Federal Chief Information Officer Vivek Kundra stressed his belief that the federal government needs to get out of the business of building data centers and managing IT infrastructure, hardware, servers, and application software, and instead should embrace cloud computing and store agency data on servers hosted by companies that specialize in managing IT and securing hosted information. Kundra’s remarks came at an event hosted by the Brookings Institution, held in part to highlight the release of Brookings’ recently completed report, “Saving Money Through Cloud Computing,” which suggests that agencies that have moved to adopt the cloud model have realized savings of 25 to 50 percent in IT operations costs. With overall federal IT spending in excess of $76 billion, and a quarter or more of that spent on hardware, software, and file servers, the potential savings across the government certainly seem significant. Another theme expressed at the Brookings event was the suggestion that fears about physical, network, and data security for cloud computing may be misplaced, given that not all federal agencies have stellar track records in protecting the systems and data they manage themselves, and that major cloud service providers have huge incentives to keep their government customers’ data protected.
The cloud computing discussion seems to be ratcheting up a few notches this spring, as evidenced by the large crop of government and industry events focused on the topic. Later this month SYS-CON media will host a Cloud Computing Expo in New York City April 19-21, and the Interop show in Las Vegas at the end of the month will feature an Enterprise Cloud Summit on April 26. On the government-focused side, 1105 Government Information Group is hosting its 2010 Cloud Computing Conference and Exposition in Washington, DC May 3-4, and NIST will host a Cloud Summit on May 20 intended to accelerate the development of standards that will lead to initial specifications for federal cloud computing later in the summer.
In an otherwise unremarkable meeting of the Health IT Standards Committee on March 24, Dr. David Blumenthal, HHS’ National Coordinator for health IT, made public statements addressing and formally denying rumors that the Office of the National Coordinator’s (ONC) plans to use the National Information Exchange Model (NIEM) were really intended to enable government monitoring and control of electronic health information. When Blumenthal’s comments were first reported, it seemed like they were driven largely by fundamental misunderstandings of what NIEM is (and isn’t), but given the wide circulation of these suspicions about underlying motives for health IT standards adoption, among the press, industry blogs, and advocacy groups, perhaps a few clarifications are in order.
The primary concerns seem to fall into two main areas, separate but related to each other. First, because ONC leads government efforts in electronic health records adoption and health information exchange, government agencies are certainly among the participants seeking to get greater access to health record data. This seems to have led to a presumption that one of the purposes of widespread government-sponsored health information exchange is to make medical data on individuals available to government agencies, and it’s not just CMS we’re talking about, but intelligence-gathering agencies like the Justice Department, National Security Agency, and CIA. Given the federal government’s plan to implement monitoring and intrusion detection and prevention for all network traffic to and from government agencies through the Department of Homeland Security’s Einstein program, it’s not that hard to understand how some would make the leap to assume that the intelligence community will be looking at your health data. Second, the stated intention by ONC to document and publish health data exchange standards through the NIEM — an initiative originally started to facilitate information sharing in support of anti-terrorism activities by the Justice Department, DHS, and others — seems to have led to an assumption that if health data exchange standards are managed through NIEM, this will somehow enable information formatted using the standards to be secretly captured by or routed to intelligence gathering agencies.
There’s no getting around the fact that once large quantities of health data are stored in electronic format and made available for access among organizations that have a legitimate need to use it, it will be easier for personal health information to end up in more places than it is now, with paper-based storage or stovepiped electronic medical record databases. Privacy advocates such as the Patient Privacy Rights Foundation have pressed ONC to adopt standards, rules, and procedures that would mandate individual consent before health record data is shared with entities beyond the organization that maintains the record itself, and while not openly challenging Blumenthal’s assertion that data exchanged using ONC standards and services will not be shared with government agencies, would prefer a legally binding requirement rather than a promise. This makes sense on its face, but seems to imply that there is something new about the potential for disclosure-without-consent of health data to law enforcement or intelligence agencies, when such disclosures are explicitly allowed under the provisions of the Health Insurance Portability and Accountability Act (HIPAA, specifically 45 CFR §164.512(f) for law enforcement and §164.512(k)(2) for national security and intelligence activities). Such access under the current law requires appropriate and authorized use, so the only thing that would change under widespread adoption of electronic records is the ease of accessing the records online, rather than requesting them directly from the providers or other stewards holding the data now. These sorts of consent exceptions, including the core HIPAA purposes of treatment, payment, or administrative operations, exist for both paper and electronic health records.
The second of these objections is the one that’s really hard to fathom. NIEM is a collaborative initiative that produces domain-specific information exchange standards, and makes the schemas and corresponding documentation available to anyone who wants to use them. The “M” in “NIEM” is for model. It is not a system; it is not a record-keeping database; it does not store or transmit or process any records or messages formatted according to its standards; and no one who uses NIEM standards to format their own data for exchange sends that data to NIEM. NIEM standards are distributed as files in .csv, Excel, Access, XML, and other formats, not as executable programs. Suggesting that NIEM is a “Trojan horse” that will surreptitiously send data to government agencies without their knowledge demonstrates nothing so much as a basic misunderstanding of what NIEM does (or perhaps what a data standard is).
None of the preceding discussion is intended to diminish the valid concerns over individual privacy protections and control of personal health information. There is a general (and perhaps justified) lack of trust between patients and providers, insurance companies, and state and federal health agencies, particularly as to whether any of these entities will take the necessary measures to protect personal health information shared among them. ONC has not been able to resolve this lack of trust or mitigate the concerns underlying it, not least because current standards, processes, and services proposed for use by entities exchanging health information do not provide any mechanisms to ensure that use and disclosure of health data is always authorized and appropriate. Instead, legal agreements and frameworks have been put in place under which exchange participants agree in writing to access data only for permitted purposes, but in the absence of enforcement mechanisms, such agreements will do little to dispel the distrust many individuals feel about the organizations holding their health data.
With the current interest focused on revisiting the Electronic Communications Privacy Act (ECPA), including plans announced by members of both the House and Senate to initiate formal reviews of the 1986 law and the extent to which its provisions should be updated to reflect the modern state of communications technology, it seems like a good time to check on the state of privacy in the workplace. The baseline position is that companies have broad latitude when it comes to capturing and monitoring communication occurring in the workplace, especially when the communication uses company-owned or provided equipment and services. Assuming they follow the stipulations about electronic communications monitoring in ECPA, such as describing planned, potential, or actual monitoring activities and providing notification of them to employees, customers, partners, or others who will be subject to the monitoring, companies have the right to watch what’s happening within their own environments. Many states require companies to obtain consent of one or both (or all) parties to an electronic conversation before it can be monitored or recorded, but when it comes to employees, as long as the monitoring activity is disclosed to employees as a standard operating practice, employees are assumed to have given consent by virtue of agreeing to work for the company. The standard by which non-employees can be considered to have given consent varies somewhat by jurisdiction and type of communication, but in general, if the intent to monitor is disclosed up front, the continued participation by a party to the conversation is tantamount to consent. This is the primary driver behind the familiar recorded declaration, “This call may be monitored or recorded for quality assurance purposes.” If you don’t want your interaction with a company recorded, presumably you hang up and send an email or write a letter instead.
So the starting assumption for employees would seem to be: you have no reasonable expectation of privacy in the workplace. Some recent well-publicized court cases have suggested that this statement is too absolute, and in fact employees may have some expectation of privacy for their personal communications, even when those communications take place using employer resources. While there is no intention to trivialize these victories for personal privacy, the rulings address very specific sets of facts, so they may not be indicative of any significant retrenchment of employers’ rights to monitor employee communications. The cases are also instructive to both companies and their employees in terms of what expectations of privacy are likely to be considered “reasonable,” and clearly spell out the need for companies to be very explicit in writing policies governing employee behavior, communications, use of company systems and services, and their plans to monitor such behavior and enforce those policies. Perhaps the most remarkable implication of the cases recently argued, and of others cited as precedents within those decisions, is that the courts do not appear to hold individual employees accountable for having any knowledge of the functional or technical aspects of the electronic communication systems they use, whether that functionality is specific to their employer or a standard feature of widely used communications applications like email and text messaging.
In a case argued before the New Jersey Supreme Court in December and decided last week, employee Marina Stengart sued her former employer, Loving Care, for violating her right to privacy under attorney-client privilege when the company, using computer forensic analysis, recovered cached copies of emails between Stengart and her lawyer, who was helping Stengart in a lawsuit filed against Loving Care. The email communications used Stengart’s personal, password-protected Yahoo! email account, which she accessed using her employer-issued laptop from within Loving Care’s network environment. Stengart made no active attempt to store local copies of the emails; her intention seems to have been the opposite, and her low level of technical knowledge left her unaware that web browsers routinely store copies of viewed web pages in a temporary cache on the computer running the browser. Because she didn’t know about the temporary file cache, she made no effort to clear it before returning the laptop to her employer upon leaving the company. The company searched the computer it had issued her, looking specifically for information that could assist Loving Care in defending against Stengart’s lawsuit. The core question in the case that made it to the NJ Supreme Court is: by using a company-issued computer to access her web-based personal email account, did Stengart waive her attorney-client privilege? The court said she did not, and remanded the case back to the trial court to determine an appropriate remedy, finding that the company, when it realized the emails were communications between Stengart and her lawyer, should have immediately notified her attorney and either returned or destroyed the emails, rather than examining their content. Essentially, the case only addresses employee expectations of privacy for personal emails exchanged with an attorney; it says little about the privacy of personal communications in general.
Another closely watched case is Quon v. Arch Wireless, the appeal of which the U.S. Supreme Court is scheduled to hear as City of Ontario v. Quon on April 19. In Quon, the key issue again is what right an employer has to monitor the content of personal communications (in this case, text messages sent with a pager rather than emails) made by employees using company-issued equipment. The 9th Circuit Court ruled in favor of the employee (Quon) in this case, and found that the city had violated Quon’s 4th Amendment rights when it examined the content of his personal text messages. It also found that the pager service provider (Arch Wireless) had violated the Stored Communications Act by giving the contents of the text messages to the employer. There are some specific facts in the Quon case that may limit the scope to which the ruling applies, whichever way the decision goes, including the fact that while the messaging device Quon used was issued by his employer, none of the communications traffic flowed through communications systems or infrastructure owned by the employer, and that employees shared the usage cost for text messaging beyond a specified volume. The most directly relevant policy maintained by the employer also explicitly limits use of computers, email, and the Internet to official business, but the group with which Quon worked had a separately negotiated employee agreement under which employees could use the pagers for personal communication, although there is some contention as to whether Quon’s use went beyond the limited amount considered acceptable under the agreement. Also, given the sexual nature of some of the content and some of the cases cited as informative by the panel in Stengart, Quon may face a bigger hurdle than Stengart in arguing his messages should have remained private, since their content seems to violate the acceptable use policy of his employer.
The employer in this case is a city police department, so the involvement of a government agency (even at a local level) also makes this case different from one involving a dispute between employees and a private employer. Among the issues the Court will consider is whether an employee can have a reasonable expectation of privacy for personal communications when no official privacy policy exists for the city-issued devices in question.
The ruling in Stengart is useful (it’s well worth reading the ruling itself; it’s only about a dozen pages) in a few areas beyond the narrow scope of the facts in this case. Chief Justice Rabner, in describing the reasoning and legal precedents for the court’s decision, cites a number of other cases that address secondary issues raised in the Stengart case, including the specificity required in company policies about personal use of company resources and monitoring of that use. Some of the cases cited involve (justifiable) company inspection of ostensibly private employee communications because of suspected criminal activity or violation of acceptable use policies, but neither of those situations applies to Stengart. Other cases also highlight the importance of addressing the extent to which the content associated with permitted Internet use will be monitored; while employees generally can claim no expectation of privacy when communicating using their employee email address and employer’s email server or system, the same does not apply to email communication conducted outside the company environment using a personal, rather than company, email address. The court suggested that individual expectations of privacy, even when communicating with an attorney, are less justified when the employee uses a company email system for the communication. A 2006 state court decision from Massachusetts was cited not only as a precedent that the default browser behavior of storing local temporary copies of web-based emails viewed using the browser is not sufficient on its own to invalidate attorney-client privilege, but also to suggest that employee expectations of privacy, even when using a company-issued computer, are somewhat greater if the communication takes place from home or another non-company location, such as a scenario in which personal email is sent or received using a company laptop connected to a home network and ISP.
The court also specifically noted that no matter how specific Loving Care’s policy might have been (in its actual form the court considered it ambiguous on how the company treated personal communications), no policy can override the compelling public policy interests supported by maintaining the privilege attached to attorney-client communications. This is another reason it is hard to generalize the findings in Stengart to other personal communication contexts — presumably similar findings in favor of individual privacy rights would only be made where the subject matter of the communication was explicitly a legally protected type of content.
As Stengart aptly illustrates, not all cases raise 4th Amendment issues, although there are many court cases and examples of criminal investigations that illustrate how the existence of probable cause in an investigation can and will override individual privacy protections, irrespective of company policies or legal requirements governing the treatment of certain types of personal information. There is of course a presumption in such 4th Amendment matters that the parties doing the investigation are acting appropriately in seeking to search for information and are in fact pursuing legitimate lines of investigation. A recent decision by the 11th Circuit Court illustrates one of the more egregious violations of this presumption: an individual acting as a whistleblower on his employer was subjected to a search of his personal email by a local prosecutor who allegedly conspired with the employer, obtained a subpoena for the individual’s email records under false pretenses, and then used that information to falsify evidence in order to charge the whistleblower with burglary and assault, neither of which actually occurred. Despite the fact that the prosecutor’s actions are not in dispute, the 11th Circuit Court ruled that the individual’s 4th Amendment rights protecting against unreasonable search and seizure had not been violated. Last week the Electronic Frontier Foundation joined the counsel for the individual in asking the 11th Circuit panel to review several aspects of its ruling, which the EFF asserts did not follow the law.
While we can’t offer the sort of expert legal analysis on any of these cases that you might find from privacy lawyers like Hunton and Williams, there are some practical implications for both employers and employees that come out of the Stengart ruling. Following the logic the justices used in Stengart, employers should:
The list above is far from exhaustive, but assuming a company wants to proactively minimize the reasonable expectation of individual privacy in the workplace, these practices would be constructive to that end. While all employers must balance employee productivity, convenience, and trust with restrictions on employee behavior in the furtherance of their business interests, it appears that employers can establish the clearest legal standing by completely prohibiting personal communication using company systems and resources.
For their part, there are also steps individual employees can take to help ensure their personal communications remain private, and to minimize the chance of inadvertent personal information disclosure such as what happened with Stengart. These include:
A federal district court judge in San Francisco who has presided over several cases against the National Security Agency (NSA) and its now-defunct warrantless wiretapping program appears to have finally been presented sufficient direct evidence of such wiretapping to rule in favor of the plaintiff, and to hold the government liable for damages. The facts of this case were markedly different from previous, unsuccessful suits against the NSA, in that this time the plaintiffs were able to provide evidence that they specifically had been subjected to eavesdropping of their communications in a way that should have required a warrant, although none was obtained. Judge Vaughn Walker limited his ruling to the wiretaps used against the plaintiff, and did not address the legality (or lack thereof) of the NSA’s surveillance program overall. From a legal standpoint, the case may have been more relevant for Walker’s refusal to accept the government’s assertion that the case should be dismissed without considering the merits of the plaintiff’s claims in order to protect state secrets from potential disclosure in court. The state-secrets defense is a claim of executive power first asserted by the Bush administration and again put forward by the current Justice Department legal team. The government might have had an early indication of its poor chance of succeeding with a state-secrets argument, since the suit had previously survived such a challenge when the plaintiffs received an inadvertently disclosed confidential call record from the NSA that revealed the government’s eavesdropping of the plaintiff’s communications. While the ruling probably represents a small victory for those who continue to argue that the NSA should be called to account for its activities, the specific details in this case are troubling on their own, inasmuch as they demonstrate the government’s apparent right to withhold relevant direct evidence if it hides it under a shield of national security.
Citing the drastic changes in the technological landscape since the law was first passed, a coalition of tech industry heavyweights has launched an effort to persuade Congress to update or revise the Electronic Communications Privacy Act (ECPA). The cooperative effort of the “Digital Due Process” coalition is notable for the inclusion of major privacy advocacy organizations as well, including the American Civil Liberties Union (ACLU), Center for Democracy and Technology (CDT), and the Electronic Frontier Foundation (EFF). The ECPA is among the primary federal wiretapping statutes, as it prohibits interception and disclosure of “wire, oral, or electronic communications” both during communication activities and in storage. Despite the use of the phrase “electronic communications,” it has primarily been used in the context of privacy protections for telephone and email, and one of the goals of the coalition is to extend the sort of protections in ECPA to a wider range of modern technologies, including mobile phones and the Internet. The technology vendors seem primarily interested in both simplifying the language in the law and extending its privacy protections to emerging information access and computing models like cloud computing and mobile devices. Among the primary objectives for the privacy advocates in the group are:
While no government endorsement of the coalition’s aims has been made, Sen. Arlen Specter of Pennsylvania called publicly this week for an extension of federal wiretapping laws like ECPA to cover online photographic and video surveillance, such as the use of webcams. The primary driver behind Specter’s statements is the ongoing investigation of the alleged incidents in the Lower Merion (PA) school district, where school network administrators remotely activated webcams in laptop computers issued to students and used the cameras to record students without their knowledge or consent (and without probable cause). The motivations are quite different but the message is the same: a law written nearly 25 years ago, before the advent of the Internet, cannot effectively be used to regulate communication using current technology unless the law is changed to keep pace with the technology.
Update 1:
It seems that when you get a coalition like this together, people in Washington take notice quickly. In a press release dated March 30, House Representatives John Conyers, Jerrold Nadler, and Robert Scott announced their intention to lead House consideration of reforms to ECPA, working through the Judiciary Committee, which Conyers chairs.
Update 2:
On Friday, April 2, Senate Judiciary Committee Chair Patrick Leahy announced that he will also take up consideration of ECPA in the Senate.