Lawsuit Raises Red Flags For Government Cloud Users

A California lawsuit suggests the government must take stronger steps to protect government data from data mining and user profiling by cloud service providers.

In the technology-rich world we live in, it is important for everyone to understand how their data is processed and used. For the federal government, it’s arguably much more important, given the large amounts of sensitive citizen data it possesses and stores.

As we move to more sophisticated, data-driven technological environments such as the cloud, it’s imperative that all government entities become hypervigilant about ensuring that vendors are handling this information appropriately. I’m not the first person to say this, and I will definitely not be the last.

Recent disclosures in a California lawsuit have raised several red flags about how government data may be utilized by cloud vendors — particularly vendors with business models that rely heavily on advertising revenue and monetizing user data. The lawsuit alleges that Google violated federal and state wiretap and privacy laws by data mining the e-mail content of students who used Google’s Apps for Education and Google’s Gmail messaging service. US District Judge Lucy Koh handed Google a victory last week by refusing to let the case proceed as a class action.


Though the lawsuit created a stir within the education community over privacy concerns, it also raises important questions for government administrators. Information revealed in the lawsuit means that public-sector users of certain cloud services, including the government, will not be shielded from systematic data mining and user profiling for advertising purposes if they don’t have clear protections in place.

The potential streamlining and cost-saving benefits of cloud computing have prompted the government to make adoption of cloud computing a high priority. With this in mind, we have to take appropriate measures to ensure the government makes the transition to the cloud in the correct way, with data privacy and lawful data use as top concerns. If the government doesn’t implement these changes carefully, it faces the risk that sensitive data could be exposed, and those risks are just too high.

I speak from experience. Given my former position at the Office of Management and Budget, where I was responsible for the federal government’s IT, data security, and privacy policies, I think these issues are more important than ever. There are several foundational issues that government CIOs must address when they are looking at securing, procuring, and drafting their cloud contracts.

These issues include:

  • Clauses prohibiting unauthorized data use: All cloud service providers must make sure that their services use data only in ways that are explicitly, contractually sanctioned, and those assurances need to be guaranteed and written into the contract.
  • A system to measure efficacy: Cloud service providers also should have a system for reporting on the efficacy of agency information security programs. That system should augment audit programs and validate the written assurances from cloud providers.
  • Specific bring-your-own-device (BYOD) language: Agency CIOs and policy makers must rethink their security policies by restricting the type and/or amount of work that employees can perform on their smartphones unless adequate protections are in place, such as digital rights management and powerful enterprise device management technologies. Additionally, it’s critical that agencies and industry develop efficient, technical solutions that enable federal workers to realize the benefits that these devices offer, while ensuring the security of sensitive federal information.

This year, I co-authored a white paper discussing some of these recommendations in greater detail. One conclusion I’ve reached in my research is that cloud vendors should be more transparent about how they store, use, and monetize public-sector data — especially vendors with roots in advertising and the monetization of user data. And agencies need to be more explicit in their contracts about data-mining practices.

Despite many of these voiced concerns, government entities don’t typically require any of the above recommendations or guidelines from cloud contractors.

From my experience working at federal agencies, I remember that changing the way government entities procure services takes time and input from many stakeholders. However, I strongly believe our procurement process must include explicit terms and conditions regarding data use and ownership in order to address these issues in greater detail. If we wish to get cloud right, these guidelines should serve as the foundation.


Karen S. Evans spent nearly 28 years in the federal government, most recently as Administrator for E-Government and Information Technology at the Office of Management and Budget (OMB) in the Executive Office of the President (from 2003 to 2009), where she oversaw the …
