Last Friday, President Obama led a White House cybersecurity and consumer protection event, hosted at Stanford University, that was intended to bring together many senior technology company executives. Notably absent were the CEOs of Facebook, Google and Yahoo – maybe still bearing a grudge against the federal government for the latter’s reported intrusive information gathering and surveillance.
Refreshing, on the other hand, was to hear Apple CEO Tim Cook make a clear statement about Apple’s own business practices: “We have a straightforward business model that’s based on selling the best products and services in the world, not on selling your data,” Cook is reported as saying. “We don’t sell advertisers any information from your email content, from your messages, or your Web browsing history.”
This is in stark contrast to the practices of Silicon Valley neighbor Google, whose Gmail service was analyzed in detail last year by Jeff Gould during an ongoing class-action suit against the Mountain View giant.
What is difficult from a consumer point of view, however, is to know who or what to believe in this increasingly hot topic. Or, more precisely, to have a reference against which to judge the various statements made. This only serves to underline the importance of formally approved Standards, as I wrote about in December.
I don’t expect Google to demonstrate certified compliance with the ISO 27018 cloud privacy Standard any time soon. It would seem anathema to their core business model and mightily difficult to achieve given the way data gathering touches every aspect of its sprawling empire.
Despite the well-intentioned statements of its CEO, however, there is no evidence that Apple wishes to demonstrate conformance either. Apple takes a very haughty attitude to Standards in general and there is no reason to think that they would lower themselves to actually having to prove a claim here either – relying rather on their formidable marketing machine and enormous uncritical fan-base.
In December last year, Microsoft announced that their Azure cloud services had been certified as compliant. Hopefully others will follow. As I stated in December:
Common agreed Standards help the conversation by, at the very least, providing the right questions that should be asked by fiduciaries.
The value of many Standards can be as simple as knowing that they exist; knowing that they may be applicable; and knowing who to ask about whether they apply and are applied.
The ISO/IEC 27018 Standard exists; we know that it applies to privacy in cloud-based services and helps protect personal information; we also now know that large cloud service providers are starting to be certified as compliant. It’s nice to know that we don’t just have to take vendors’ word for it. We want to trust Tim Cook and others but having certified proof goes a long way: “Trust but verify”!