Privacy in the Clouds: Policy Observations

Report home | Read the report (PDF) | Previous section | Next section

Cloud computing is well underway and appears to be expanding rapidly. There has been a good deal of public discussion of the technical architecture of cloud computing and the business models that could support it. Debate about the legal and policy issues regarding privacy and confidentiality raised by cloud computing has not kept pace. The findings set out at the beginning of this document are a contribution to the debate, as are the following policy observations.

Responses to the privacy and confidentiality risks of cloud computing include better policies and practices by cloud providers, more vigilance by users, and changes to laws.

If the cloud computing industry adopted better and clearer policies and practices, users would be better able to assess the privacy and confidentiality risks they face. For some individuals, the actual risks involved with cloud computing may be minor or insignificant. Other individuals might have stronger concerns. For example, some users may be anxious to maintain full ownership of photographs and may not want to grant a cloud provider any rights over their photos. Other users, especially those in corporations or government, might have different and stronger reasons to protect sensitive or valuable information. Those who use cloud computing for some activities and not others may find it hard to keep confidential data from migrating to applications in the cloud.

The cloud computing industry could establish standards that would help users to analyze the difference between cloud providers and to assess the risks that users face.

The cloud computing industry could be doing a lot more to explain its services. One approach may be to group cloud services into types or categories based on levels of protections. For example, there might be two basic classes of cloud providers. One class of provider would promise never to use or disclose information. It might employ mandatory or optional encryption that prevents the provider from examining content of user information. In addition, the same class of provider might make stronger and more permanent commitments about not making substantive changes in the terms of service that would affect a user’s privacy or confidentiality interests. Strong security obligations might also be a part of the package of obligations. Commitments made by “class one” providers could be subject to independent audit and certification. The second class of cloud provider might make no or fewer promises regarding the content of user information and might retain a broader ability to change the terms of service. Of course, there may be a need for additional classes of cloud providers to meet different needs. Helping users find the appropriate level of protection will be important.

Users should pay more attention to the consequences of using a cloud provider and, especially, to the provider’s terms of service.

Standardization of terminology and terms of service would help users to understand the risks and consequences of using a cloud provider. At present, however, the best a user can do is to select a cloud provider carefully based on its terms of service and privacy policy. Reading and understanding the terms of service may be the single most important thing for an individual to do before using a cloud provider. Regrettably, the terms of service are often complex, and may require a high level of interest and persistence to thoroughly parse and understand. An alternative is to avoid cloud providers altogether until better protections for users are available. A business or agency should be fully aware of any privacy or other obligations that attach to data being shared with a cloud provider.

For those risks not addressable solely through policies and practices, changes in laws may be needed.

For example, Congress could amend ECPA to address the shortcomings in the law and to determine what protections apply to user records. Other legislative responses could address ambiguities in privacy or other laws. It is possible to speculate about a statute establishing specific standards for cloud providers, including civil and criminal penalties for violations of the standards. States could also enact relevant legislation, although the effect of state law on an interstate or international activity is uncertain. It is also uncertain what the prospects are for a legislative response in the near-term future.

Whether an industry self-regulatory approach would work is uncertain. Other industry self-regulatory efforts focused on privacy have lapsed, failed entirely, or been heavily criticized by consumers as too one-sided in favor of industry. A good faith effort offers the hope of addressing some issues effectively. Neither self-regulation nor legislation is likely to offer a complete response to the privacy and confidentiality issues raised by cloud computing.

These policy suggestions are offered to further the debate about the risks of cloud computing for privacy and confidentiality. Users of cloud providers would benefit from greater transparency about the risks and consequences of cloud computing, from fairer and more standard terms, and from better legal protections. The cloud computing industry would also benefit.
Roadmap: Privacy in the Clouds – Risks to Privacy and Confidentiality from Cloud Computing: Part V – Policy Observations

Report home | Read the report (PDF) | Previous section | Next section

Posted February 23, 2009 in Report: Privacy in the Clouds

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.