One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.


TERENA Trusted Cloud Drive Pilot

Wednesday, May 30, 2012 - 22:45

[This article was originally written for the TERENA Conference blog]

TERENA's trusted cloud drive pilot seems to have come up with a good approach to privacy concerns involved in storing information in cloud services. The design splits the storage of the data itself from the metadata about it: metadata (in particular encryption keys) can be kept on a host in a trusted location; the contents of the files to be stored are then strongly encrypted and stored elsewhere, for example on a commercial cloud storage service. Since the contents are strongly encrypted, and the storage system doesn't have access to the keys needed to decrypt them, the storage system shouldn't be able to affect the confidentiality of the content (though it can obviously affect its availability). Clearly this doesn't work if you actually need to process information in the cloud, but for pure storage it looks like a good idea.
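The split described above, as an added example that is not part of the original article or the pilot's own code: a trusted metadata host keeps the per-file keys and the name-to-blob mapping, while an untrusted store holds only ciphertext. All class and function names are hypothetical, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a vetted cipher such as AES-GCM.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, used only so
    # the example runs on the standard library. Use AES-GCM in a real system.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

class TrustedMetadataHost:
    """Trusted location: holds keys and the name-to-blob mapping, no contents."""
    def __init__(self):
        self.records = {}

class CloudStore:
    """Untrusted storage: sees only random blob ids and ciphertext."""
    def __init__(self):
        self.blobs = {}

def put(meta, cloud, name, plaintext):
    # Fresh keys per file; they are recorded only on the trusted host.
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce, blob_id = secrets.token_bytes(16), secrets.token_hex(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    cloud.blobs[blob_id] = nonce + ct + tag
    meta.records[name] = {"blob_id": blob_id, "enc_key": enc_key, "mac_key": mac_key}

def get(meta, cloud, name):
    rec = meta.records[name]
    blob = cloud.blobs.get(rec["blob_id"])
    if blob is None:
        # The provider cannot read the file, but it can still lose or withhold it.
        raise LookupError("blob missing: the provider controls availability")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(rec["mac_key"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob was modified in storage")
    return bytes(c ^ k for c, k in zip(ct, _keystream(rec["enc_key"], nonce, len(ct))))

def demo():
    meta, cloud = TrustedMetadataHost(), CloudStore()
    secret = b"constructed sample: student record 0001"
    put(meta, cloud, "records.txt", secret)
    blob = cloud.blobs[meta.records["records.txt"]["blob_id"]]
    # Returns (plaintext visible to provider?, round trip succeeded?)
    return secret in blob, get(meta, cloud, "records.txt") == secret
```
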

A paper by the Cloudlegal project seems to confirm that privacy law ought to recognise this protection, in particular by permitting the storage of the encrypted information outside the EEA. Unfortunately the current EU Data Protection Directive was passed in 1995, when geographical location seemed like a clear indication of privacy risk and other ways of mitigating that risk (such as encryption) were not envisaged. Different national regulators have since taken different views on the extent to which technology can be relied upon: in the UK the Information Commissioner allows data controllers to make their own assessments of the risk represented by exporting data from the EEA. He has also formally recognised encryption as a valuable security measure, so there seems a good chance that use of the TERENA model would be acceptable here. Unfortunately the wide range of views of different regulators and legislatures makes it very unclear whether that would also be true across the rest of Europe. This feels like yet another test case for the proposed Data Protection Regulation.

Comments

I'm not yet convinced by the trusted cloud drive concept; I think TERENA should have spent some time trying to get existing providers to support the differential features like Internet2 have been successfully doing. I think we can certainly learn a lot from their activities in these sorts of areas. I'm not sure if the presentations from the Cisco Symposium are online, but the Internet 2 presentation is certainly worth watching!