What is your definition of personal?

Over at the Cloud Ramblings blog, John Mathon provides his list of Breakout MegaTrends that will explode in 2015.  There’s an entry in there about Personal Cloud rising to prominence.  Yay!  John and I often see eye to eye on our visions of the near future of computing and Personal Cloud is definitely huge in that future.  But it seems that once you get past the name “Personal Cloud,” our visions begin to diverge.  I’d like to explain how they diverge, why my vision is better, and beseech John and all the other pundits, analysts and trade journalists out there to adopt a slightly stricter interpretation of what, exactly, constitutes “personal.”

Personal Cloud versus “Personal” Cloud
My issue with John’s prediction for Personal Cloud is his conclusion that “in a couple years almost nobody will run applications on their desktop in a traditional model.”  He cites Microsoft’s migration from consumer desktop applications to cloud-based apps for personal use as an example.  The problem is, that example isn’t at all representative of Personal Cloud.  Unfortunately, it is not uncommon and there’s a ton of companies out there hijacking the term to market their Corporate Cloud for use by consumers.  They all call it Personal Cloud merely because it is offered for use by individual customers and it has personal data in it.

Fortunately, there are some companies making actual Personal Clouds.  Space Monkey provides bulk cloud storage where the data appears locally to be in plaintext but is encrypted on the local device and in the cloud.  Only the owner of the device can see the plaintext data.  Qredo is an emerging service that takes it a step further.  Qredo performs all the processing of the data locally and encrypts the data before storing it in the cloud as encrypted blobs.  LastPass uses this model and has been around for a while but it is a Personal Cloud of passwords only whereas Qredo is a Personal Cloud platform on which to build privacy-enhanced applications for any purpose.

Qualities of a Personal Cloud
Anything worthy of the term Personal Cloud has a few key features that make it personal.  Primary among these is that the first, and potentially only, beneficiary of the data in the Personal Cloud is the owner of that Personal Cloud.  Personal means private by default and it means that the owner of the data is the ultimate arbiter of who legitimately has access to it.

Any one of the following is a clue that your cloud isn’t personal.  The majority of “Personal” Cloud providers and apps, including Microsoft, inflict most or all of these on their customers.

If your “Personal” Cloud vendor…

  • has plaintext access to all your data,
  • enjoys a revenue stream based on sales of that data or derivative data,
  • can withhold your access to your own data,
  • can prevent you from moving your data to another cloud provider,
  • exclusively controls the integrations with the data,
  • exclusively controls the functionality available with the data,
  • has terms of service that affect the data itself (as opposed to just the service),
  • has no provision for you to withhold permission for them to access your data for their own purposes,
  • imposes TOS allowing them to share your data with unnamed “affiliates” or “partners,”
  • can sell your data as an asset on dissolution of the company,

…then you are actually a personal user of a very Corporate cloud.

Like John, I believe Personal Cloud is in ascendance and will soon become a primary market segment in its own right.  But I think he and I have different ideas of what “personal” means.  Mine is that a Personal Cloud is personal in the same sense that your diary, painstakingly handwritten in a fine leather-bound Moleskine journal that you carry around with you, would be.  The digital implementation of that means your data is only ever rendered in plaintext while in your possession and on your local device.  That leads me to the exact opposite of John’s conclusion that “in a couple years almost nobody will run applications on their desktop in a traditional model.”  To be truly personal, your device is the only place where the application can run.

Personal Cloud use case – your online diary
This is exactly how Qredo works and why I got involved with the company in the first place.  They get it.  Let’s say somebody offers a Qredo-enabled, online, cloud-powered journaling app.  You write your diary entry in the app and it is stored locally encrypted.  Because it is a cloud service, that data is also uploaded to the cloud but it is encrypted before it leaves your device.  My colleagues and I at Qredo can never render your diary entry into plaintext and post your cat pictures to the Internet. If your furry pal is the next Grumpy Cat, his fate rests in your hands, not mine.

Furthermore, the Qredo platform encrypts all the metadata as well so nobody can tell which Qredo app created the data or even that the data is a diary entry.  But since Qredo cares about privacy, we take it a step further.  The Qredo platform anonymizes the connection so that someone analyzing the database cannot tell which of the encrypted blobs of data belong to you or how much data you have stored.  To further defeat metadata analysis, the data blobs are all chunked to uniform size so it is impossible to distinguish between, say, the text of an encyclopedia versus photographs of that encyclopedia.

Once you create your diary entry using the Qredo app, YOU are the only person who can access it.  Just like a physical journal.  Qredo’s approach to Personal Cloud is to provide a digital representation of a physical object that acts as much as possible like the physical thing it models, especially including your ability to keep it private.  Depending on the app requirements, the Qredo platform will provide additional functionality over and above that, such as cloud reliability and ubiquitous access, but will never sacrifice your privacy and control of your own data to do it.  The architecture prevents that possibility.
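To make the device-side encryption and uniform chunking described above concrete, here is an added Python example; it is not Qredo’s code, whose internals this post does not show. It frames a diary entry with its length, pads it with random bytes to a fixed chunk size (a constructed value), seals each chunk on the device with an encrypt-then-MAC construction built from HMAC-SHA256 as a stdlib stand-in for a real AEAD such as AES-GCM, and reports what the storage provider can actually observe: equal-sized opaque blobs.

```python
import hashlib
import hmac
import os
import struct

# Uniform blob size is a constructed value for this example; the page gives no real figure.
CHUNK_SIZE = 4096
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key that never leaves the device.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode (HMAC-SHA256 over nonce || counter): a stdlib-only stand-in
    # for a real AEAD. A nonce must never be reused under the same key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_chunk(master: bytes, chunk: bytes) -> bytes:
    # Encrypt-then-MAC one chunk; the blob that goes to the cloud is nonce || ciphertext || tag.
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(chunk))
    ct = bytes(a ^ b for a, b in zip(chunk, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_chunk(master: bytes, blob: bytes) -> bytes:
    # Verify the tag before touching the ciphertext: wrong key or tampering fails closed.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("blob rejected: wrong key or modified in the cloud")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def rejects(master: bytes, blob: bytes) -> bool:
    # True when the device refuses a blob (wrong key or tampered bytes).
    try:
        open_chunk(master, blob)
        return False
    except ValueError:
        return True


def chunk_for_cloud(master: bytes, data: bytes) -> list:
    # Frame with the true length, pad with random bytes (no structure for the server to
    # look for) up to a chunk boundary, then seal every chunk on the device.
    framed = struct.pack(">Q", len(data)) + data
    framed += os.urandom((-len(framed)) % CHUNK_SIZE)
    return [seal_chunk(master, framed[i:i + CHUNK_SIZE])
            for i in range(0, len(framed), CHUNK_SIZE)]


def reassemble(master: bytes, blobs: list) -> bytes:
    framed = b"".join(open_chunk(master, b) for b in blobs)
    (length,) = struct.unpack(">Q", framed[:8])
    return framed[8:8 + length]


def cloud_view(blobs: list) -> tuple:
    # Everything the storage provider can observe: blob count and the (uniform) blob size.
    # The count still hints at total volume, which is why uniform chunking is paired with
    # an anonymized connection that unlinks blobs from their owner.
    return len(blobs), sorted({len(b) for b in blobs})
```

A short text entry and a larger binary produce blobs of identical size; only the number of blobs differs, and a blob presented with the wrong key or with a flipped byte is refused rather than decrypted.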

“Personal” Cloud use case – your online diary
Because the alternative, and unfortunately pervasive, “Personal” (with quotes) Cloud implementation does sacrifice your privacy, describing its use case takes a bit longer.  Sorry.  But bear with me because the extent to which these differ is horrifying.  Analysts, pundits and other industry influencers who knowingly fail to differentiate between the two are doing us all a disservice.  If any of them are reading this, well now you know.  Please make that distinction going forward.

Many vendors use a definition of “Personal” Cloud that is apparently a little broader than mine and that is what John refers to in his post.  In that model if I’m the vendor and you are my “Personal” Cloud customer, I hold onto your virtual diary book.  To make entries, you call me up, enter your data over the web, or send it to me in emails.  On receipt of your data I record it into a journal that I hold on your behalf and I make redundant copies in multiple physical locations just in case one is damaged.

So far so good, right?  You never have to buy and manage your physical journal books again.  You can access your diary from anywhere and you can’t lose it.

Except there are aspects unrelated to your “Personal” Cloud user experience that you probably wouldn’t like if you thought about them – assuming you even know they are there.  For example, if some other corporation tells me something in your “Personal” Cloud infringes their intellectual property rights, I’ll delete that item of your content.  If that happens a few times, I’ll permanently lock you out and you will forever lose access to all your diary entries. Maybe you are a book critic and it was fair use, but the burden of proof for that is on you.  Us megacorporations gotta stick together.

When you signed up for my “Personal” Cloud service I told you up front that I would be charging all my corporate pals for information about your journaling habits in order to offset my cost for purchase and storage of the journal.  I don’t give them access to the actual entries but that’s the least of the data I have about you anyway.  They are more interested in the demographics of you and anyone you share content with, how often you enter data and access your diary, the topics that interest you both when you enter data and when you go back and reread it, and of course any mention of their names.  Also as part of the deal I insert advertisements so that when you access or share your diary entries the rendering of the ads is a prerequisite to rendering the content.  (That this exposes you to considerable risk is a dirty little secret we hope you never become aware of.)

In addition to me and my employees, there are many 3rd parties who will have access to your data.  If I outsource management of my data center, some other company’s sysadmins can see it.  If I host it at some cloud storage provider like Amazon, their employees can see it.  Yeah, I know I told you it is encrypted but I don’t have the resources to have an actual person enter the decryption key every time a server boots up.  So I store that key where the server can access it automatically and that means the hosting provider, sysadmins and anyone else with physical or root access to the server has it.  I do not vet the employees or run background checks or have any control over the people who the 3rd party allows to access your data, but they promise not to abuse that privilege.  Or at least their employer, my business partner, has made that promise so it’s all good.  Really.

Incidentally, I’m also running a flat, undifferentiated network with no internal firewalls so anyone with access to a network jack in any of my locations can see your data.  That includes the janitors, the plant watering service, delivery people, etc., all of whom are contracted to outside companies. Come to think of it, that probably includes all the service people in the buildings of my 3rd party business partners as well.  Not that any of them would ever improperly access your data or be coerced by someone else to do so.

Oh, and by the way, law enforcement has access to all your data as well.  You are probably a law-abiding person and not the target of an investigation so no need to worry.  Of course, if your data is on the same server as some gun runner or drug lord, your diary entry about the most embarrassing incident in your life just might become part of the public record in his trial.  Whoops, my bad.  And since I let law enforcement fish around in your data, I’m obliged to restrict which topics you can write about in your diary.  We probably agree on the most egregious topics but I operate globally and am subject to laws in many jurisdictions.  So if you disclose in your personal online diary that you are gay, or a drug user, or are HIV positive, or… well you get the idea, then it’s best that you do not travel into jurisdictions where the information in your “Personal” Cloud could get you jailed or killed.

In any case, as a feature of the service I won’t bother you with pesky notifications whenever some third party accesses your data.  Chances are it’s just law enforcement looking around for child porn or worse – pirated Disney content.  Occasionally that access is unauthorized but unless it becomes common knowledge I’m damned sure not reporting a breach to you or anyone else.  That kind of thing can damage my reputation.  Whatever it does to you is an acceptable loss as long as it can’t be traced back to me.  Fortunately, you use the same email address (and probably password) for all your online accounts so I may never be identified as the source of the breach.

If at some point you decide you want to go back to carrying your physical journal around and managing it yourself you can request your data from me, but I won’t simply give you the book I’m holding for you.  In fact, I’m not holding a book at all, I just made it look like I was and there’s nothing to physically give you.  Depending on the contract, you may find that I have made no provision whatsoever to export your data.  Sure, when you signed up I may have promised to be able to give you your data but the terms of service and privacy policy changed without notice and because you kept using the service you are now bound by the new ones.  I have a copy of the old TOS and Privacy Policy and will be happy to show you the clause where I told you to check the TOS and Privacy Policy pages for updates frequently and that you’d be bound by them.

If you are lucky you can export your data but I’ll charge you to do it.  This is law in many jurisdictions but, unlike law enforcement and other government agents, your only recourse is binding arbitration in my jurisdiction so I can afford to be really lax about compliance.  If I do reluctantly agree to give you your data you only get that which you specifically provided.  All of the metadata, derivative data, transactional data, psychographic data, correlated data matched from external sources, and anything else that I collected, compiled, refined or mined is exclusively my property, despite the fact that some of it may have been visible to you as part of the service and you became dependent on it.  If you anticipated that loss and thought you might capture some of my data using screen scraping or reverse engineering, or exceeding your authority as a user, check the TOS again.  Here in the US, that would be a violation of the terms and subject to DMCA anti-circumvention, which is a Federal offense.  Your data is ours but my data is mine.  Keep your mitts off.  You see, I really do understand privacy.  When it comes to my data, anyway.

In any case, after you cancel the service I’ll hang onto your data and continue to use it for my own purposes.  If you go back and read the TOS closely you may find I’ve designed the contract to protect your privacy only so long as you are my customer.  Once you terminate the relationship I share your data more freely and widely than ever and the increased volume of spam that arrives at your email inbox is just the tip of the iceberg.  The only person I don’t share your data with at this point is, well, you.

There is also the possibility that my company goes under.  Your best case scenario here is that I scrub all my hard drives first.  Not that I will.  More likely is that your data is the most valuable asset I have and if I can find a buyer for it I might just walk away with a bit of profit from my failed company.  My buyer walks away with all your diary entries, but that’s not my problem.

Market differentiation is essential
Hence my distinction between Personal Cloud versus “Personal” Cloud.  The two are alike in name only and one of them would have a hard time being more impersonal if it tried.  I understand why marketers want to use the term Personal Cloud for services that are anything but personal.  They are being deliberately manipulative, it’s that simple.  It is not an outright lie if the term isn’t defined authoritatively somewhere and there is some aspect of the service that justifies the use of the word “personal” in the description.  Microsoft’s Office 365 certainly qualifies as cloud.  But personal?  Hardly.

Going back to the hypothetical Qredo-enabled journaling app, the source of the privacy features is in the architecture.  The Qredo app, working through the Qredo platform layer, performs all of the processing and encryption on the local device.  The cloud is used for sync, redundancy, portability of the data, and enhanced services such as attestation.  Because the privacy features are enforced by the encryption and the underlying architecture, they cannot be turned off without breaking the platform.

Contrast this with the prevailing model in which your data is available to the cloud vendor.  Because your data and your metadata are key revenue-generating assets in their business model, there is no scenario in which you ever have anything close to the level of privacy you had with the physical journal book.  Worse, the privacy that the vendor promises is enforced only by policy.  The complexity of rigorously enforcing that policy just within a single company means that any “Personal” Cloud app that achieves moderate success and Internet-scale growth places your data at high risk of exposure.  There are simply too many people with access and the data is too valuable.

Moreover, no company in this space, especially the smaller ones, owns and controls all their infrastructure these days.  Chances are that any and every “Personal” Cloud startup employs the services of at least half a dozen 3rd parties to host, process, collate, enrich, and back up your data.  If the only thing preventing abuse of your data by all the people with legitimate access to it is your app vendor’s policy, just how personal is that data anyway?

This is not a difference in degree.  It is not as though a “Personal” Cloud is somewhat less secure than a Personal Cloud.  The two architectures are completely different.  One is built to preserve your value to the vendor as a revenue-generating asset.  The other is built to preserve your privacy and does not generate revenue from access to your data.  One of these you want.  The other you should be wary of, if not downright terrified.  The thing is, how do you tell the difference?

When the analysis and reporting fails to make the distinction and lumps these together in the Personal Cloud category, the market is blinded and fails to make a differentiation.  But wouldn’t you as the consumer want the people you trust for news and analysis to present these as fundamentally different things?  And if we are to attach the term Personal Cloud to anything, which of these actually is deserving of the title? Is it really the one generating revenue from your “personal” data?  Of course not.

Given the difference in outcomes and the potential harm to the consumer, reporting on “Personal” Cloud as if it were indistinguishable from Personal Cloud borders on irresponsible.  With hard work and a little luck, someday doing so will violate truth in advertising laws and cross the line to illegal.

A plea for sanity
John, or for that matter any journalist or analyst who made it this far into the post, I implore you to adopt a slightly stricter standard in your application of the term Personal Cloud.  Please reserve it for things that actually deserve it.  There’s Qredo, LastPass and Space Monkey as already mentioned, but there are many other projects building not just privacy-enhancing Personal Cloud software, but enhancing the hardware and infrastructure as well.  Surely after reading the post above you would agree that truly personal products deserve to be differentiated in the marketplace from those that are not.  Vendors who take the “personal” in Personal Cloud seriously deserve a chance.

But when influencers such as yourself do not make that quality of service distinction and confer the term Personal onto services that are anything but, it puts Personal Cloud vendors at a disadvantage.  Remember, they aren’t earning revenue off of your data so if you treat them the same as vendors who do you are rewarding security theater at the expense of actual security.  More importantly the people buying the devices and services who would place a market value on that distinction if they knew it was available are harmed by the omission, and these people are your constituents.  Don’t they deserve analysts and reporters who understand the difference between Personal Cloud and “Personal” Cloud and shine a light on it?

Resources
Qredo is in stealth mode as of this writing but we are preparing the web site for launch soon so I’ll include it in this section.  Links to all the companies mentioned in the post are provided below.  Project VRM’s Development page has a growing list of projects related to Personal Cloud so rather than list them all here, I’ll just link there.  (Yes, VRM is not Personal Cloud but the two overlap so much their list is directly useful here.)  I’ve also provided links to PDEC and Respect Network since they are some of the best sources for info and definitely understand the difference between “Personal” Cloud and Personal Cloud.

  • Personal Data Ecosystem Consortium (PDEC) is the trade group working to promote truly personal digital solutions and infrastructure.  They focus on standards, architecture and implementations. http://pde.cc
  • Respect Network is a trade group focused on the reputation and trustworthiness aspects of Personal Cloud apps and data. There’s some overlap with PDEC but it is more about a community of trust.  https://www.respectnetwork.com/
  • Qredo (Disclosure: I am the CTO) is a Personal Cloud implementation in which privacy, authenticity, integrity, and attestation of your data is provided by the platform and cannot be disabled by the application.  This makes building true Personal Cloud applications dead simple.  https://qredo.com
  • LastPass is a Personal Cloud of passwords in which encryption and architecture protect your data from the vendor or other 3rd parties.  https://www.lastpass.com
  • Space Monkey is a cloud storage system distributed across many personal devices.  The storage on each device is split in half with a portion dedicated to your data and a portion dedicated to hosting part of the distributed database.  Your data is only ever in plaintext when you render it and the parts of it that are backed up in the distributed database are encrypted locally before transmission to the cloud.  https://www.spacemonkey.com/
  • The development page from the VRM Wiki provides a list of products in the market or close to launch, many of which provide true privacy-enhancing, user-controlled, crypto-enforced Personal Cloud. http://cyber.law.harvard.edu/projectvrm/VRM_Development_Work
  • Bonus link: UBOS is a Linux distro for running server-side Personal Cloud apps on hardware you own.  In addition to whatever Personal Cloud functions the apps provide, with UBOS you have physical possession of the server and the data.  Mount a Space Monkey disk partition under it and you have the benefits of a local server and the resilience of the cloud.  That’s one hell of a platform for building Personal Cloud apps. http://ubos.net/