Microsoft pushing hard on privacy in the cloud

Whether due to clever marketing objectives or to its stated commitment to making privacy a core consideration for its products and services, there’s no denying Microsoft is emphasizing privacy across multiple dimensions. Taking center stage this week was a recommendation to Congress (articulated in a speech given January 20 at a Brookings Institute policy form on Cloud Computing) that new legislation is needed on cloud computing security and privacy. Microsoft went so far as to propose a name — the Cloud Computing Advancement Act — for the new legal framework the company says is needed, as well as to advocate revisions to existing privacy legislation including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. The speech offered justifications for explicit cloud computing regulation in the form of survey (commissioned by Microsoft) indicating a large majority of business leaders and consumers — even those enthusiastic about cloud computing’s potential — are concerned about data security and privacy in the cloud. Microsoft is also recommending a “truth in cloud computing” provision that would mandate more explicit disclosures by cloud service providers about the security and privacy measures they have in place. Cloud computing is currently the primary area of emphasis in Microsoft’s privacy advocacy directed at government officials and policymakers. Microsoft’s efforts illustrate one way in which private sector vendors with a stake in cloud computing are moving ahead on privacy, while in contrast federal government efforts to date have largely focused on clarifying definitions of cloud computing services and examining ways to securely use those services. Whether or not Congress decides to take Microsoft’s recommendations to heart, some additional direction to NIST to address privacy in the cloud might be reasonable.