Microsoft recently announced it's the first major cloud provider to adopt the global cloud privacy standard developed by the International Organization for Standardization (ISO). Auditors verified that Microsoft Azure, Office 365, Dynamics CRM Online, and Intune conform to the standard (ISO 27018) designed to protect personally identifiable information (PII) in the cloud, addressing a fear that users and businesses share in many countries -- especially users, businesses, and governments in Europe.
But what does that compliance really get you?
ISO 27018 is a good starting point to protect personal data, as Microsoft has outlined. But Microsoft has to do whatever legal authorities tell it, so its protections are subject to governments' often secret and inconsistent interpretations of their authority.
That's a sore point for companies such as Microsoft, who believe they are being asked to act as government agents and make judgments on what information to protect and from whom -- or satisfy conflicting demands from multiple governments.
Microsoft general counsel Brad Smith has argued that the appropriate way to find balance between privacy, free expression, and public safety is "through application of the rule of law rather than by asking private companies to make decisions about where to draw lines. ... The Internet and technology [industry] need to be subject to the law; they can't exist outside it."
He's absolutely right. It's not for Microsoft, Google, Apple, or any other private company to circumvent the law. Instead, politicians need to take fresh look at the existing legislation (in many cases, created in the 1980s or 1990s) and update them for modern times. As Smith says, "We need good laws that are designed to ensure that the global nature of the Internet is not sacrificed in the process."
Smith also argues that while national laws should stop at the water's edge (so one country's government can't access data stored in another, as the United States argues it has the right to do), there must be trans-Atlantic rules in place so that law enforcement agencies can work together to ensure both public safety and privacy adherence in a globalized world.
The fact is you cannot have it all. Public safety, freedom of speech, and data privacy are a tough set of issues to balance. But I believe it's doable, perhaps with a blend of new laws and new technology.
For example, remember the uproar when U.S. airports began scanning passengers and showing their digitally naked bodies on screen? That was a prime example of the clash between personal privacy and public safety. Ultimately, after the pubic outcry, the feds forced the scanner makers to show a cartoonlike outline of the scanned people, not their naked bodies, with any suspect materials on or in their bodies still highlighted.
It was a balanced blend, the kind that needs to be figured out in more areas -- but not by private companies like Microsoft. It's for governments and politicians to figure out.
However, both users and private companies may find it hard to trust those governments to find a balanced blend amid recent revelations. For example:
- The National Security Agency in the United States has spied in so many ways on people and companies via secret code on Web and cloud servers and even hard drives
- Britain's equivalent GCHQ has done the same
- European spy agencies have worked together to share the personal data they have surreptitiously collected
As a result, both people and companies -- especially abroad -- are nervous about trusting American companies with their data, even if not stored in the United States.
It's great that Microsoft has adopted ISO 27018 to protect personal information in its cloud services. But that protection is still subject to the whims of various governments, and there are no clear rules as to what protection is assured and in what circumstances.