Saturday, January 29, 2011

Dealing with privacy in the cloud: the European Data Protective Directive

Yesterday, Friday 28 January 2011, it was Data Privacy Day, an international celebration of the dignity of the individual expressed through personal information.
What a coincidence, the day before I was invited by my dear friend Paolo Balboni to take part in "The Expert Panel on Cloud Computing and the Protection of Personal Data". Considering my critical attitude of a tester towards software and the knowledge of user-centric webprotocols like UMA and OpenID Paolo thought I should have my say here.
I had to be in Amsterdam for another meeting, so I gladly accepted the invitation.
What's it all about then?

The Istituto Italiano Privacy (IIP) together with the European Privacy Association (EPA) have organized "The Expert Panel on Cloud Computing and the Protection of Personal Data"
The IIP together with the EPA published a working paper titled ‘Cloud Computing and the Protection of Personal Data: Privacy and the Global Web, Risks and Resources for the Citizens of the Internet’.
IIP and EPA are aware of the on-going debate on privacy and cloud computing in the Netherlands. Therefore, they want to share their pan-European experience on the matter with the panel and learn about the Dutch experience.
Through presentations it became clear both IIP and IPO want to make a position paper, based on the input from the panel and their working paper to address the issues of all parties involved in Cloud Computing and Privacy in Europe.
This is a very hard nut to crack, because the European Community consists of many different countries with different laws and different privacy regulators.
However, there is the Data Protection Directive (off. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data), a European Union directive which regulates the processing of personal data within the European Union. All members of the European Union must follow this Directive and implement it in their Privacy Policy.
But what happens when a non-European Community cloud provider is not following the Data Protection Directive? Can he be caught?
No, he can't be caught if the cloud provider, as a data controller, is not based in Europe and not using equipment in the EU.
Hm, data controller, what's that and are there other data parties?
A data controller, according to the Data Protection Directive, is the one who determines purposes and means of the processing of personal data (art. 2d) and there is also a Data processor, who processes personal data on behalf of the controller (art. 2e).
See where I'm going? In cloud computing it remains quite unclear who's the data controller and processor, and the Data Protection Directive is not clear in this yet.
Another privacy issue addressed in the panel discussion is the transfer of data outside the EU.
A EU-customer has no idea or control of where its data is located and fears its data subject rights are not guaranteed.

These are privacy issues to be dealt with.
Therefore the Directive 95/46/EC is under revision to address also the issues of Cloud Computing.
ENISA published a study recently, dealing with the legal and security issues of cloud computing and the CAMM project will deliver in 2011 a new business barometer for the quality of the security profiles of the Cloud Service Providers.

And then there will be the IIP/EPA Position Paper, aimed at addressing concrete data protection issues and suggestions of solutions for a sustainable privacy-friendly cloud framework.
Input from cloud vendors is very much appreciated here.


Interesting times ahead for who's interested in the protection of personal data in the EU.

This post was mainly about solutions for privacy in policies, my next post will be about the privacy solutions the cloud vendors apply at this time.

Sunday, January 16, 2011

Testing UMA means testing controlling an individual's online data by himself!

One of the reasons I joined the UMA-WG, was that I wanted to be involved in a project right from the specs and not when it is time for systemtesting. Next to that, the concept of UMA fascinates me and worth making me sweat!
The active discussions we have about the testability of the specs inspire me to improve my work as a systemtester.
The implementations of UMA can be in legious domains: enterprise, government, education, e-commerce etc. etc.
This makes it a project where IT-architects from different domains can work together making user stories and use cases and improve this user centric authorization protocol.
Yes, we also have OpenID and OAuth, but, IMFO, OpenID is for authenticating the user and OAuth for authorizing it.
UMA let an individual control the authorization of data sharing and service access made between online services on the individual's behalf, as a layer on OAuth. It doesn't involve the authentication, but is very much dependent on OAuth and its possible changes, which are very much monitored by the UMA-WG.

A few years ago I started this blog, because I wanted to share my thoughts on testing SaaS and identity. The latter, because, IMFO, testers were mixing up authentication and authorization, which is disturbing, because it are important elements of web2.0, online user-interactivity.
With OpenID I started, but UMA drives me more because it is fresh, very user-centric and can be interoperable with OpenID through OpenID/AB, melting two of my favorite testsubjects (authentication and authorization) in one.

I wait for the day I can test an online user-interface (say banking :-) ) where an individual, with the help of the UMA-protocol, can control the data he or she wants to share with third parties, on the individual's behalf.

Something worth sweating for!