European Governments Staying Out of the Cloud

Providers of cloud services in Europe are having problems selling to some of their biggest potential customers: national governments.
Concerns that data collected by government agencies could ultimately be sold to third parties have prompted some entities to postpone efforts to move their databases to the cloud, making Europe a far less promising market for such services than the United States.
In October, the House of Lords in Britain delayed a plan to let government agencies combine their databases to improve voter registration rolls. Some had already moved data to the cloud, and mixing information with the cloud-based databases was considered too risky.
“In the end, the House of Lords basically decided to take a go-slow approach,” said Lord Reid, a member of the chamber.
The fears may be well-founded. According to SafeGov, a Washington-based group that advises governments on cloud services, the privacy policies of companies like Microsoft and Google do not precisely lay out how they would protect government data from being sifted for information on individuals, which is particularly valuable to advertisers and other marketers.
SafeGov is urging both companies to pledge publicly not to mine government data and to include clauses binding them to that promise in their contracts. Microsoft and Google, in statements, insist they have done so, but questions persist.
“We have spent a lot of time looking at the privacy policies of the cloud providers in the public sector,” said Jeff Gould, an expert for SafeGov and the chief executive and research director of Peerstone Group, an information technology consultancy. “Our conclusion is that some of them have policies that, whether by design or accident, allow them to conduct data mining of user information for purposes not related to the public-sector mission.”
That uncertainty has some European governments seeking extra assurance before moving their data onto the cloud.
In September, the Norwegian data protection regulator, Datatilsynet, allowed two cities, Narvik and Moss, to use Google Apps and Microsoft’s Office 365, but only if the companies stipulated they would refrain from mining data. The towns must also arrange independent audits to ensure that the information is handled properly.
In the United States, a range of American companies, including Lockheed Martin, I.B.M., Oracle, General Dynamics, Northrop Grumman, Google, and Microsoft, are now serving government agencies.
The U.S. government will spend $4.7 billion on cloud computing services and associated infrastructure in 2013, according to Market Research Media, which is based in San Francisco. By 2018, annual spending on cloud services will grow to $10 billion, or about 11 percent of U.S. government spending on information technology, the firm estimates.
Breaking into the government market is “a dream” of any information technology firm, said Daniel Miller, an analyst with Market Research Media. “Microsoft and Amazon are there with just a tip of one leg. Google is only making inroads. Why would these companies compromise years of hard work for some mythical and doubtful mining benefits?”
Concerns in Europe over the sanctity of public data in the cloud surfaced in October after the data protection regulator in France, CNIL, criticized what it said were inadequacies in Google’s privacy policy. The agency criticized Google’s practice of tying together data on individuals from across its services, which the regulator said could be mined for commercial purposes. Google has said its policy conforms to European law.
But the regulator’s warning will put skittish European governments even more on edge, said Lord Reid, who served as Britain’s home, defense and Northern Ireland secretaries under Prime Minister Tony Blair. Lord Reid is also a principal for the Chertoff Group, a Washington-based consulting firm set up by the former U.S. secretary of homeland security, Michael Chertoff.
“I think there has been a recognition that the cloud offers great efficiencies,” Lord Reid said. “There has also been an awareness of the vulnerabilities and potential misuses.”
Karen Evans, the chief information officer for the U.S. government from 2003-09, said most cloud service companies had been reluctant to give ironclad, verifiable guarantees that they were refraining from mining government data in the cloud. While there are stringent certification guidelines for companies that sell cloud services to the U.S. government, Ms. Evans said there was a lack of regular, independent auditing to make sure companies abided by the rules.
“If you ask, they all say they are meeting the government’s rules,” said Ms. Evans, who is a co-founder of SafeGov. “Microsoft says they are. Google says they are. You have everybody saying, ‘Yes, we are doing this.’ What you don’t have is a procedure in place to check every year.”
Representatives for Microsoft and Google said the companies were meeting the requirements in U.S. government contracts that protect the public’s data, and that each company inserted binding language in contracts that prohibited data mining.
“What goes in a contract is what matters,” said Stephen McGibbon, the Microsoft chief technology officer for Europe, the Middle East and Africa. He emphasized that Microsoft charged governments for the cloud services, and did not finance them through advertising.
Microsoft is “75 percent of the way” toward providing a trustworthy guarantee to government clients, said Mr. Gould of SafeGov. Microsoft has posted a statement on its Web site pledging to refrain from mining the data that government clients enter into its Office 365 cloud service.
But Mr. Gould said that was only a “marketing promise” that needed to be elevated into a legally binding privacy policy.
SafeGov is more critical of Google, saying the ad-driven nature of the company’s business carried more risks for governments, Mr. Gould said.
“The data mining business model accounts for 98 percent or more of their revenue,” he said. He added that SafeGov had no fundamental objection to Google’s approach but that there needed to be a clear line between advertising-supported services and services provided for a fee.
Google, in a statement, said its government cloud customers, which include the U.S. General Services Administration and the Lawrence Berkeley National Laboratory, have vouched for the integrity of its service and handling of data. But the company declined to state that its government contracts barred the company from mining data.
“Our government customers have refuted these false claims,” Google said in its statement. “Enterprise customers using Google Apps for Government have individual contracts that define how we handle and store their data. The confidentiality and security obligations provided in our contracts supersede the Google Privacy Policy.”
Dan Cruz, a spokesman for the U.S. General Services Administration, said the government’s contract with Google includes strong privacy controls.
“Not only are there strong security and privacy provisions in the contract, but G.S.A. assesses compliance through control testing and periodic audits,” Mr. Cruz said.
In reporting this article, the International Herald Tribune was provided with a memo asserting that many of SafeGov’s partners had direct or indirect business dealings with Microsoft.
Microsoft Government, the public sector arm of Microsoft, is listed as a SafeGov “partner” on the group’s Web site. Mr. Gould, the SafeGov expert, said he had served in the past as a consultant to Microsoft, but also to I.B.M., S.A.P. and Oracle, among others. The Chertoff Group, where Lord Reid is a principal, is also a member of SafeGov.
Mr. Gould rejected the suggestion that SafeGov was a Microsoft front group, motivated by competitive reasons to criticize Google.
“Look, we have never made a secret that Microsoft is one of our partners, but SafeGov does not work directly or indirectly for Microsoft,” Mr. Gould said.
He noted that SafeGov was criticizing not just Google, but Microsoft, and to an extent, Facebook, which does not provide services to U.S. government agencies but is used informally by many schools.
The issue, he said, is that Microsoft and Google “have allowed a certain amount of ambiguity to creep into their public statements on the issue of data mining.”
“We think that both of them can and should correct the record,” Mr. Gould said, “and that doing so will not only not harm their business models, but will help public sector customers all over the world to have confidence that cloud computing is safe and reliable.”
