Cloud Computing and Privacy
A WhitePaper by Nicholls Legal
The adequate protection of the privacy of personal and sensitive data has proved to be one of the key concerns that has emerged in the area of cloud computing. Adequate protection of privacy intersects with many other issues affecting cloud computing, including data security, jurisdictional concerns and contractual issues. With information privacy a growing international and domestic concern, the issues surrounding privacy in the cloud require close scrutiny by anyone seeking to enter the cloud, providers of cloud services, industry bodies and government. It is important to note that many of the problems raised by cloud computing are not individually unique, but as the National Institute of Standards and Technology (NIST) notes:
Because cloud computing has grown out of an amalgamation of technologies, including service oriented architecture, virtualization, Web 2.0, and utility computing, many of the privacy and security issues involved can be viewed as known problems cast in a new setting. The importance of their combined effect, however, should not be discounted.
This whitepaper examines some of the privacy issues raised by the rise of cloud computing.
II Privacy Concerns in the Cloud
The issues surrounding private data in the cloud often intersect with questions as to the overall security of data stored in the cloud. However, the sensitive nature of private data raises additional questions and issues for those involved in cloud computing. In particular, the potential for loss of control and abuse of personal data when it is moved offsite is a significant barrier to cloud adoption. This is the essence of privacy concerns in the cloud, ‘the fact that you are handing over potentially highly sensitive and private information to a third party to store and process.’ There is particular concern when data is moved overseas, which is the subject of a separate whitepaper. This paper will deal more generally with the issue of privacy in all clouds and how they might be addressed by government and/or industry regulation, and by users of cloud services.
III Case Study – Google Buzz
As one of the largest providers of cloud services in the market today, Google has faced significant criticism regarding the ability of their services to protect the privacy of users. The controversy over their Google Buzz service provides a useful illustration of the potential perils of cloud computing as it relates to user privacy.
Google Buzz was a social network that was launched by Google on 9 February 2010. Buzz was designed by Google to interact with their existing Google Apps services, particularly users Gmail accounts. Soon after launching Buzz met a raft of criticisms regarding its protection of users private data that provide some useful illustrations of the privacy issues that are raised by cloud computing. The complaint filed by the Electronic Privacy Information Centre (EPIC) to the US Federal Trade Commission (FTC) illustrates the concerns that many had over the services offered by Buzz, in particular, the way that Buzz made public Gmail data on a users profile without their consent.
B The EPIC Complaint
bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-E.U Safe Harbor or other privacy, security, or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties… The settlement … requires Google to establish and maintain a comprehensive privacy program, and it requires that for the next 20 years, the company have audits conducted by independent third parties every two years to assess its privacy and data protection practices.
The settlement included a sum of USD 8.5 million from Google for a fund to distribute awards to organizations focused on internet privacy or privacy education. Buzz faced similar criticism and complaints in Canada.