Cloud services – a worrying trend

Caveat Emptor!    (Let the buyer beware!)

This small term has, over the past 500 years, been used to defend vendors from lawsuits brought because they sold goods that did not match the description they applied to them. It was used because things that got complicated in a court had no easy fix, so Caveat Emptor was the “easy way out” for the judge and jury.

Caveat Emptor is the term we often see applied by the courts when deals go sour with used cars, houses and, in fact, many other items.

Many contracts have get-out clauses (weasel clauses) which allow the seller to essentially walk away from their moral liability with little more than a slap on the wrist.

The law itself has multiple twists and turns that only a commercial lawyer will be able to explain, no doubt at great cost.  There has been a recent push in the developed world to Caveat Venditor, where the liability is shifted to unscrupulous vendors who sell products not fit for purpose.

The upshot of all of this is that, when it comes to software and services, the rule of Caveat Emptor appears to be very much alive, and nowhere more so than in the use and supply of “Cloud Services”.

I recently read in a privacy policy the following statement:

“Your Personal Information may be disclosed:

To our third-party service providers that may provide services such as hosting of the Services, data analysis, IT services and infrastructure, customer service, e-mail delivery, auditing, payment processing and other similar services. Please note that we may use cloud service providers in connection with the hosting of the Services and the storage of Personal Information, and we may have limited or no opportunity or ability to impose contractual restrictions on these and other service providers.”

This effectively states that if you use the service and put any personal information into the system, and the “Cloud Service” provider does not apply fully secure services to your personal information and subsequently releases it, you have minimal rights under the “service” agreement to sue your provider.

What in fact the clause from your vendor is saying is that:

  • The 3rd party cloud service provider has bigger legal pockets than your service provider.
  • The 3rd party are calling the shots when it comes to “cloud service” offerings.
  • The 3rd party provider is not prepared to commit to your service provider that your personal information should be protected.
  • There is nothing your vendor feels they can do about it.

Can you protect your personal information?

The simple answer to this is “NO!”. Ask any IT security expert whether a computer system can ever be made fully secure, and they will likely tell you something like:

“Data on a computer is only secure if the computer is turned off, sealed in a fire-safe, embedded in a 6 foot box of solid concrete and dropped to the bottom of the Mariana trench!”

Even then they couldn’t guarantee it.

So what can you do?  It may seem contradictory to the aim you are trying to achieve, but the solution is to ensure your “identity” is known, and properly managed by not only your software service vendor, but by all the parties involved in any transaction you perform online.

Your identity in this case is a token that is given to you, and you alone. It does not define the real “you” but merely identifies that in online transactions this is the real “you”. Your identity should be able to tell anyone how much you earn, where you shop, what you eat for breakfast or where you take your holidays and what you thought of them.

That information is yours to keep safe or yours to publish. What should be safe is the fact that it is you, and only you, who chooses whether or not to publish. This is where your online Identity comes in.

The Information Security world is awash with Identity Management, Access Management and Identity and Access Governance systems that could be used to protect your information.  They have been for nearly 10 years.

On the grand scheme of all things technology based to ensure that information published by you is tagged with an ID token belonging to you, and associated with a release policy that you control. That token and release policy can follow the information wherever it goes on the internet or corporate intranets. The data can be encrypted so that even if it is accidentally released, without the token and a key it can’t be read.
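One way to realise the tagging described above, as an added example (not code from this post or from the systems the author mentions): the owner's token and release policy are bound to the encrypted data as AES-GCM associated data, so altering either makes decryption fail. The `Envelope` format, the function names and the all-zero demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

type Envelope struct { // hypothetical format: token and policy travel with the data
	OwnerToken        string          // opaque ID token of the data owner
	ReleaseTo         map[string]bool // release policy: parties the owner allows
	Nonce, Ciphertext []byte
}

// binding serialises token and policy for use as AES-GCM associated data.
func binding(e *Envelope) []byte {
	b, _ := json.Marshal([]interface{}{e.OwnerToken, e.ReleaseTo})
	return b
}

// Seal encrypts data and binds the owner's token and policy to the ciphertext.
func Seal(a cipher.AEAD, token string, policy map[string]bool, data []byte) (*Envelope, error) {
	e := &Envelope{OwnerToken: token, ReleaseTo: policy, Nonce: make([]byte, a.NonceSize())}
	if _, err := rand.Read(e.Nonce); err != nil {
		return nil, err
	}
	e.Ciphertext = a.Seal(nil, e.Nonce, data, binding(e))
	return e, nil
}

// Open releases data only to a named party and fails if token or policy changed.
func Open(a cipher.AEAD, e *Envelope, requester string) ([]byte, error) {
	if !e.ReleaseTo[requester] || len(e.Nonce) != a.NonceSize() {
		return nil, fmt.Errorf("refused: %q not named in policy, or malformed envelope", requester)
	}
	return a.Open(nil, e.Nonce, e.Ciphertext, binding(e))
}

func DemoAEAD() cipher.AEAD { // AES-256-GCM, constructed all-zero key (demo only)
	block, _ := aes.NewCipher(make([]byte, 32))
	a, _ := cipher.NewGCM(block)
	return a
}

func main() { // constructed sample values; prints the refusal for "advertiser"
	e, _ := Seal(DemoAEAD(), "owner-token-1", map[string]bool{"payroll": true}, []byte("salary: 1000"))
	fmt.Println(Open(DemoAEAD(), e, "advertiser"))
}
```

The policy is only as strong as control of the key: whoever holds it can decrypt regardless, so in practice the key sits with a service that runs the `Open` check on the owner's behalf.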

We have implemented such systems for clients who are aware that their customers are the key to their wealth. Ensure your online provider is one of them.
