Years ago, we did not trust cloud service providers, or we trusted them only when we had no choice. Then, consumers started using web-mail and other such services, and finally companies also moved into replacing their own IT with cloud applications. By now, we trust our service providers sufficiently, for the most part. We model our risks, we consider the benefits, and we usually decide that it’s worth it. But often enough, our trust in service providers still does not give us the warm and fuzzy feeling that is required for us to hand off all our data to the cloud and live a truly digital life. As it seems, thinking you are secure is one thing, and feeling you are sufficiently secure, even with your most critical data, is something else.
What do we do for now? – Use the cloud, but not for everything…
The journey to trust in the cloud
Moving into Cloud services required a change in the perception of trust. You used to trust what you could see. If it’s on your network, and you define the controls protecting it, then it was secure. If it was on someone else’s network, and he would define the controls to protect it for you, then it was, well, questionable. Why would you trust someone else with your data? Trusting someone else’s infrastructure with your data was something you did only if you had no other choice.
The first ones to adopt software-as-a-service were the consumers. For ordinary people, “no choice” applies quite quickly when it comes to basic IT services, even as basic as e-mail and shared calendars, let alone instant-messaging. Until there was web-mail (Hotmail, Gmail, etc.) most people did not have personal e-mail at all. Today still, a family that wants to share a calendar does not have many options other than using Google Calendar or an equivalent.
Companies were slower to adopt the cloud, as they had a choice. Their Exchange server worked quite well for e-mail and calendaring, file servers allowed sharing documents, and in general, a company with even a single IT guy could establish its own set of collaboration services, without reaching out to external service providers. I remember, even as late as 2010, most people in an enterprise environment could not comprehend how a decent organization would ever consider moving its entire e-mail system to Office365, to be hosted by Microsoft. E-mail is used as a transport for corporate data at the highest confidentiality levels; hosting this e-mail outside the organization seemed to many like carelessness at best.
But security is always about trade-offs. Hosting e-mail with a service provider was not the approach favored by security people, but outsourcing the massive headache called IT did sound appealing all-in-all. And so, in 2020 we see many large companies happily entrusting Microsoft O365 with their e-mail, documents, calendars, instant messaging, video calls, and anything O365 offers.
It’s probably safe to say that in both the personal space and the enterprise space, cloud service providers won. Most people cannot manage their own IT, and even if they could – they would rather not. Enterprises can manage their own IT, and often manage some of it, but many enterprises, like individuals, would also rather spend their energy elsewhere. And what about security? Some say it’s not that bad; those cloud service providers invest much in securing the data they are entrusted with, and often do a better job than your average corporate IT. As for individuals – most of those have long lost the sense of appreciation for privacy anyway. Many were born into a world where Facebook and Google know all about them anyway, and were never educated to comprehend that alternatives could exist and that the Internet was actually born distributed.
However, even though the security and privacy thresholds are met for most users of cloud services, there is a yet higher threshold that is harder to meet, and it is that of the WAFF. WAFF stands for “Warm and Fuzzy Feeling”, and in our context means the feeling of safety and comfort one has when using Information Technology tools. I argue that in certain cases, even though our security expectations are allegedly met, some sense of comfort with the cloud is still missing, and this impacts the level to which our life can become entirely digital.
What is the difference between WAFF (that is, your feeling of comfort) and security? – Your WAFF threshold is not based on any tangible threat model; it has an imaginary one which is not entirely based on facts, and hence is sometimes harder to satisfy. When you keep your work records on a computer, say on a cloud service, you consider the need for security. You imagine the threats to the data, the likelihood and impact of compromise, and after giving it some thought, you are likely to consider that for the type of data you put in, and in return for the features you get, the risk is worth it. You follow the same semi-scientific process for most personal uses as well. Years ago, I could not imagine how I could ever entrust services like TripCase with my itineraries. Whose business is it when and where I’m travelling? It took me several years to realize that my journey leaves traces everywhere anyway, those particular pieces of data are ones of little privacy value anyway, and getting alerts whenever a flight is delayed was a worthy cause. So I opted in, and I just avoid putting sensitive details, such as meeting agendas or names, in the notes. Security is a cost-benefit (or: risk-benefit) exercise; we knew that.
This logic of threat modelling, or risk-assessment, is great for evaluating security, or privacy, but not necessarily for feeling the WAFF, i.e., the warm and fuzzy feeling you have knowing that certain data is properly safeguarded. As opposed to the cold assessment you do on security or privacy, warm fuzzy feelings do not follow a rigid logic; either you feel comfortable or not, and you cannot always explain it. Levels of comfort obviously depend on real threats and mitigation, but with wider margins and less objectivity. To illustrate the difference, think of a scenario in which you put some data at risk of exposure, such as by leaving it written on a paper note on your desk, or by saving it on Evernote. Now, compare your feelings about risking this data when corporate secrets are involved to where personal embarrassment is involved. In the former case, you would do a brief risk-assessment: how likely is it that someone will find that note? What sense will he be able to make of it? In the latter case, you may not even carry out this logical exercise – you will either not risk the data, or you will risk the data and feel uncomfortable about it regardless of what the real risk is.
Many situations of risking data, such as by storing it in the cloud, or even by storing it at all, fall between those two bars: your analytic mind can build the case for the risk being worth it, but the bar of feeling absolutely comfortable about it often remains unmet. But the data is often put at risk anyway, for two reasons: First, people are so used to putting data at those types of risks, that their sense of comfort is often too easy to reach. I am astonished each time I hear of celebs losing their nude photos through their cloud accounts; really, what were they thinking? Second, that feeling of discomfort with risking data is less commonly associated with non-personal data; with such data, like data your employer entrusts you with, you carry out the usual threat modelling logic or simply do what corporate policies require.
For the most part, when it comes to private information which one really cares about, either one doesn’t risk it, or (s)he feels uncomfortable risking it. The implication is less intimacy with one’s IT.
Why should we care? How is our digital life affected by our occasionally feeling uncomfortable storing data in the cloud?
It matters because any feeling of discomfort affects the level of intimacy we feel towards our IT, which in turn affects how we use IT. Computers are all around us, not just in the workplace. I used to carry a pen in my pocket at all times; I no longer do that. I used to carry a small micro-cassette recorder when going to exhibitions, for taking notes; I no longer have one. I used to call my family at certain times just to know how they are; I don’t need this now, as we have an instant-messaging channel that’s never silent for more than a few hours in a row. I used to have a paper diary, and I used to have a paper Rolodex with cards and little notes with comments on people I met; I don’t even know where it is now.
All my life’s data is now in my IT, and for that to properly work – I need to feel comfortable with it.
I use some cloud services, like the aforementioned TripCase, but for some other needs I use self-hosted systems. Why? Because I cannot afford to lose the intimacy I have with IT that is required for living a truly digital life. At work I have local project notebooks where I write comments that I would never write on my personal area in Slack. With my close family I use an instant messaging platform which is self-hosted, and where I “speak” more freely than over WhatsApp. What do I say on my own platform which I would not say on WhatsApp? I honestly don’t know, and perhaps there is not even a single such thing, but communication does feel different and more free where it’s not reliant on people and systems I cannot even count.
My company may feel okay with all e-mails on O365, and I feel okay with my itinerary in TripCase, but real comfort with my digital life requires not just feeling “okay”. It requires a level of intimacy that allows me to keep no secrets from computers, because there are no other places for information other than in computers.
But what works for me does not work for all. Most people will not deploy their own systems and can only use tools made accessible for them. In a future post we can try uncovering possible remediation for this situation. And if you think that a solution could be yet another privacy certification scheme with a long acronym for cloud service providers, then I’m afraid you’re missing the point…