Proposed new cloud privacy rules could backfire

Tech firms and advocacy groups come together to seek new regulations -- that could turn out to be disastrous

Privacy advocacy groups and tech vendors -- the Electronic Frontier Foundation, the ACLU, eBay, Google, and Microsoft -- are urging Congress to revise privacy laws to regulate user information on the cloud. Ther vendors support the changes because they fear that without regulation and privacy guarantees, people could become uncomfortable with the cloud. While reasonable in concept, the ideas may not work.

The fact of the matter is that the United States has not updated its privacy laws since 1986. With the rapid rise of cloud computing and the fact that more and more sensitive data will be stored off-premise, many believe it's high time to revisit those rules to accommodate today's reality.

[ Fine-tune your network in two weeks -- for free! InfoWorld's Networking Boot Camp will help you double-check the fundamentals and show you how to optimize your infrastructure. The email classes start Monday, April 12, 2010. Sign up now! ]

But I always get a bit nervous when software specialists, now involved with the cloud, work with the government to create new laws. Here are a few of my issues.

First, regulations have a tendency to stultify innovation as providers make sure they adhere to these new and typically confusing rules. We've seen this issue with the financial reporting guidelines that began to appear earlier this decade, and the proposed cloud privacy laws will initially have similar results.

Second, any regulations that dictate privacy requirements and mechanisms will be outdated pretty much by the time they pass Congress. Other issues will arise, and unless there is a dedicated agency constantly updating the regulation, matters will quickly become dysfunctional -- but please don't create another dedicated agency for this!

Finally, it's a new world order in the cloud. These regulations won't extend to other countries. However, other countries will follow with their own regulations, which will make the situation even more onerous.

So what should be done? The real work needs to be carried out by industry, meaning cloud providers, IT pros, and users -- you and me. We need to come together around detailed requirements regarding privacy and security, and we have to stop writing conceptual white papers. This means setting lines in the sand around how data is encrypted at rest and in flight, what access controls needs to be in place, and detailed enabling standards to make all of this work together.

It's pretty simple, unless you get the government involved -- then expenses increase and productivity decreases.

This article, "Proposed new cloud privacy rules could backfire," originally appeared at InfoWorld.com. Read more of David Linthicum's Cloud Computing blog and follow the latest developments in cloud computing at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.

How to choose a low-code development platform