Privacy in the Clouds: Policy Observations

Report home | Read the report (PDF) | Previous section | Next section


Cloud computing is well underway and appears to be expanding rapidly. There has been a good deal of public discussion of the technical architecture of cloud computing and the business models that could support it. Debate about the legal and policy issues regarding privacy and confidentiality raised by cloud computing has not kept pace. The findings set out at the beginning of this document are a contribution to the debate, as are the following policy observations.

  • Responses to the privacy and confidentiality risks of cloud computing include better policies and practices by cloud providers, more vigilance by users, and changes to laws.

If the cloud computing industry adopted better and clearer policies and practices, users would be better able to assess the privacy and confidentiality risks they face. For some individuals, the actual risks involved with cloud computing may be minor or insignificant. Other individuals might have stronger concerns. For example, some users may be anxious to maintain full ownership of photographs and may not want to grant a cloud provider any rights over their photos. Other users, especially those in corporations or government, might have different and stronger reasons to protect sensitive or valuable information. Those who use cloud computing for some activities and not others may find it hard to keep confidential data from migrating to applications in the cloud.

  • The cloud computing industry could establish standards that would help users to analyze the difference between cloud providers and to assess the risks that users face.

The cloud computing industry could be doing a lot more to explain its services. One approach may be to group cloud services into types or categories based on levels of protections. For example, there might be two basic classes of cloud providers. One class of provider would promise never to use or disclose information. It might employ mandatory or optional encryption that prevents the provider from examining content of user information. In addition, the same class of provider might make stronger and more permanent commitments about not making substantive changes in the terms of service that would affect a user’s privacy or confidentiality interests. Strong security obligations might also be a part of the package of obligations. Commitments made by “class one” providers could be subject to independent audit and certification. The second class of cloud provider might make no or fewer promises regarding the content of user information and might retain a broader ability to change the terms of service. Of course, there may be a need for additional classes of cloud providers to meet different needs. Helping users find the appropriate level of protection will be important.  

  • Users should pay more attention to the consequences of using a cloud provider and, especially, to the provider’s terms of service.

Standardization of terminology and terms of service would help users to understand the risks and consequences of using a cloud provider. At present, however, the best a user can do is to select a cloud provider carefully based on its terms of service and privacy policy. Reading and understanding the terms of service may be the single most important thing for an individual to do before using a cloud provider. Regrettably, the terms of service are often complex, and may require a high level of interest and persistence to thoroughly parse and understand. An alternative is to avoid cloud providers altogether until better protections for users are available. A business or agency should be fully aware of any privacy or other obligations that attach to data being shared with a cloud provider.

  • For those risks not addressable solely through policies and practices, changes in laws may be needed.

For example, Congress could amend ECPA to address the shortcomings in the law and to determine what protections apply to user records. Other legislative responses could address ambiguities in privacy or other laws. It is possible to speculate about a statute establishing specific standards for cloud providers, including civil and criminal penalties for violations of the standards. States could also enact relevant legislation, although the effect of state law on an interstate or international activity is uncertain. It is also uncertain what the prospects are for a legislative response in the near-term future.

Whether an industry self-regulatory approach would work is uncertain. Other industry self-regulatory efforts focused on privacy have lapsed, failed entirely, or been heavily criticized by consumers as too one-sided in favor of industry. A good faith effort offers the hope of addressing some issues effectively. Neither self-regulation nor legislation is likely to offer a complete response to the privacy and confidentiality issues raised by cloud computing.

These policy suggestions are offered to further the debate about the risks of cloud computing for privacy and confidentiality. Users of cloud providers would benefit from greater transparency about the risks and consequences of cloud computing, from fairer and more standard terms, and from better legal protections. The cloud computing industry would also benefit.
Roadmap: Privacy in the Clouds – Risks to Privacy and Confidentiality from Cloud Computing: Part V – Policy Observations


Report home | Read the report (PDF) | Previous section | Next section