Extending the Principles to the Internet: a Way to Restore Trust

Home , Geist

THE PRINCIPLES GENERALLY ACCEPTED RECORDKEEPING PRINCIPLES Extending the Principles to the Internet: A Way to Restore Trust

By Julie Gable, CRM, CDIA, FAI

sonal data not only for more effec- aimed to keep the information- tive marketing, but also for more mining process under the compa- effective detection of potential ny’s control rather than the federal security threats. agency’s control. The key difference is that while Cloud service providers – and users freely give personal informa- the companies that use them via lmost from its inception, tion to social media sites, e-mail Internet connections to provide the Internet has spawned services, marketers, and other In- flexible processing for transac- Athorny, complex issues that ternet presences, they don’t neces- tions, communications, and stor- are not easily resolved. Matters sarily suspect that this personal age – have suffered huge reputa- such as online piracy of copyright- data can then be handed over to tional damage. Internationally, ed material, theft of trade secrets, federal investigators. That’s be- some countries have exploited the cybersecurity, and trans-border cause many people don’t realize NSA revelations to maintain that data transfer issues constantly that the background architecture those who fear their communica- confront governments, Internet for storing such data is the cloud. tions are being intercepted should service providers, businesses, in- not use services that go through dividuals, and watchdog groups. A Battle in the Cloud American servers. In recent weeks, the balance According to The State of Cloud In short, an atmosphere of of personal privacy and the need Storage 2013 Industry Report from deep mistrust has arisen that for national security have been storage vendor Nasuni, cloud stor- could prove damaging and costly the subject of high-profile news age providers put more than one to cloud service providers as well coverage. With revelations about exabyte of information – that’s as to any entity that collects cus- the U.S. National Security Admin- more than 1 billion gigabytes – un- tomer information in business-to- istration’s (NSA) electronic sur- der contract in the previous year. business or business-to-consumer veillance program called PRISM, With surprising revelations transactions. the parallels of data mining for about how large providers such marketing purposes and for sur- as Amazon, Microsoft, and Google, Principles Show Way Forward veillance purposes came into sharp have responded to federal war- Into this maelstrom steps Mi- focus. rants has come a public outcry. chael Geist, J.S.D., who believes Technology has given us the According to reports in The New that issues associated with cyber- ability to store vast amounts of York Times, some providers have mistrust are going to put pressure data cheaply. Now, with highly had teams of in-house experts points on the Generally Accepted sophisticated data analytics tools, charged with finding ways to co- Recordkeeping Principles® (Prin- it is possible to exploit stored per- operate with the NSA, a strategy ciples) and extend them in ways

40 SEPTEMBER/OCTOBER 2013 INFORMATIONMANAGEMENT

IM Sept. 2013BC.indd 40 8/27/13 1:54 PM that people may not have been thinking about up to now. michael Geist, J.S.D.: A Career Overview

Evaluating Service Providers Michael Geist, J.S.D., is a law professor at the In addition to using the Prin- University of Ottawa, where he holds the Canada ciples to measure the effectiveness Research Chair in Internet and E-commerce Law. of in-house records programs, or- He earned his doctorate in the science of law ganizations may come to use them degree from Columbia Law School in New York. as a means to judge the information management maturity of their Geist is an internationally syndicated columnist service providers. Going further, on technology law issues, has edited two books Geist believes the Principles and on Canadian copyright law, is the editor of several the Information Governance Ma- monthly technology law publications, and is the turity Model (Maturity Model) may author of a popular blog on Internet and intellectual property law issues. also provide a template for devising He serves on boards for CANARIE, the Canadian Legal Information Insti- solutions to restore trust. tute, the Privacy Commissioner of Canada, the Electronic Frontier Founda- Geist believes that companies tion, and the Open Society Institute. He has received numerous awards offering cloud-based services – and recognition for his work in the areas of intellectual freedom, policy whether e-mail, social media, voice leadership, and public leadership. over Internet protocol, applications, or storage – will face some hard times in the wake of the U.S. sur- Geist warns that “once the NSA formance and to see how Amazon, veillance scandals. Recent surveys has the information, the line up of Google, Microsoft and other pro- have shown that U.S. cloud provid- other agencies that want to use it viders could be judged in terms of ers could lose as much as 20% of runs right out the door. Drug en- information governance maturity.” the international market for these forcement, copyright infringement, services over the next three years. and other uses suddenly appear. Transparency Why? “Public trust is crucial The highest level national security The Principle of Transparency for service providers,” says Geist. purposes become a slippery slope will be essential to restoring trust. “The providers were functioning of something far different.” According to Geist, “It will no lon- in the hope that there wouldn’t ger be enough for these providers be a Snowden,” he says, referring Restoring Trust to say ‘here’s what we do,’ but rath- to NSA contract worker Edward According to Geist, the biggest er, ‘here is what we have done.’ Snowden, who leaked classified in- collectors of personal information Policies might include requiring formation about NSA surveillance in the private sector are scruti- a warrant for surveillance or law activities. nized by non-governmental orga- enforcement requests, telling us- Records and information man- nizations (NGOs) who bring citizen ers about government requests for agers will recognize this mind-set concerns to governments, advocate data, publishing guidelines for law as similar to the one that believed and monitor policies, and encour- enforcement, and being ready to (or wished) that electronic discov- age political participation through stand up and fight for their custom- ery would never be part of litigation provision of information. ers’ privacy rights.” and that a gentleman’s agreement One example is the Electronic Geist is a proponent of trans- that implied “if you don’t ask for Frontier Foundation. While NGOs parency reports that disclose re- our electronic records, we won’t ask may be the guardians of individual quests for user data and tell how for yours” would prevail. legal rights in a digital world, these the company has complied with “Google’s ‘don’t be evil’ mantra watchdogs may not have the tools these requests. “Up to now,” he is increasingly hard to reconcile,” needed to measure good steward- says, “most transparency has been Geist contends, when, “as a service ship of information. about the processes involved with provider organization, it becomes complying with data requests difficult to promise your customer Principles to Apply rather than with the actual actions that their data isn’t being disclosed Geist offers, “It is useful to be- themselves.” to agencies that are actually col- gin looking at what is important Geist believes that transparen- lecting it with your knowledge and from the perspective of ARMA’s cy reports foster public confidence permission.” Principles for recordkeeping per- in service providers. Steps will also

SEPTEMBER/OCTOBER 2013 INFORMATIONMANAGEMENT 41

IM Sept. 2013BC.indd 41 8/27/13 1:54 PM THE PRINCIPLES GENERALLY ACCEPTED RECORDKEEPING PRINCIPLES

likely have to be taken to demon- referred to at level five of the Ma- the type of business, the data col- strate that the provider functions turity Model, the idea that reten- lected, and the context in which at a transformational level of trans- tion is perceived holistically and it is used,” says Geist. “National parency, including a continuous is applied to all information in the governments must insure that the improvement program to ensure organization, not just to official Internet functions the way its us- that transparency is maintained records. Will consumers have the ers expect, and many countries over time. right to request that their data work together on how to do this.” As a global phenomenon, the Internet transcends geographic borders but is not necessarily free “Businesses that are regulated of political or cultural restrictions. Following the scandals, some have and have a high priority on questioned whether the US-led In- ternet Corporation for Assigned information security are Names and Numbers, more often referred to as ICANN, should continue as the governing model for under threat if they move to the Internet. A year ago, there was debate on whether a government- the cloud,” Geist says. led, United Nations-style model that would include countries such as Russia and China should have Accountability is not kept very long? Will it be control. Accountability is another key possible to actually comply with No doubt the line between na- element that has sometimes been this request? The answers remain tional security and Internet free- lacking, particularly where the to be seen. dom will continue to be debated. provider’s stated goals related to In a post-9/11 world, the emphasis accountability have not been met. Protection has been on security rather than “Greater oversight is a start,” says Protection for records and in- on privacy. Geist. “Many people think that ac- formation that are private, con- But Geist believes that the countability is not what it should fidential, privileged, or secret, of pendulum may swing back after be, particularly when elected of- course, is a huge concern. While Snowden, with Amazon, Google, ficials are not told the truth. This general businesses can have legal and Microsoft becoming far more means that NGOs – people invest- frameworks built on the privacy of vocal and trying to build on public ed in watching the watchers – are their own systems, moving to the concern for more privacy. not able to do so.” cloud provides another source of Meanwhile, proposed laws, Greater accountability would access with lower safeguards. such as the U.S. Cyber Intelli- likely have to be at the board level “Businesses that are regulated gence Sharing and Protection Act to have a truly transformational and have a high priority on infor- (CISPA), seek to allow more shar- effect. The Principles recommend mation security are under threat if ing of Internet traffic information a chief records or information gov- they move to the cloud,” Geist says. between the U.S. government and ernance officer who reports at the “Cloud-based models are based on technology companies. senior management level. public confidence in the level of How service companies deal security in the cloud vs. the level of with issues of balancing cyber- Retention security on network servers. With security and Internet freedom “Retention is another issue that the new revelations, cloud provid- going forward will be key. Geist is interesting,” notes Geist. “The ers just can’t make those claims contends that they will do best by ongoing ping-ponging of ‘how long anymore.” confronting the issues and using a retention period is enough’ will Clearly, there is much work the Principles to guide information get new momentum. The longer to be done. governance policies. END data is kept, the more susceptible it is to breaches or to government The Need to Collaborate Julie Gable, CRM, CDIA, FAI, can requests.” “Within normal businesses, be contacted at juliegable@verizon. This is the aspect of retention the answer to security varies by net. See her bio on page 47.

42 SEPTEMBER/OCTOBER 2013 INFORMATIONMANAGEMENT

IM Sept. 2013BC.indd 42 8/27/13 1:54 PM