Cisco's Connect Cloud goof-up underscores IT cloud security concerns

IT raises fresh concerns around data privacy and security in cloud services after Cisco’s auto updates for Linksys routers forced users to sign up to the service and its terms.

A Cisco Linksys router update that connected customers’ routers to its Connect Cloud service without their knowledge, along with the company’s licensing terms around user data, has recharged privacy and security concerns surrounding cloud services.

Cisco Systems Inc. rolled out a firmware update last week which connected customers’ Linksys Wi-Fi routers to its cloud service and required them to sign up for the service to manage their routers.

IT pros’ concerns increased further when they learnt that the Connect Cloud service could collect their personal data. Cisco’s original terms of service for Connect Cloud stated that the vendor would keep track of their personal information, such as network traffic, Internet history, and details of how they use the service.

“When I purchase a router, I expect it to function as a router, not as a sales agent for an additional service that I don't want,” said George Dinwiddie, the founder of iDIA Computing, LLC, a software development consulting firm, in Pasadena, MD. “I certainly do not want it to function as a man-in-the-middle attack, monitoring and reporting my Internet usage.”

Responding to widespread customer outrage, Cisco apologised and has since clarified that it only retains information that is necessary to sign up for and support the cloud service. Cisco said it will not push software updates to customers’ Linksys routers when the auto-update setting is turned off.

“Cisco does not track or store any personal information regarding a customer’s usage of the Internet,” Brent Wingo, vice president and general manager for Cisco Home Networking, said on the company’s official blog.

“Cisco is committed to the privacy and security of our customers, and we will update our terms of service and related documentation as quickly as possible,” Wingo said.

Some experts applauded the move to withdraw the service quickly but added that Cisco should have informed customers beforehand.

“No one from Cisco asked the customers before releasing the auto-update,” said Tony Lock, programme director at Freeform Dynamics Ltd., an IT research and analysis company based in New Milton, UK.

Cloud security concerns endure

Cisco’s response has not quelled distrust of its cloud services, experts said.

“While Cisco may now promise that it will not do anything untoward, this auto-update fiasco makes it hard to trust that promise,” said Dinwiddie of iDIA Computing.

“Trust is hard to build but easily broken. Using opt-out techniques rather than opt-in is a great trust breaker,” he added.

Dinwiddie has a Linksys router that is currently not in service. “I'll be installing open source firmware before putting it back in service,” he said.

One concern about the original default settings proposed by Cisco was what use Cisco might make of data such as browser history that it could collect, said Alan Woodward, professor in the department of computing at the University of Surrey in Guildford.

“This is an area that customers need to be very wary of when it comes to cloud-based computing,” Woodward said.

“Cisco is one amongst many who has introduced a cloud service with ‘terms of service’ that contain items that could be quite intrusive if misused,” he said.

However, companies probably do not deliberately set out to contrive a set of terms that would enable them to handle customers’ data in some malicious way, experts said. They saw the move more as a “blunder” than a deliberate ploy.

The legal teams behind these agreements tend to draft the terms so that they are “as broad as possible,” Woodward explained. 

“As ever the law of unintended consequences operates alongside the law of the land, and when you read some of these terms, you can see how data could be used in a way that can make customers quite unhappy,” he said. “Users would see it as an invasion of privacy.”

Due to customer fury, Cisco will probably offer its cloud service in a more customer-friendly manner, Lock added.

“As this is a one-off incident, users are not likely to stop trusting Cisco’s technology completely,” Lock said.

It is a case of the law catching up with the technology, Woodward said.

“Alongside that, those providing cloud services are beginning to understand that users value their data and their privacy,” he said.

Other IT pros weren’t as forgiving.

“After this update, I'd never recommend a Cisco consumer network product to anyone,” said Robert Heron, a technologist who specialises in home theater components, design, and testing, on Twitter.

Others were also sceptical.

“I guess my next router won't be a Cisco or Linksys,” said Barry Dorrans, an IT security professional and the author of the book Beginning ASP.NET Security, also on Twitter.

When using cloud-based services, customers have to understand that different jurisdictions take very different attitudes to data, experts said. Once the data is on the cloud, it could physically rest in a jurisdiction that is quite different from the one it left. 

“The cloud always has a physical presence and the country in which that resides can make all the difference to how your precious data is viewed,” Woodward said. 

The EU has stringent regulations around how sensitive data should be handled. “But, place that same data on the cloud and you cannot guarantee the same protection as the data may instantly be transported outside of the EU, and away from any legal protections that you may be used to,” Woodward said.
