Federal cloud computing gets privacy nod from ACLU

Amid a growing push by the Obama administration to shutter money-sucking federal data centers, the American Civil Liberties Union says it is not nervous about the risk of privacy breaches from storing government records remotely in the cloud instead.

Outsourcing IT infrastructure and operations to third-party companies in the cloud, while potentially a money-saving gambit, means giving up control of data, security -- and privacy. But agencies are starting to get comfortable with remote-controlled computing. Security safeguards are in the works under the Federal Risk and Authorization Management Program, or FedRAMP. And privacy advocates don't seem to be standing in the way.

"Largely we haven't been as concerned about the privacy implications" of cloud computing, ACLU legislative counsel Chris Calabrese said. "The expert consensus is that, if handled properly, cloud computing can be more secure" than on-site maintenance.

Security upgrades are automatic in a centrally managed environment, because updates do not have to be installed on individual systems, and cash-strapped agencies gain protections they couldn't otherwise afford by leasing server space from companies with stronger security, such as Amazon and Microsoft.

This week saw a flurry of activity on the cloud front, with the General Services Administration on Tuesday announcing it has become the first department to finish moving all its employees -- 17,000 email users -- to Google's professional Gmail suite. The same day, two industry groups released dueling recommendations for policymakers on how to expand the cloud marketplace. And on Wednesday, the chairman of the Senate's government information technology panel and the federal chief information officer were set to hold a summit on the rewards and hardships of cloud computing.

The administration says it will pocket $3 billion by winding down operations at 800 of the government's more than 2,000 data centers and logging on to cloud services instead.

Still, some civil liberties issues that involve Justice Department activities have yet to be settled.

One of the ACLU's worries, which is shared by industry, stems from the legal uncertainty surrounding people's Fourth Amendment rights in the cloud. Outdated technology laws, mainly the 1986 Electronic Communications Privacy Act, are supposed to protect emails, telephone conversations and other electronic transmissions from wiretapping, but do not address government surveillance of private data stored on the Internet.

Civil liberties groups and private companies have called on Congress to amend ECPA so that government authorities cannot search through cloud-based data and communications without a warrant.

"Our concern is the need to update ECPA so that it treats cloud computing the same way your personal computing at home is treated," Calabrese said.

The TechAmerica Foundation, one of the business groups that issued proposals Tuesday, called reforming ECPA "critical to clarifying the legal conditions under which U.S. cloud providers and their customers will operate." Foundation officials also noted various organizations back the idea of aligning rules for government access to cloud-based data with rules for access to data stored in-house.

Firms also want the U.S. government to resolve conflicts with international partners over records stored in each other's data centers, especially disagreements with countries, such as those in Europe, that have tougher privacy restrictions.

"These discussions should build on existing agreements and arrangements with other nations (e.g., expedited Mutual Legal Assistance Treaties and bilateral and multilateral agreements)," TechAmerica wrote. Policies will "help overcome misunderstandings and confusion around the U.S. position on privacy; where uncertainty may be causing multinational and foreign organizations to avoid U.S.-based clouds or cloud computing altogether."

A competing report from the Software and Information Industry Association, which discourages cloud-specific regulations, appealed for privacy regimes that are compatible with those in other countries and respect other nations' policies as far as possible.