Has anyone evaluated the privacy policies offered by cloud computing services used by libraries? What kinds of data are libraries sharing in the cloud? If patron records, does disclosure comport with state law? Some states, like California, allow disclosure "by a person acting within the scope of his or her duties within the administration of the library." This is used as the justification sometimes for disclosing overdue records to collection agencies. A big difference there, however, is that the law in California (and some other states) excludes records of fines collected by the library from privacy protections.
Thanks for distinguishing a Google Docs-style cloud from a shared (rented) server. In both cases, the policy and practices of the third parties are at issue. Accidental disclosure (which we see outside the library world on a daily basis) is the first concern. Amiable compliance with informal requests for data, i.e. from state/federal law enforcement or intelligence agencies, is the second concern. Compliance with formal requests is the third concern - some states require court orders (not merely subpoenas that are not signed off by a judge) before patron data can be disclosed. ISPs are notorious for turning over data routinely upon the issuance of subpoenas. Are the cloud computing services bound by contract (and cognizant) to patron privacy protections that can be stiffer than protections of other types of data?
Posted by: Mary | March 03, 2010 at 09:57 AM
What do you mean by "sharing" and "cloud"?
"Cloud computing" has a number of definitions. In one sense, "the cloud" replaces our personal computers, allowing us to access applications (e.g. Google Docs) on the internet. In another sense, "the cloud" replaces our servers, allowing us to rent or otherwise make use of someone else's infrastructure (i.e. Amazon EC2 or Rackspace).
In the first case, if the library stores records in a cloud application, is it "sharing"? Google Docs has a nifty feature where a survey can be stored in a spreadsheet, for example. Is just using that service "sharing", or would the results have to be public?
In the second case, let's say a library was utilizing a cloud service to run its integrated library system. Is just using the cloud service "sharing"? If so, how is it different than simply contracting for hosting services?
Some features of the second kind of "cloud computing" I think are relevant here are redundancy and the sharing of equipment. A cloud service will typically store more than one copy of your data, using redundancy to improve reliability. In order for this to work, clients of cloud services share equipment with other clients, including to store data. This poses the same security risks as locally hosted data: someone with malicious intent can get at it if you aren't careful.
I don't think that 'sharing' vis-à-vis 'cloud' is any different than any other kind of sharing, unless, as you imply, there are red flags in the service providers' policies and practices themselves.
Posted by: caleb tucker-raymond | March 03, 2010 at 09:22 AM