White Paper: Privacy in the Clouds

Cloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information. While remote servers are not new, current emphasis on and expansion of cloud computing warrants a more careful look at its actual and potential privacy and confidentiality consequences.

The World Privacy Forum 'Privacy in the Clouds' report frames and analyzes the issues of privacy and confidentiality in the cloud computing environment. This report discusses the issue of cloud computing and outlines its implications for the privacy of personal information as well as its implications for the confidentiality of business and governmental information. The report finds that for some information and for some business users, sharing may be illegal, may be limited in some ways, or may affect the status or protections of the information shared.

Even when no laws or obligations block the ability of a user to disclose information to a cloud provider, disclosure may still not be free of consequences.

In its analysis and discussion of relevant laws, the report finds that both government agencies and private litigants may be able to obtain information from a third party more easily than from the creator of the information. A cloud provider’s terms of service, privacy policy, and location may significantly affect a user’s privacy and confidentiality interests.

Summary of Findings

This analysis of cloud computing finds the following:

•Cloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information. This document identifies multiple and complex privacy and confidentiality issues that may be of interest or concern to cloud computing participants. While storage of user data on remote servers is not a new activity, the current emphasis on and expansion of cloud computing warrants a more careful look at the privacy and confidentiality consequences.

•A user’s privacy and confidentiality risks vary significantly with the terms of service and privacy policy established by the cloud provider.
Those risks may be magnified when the cloud provider has reserved the right to change its terms and policies at will. The secondary use of a cloud computing user’s information by the cloud provider may violate laws under which the information was collected or that are otherwise applicable to the original user. A cloud provider will also acquire transactional and relationship information that may itself be revealing or commercially valuable. For example, the sharing of information by two companies may signal a merger is under consideration. In some instances, only the provider’s policy will limit use of that information. Many users are likely not aware of the details set out in the terms of service for cloud providers or of the consequences of sharing information with a cloud provider.

•For some types of information and some categories of cloud computing users, privacy and confidentiality rights, obligations, and status may change when a user discloses information to a cloud provider. Procedural or substantive barriers may prevent or limit the disclosure of some records to third parties, including cloud computing providers. For example, health record privacy laws may require a formal agreement before any sharing of records is lawful. Other privacy laws may flatly prohibit personal information sharing by some corporate or institutional users. Professional secrecy obligations, such as those imposed on lawyers, may not allow the sharing of client information. Sharing information with a cloud provider may undermine legally recognized evidentiary privileges. Records management and disposal laws may limit the ability of a government agency to use cloud computing for official records.

•Disclosure and remote storage may have adverse consequences for the legal status of or protections for personal or business information.
For example, a trade secret shared with a cloud provider may lose some of its legal protections. When a person stores information with a third party (including a cloud computing provider), the information may have fewer or weaker privacy protections than when the information remains only in the possession of the person. Government agencies and private litigants may be able to obtain information from a third party more easily than from the original owner or creator of the content. A cloud provider might even be compelled to scan or search user records to look for fugitives, missing children, copyright violations, and other information of interest to government or private parties. Remote storage may additionally undermine security or audit requirements.

•The location of information in the cloud may have significant effects on the privacy and confidentiality protections of information and on the privacy obligations of those who process or store the information.
Any information stored in the cloud eventually ends up on a physical machine owned by a particular company or person located in a specific country. That stored information may be subject to the laws of the country where the physical machine is located. For example, personal information that ends up maintained by a cloud provider in a European Union Member State could be subject permanently to European Union privacy laws.

•Information in the cloud may have more than one legal location at the same time, with differing legal consequences. A cloud provider may, without notice to a user, move the user’s information from jurisdiction to jurisdiction, from provider to provider, or from machine to machine. The legal location of information placed in a cloud could be one or more places of business of the cloud provider, the location of the computer on which the information is stored, the location of a communication that transmits the information from user to provider and from provider to user, a location where the user has communicated or could communicate with the provider, and possibly other locations.

•Laws could oblige a cloud provider to examine user records for evidence of criminal activity and other matters.
Some jurisdictions in the United States require computer technicians to report to police or prosecutors evidence of child pornography that they find when repairing or otherwise servicing computers. To the extent that cloud computing places a diverse collection of user and business information in a single location, it may be tempting for governments to ask or require cloud providers to report on particular types of criminal or offensive behavior or to monitor activities of particular types of users (e.g. convicted sex offenders). Other possibilities include searching for missing children and for music or software copyright violations.

•Legal uncertainties make it difficult to assess the status of information in the cloud as well as the privacy and confidentiality protections available to users.
The law badly trails technology, and the application of old law to new technology can be unpredictable. For example, current laws that protect electronic communications may or may not apply to cloud computing communications or they may apply differently to different aspects of cloud computing.

Responses to the privacy and confidentiality risks of cloud computing include better policies and practices by cloud providers, changes to laws, and more vigilance by users. If the cloud computing industry would adopt better and clearer policies and practices, users would be better able to assess the privacy and confidentiality risks they face. Users might avoid cloud computing for some classes of information and might be able to select a service that meets their privacy and confidentiality needs for other categories of information. For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate. Each user of a cloud provider should pay more – and indeed, close – attention to the consequences.

Cloud Computing Tips for Business:

•Beware of "ad hoc" cloud computing. Any organization should have standardized rules in place telling employees when and if they may utilize cloud computing and for what data.

•Don’t put anything in the cloud you wouldn’t want a competitor, your government, or another government to see.

•Read the Terms of Service. Then read the Terms of Service again.
Make sure that you are not violating any law or policy by putting data in the cloud, and think twice before putting any consumer data in the cloud.

•Consult with your technical, security or corporate governance advisors about the advisability of putting data in the cloud.

This information was provided by The World Privacy Forum. The World Privacy Forum is a nonprofit, non-partisan 501(c)(3) public interest research group. The organization is focused on conducting in-depth research, analysis, and consumer education in the area of privacy. It is the only privacy-focused public interest research group conducting independent, longitudinal work. The World Privacy Forum does not recommend or endorse specific software products. www.worldprivacyforum.org