Privacy and security concerns are coming together to form another question mark over the IT industry, including cloud computing and big data. In order to properly assess these concerns, it is useful to begin by considering different ways to think about privacy and security. At the risk of some simplification, consider three alternatives that range from weak to strong privacy protections. Starting at the weak end, one can view privacy and security as tradable commodities. We believe in the right to be left alone and to feel secure but are willing to give up some of the protections afforded in order to achieve other goals. This increasingly includes the decision to trade some of our privacy and security to live in the cloud by posting on Facebook or Twitter and downloading videos from Apple’s iCloud. For the ability to do these things, we risk losing some of our identity to hackers or giving up information about ourselves, including the content of our postings or the profile established by our purchases, to the companies that provide the service, as well as to outside parties that purchase information about us from Facebook, Twitter, and Apple. Sometimes the deal with a cloud provider is not clear. I know a person who, after letting her Facebook friends know about a serious illness, began receiving ads for “bucket lists.” Of course, she wasn’t looking for a bucket list when she gave up some of her privacy in order to let friends know about her health issue. Nor was the person who started receiving ads for multiple sclerosis support services after doing an online search of sites devoted to the condition (Singer 2013). The outcome is not always this offensive, but it can also be worse, as when innocent online searches for pressure cookers and backpacks led to a home visit from six members of a terrorism task force, who, we soon learned, regularly check on people whose use of the Internet provokes suspicion (Bump 2013). 
Whether the deal is clear or not, in this first view, privacy and security are among the several things we desire, and we make choices about them in the context of other things we want.
In the middle of the continuum, privacy and security are no longer tradable commodities; rather, they are untradable values that define a citizen’s right to be left alone and secure from violations. From this perspective, there is no trade-off in money, services, or goods because privacy and security are not commodities. Rather they are rights to freedom from identity loss and from physical or mental violation. Seen from this point of view, law and custom should protect the right to be left alone, which cannot be taken away without violating a right of citizenship and therefore cannot be traded for money, goods, or services. When Google, Amazon, or Microsoft tracks us, we lose some of our privacy. What we appear to get in return is actually unrelated to privacy. It is a service provided by the company for which we might or might not pay. But since, from this point of view, privacy is not a commodity, we cannot use it as a currency. When we agree to a website’s “privacy policy,” we are actually only accepting that we know about its privacy violation policy. We rely on government to protect this citizenship right, and when it allows corporations to diminish our privacy, or when government itself takes away our privacy and security, it is failing to uphold a fundamental right.
Both of these approaches provide useful ways of thinking about privacy and security. But they are weak in conveying a sense of what privacy and security do for us or why we should care deeply about them. For that we turn to a third perspective that tries to address these points as it provides the foundation for the strongest privacy protection. According to this view, privacy and security are significant means of providing the space, the breathing room, or the buffer between our selves and the world that is necessary for self-development. They offer an essential space between the individual and the world, including those elements of the world that might benefit from taking, purchasing, or otherwise carrying out surveillance that violates this space and makes it more difficult to safely develop a self and an identity. In this reading, privacy violations are attacks on our capacity for self-development.
Dissatisfied with what they perceive as weak versions of privacy and security that fail to address why these values are important, a number of observers and scholars have adopted the self-development perspective. As writer Jathan Sadowski explains, “Since life and contexts are always changing, privacy cannot be reductively conceived as one specific type of thing. It is better understood as an important buffer that gives us space to develop an identity that is somewhat separate from the surveillance, judgment, and values of our society and culture” (2013). Scholars have deepened this view. For law professor Julie E. Cohen, it means “creating spaces for play and the work of self-making” (2013, 1911). For Woodrow Hartzog and Evan Selinger, privacy protection goes well beyond keeping businesses from gathering information about us for profit; privacy—or, in their terms, obscurity—is essential for democratic societies because it guards “autonomy, self-fulfillment, socialization, and relative freedom from the abuse of power” (2013). Finally, for Michael Lynch, privacy is essential for the growth of human autonomy; putting it in strong terms, he insists, “However we resolve these issues, we would do well to keep the connections between self, personhood and privacy in mind as we chew over the recent revelations about governmental access to Big Data. The underlying issue is not simply a matter of balancing convenience and liberty. To the extent we risk the loss of privacy we risk, in a very real sense, the loss of our very status as subjective, autonomous persons” (2013).
When Facebook develops tools, like the social search engine Graph Search, that combine pieces of our identity with third-party data and then markets this information to advertisers, it takes over the space of self-development, limits our breathing room to carry out the task of forming an identity, and lessens our ability to develop the autonomy necessary to live as citizens in a democratic society. It turns citizens into data points, commodifies their identities, reduces democracy to another act of consumption, and leaves less room for genuine autonomy. Attacks on privacy and security are not just matters of trade or abstract rights; they diminish our psychological and social well-being, a point often submerged in debates about the impact of privacy legislation on commerce and politics.
Privacy is a perennial issue in communication, especially since the arrival of media technologies in the mid-nineteenth century. With the telegraph and then the telephone, people learned to trust strangers with their secrets. One way to build trust was to promise that messages would remain private and secure, even if that required close surveillance of those who worked the telegraph key and delivered messages, as well as those who took call requests at a switchboard. In the 1960s, as television was transitioning into cable and experiments in “interactive” video previewed a future of on-demand entertainment, people learned quickly, to the embarrassment of some, that the systems making it all possible also kept a record of the choices made. Later, the worry grew when video stores kept track of rentals, first of cassettes and then of DVDs. Questions arose regarding the public’s right to know about a politician’s viewing habits, questions that could not feasibly be raised in the “rabbit-ear” broadcasting days. The Internet upped the ante by globalizing once largely local privacy and security issues.
Cloud computing is the next step—neither a simple extension nor a radical rupture in the challenges it poses for privacy and security. By definition the cloud raises serious concerns in these areas because it entails moving all data from relatively well-known settings where the home computer hard drive is under personal control or the computer at work stores data behind an employer’s firewall at an on-site data center. These certainly do not guarantee privacy and security, but the move to the cloud diminishes them further. It is one thing for a scholar to keep data on a laptop or portable hard drive or, to save space and money, on a university server. It is quite another to relocate data to the servers and data centers of businesses with whom nothing more is shared than an impersonal, customer-company relationship. There are many layers to the privacy and security problem with cloud computing, including growing opportunities to hack and steal data, incentives for companies to make commercial use of cloud data in various forms of surveillance capitalism, and opportunities for governments to use cloud data to track people within and beyond their borders and to apply their own laws to data originating outside their boundaries, giving rise to a surveillance state.
A headline on the Washington Post Ideas@Innovation blog wondered, “Is This the Year Everybody Gets Hacked?” After near-daily accounts of one hacker after another successfully attacking the sites of some of the biggest players in the cloud, it was hard to consider this hyperbole (Basulto 2013). After all, it was only February 21, 2013, and already Facebook, Twitter, and the once invulnerable Apple had been hacked. Four days later, as if in response to the question, hackers struck Microsoft. It is difficult to say what precisely the attackers were after, but experts agreed that they were probably looking for customer data or proprietary company information for which black market customers might pay top dollar to better tailor phishing attacks (M. Schwarz 2013). In April, the Twitter account of the Associated Press news service was hacked and a tweet posted announcing a White House bombing that had seriously injured President Barack Obama. In the ensuing brief panic, stock markets dove, and both Twitter and the Associated Press were left to issue major apologies and promises of solutions. This hack followed closely on the heels of similar attacks on the Twitter accounts of Burger King and Jeep (Romm 2013b).
Arguably the award for the biggest hacking story of the new year went to a February 19 report that China’s People’s Revolutionary Army was responsible for systematic hacking attacks directed against American corporations and government agencies. Attacks included the theft of terabytes of data from Coca-Cola, once involved in a feud with the government of China. Significant as this strike against the world’s leader in soft drinks was, security analysts believe that attackers care more about companies responsible for critical infrastructure projects, including electrical power grids, gas lines, and waterworks (Sanger, Barboza, and Perlroth 2013). A survey of U.S. companies with businesses in China concluded that about a fourth claimed to have been hacked (Reuters 2013b). Details remained murky, and it was reasonable to wonder about the connection between the proliferation of hacking reports and the U.S. government’s drive to pass controversial cyber-security legislation that itself raised privacy questions because it would increase information-sharing between intelligence agencies and private companies (Finkle 2013). Furthermore, as two hacking experts note, “It’s good business today to blame China. I know from experience that many corporations, government and DOD organizations are more eager to buy cyber threat data that claims to focus on the PRC than any other nation state” (Raimondo 2013).
The United States was not just on the receiving end of cyber-attacks. Particularly notable was one it launched with Israel to send the malicious Stuxnet malware to disrupt Iran’s nuclear program. China also claimed that the United States was responsible for massive cyber-attacks on its computers and data centers, especially those containing sensitive military data. According to a spokesman for the defense ministry, China’s two main military websites are under constant attack from the United States: “Last year, the Chinese Defence Ministry website and Chinamil.com were attacked 144,000 times a month on average. Attacks originating in the U.S. accounted for 62.9 percent” (Hille and Thomas 2013). Moreover, China’s Huawei, a world leader in the provision of telecommunications equipment, which itself has been charged with stealing sensitive data in the United States, Australia, and Canada, maintains that its computers are attacked about 10,000 times a week (ibid.). For the People’s Daily, “In fact, it is America which is a real hackers’ empire worthy of this name” (ibid.). Indeed, given the connection revealed by Edward Snowden between Verizon and the National Security Agency (NSA), even Western experts wonder whether the special attention to Huawei is justified since we now know that at least one of America’s telecommunications giants has been directly involved in massive cyber-surveillance (Pilling 2013). Furthermore, Snowden’s contention that hacking attacks on Hong Kong and China have emanated from the United States for years did not help the American claim that China is the primary source of cyber-mischief (Lam 2013).
All of these attacks and counterattacks called the security of the cloud enough into question to lead some well-respected experts to argue against adopting cloud computing (Darrow 2013; Stapleton 2013). According to the Privacy Rights Clearinghouse, in the first two months of 2013, twenty-eight breaches attributed to hackers were made public, resulting in the loss of 117,000 data records (Gonsalves 2013). If hackers can steal data from some of the largest computer and social-media firms, the largest soft-drink company in the world, and vital infrastructure companies, then whose cloud data is safe? Indeed, among the many attacks reported in the winter of 2013, one that stood out made use of cloud computing facilities to launch a concerted attack against major U.S. banks. Here the major suspect was Iran, perhaps in retaliation for Stuxnet. However, the most interesting part of the tale was not the culprit but the means. Hackers mobilized the combined resources of several cloud data centers to create what one account called their own “private cloud,” from which they launched denial-of-service attacks that disrupted service for customers of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, and HSBC, among others (Perlroth and Hardy 2013).
These hacking attacks are just those publicly reported. Many others are known only to those affected because organizations do not want to call attention to their vulnerabilities or to those they believe are responsible. In fact, there is considerable debate in business and government about whether attacks should be revealed at all. As one expert argued, “This is just the tip of a vast iceberg, and the overwhelming majority of companies today are terrified of talking too publicly about the issue, for fear of suffering stigma or sparking panic. That means it is tough for any outsider to get precise information about the overall scale of attacks” (Tett 2013). The culprits also vary considerably from individuals intent on demonstrating their prowess, to genuine thieves out to steal identities, company secrets, and money, to others who are looking to disable corporate systems and critical infrastructure (New York Times 2013b). Far from diminishing security threats, the move to the cloud increases them. That helps to explain why attacks on U.K. businesses went from two a day in 2010 to five hundred a day in 2012 (Robinson 2013). As one analyst explained, “All the vulnerabilities and security issues that on-premise, non-virtualized and non-cloud deployments have still remain in the cloud. All that cloud and virtualization does is enhance the potential risks by introducing virtualization software and potentially mass data breach issues, if an entire cloud provider’s infrastructure is breached” (Gonsalves 2013).
Compounding the problem of hacker attacks is that, for all the charges and countercharges, there is genuine uncertainty about where they come from and why. When it appeared that China was going after computers operated by the company that monitors more than half the oil and gas pipelines in the United States, the company set out to determine why they were doing it. Were they interested in bringing down a major piece of American infrastructure in the event of a military confrontation, or were they just trolling for secrets to pass on to China’s utilities? Six months after the attack, American officials claimed that they still did not know. The same was the case with attacks against five multinational energy companies in 2011. They appeared to come from China, but no one knows for sure and certainly not why. Moreover, U.S. security experts are uncertain about which is the bigger threat, China or Iran. The latter, they suspect, continues to work on retaliation for Stuxnet but lacks the technical sophistication of China. But no one knows whether either is a primary threat given the number of operations emanating from all over the world, including from within the United States (Perlroth, Sanger, and Schmidt 2013). Indeed, given the mountain of revelations about the NSA, it is reasonable to conclude that the major threat to the privacy of communication and information in the United States, and perhaps the world, is the electronic surveillance operations of the NSA, other U.S. intelligence agencies, the Pentagon, and their partners in the United Kingdom, Canada, Australia, and New Zealand (Bamford 2013).
More than external attacks violate privacy and security. The very act of maintaining these protections can bring down computers, a demonstration of the often repeated principle that complex systems fail because they are complex (Perrow 1999). In order to block unauthorized access to their cloud services, some companies deploy the HTTPS protocol, which relies on certificates that require regular renewal. In February 2013 Microsoft failed to renew the certificate to run its cloud service Azure, leading to a worldwide shutdown of its main cloud services. The embarrassing failure kept Azure users from accessing files stored in Microsoft’s data centers. Even after four hours, customers were still only able to see the statement “We apologize for any inconvenience this causes our customers” on the company website (Ribeiro 2013). In this case, systems set up to protect the privacy and security of cloud services led to a global crash. The Microsoft case demonstrates that even when armed to the teeth with security protection, cloud companies are not guaranteed to