Amazon Cloud Faces Heat for Storing Biometric Data



Sundar Pichai, Google CEO and newly appointed CEO of Alphabet (GOOG) (GOOGL), made some interesting comments at the Google Cloud Next event in April. Pichai talked about how enterprises could benefit from the use of cloud tech. He indicated that companies can drastically improve business functions across divisions by storing data on the cloud instead of on-premises data centers. This potential may be one reason Gartner estimated in April that the cloud IaaS (infrastructure-as-a-service) market’s value could reach around $49 billion in 2020.

Article continues below advertisement

It is true that with the help of cloud data storage, enterprises could do wonders to improve their operational efficiency. But in April, Pichai did not seem to foresee a potential clash with regulators. How would regulators react if cloud technology were used to store non-business information such as personal health records and biometric data online? Now, cloud leaders are about to face another bout with regulators, which could end with new data protection laws being drafted in 2020.

Amazon Web Services under the biometric scanner for cloud storage

Amazon Web Services (AMZN) is facing a class-action lawsuit in Illinois for providing cloud infrastructure services to facilitate biometric data storage on its servers. Reuters was the first to report the news on November 20. GeekWire did a followup story and discussed the suit at length. The lawsuit has claimed a violation of BIPA (the Biometric Information Protection Act).

According to BIPA statutes in Illinois, every business enterprise should draft a policy outlining such information collection and when data will be decommissioned. GeekWire reports the lawsuit against AWS claims the cloud service provider did not write such a policy, but “obtained and stored” the information as part of its service contract. Although the number of unique personal identifiers stored on AWS servers is unclear, the lawsuit is seeking a penalty for each violation. The plaintiffs are demanding $5,000 for every willful infringement and $1,000 for each negligent violation.

These penalties in Illinois could make a minor dent in Amazon’s billion-dollar business. But that sum isn’t the only thing at stake. We may end up undervaluing a very useful technology because of poor management decisions.

Article continues below advertisement

Amazon and AWS spinoff nowhere in sight

When asked in a CNBC interview about AWS spinning off in 2020, CEO Andy Jassy made it clear that there were no such plans, saying, “I would be shocked if that was the case.” Jassy said that AWS will continue to work on improving its features and capabilities, and there’s no need to split the company.

And I agree on this point. Why bother splitting up something with a high yield and potential? I don’t think Jeff Bezos would approve of a spin-off without added benefits. Additionally, removing AWS numbers from Amazon’s financial statements could skew its financial ratios, dragging down its stock.

HIPAA and Google patient data migration to the cloud

HIPAA (the Health Insurance Portability and Accountability Act) governs US patients’ personal health data. This regulation came under focus when news broke about Project Nightingale. Google is working with healthcare provider Ascension to migrate health data to cloud platforms. Since Google also generates revenue from targeted ad campaigns, many people feared a possible breach of trust. What if Google were to use this information to target ads to patients? However, Google categorically stated that it would not resort to such action. The company is also willing to cooperate in any federal probe.

Article continues below advertisement

A HIPAA Journal post on AWS compliance has made an interesting statement: “no software or cloud service can ever be truly HIPAA compliant.” Therefore, a cloud service provider could follow guidelines, yet data could still be exposed on the cloud. Cloud storage platforms provide easy access to users anywhere, on the go. Any mix-up with users’ security permissions or configuration could make data vulnerable.

What the lawsuit could mean

BIPA rules don’t specify how long data should be kept on the cloud before being destroyed. Shouldn’t there be a defined period? Even more importantly, the nature of the data needs to be considered. If you classify financial information such as credit card details and online banking passwords as code red, how would you classify fingerprint data? The theft of identifiers such as retina scans and fingerprints could have devastating effects.

In fraudulent transactions through your credit card, card providers can intervene by issuing a new card number, and insurance companies or banks can offer some form of financial protection. But what if the stolen data is your identity? You can’t change your fingerprints. There could be no recourse whatsoever. This lawsuit could be critical in determining how we store personal data on the cloud.


More From Market Realist