Cloud Computing's EPIC Problem

News Commentary. What the hell is Electronic Privacy Information Center's problem with cloud computing?

Yesterday, EPIC filed a complaint urging the Federal Trade Commission to "open an investigation into Google's Cloud Computing Services." EPIC is dissatisfied with Google security and the possibility of data breaches.

GOT A TIP OR RUMOR?

EPIC's problem is much bigger than Google, and the organization has gone down this cloud-services-squashing path before. In August 2001, EPIC filed a complaint against Microsoft's Passport service. A year letter, the FTC and Microsoft reached a settlement, and Passport was never the same. Microsoft abandoned its ambitious plans for the service as well as .NET My Services, previously called HailStorm.

Hangman Wants Google
Now EPIC wants Google's neck in the noose, because of last week's security breach that exposed 0.5 percent of Docs to unauthorized access. Let me ask: Are you worried? I get nausea over credit card and other breaches that expose social security and other account numbers. But Google Docs? Good riddance if someone wants to read the Google Doc poem, "Poo Poo Poodle's Last Poo on the Rug."

But EPIC does care and insists that weak Google security will get your identity stolen. Disconcerting: Close reading of the complaint suggests that all cloud computing services risk the organization's ire. From the 15-page legal filing:

The Google Docs Data Breach highlights the hazards of Google's inadequate security practices, as well as the risks of Cloud Computing Services generally. The recent growth of Cloud Computing Services signals an unprecedented shift of personal information from computers controlled by individuals to networks administered by corporations. Data breaches concerning Cloud Computing Services can result in great harm, which arises from the centralized nature of the services and large volume of information stored 'in the cloud.'

Past data breaches have resulted in serious consumer injury, including identity theft. As a result of the popularity of Cloud Computing Services, data breaches on these services pose a heightened risk of identity theft. The FTC should hold accountable the purveyors of Cloud Computing Services, particularly when service providers make repeated, unequivocal promises to consumers regarding information security.

You tell me, am I reading this wrong? Isn't Google just a means to an end for EPIC? The organization sees all cloud computing services as colanders, not stainless steel bowls.

EPIC's complaint is shockingly demanding. The organization wants to take away your Gmail. Among the demains for relief: "Enjoin Google from offering Cloud Computing Services until safeguards are verifiably established." EPIC also wants $5 million in a public fund for privacy research.

Bringing Down the HailStorm
EPIC fights many privacy battles, but none that have me cheering. What about you? In 2001, Microsoft was the big monopoly in town. Now it's Google. With European Union and FTC investigations of Passport as a backdrop in 2001-2002, EPIC aggressively pursued Microsoft and even challenged other cloud computing services. Examples:

• EPIC urges state attorney generals to take action against Passport; January 2002

 

• EPIC claims victory over HailStorm; April 2002

 

• EPIC asks FTC for greater Passport settlement concessions; September 2002

 

• EPIC challenges Amazon Booklist privacy; October 2002

 

• EPIC report dismisses P3P benefits. The technology was one of Internet Explorer 6.0's most important privacy features; November 2002.

There are many reasons why Microsoft abandoned its planned HailStorm suite of consumer services, but EPIC was one of the most important. Microsoft's early century mandate was settlement—to get rid of the legal problems left over from the Bill Gates era. In 2000, he stepped back his role to chairman, vacating the CEO's position to Steve Ballmer. The privacy attacks were too much trouble for the new leadership. Steve and Co. cut their losses.

I've long believed that Microsoft would have stuck to its Passport plans and quite possibly consumer cloud services, if not for EPIC's persistent meddling. Now EPIC is after Google, which shouldn't underestimate the organization's tenacity.

A Common 'Cloud' Problem
But Google's problem is Microsoft's, too, and potentially all cloud computing services. If FTC goes after Google, what precedent will come for other cloud computing vendors—with EPIC banging the drum for stricter oversight?

It needn't be said that a company with as many services as Google should protect customer privacy. Businesses and consumers can easily change search providers or use IMAP to switch e-mail providers. Most businesses have Office; they wouldn't consider switching to GAPE (Google Apps Premier Edition) if there were serious privacy or security problems. Google has plenty of customer conversion and retention reasons to keep information from leaking out. Last week's breach was tiny.

If there are problems, EPIC hasn't identified them. There is an inherent conflict of interest in Google's business model, because personal information, even if unidentified, is a marketable asset. Google collects lots of information that its AdWords and other analytics customers would want to use. The demographic and other data has even more value now, with recession sapping credit and spending and advertising dollars declining.

I would like to someday write the headline "EPIC Fails" about the Google complaint. I may not be able to, if the FTC opens an investigation. Cloud computing has reached a crucial juncture, and cloud services' appeal can only increase as the economy diminishes. Microsoft shouldn't see EPIC's complaint as opportunity for some competition-by-litigation payback. Azure Platform Services, Online Services (e.g., hosted Exchange and SharePoint) or Windows Live could be next.

Microsoft's MIX09 conference kicked off today in Las Vegas. The company unveiled many new tools for developing Web applications and services—the kind of stuff EPIC labels privacy "risks." Now would be a good time for Microsoft and/or its development partners to form a group dedicated to ensuring high standards for protecting cloud computing service customers' personal data.

Some developers will say there is no need. The pieces are already there. Many developers are already doing the necessary privacy and security work. Microsoft provides tools for writing what it calls managed code. The formation of a special group might not seem necessary to Microsoft or its developers. But it would announce their commitment to privacy and security and perhaps later help protect Microsoft developers from meddling regulators, should EPIC get its way with Google.