Tuesday, July 27, 2010

privacy implications of cloud-based security

in my continuing efforts to get caught up on my rss feeds (i'll get there eventually) i came across an interesting post at the stopbadware blog about establishing expectations for av vendors. it raises some interesting concerns about data collection and lack of transparency / informed consent.

this is a tough call. recall that when trend bought hijackthis and added a button to send the log to trend for analysis, people went ape over the idea that it was sending data without informing the user (even though the behaviour seemed clear to me just by looking at what the UI stated).

all cloud-based security inherently is going to collect data and send it into the cloud - that's how you leverage the cloud for security. clearly there is the potential for a privacy violation if the vendor isn't careful and there is certainly room for people to assume there already is a privacy violation. some people are inevitably going to cry foul if you tell them that their security software is sending data into the cloud.

and yet on the other hand if you don't tell them then they can't make intelligent, informed decisions about whether they want to accept the risk associated with cloud-based security technologies and so may fall into a false sense of privacy (not unlike a false sense of security).

i'm a big fan of informed decisions - i think that given enough information, reasonable people will be able to make intelligent decisions and hopefully that works out in the vendor's favour (if they're doing enough to protect customers' privacy).

i think security vendors absolutely need to inform their users, and i think the failure to do so should be considered a badware sort of behaviour. i think the risk of backlash can be mostly mitigated by informing the user HOW their privacy is being protected in spite of the data collection (i.e. exactly what data is being collected and how the data is being anonymized - maybe even let them audit the data being sent). assuming the vendor is doing an adequate job of protecting users' privacy, only unreasonable people should continue to have a problem in the face of such transparency - and there isn't really much you can do for unreasonable people. all cloud-based technologies involve data collection, so those unreasonable folks will simply have to learn to be reasonable or seek out one of the dwindling number of products that don't have any cloud-based components.