In the interest of honesty I’ll start this post by saying I’m not a fan of FaceBook and never have been. This is based on two major things:
- If you and I don’t keep in touch through email or phone there is a reason for that. I have no desire to waste time being FaceBook poked by you, participating in your mafia war, or hearing about your interests and daily life.
- Constant issues with questionable or downright unacceptable privacy practices and user data/credential theft.
This post, however, is not that broad in scope; it’s about what we can learn from FaceBook’s privacy failures and how we can apply that to information and services we decide to place on the web and in the cloud. I’m also not stating that FaceBook is in any way a cloud provider; the closest cloud definition FaceBook could be given is FaaS (Failure as a Service). That being said, FaceBook is a web-based service providing an online tool for things you used to do offline (remember the family address book and the yearly holiday card?).
Lately there has been a lot of buzz around FaceBook’s latest major privacy infringement: pushing/selling your data to third-party services in the interest of ‘enhancing your user experience.’ The main issue with what FaceBook has done is not the addition of services which may enhance your experience, or even the privacy sacrificed to get those enhancements; it’s the way they pushed this using an ‘opt-out’ model rather than an ‘opt-in’ model.
- Opt-in: A service or add-on that you must consciously choose to accept in order to gain its features, for example: ‘Would you like to turn on enhanced personalization features for our service (yes/no)?’
- Opt-out: A service or add-on that becomes enabled automatically and may or may not inform you.
If the advanced personalization features of FaceBook were actually a benefit to the end user, then opt-in would have been the way to push them. FaceBook would have provided you a pop-up window detailing the benefits of the new service and the way in which it was done, and you would have happily accepted. Because the new features are really just a pretty face on a new way for FaceBook to profit from the information you store in your profile, they chose an opt-out model and obscured the ability to disable the feature behind a complex, undocumented privacy setting hierarchy that requires a PhD to navigate (the complexity of FaceBook’s privacy policy and options system has been well documented in several other posts; if you have a good link, post it in the comments).
Since this announcement several IT professionals, myself included, have publicly deleted their accounts to spread awareness. The hope is that awareness makes it to the average end user who has no clue about privacy dangers. From my perspective it’s even more important that this information reach children and teens and that they learn the issues with too much public data. Several young people will have a rude awakening when they sit across the desk from a manager during an interview and she/he turns the monitor around to show the job candidate a series of highly unprofessional blogs, pictures, videos, etc. from FaceBook and other sites that are the reason the candidate won’t be getting the job. As a side note to that, marking your profile ‘private’ or deleting it won’t be of any use: FaceBook’s privacy settings won’t help, and any information that touches the web can be retrieved in some way regardless of deletion (http://www.archive.org/index.php, for instance).
So what’s this got to do with cloud?
FaceBook is just one example of privacy and security concerns with placing data/information in web-based services or moving services to the cloud. Another great example would be Gmail. When checking your Gmail through a web browser you’re presented with advertisements targeted at you based on email content. I’m actually a fan of this on the surface: I get non-intrusive text-based ads that are typically somewhat relevant to me, and this pays for the free service I’m using. Now if Google took that one step further and sold keyword lists from my email history to advertisers, that would be a different story (I’m not saying they do or don’t; if I was aware that they did, I would close my account publicly as well). The same could be applied to cloud-based business services such as SalesForce.com: if they started cross-referencing your business data with other hosted companies and selling that, it would be a major concern (again, not saying they do or don’t).
As you decide to use web-based services, cloud-based or not, for business and personal purposes, you need to carefully assess how the data is encrypted, secured, backed up and used. You also need to be very aware of changes to the privacy policies and End User License Agreements (EULAs). This is no small task, as these policies are typically lengthy and change frequently. In every case remember that being skeptical is your best tool. If I walked up to you on the street and told you that for just $100.00 I could teach you how to be a millionaire you’d laugh in my face, so why trust a company that says they can give you the world for $0.05 per Gigabyte?
Summary:
This is not intended as an anti-cloud rant; if you look around my blog you’ll see that I’m a definite endorser of cloud architectures in all shapes and forms. The concept here is that you need to carefully assess both what you move to the cloud and where you move it. Throughout the history of the data center we as an industry have had a tendency to make it work first and worry about security and privacy later. Fantastic security engineers and researchers are working hard to change this behavior; help them out. There is a saying in carpentry that you should always ‘measure twice, cut once’; apply the same to data center and cloud migration strategies.