amazon.com, Microsoft Corp., and other vendors, the Federal Trade Commission (FTC) is examining potential threats to consumer privacy and data security posed by cloud computing services.

Computerworld’s Jaikumar Vijayan writes that the agency will hold a roundtable session on 28 January, and another later this year,to gather information from industry stakeholders and to study ways of protecting consumer privacy in cloud environments.

The FTC plan was also detailed in a letter sent last month to the Federal Communications Commission (FCC). The letter was filed in response to a request for comment on a national broadband plan that is being drawn up by the FCC. In its letter, the FTC said it wants to be sure the FCC pays attention to technologies such as cloud computing and identity management in drawing up its plans.

The letter, signed by David Vladeck, director of the FTC’s Bureau of Consumer Protection, highlighted some of the cost benefits of cloud computing services but also expressed concerns at the associated risks. The letter, dated 9 December, was dug up by The Hill blog, which reported the story earlier this week.

The ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities in ways not originally intended or understood by consumers,” Vladeck warned.

Vijayan writes that the FTC is also considering how businesses can strengthen identity management practices, such as user authentication and credentialing, to protect consumer privacy on the Internet, Vladeck wrote in his letter.

The roundtable scheduled for 28 January is the second the agency is holding on online privacy issues. The first one was held in December and focused on the risks associated with online information collection and use, behavioral advertising, consumer expectations relating to privacy on the Internet and the adequacy of legal mechanisms.

In addition to the daylong roundtable discussions on consumer privacy and data security in cloud environments, the FTC will also seek comments and original research on the topic from industry stakeholders, Vladeck said.

The FTC’s interest in cloud computing comes even as companies such as Google, Microsoft, Amazon, and social networking sites such as Facebook are rushing to offer an array of cloud-hosted applications for consumers. The trend has triggered alarm among privacy advocates who are concerned about increased consumer tracking and data collection by the service providers.

At the December roundtable many privacy advocacy groups called on the FTC to stop relying on industry privacy self-regulation. The groups asked the FTC instead to issue a comprehensive set of Fair Information Principles for the Internet for the digital era, and to abandon its previous notice and choice model for companies. Among those calling for such changes were the Center for Digital Democracy, the Electronic Privacy Information Center, the Consumer Federation of America and the World Privacy Forum.