Privacy in the Clouds: Introduction and Summary of Findings

Cloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information. A principal goal of this analysis is to identify privacy and confidentiality issues that may be of interest or concern to cloud computing participants. While the storage of user data on remote servers is not new, current emphasis on and expansion of cloud computing warrants a more careful look at its actual and potential privacy and confidentiality consequences.

Cloud Computing Today: Issues and Implications

A considerable amount of cloud computing technology is already being used and developed in various flavors (e.g., private, public, internal, external, and vertical).[1] Not all types of cloud computing raise the same privacy and confidentiality risks.[2] Some believe that much of the computing activity occurring today entirely on computers owned and controlled locally by users will shift to “the cloud” in the future. Whether this will turn out to be the case is uncertain and not especially important here. This analysis does not support or oppose cloud computing. The continuing development and maturation of cloud computing services is an undeniable reality.

The definitional borders of cloud computing are much debated today. For present purposes, cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the Internet or other connections. Cloud computing services exist in many variations, including data storage sites, video sites, tax preparation sites, personal health record websites, photography websites, social networking sites, and many more.

Any information stored locally on a computer could be stored in a cloud, including email, word processing documents, spreadsheets, videos, health records, photographs, tax or other financial information, business plans, PowerPoint presentations, accounting information, advertising campaigns, sales numbers, appointment calendars, address books, and more. The entire contents of a user’s storage device may be stored with a single cloud provider or with many cloud providers. Whenever an individual, a business, a government agency, or other entity shares information in the cloud, privacy or confidentiality questions may arise.

Some definitions of terms will help to clarify the discussion here:

  • A customer or potential customer of a cloud computing service is a user. The user may be an individual, business, government agency, or any other entity.
  • The organization that offers the cloud computing service is a cloud service provider, or cloud provider. A cloud provider may be an individual, a corporation or other business, a non-profit organization, a government agency or any other entity.
  • A cloud service provider is one type of third party that maintains information about, or on behalf of, another entity.

A typical information exchange in cloud computing occurs when a user shares information with the cloud provider. Can any and all information be legally shared in a cloud service? With cloud computing, many factors affect the answer to this fundamental question. The shortest answer to the question, however, is that for some information and for some users, sharing may be illegal, may be limited in some ways, or may affect the status or protections of the information shared.

Generally, an individual is free to share his or her personal information with a cloud provider. For a business, disclosing the personal information of customers or employees, or other business information to a cloud provider is often unrestricted by law because no privacy law or other law applies. For example, privacy laws do not cover most marketing records in the United States. Even when privacy laws apply to particular categories of customer or employee information, disclosure to a cloud provider may not be restricted.

For a federal agency, various laws may have bearing on the decision to employ a cloud provider. For example, the Privacy Act of 1974[3] imposes standards for the collection, maintenance, use, and disclosure of personal information. The use of cloud computing for personal information held by a federal agency may violate the Privacy Act of 1974, especially if there is no contractual arrangement between the agency and the cloud provider. If a cloud provider offers services to the public on behalf of agencies, other Privacy Act requirements may apply, as may security obligations under various federal laws and policies. Federal record management and disposal laws may also be relevant.[4]

This document analyses and illustrates some of the key privacy and confidentiality consequences of cloud computing. No attempt is made to be comprehensive or to consider all potentially relevant laws. This document does not review state laws that may impose stronger or additional protections for personal information. The focus in this analysis is primarily on the privacy and confidentiality consequences of cloud providers located in the United States, with some discussion of international implications.

Findings

This analysis of cloud computing finds the following:

  • Cloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information. This document identifies multiple and complex privacy and confidentiality issues that may be of interest or concern to cloud computing participants. While storage of user data on remote servers is not a new activity, the current emphasis on and expansion of cloud computing warrants a more careful look at the privacy and confidentiality consequences.
  • A user’s privacy and confidentiality risks vary significantly with the terms of service and privacy policy established by the cloud provider. Those risks may be magnified when the cloud provider has reserved the right to change its terms and policies at will. The secondary use of a cloud computing user’s information by the cloud provider may violate laws under which the information was collected or that are otherwise applicable to the original user. A cloud provider will also acquire transactional and relationship information that may itself be revealing or commercially valuable. For example, the sharing of information by two companies may signal that a merger is under consideration. In some instances, only the provider’s policy will limit use of that information. Many users are likely not aware of the details set out in the terms of service for cloud providers or of the consequences of sharing information with a cloud provider.
  • For some types of information and some categories of cloud computing users, privacy and confidentiality rights, obligations, and status may change when a user discloses information to a cloud provider. Procedural or substantive barriers may prevent or limit the disclosure of some records to third parties, including cloud computing providers. For example, health record privacy laws may require a formal agreement before any sharing of records is lawful. Other privacy laws may flatly prohibit personal information sharing by some corporate or institutional users. Professional secrecy obligations, such as those imposed on lawyers, may not allow the sharing of client information. Sharing information with a cloud provider may undermine legally recognized evidentiary privileges. Records management and disposal laws may limit the ability of a government agency to use cloud computing for official records.
  • Disclosure and remote storage may have adverse consequences for the legal status of or protections for personal or business information. For example, a trade secret shared with a cloud provider may lose some of its legal protections. When a person stores information with a third party (including a cloud computing provider), the information may have fewer or weaker privacy protections than when the information remains only in the possession of the person. Government agencies and private litigants may be able to obtain information from a third party more easily than from the original owner or creator of the content. A cloud provider might even be compelled to scan or search user records to look for fugitives, missing children, copyright violations, and other information of interest to government or private parties. Remote storage may additionally undermine security or audit requirements.
  • The location of information in the cloud may have significant effects on the privacy and confidentiality protections of information and on the privacy obligations of those who process or store the information. Any information stored in the cloud eventually ends up on a physical machine owned by a particular company or person located in a specific country. That stored information may be subject to the laws of the country where the physical machine is located. For example, personal information that ends up maintained by a cloud provider in a European Union Member State could be subject permanently to European Union privacy laws.
  • Information in the cloud may have more than one legal location at the same time, with differing legal consequences. A cloud provider may, without notice to a user, move the user’s information from jurisdiction to jurisdiction, from provider to provider, or from machine to machine. The legal location of information placed in a cloud could be one or more places of business of the cloud provider, the location of the computer on which the information is stored, the location of a communication that transmits the information from user to provider and from provider to user, a location where the user has communicated or could communicate with the provider, and possibly other locations.
  • Laws could oblige a cloud provider to examine user records for evidence of criminal activity and other matters. Some jurisdictions in the United States require computer technicians to report to police or prosecutors evidence of child pornography that they find when repairing or otherwise servicing computers. To the extent that cloud computing places a diverse collection of user and business information in a single location, it may be tempting for governments to ask or require cloud providers to report on particular types of criminal or offensive behavior or to monitor activities of particular types of users (e.g., convicted sex offenders). Other possibilities include searching for missing children and for music or software copyright violations.
  • Legal uncertainties make it difficult to assess the status of information in the cloud as well as the privacy and confidentiality protections available to users. The law badly trails technology, and the application of old law to new technology can be unpredictable. For example, current laws that protect electronic communications may or may not apply to cloud computing communications or they may apply differently to different aspects of cloud computing.
  • Responses to the privacy and confidentiality risks of cloud computing include better policies and practices by cloud providers, changes to laws, and more vigilance by users. If the cloud computing industry adopted better and clearer policies and practices, users would be better able to assess the privacy and confidentiality risks they face. Users might avoid cloud computing for some classes of information and might be able to select a service that meets their privacy and confidentiality needs for other categories of information. For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate. Each user of a cloud provider should pay more – and indeed, close – attention to the consequences of using a cloud provider and, especially, to the provider’s terms of service.

Endnotes
[1] Researchers and others are still sorting out the proper classification and terminology for describing cloud computing. See, e.g., Lamia Youseff et al., Toward a Unified Ontology of Cloud Computing, <http://www.cs.ucsb.edu/~lyouseff/CCOntology/CloudOntology.pdf>. Last accessed Feb. 19, 2009.
[2] For example, a user who publishes photographs using a cloud provider’s facilities may face few risks because the photos are already public. However, a business that stores unpublished financial results with a provider that reserves the right to read, use, or make public any information on the provider’s facilities faces a risk of premature release of information or use of that information by the cloud provider in ways that could violate securities law.
[3] 5 U.S.C. § 552a.
[4] See, e.g., 44 U.S.C. chapters 31 & 33.

Roadmap: Privacy in the Clouds – Risks to Privacy and Confidentiality from Cloud Computing: Part I – Introduction and Summary of Findings