Privacy in the Clouds: Other Cloud Computing Issues
From a privacy and confidentiality perspective, the terms of service may be the most important feature of cloud computing for an average user who is not subject to a legal or professional obligation. The discussion above and throughout this analysis repeatedly addresses the relevance of a provider’s terms of service to privacy and confidentiality protections.
Scope of rights claimed by cloud service providers
If the terms of service give the cloud provider rights over a user’s information, then a user is likely bound by those terms. A cloud provider may acquire through its terms of service a variety of rights, including the right to copy, use, change, publish, display, distribute, and share with affiliates or with the world the user’s information. There may be few limits to the rights that a cloud provider may claim as a condition of offering services to users.
The scope of the rights claimed by a cloud provider could affect the legality of information sharing by a user. The actual use by a cloud provider or by anyone that the cloud provider transferred the information to could violate a statute in a way that could create liability on the part of the original user. If a user fails to safeguard data properly and a third party uses information in violation of a legal duty, the user could be both civilly and criminally liable. Much might depend on the specific standards in the statute, but the possibility may be unnerving to some.
Changeable terms of service
Merely returning to the cloud provider’s website might constitute acceptance of the new terms so a user may not even have a practical opportunity to remove information from the provider’s site before the new terms become effective. For a user who concluded that sharing documents under a cloud provider’s terms of service did not violate any of the user’s legal obligations, a change in the terms of service could create legal or other liabilities for the user.
Termination of services
The terms of service may allow a cloud provider to terminate services to a user at any time. The result could be that a user who did not maintain a full backup of information stored in the cloud may lose the information permanently. This could present a significant problem to any business or individual simply because of the loss of data. The loss may be especially troublesome for a business required to document its activities and for a government agency that has an obligation under law not to dispose of records without following required procedures.
Location of Cloud Data and Applicable Law
The location of a cloud provider’s operations may have a significant bearing on the law that applies to a user’s data. The actual location may or may not appear in the provider’s terms of service. Even if the provider discloses the location of records, the provider may change it, possibly without any notice. The same data may be stored in multiple locations at the same time. A provider who promises to maintain user data in a specific jurisdiction (e.g., the United States) may reduce some of the location risks that a user may face.
The European Union’s Data Protection Directive offers an example of the importance of location on legal rights and obligations. Under Article 4 of the Directive, a national data protection law applies when a controller located in the territory of Member State processes personal information. A cloud provider in an EU Member State could bring personal data obtained from a non-EU based user under a European data protection law. Once EU law applies to the personal data, the data remains subject to the law, and the export of that data will thereafter be subject to EU rules limiting transfers to a third country. Thus, if a U.S. company gave its data to a cloud provider based in France, French data protection law would attach, and the export of the data back to the United States could be restricted or prohibited. In addition, the subjects of the data would acquire rights of notice, access, correction, etc. under French law. Once an EU Member State’s data protection law attaches to personal information, there is no clear way to remove the applicability of the law to the data.
It may be possible to argue that the cloud provider is not a controller with respect to a user’s data because it is a mere processor only transiting the data through a Member State. That argument is uncertain on its own, and it is an even more difficult argument if the cloud provider reserves in its terms of service the right to use, disclose, or otherwise process the data. Indeed, it is possible depending on those terms for the cloud provider to be the effective controller of a user’s data for EU purposes. If so, the cloud provider would be obliged to undertake the data protection obligations of a controller with respect to the use’s data. If so, the situation is likely to be undefined because of the lack of any relevant understanding between the user and the cloud provider respecting data protection obligations. Any resulting litigation is likely to be novel and lengthy.
Other legal consequences aside from the application of data protection rules could also follow from location choices. Consider, for example, if the law of trade secrets in the jurisdiction where a user’s data is stored is less protective of information than the law in the jurisdiction where the user is physically located. A litigant might be able to select a forum to dispute the trade secret claim or otherwise rely on the trade secret standards of a jurisdiction unanticipated by a user. It is also possible that data held in another country would be more accessible to government access than the user could expect at home.
Other location issues are foreseeable. For example, a United States cloud provider of services to a firm or an individual may itself subcontract to or avail itself of the service of another cloud provider. That second-degree cloud provider may be located in another country or another state in the United States. The user may be unaware of the existence of a second-degree provider or the actual location of the user’s data. Indeed, it may be impossible for a casual user to know in advance or with certainty which jurisdiction’s law actually applies to information entrusted to a cloud provider. These uncertainties complicate the ability of a user to determine the protections that apply to data entrusted to a cloud provider.
For some, cloud computing may be a sword and for others, cloud computing may be a shield. Arguably, uncertainty about location could provide a practical benefit to someone trying to keep data beyond the reach of a government or litigant. The model is onion routing. Onion routing is a technique for anonymous communication over a computer network. Messages are repeatedly encrypted and then sent through multiple network nodes called onion routers. Each onion router removes a layer of encryption to uncover routing instructions and sends the message to the next router where the activity repeats until the message reaches its final destination.
Intermediary nodes do not know the origin, destination, and contents of the message. One could envision a series of onion cloud providers who move information through various jurisdictions to make it hard for governments or litigants to find or obtain the information of a user of onion cloud providers. Each attempt to force a cloud provider to turn over a user’s information might have to use compulsory powers in multiple jurisdictions, first to find the data’s actual location and then to obtain the data. The ability of a government or private litigant to pursue a user’s data through multiple jurisdictions might not be easy, fast, or possible.
Ownership and Transfer of a Cloud Provider
Who owns a cloud provider? The provider’s terms of service may not reveal the real owner. The actual owner could be under the control of a subsidiary of a competitor, a U.S. government agency, a foreign agency, or an Internet news service. If a government agency owns the provider, terms of service that allow sharing with affiliates could result in all of the user’s information being obtained by prosecutors or intelligence agencies without further notice or process.
A variety of circumstances could lead to the transfer of a cloud provider’s operations, together with all user information maintained by the provider. These include sale of the cloud service, sale of the cloud company, a merger, seizure by the government for non-payment of taxes, and bankruptcy. Some bankruptcy issues have been discussed above. It is also possible that a user’s information will be considered a corporate asset and available for sale or transfer through the bankruptcy process to other parties. This may be more likely if the terms of service give the provider rights regarding the user’s information. Another possibility is that bankruptcy will terminate the cloud provider entirely with little or no notice.
Under any transfer scenario, a user may not have any advance notice of the transfer and therefore no opportunity to remove records before the transfer. For an individual, the transfer of records from one cloud provider to another could result in the conglomeration of personal information that the individual sought to keep separate or away from a particular company. A new owner who is a creditor of a user might seize valuable information or documents (e.g., photographs).
For a business, a transfer could result in result in records suddenly being stored in a state or country that imposes privacy or other obligations on a user or in a location that has other consequences for the legal status of information. The combination of unlimited transfer by a cloud provider with the ability of the provider to instantaneously change terms of service could produce a result that is highly unfavorable to a user.
Consider the corporate user that carefully chose a particular cloud provider because the provider did not reserve the right to read user files and had no affiliation with the corporate user’s competitors. If the chosen cloud provider was sold to another organization and the terms of services changed under the provider’s reservation of the right to change the terms, the corporate user could find its’ confidential, internal documents accessible by a competitor.
Transactional, Relationship, and Other Information
Most of the discussion here relates to the consequences for information that a user placed with a cloud provider. Any use of a cloud provider will also generate transactional, relationship, and other information about the user or other third parties. Transactional information may include data about dates, times, locations, equipment, activities, and other characteristics of a user and of any other person who the user allowed to access the user’s information.
For example, if a user places a draft document with a cloud provider and allows three colleagues to access the document, the system would have transactional information on the user and the user’s colleagues. The same information could also show relationships among the four individuals and their institutional affiliations. In some circumstances, a cloud provider could provide the provenance of a document that might not be readily available from any other source.
In other circumstances, transactional information may reveal substantive activities. For example, if two publicly owned companies considering a merger share documents with each other through a cloud provider, the transactional and relationship information might reveal confidential plans even if the provider does not read the actual documents.
Another concern could arise from what might be called secondary use of information by a cloud provider. Consider, for example, a cloud provider that says that it will not market to a user based on the user’s information. A user’s information might contain useful data about others, and a cloud provider’s seemingly reassuring promise may not be so reassuring after all. It is conceivable that the cloud provider can still market to non-users who show up in the user’s records, especially if the non-users can be identified in some way.
If, for example, a cloud provider reads the taglines of a user’s photographs and learns that a John Doe (who is not a user of the service) in one of the photos skis, the provider may then use or sell knowledge of John Doe’s skiing interest for marketing purposes. If not restricted, secondary use of documents, photographs or other information entrusted by a user to a cloud provider has broad potential to expand the use of information in ways the user did not anticipate.
Possibilities of compelled disclosure by the government or a private litigant have already been discussed. Companies involved in litigation can use the process of discovery to obtain records of other parties to the litigation in the possession of cloud providers. A cloud provider, like any third party, could promise to notify a user of a subpoena and delay responding to the subpoena to allow the user to intervene.
Privacy policies at some websites promise to provide notice of subpoenas to users when legally permissible to do so, but the practice is far from universal and the promises are often highly qualified. Even if a cloud provider’s terms of service make a promise about notice, the promise may be limited or subject to change. Terms of service may waive any liability for failure to notify.
The more activity that a user conducts in the cloud, the greater the risk of third party disclosure is. Consider the user who employs a cloud provider to provide a complete backup for the user’s hard disk. The provider would, in essence, maintain a full record of the user’s computer activities. Anyone seeking access from the provider might obtain all of the user’s records. For example, in a divorce, a lawyer for one party might seek useful information such as documents, videos, photographs, email, and other data from the other party’s cloud provider.
Audits and Security
Requirements for auditing of corporate records might make it difficult or impossible for some users to store some information with a cloud provider because of an inability to audit the use of the information. Audits and other data integrity measures may be important if a user’s local records differ from the records maintained on the user’s behalf by a cloud provider.
Determining which version of a record stored in multiple locations is the correct version may be complex. Security requirements for information may also create problems because of the inability of the user to assess the provider’s security, to audit security for compliance, or to determine whether the level of security meets statutory or regulatory security requirements.
Possible Cloud Provider Disclosure Obligations
It is possible that cloud providers will have obligations to monitor users in some cases. For example, some jurisdictions in the United States require computer technicians to report evidence of child pornography that they find when repairing or otherwise servicing computers to police or prosecutors. Whether cloud providers have similar obligations is beyond the scope of this analysis, but it is conceivable that cloud providers could be obliged to report about the activities of users. Reporting might also be required for evidence of money laundering, fraud, bribery, child abuse, child abduction, or many other illegal activities. A copyright owner might ask or compel the cloud provider to scan all of a user’s files (or, perhaps, all files of all users) seeking to find copyrighted material.
If the government is looking for a fugitive, terrorist, missing child, or other individual, it might ask a cloud provider to search all user photos and data for the individual. The government could also seek to scan available photos for evidence useful in criminal trials. Some governments might be able to ask or compel a provider to scan all photos when entered into the provider’s system for information of interest to the government.
To the extent that cloud computing places a diverse collection of user and business information in a single location, it may be tempting for governments to ask or require cloud providers to report on particular types of criminal or offensive behavior or to monitor activities of particular types or categories of users (e.g., convicted sex offenders). The possibility that a cloud provider could be obliged to inform a government or a third party about user activities might be troubling to the provider as well as to its users. Other possibilities include searching for missing children and for music or software copyright violations.
 See, e.g., Alan Murphy, Cloud Security: A New Level of Trust, Virtual Data Center Blog at <http://thevirtualdc.com/?p=134>. Last accessed Feb. 19, 2009.
Roadmap: Privacy in the Clouds – Risks to Privacy and Confidentiality from Cloud Computing: Part IV – Other Cloud Computing Issues