Three of the hottest topics in IT are the cloud (let someone else do all the work while you reap the results), security (protect yourself from anyone who would damage your equipment, reputation or pocketbook) and privacy (make sure others mind their own business, not yours). But as users hand over more of their computing, storage and networking tasks to ever-larger companies, can security and privacy survive?
The Cloud: Centralization Versus Decentralization
One of the beauties of the Internet (and other computing technologies) is that it is a decentralizing force. Consider the case of music: the connectivity of the Internet means that musicians no longer need recording companies to deliver their art to the offices and living rooms of listeners. Fans can thus connect directly with musicians without going through the middle man of mega corporations. The same trend is influencing other areas as well, such as education. Even government schools are beginning to rely on resources such as the Khan Academy, and other online knowledge bases abound (such as MIT’s OpenCourseWare).
Contrast this decentralization with the results of an important economic driver of the cloud: larger scale means lower cost. Thus, the cloud relies heavily (although certainly not exclusively, at this point) on huge data centers run by large companies. Although the Internet is a decentralizing force, the ownership of the means of that decentralization is increasingly centralized. And mobile computing is a major driver of the cloud.
As users demand the ability to access their data from anywhere and at any time, the old desktop computing model increasingly fails to meet user requirements. Mobile devices usually run on batteries, meaning they must conserve energy as much as possible to provide maximum operating time. So why not offload battery-draining tasks to someone else (i.e., to the cloud)? Furthermore, cloud-based data storage makes accessing user information easier: no longer does that access require physical presence at a particular device (such as a desktop computer), nor does it even require that a particular device be on and connected to the Internet. Someone else (whoever that might be) stores the data and sends it to whatever device the user is operating at the time. The cloud is also a means of data backup, practical pay-as-you-go access to vast compute resources and expanded networking capabilities.
Although neither centralization nor decentralization per se is ideal, centralization poses certain dangers to both privacy and security that cannot be ignored. For instance, when the critical data of a large number of users is stored in one place (whether physically, logically or corporately), any party that wants to access that data has only one target, not many (which would be the case if everybody kept private data on their own desktop computers). Such parties might be hackers, IP thieves or even governments. On the other hand, centralized data repositories, owing to their scale, can implement stronger security measures. But one thing the history of computing technology has shown is that regardless of the security system, someone will eventually figure out a way around it.
Social networking sites—Facebook in particular—are goldmines of private information. And if you don’t think more individuals and organizations will try to exploit it, you’re not reading the news. For instance, ZDNet notes in a recent article (“Teacher’s aide fired for refusing to hand over Facebook password”) that increasingly, employers are reviewing Facebook pages as a means to learn about employees and potential employees—but even worse, some are demanding access to private (i.e., shared only among friends/contacts or even limited to the user alone) Facebook information. Next time you apply for a job, you may be asked to hand over your Facebook password. And lest you think that your government will protect you (it may or may not pass some kind of law, and it may or may not follow that law once it passes), the offender cited in the ZDNet article is an elementary school—a branch of government.
You could probably construct a really good conspiracy theory around Facebook. The CIA/NSA/name-your-alphabet-soup-federal-agency need not plant bugs in every home—it can just log on to Facebook to find out what you’re doing every minute. It has essentially outsourced to the population the task of spying on themselves and on each other. Maybe that’s farfetched, but the practical results are the same. The centralized, cloud-based resource (Facebook, in this case)—even though it connects people and provides a service in high demand—creates a great temptation to those who want to discover private information. And this quest need not even require attempts to breach security measures, particularly when users willingly hand over their passwords!
The same problems with centralization abound in other areas, such as medical data. Yes, arguments abound that electronic medical records are important to saving lives; it’s easy to conceive of scenarios where fast access to records at another health-care provider, for example, can be the difference between life and death. Equally conceivable is that governments are intent on implementing electronic records for their own (probably less than savory) reasons.
Measures, Countermeasures and Counter-Countermeasures
Centralization of user data in large cloud data centers means that hackers (or any other party) have fewer targets in seeking to obtain the sensitive information of numerous users. Why steal wallets for credit card numbers when you can just hack PayPal or some similar site? Although such companies have the means to implement stronger security, someone will always—given enough time and motivation—find a means to circumvent those measures. In terms of security, centralization of compute and storage resources in the cloud isn’t necessarily superior to decentralization (into millions of desktop computers, for instance); each poses its own challenges.
Centralization and decentralization are two forces that are most beneficial to society when properly balanced. The Internet is a force for decentralization (of a variety of resources and goods) in an overly centralized society. But the cloud also raises some concerns, as large amounts of private data are stored by companies, creating prime targets for hackers, governments and others in search of confidential information. The increasing push on the part of employers to gain access to potential employees’ private Facebook accounts (not public posts and other information—private information protected by a password) illustrates this danger. Of course, one might argue that employers have the right to ask, employees have the right to refuse and it’s ultimately no one’s business. In some sense, that may be true.
But similar dilemmas can arise in the case of less voluntary interactions. What happens when the district attorney demands your Facebook password, or else you will face a slew of charges? (And who cares if they’re valid or not—you still have to pay a lawyer to defend yourself, so the DA at minimum has financial leverage over you.) Part of the problem is that not only does access to your Facebook account reveal your private data, it reveals the private data of your friends as well—meaning the DA can get to someone else through you. In light of such frightening scenarios, care is needed with regard to balancing the convenience and benefits of the cloud with the dangers that it poses via a centralization of resources. And striking the right balance may simply require years of trial and error.