ISO 27018: Protecting privacy and national security too


In the late 1970s, Leonard Nimoy (RIP Mr. Spock) hosted a weekly television “documentary” called “In Search Of…,” in which he quested after Bigfoot, the Loch Ness Monster and other mythical creatures or phenomena. Nimoy’s mysterious quarry almost always eluded him.

Many, myself included, generally expect the same outcome for international privacy and IT security standards that enhance the national security of countries implementing them: they are myths. But ISO (the Geneva-based multinational International Organization for Standardization) may have managed just such a mythical feat with its first-of-its-kind standard 27018, formally entitled “Information technology — Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (ISO 27018).

Broad adoption of international standards around the globe, by governments and other public institutions and, critically, by cloud providers and other private companies, can have multiple benefits. First, broadly accepted standards produced by a process involving a wide variety of stakeholders foster trust in the adequacy, fairness and sustainability of such rules. Needless to say, trust and fairness, in particular, are top-tier issues in cloud computing today.

Second, consistency, predictability and legal certainty are enhanced when standards are accepted by the majority of governments around the world, as many ISO standards are. Finally, such broad acceptance fosters and makes more efficient cross-border trade and commerce. Although such standards are not, by themselves, legally enforceable, once implemented into strong contracts, they do become binding and, in any event, can set the standard of care in private litigation.

Adoption of ISO 27018 would bring additional specific benefits, including requiring public cloud PII processors (cloud providers) to: notify customers whose personal data they hold specifically where such data is stored and identify any subcontractors having access to it; establish data retention/deletion timeframes; and notify customers of data breaches. Even beyond these, there are two specific provisions of ISO 27018 that, properly implemented, could provide significant national security benefits to governments requiring them.

To comply with ISO 27018, cloud providers must ensure by contract that PII is “not used for the purposes of marketing and advertising without express consent” and that such “consent should not be a condition of receiving” a contracted-for service, such as cloud storage services, e-mail hosting and processing, or search and retrieval services. As I argued here, data mining for such purposes poses multiple threats to the security of law enforcement and intelligence officers and activities as well as, potentially, the integrity of government decisionmaking.

To the extent government customers require all cloud service providers to comply with ISO 27018, these prohibitions on advertising and marketing could substantially reduce security risks from governments’ use of the cloud. Part of this risk, however, comes not just from any actual marketing or advertising, but from cloud providers combining personal and other sensitive data across multiple customer accounts, mining such data for undisclosed purposes, and sharing the data with third parties, even if no marketing or advertising results. At least some cloud providers appear to have conducted such data mining in contexts in which they previously stated they do not use personal data for marketing or advertising.

ISO 27018 arguably prohibits such activities without consent by its terms because it requires cloud providers to “ensure that no PII is processed . . . for further purposes independent of the instructions of the cloud service customer.”

Unfortunately, ISO 27018 does not include more explicit prohibitory language, such as this limitation from the FBI Criminal Justice Information Standards: “The cloud provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.”

Implemented and enforced, with such an explicit limitation, by law enforcement, intelligence and other government agencies, ISO 27018 could enhance countries’ national security and possibly even the integrity of government decision making. If cloud providers are prohibited from data mining to create “mosaics” of personal and other sensitive information that could inadvertently reveal undercover government agent identities, patterns of law enforcement activity, or pending government decisions, the risk of inadvertent or intentional disclosure of such data is substantially reduced.

As I recommended in 2012, governments “considering deployment of cloud computing solutions should…demand government-specific agreements prohibiting data mining [and] …. insist that data-mining capabilities be technologically disabled from use against their data.” ISO 27018 now provides a standardized and straightforward way for governments to do just that and demonstrate in the process that, though rare, international standards that can enhance national security are not mythical.

Comments are closed.