NNSquad - Network Neutrality Squad
[ NNSquad ] Trusting Your Friends -- and Trusting the Cloud
Trusting Your Friends -- and Trusting the Cloud http://lauren.vortex.com/archive/000733.html Greetings. Internet "cloud"-based services, both for data storage and as computing resources, are expanding rapidly, and have become a flash point of controversy among some persons in the computer science and privacy fraternities. On various discussion lists and forums, dialogues about the value and risks of "cloud computing" have devolved into name-calling and impassioned arguments about whether the term "cloud computing" itself is somehow misleading -- with suggestions that data storage services (where encryption is more easily applied by users) should be considered separately from remote computing services -- sometimes called "SaaS" (Software as a Service). I'm more interested in issues than word wars, so for now (despite the related complaints that I'll receive) I will continue to refer to this entire area as "cloud computing" -- "the cloud" for short. Some other time we can have a technical discussion of cloud computing's benefits and risks. But there are a couple of truths about the cloud that are in my opinion undeniable, and are too often lost amidst the forest of technical details. Realize this: The future of computing and communications will increasingly be Internet cloud-based. There is no escaping this truth. The complexity of the services that will be demanded by persons around the world will increasingly be impractical to provide wholly through traditional locally-based resources. Despite ever more encompassing attempts at automatic software updating regimes, many or most users' computers are in states of relatively poor (or even awful) security, and sport feeble or non-existent data backups, putting immense amounts of personal and business data at risk on users' local disks at any given time. And to expect non-technical users to somehow manage these ever more complicated computing devices, even with the help of increasingly complex updating environments, is becoming about as nonsensical as requiring that everyone be their own auto mechanic. That there are privacy and security challenges in the cloud is undeniable -- but research in these areas is proceeding rapidly and holds great promise. Laws that in some cases treat cloud-based user data as having fewer legal privacy protections than locally-based data are no longer tolerable and need to be harmonized so that user data gets the highest practicable level of legal privacy safeguards regardless of where that data resides at any given time ( http://bit.ly/dBPyBy [Digital Due Process] ). But for some who dislike the cloud, no amount of technical and legal assurances will ever suffice, simply because they have a fundamental distrust of remote services -- "We never *really* know what's going on in the cloud!" they say. And yet, do we really know everything going on in our local computers, even those of us who have spent our professional lives building these technologies? In most cases, the answer is no. Unless we've written every line of code ourselves, or have compiled every program personally from source code that we've inspected (and presumably understood!) line by line, there is a leap of faith involved in everything we do on these machines. For that matter, if you're of a conspiratorial bent, do you *really* know for sure what's going on in those CPU cores that run your computer? Have you inspected every line of microcode? Are you *positive* that something nefarious isn't going on deep within those busy chips?? More realistically, Ken Thompson -- co-creator of the UNIX Operating System itself -- noted in his 1984 paper "Reflections on Trusting Trust" ( http://bit.ly/drwkzx [Univ. of Waterloo] ), that you can't necessarily even depend on the compilers that you use being free of self-compiling malware and other subterfuge. What this all boils down to in the end is -- to paraphrase Bob Dylan -- You Gotta Trust Somebody. And in our modern world, you have to trust lots of somebodies at various levels or our entire technological civilization would simply grind to a halt. We certainly depend on trust in our personal lives. Even though that trust may turn out to be misplaced in particular instances, this doesn't change the fact that trust is fundamental to getting virtually anything done in our modern world. And trust isn't only a concept for individuals. Just as we trust our friends and lovers -- whose inner thoughts we can never truly know for sure -- we need to make decisions about trust related to technology as well. The fact that we can't know everything about every aspect of cloud computing services is ultimately just another nuance of the same sort of necessarily incomplete information with which we make every other trust decision in our lives. Ultimately, if you trust that a provider of cloud computing services is of good ethical standing, will defend your privacy rights against unreasonable intrusions, and provides services with a degree of security and reliability that you consider to be acceptable -- especially in contrast to what you can and do provide locally on your own machines, then an inability to personally inspect every aspect of operations in the cloud should not be an automatic deterrent to its use. Technical and standards advances are making the cloud even more attractive. For example, Open Source cloud standards ( http://bit.ly/aTByiA [New York Times] ) and efforts such as Google's "Data Liberation Front" ( http://bit.ly/aOIrk1 [Google Data Liberation] ) provide increasing levels of transparency and data portability. There are many factors to take into account when choosing cloud services -- just as there are in the process of making bosom buddies. There are no absolute guarantees -- there always risks in life, both today and tomorrow. But the various aspects of trust are key in both cases, and trust is possible without total knowledge of and control over the other parties involved. Like love, trust makes the world go 'round. --Lauren-- Lauren Weinstein (lauren@vortex.com) http://www.vortex.com/lauren Tel: +1 (818) 225-2800 Co-Founder, PFIR (People For Internet Responsibility): http://www.pfir.org Co-Founder, NNSquad (Network Neutrality Squad): http://www.nnsquad.org Founder, GCTIP (Global Coalition for Transparent Internet Performance): http://www.gctip.org Founder, PRIVACY Forum: http://www.vortex.com Member, ACM Committee on Computers and Public Policy Lauren's Blog: http://lauren.vortex.com Twitter: https://twitter.com/laurenweinstein Google Buzz: http://bit.ly/lauren-buzz