Cloud Computing and Privacy
A WhitePaper by Nicholls Legal
I Introduction
The adequate protection of the privacy of personal and sensitive data has proved to be one of the key concerns that has emerged in the area of cloud computing. Adequate protection of privacy intersects with many other issues affecting cloud computing, including data security, jurisdictional concerns and contractual issues. With information privacy a growing international and domestic concern, the issues surrounding privacy in the cloud require close scrutiny by anyone seeking to enter the cloud, providers of cloud services, industry bodies and government. It is important to note that many of the problems raised by cloud computing are not individually unique, but as the National Institute of Standards and Technology (NIST) notes:
Because cloud computing has grown out of an amalgamation of technologies, including service oriented architecture, virtualization, Web 2.0, and utility computing, many of the privacy and security issues involved can be viewed as known problems cast in a new setting. The importance of their combined effect, however, should not be discounted.[1]
This whitepaper examines some of the privacy issues raised by the rise of cloud computing.
II Privacy Concerns in the Cloud
The issues surrounding private data in the cloud often intersect with questions as to the overall security of data stored in the cloud. However, the sensitive nature of private data raises additional questions and issues for those involved in cloud computing. In particular, the potential for loss of control and abuse of personal data when it is moved offsite is a significant barrier to cloud adoption. This is the essence of privacy concerns in the cloud, ‘the fact that you are handing over potentially highly sensitive and private information to a third party to store and process.’[2] There is particular concern when data is moved overseas, which is the subject of a separate whitepaper. This paper will deal more generally with the issue of privacy in all clouds and how they might be addressed by government and/or industry regulation, and by users of cloud services.
III Case Study – Google Buzz
A Introduction
As one of the largest providers of cloud services in the market today, Google has faced significant criticism regarding the ability of their services to protect the privacy of users. The controversy over their Google Buzz service provides a useful illustration of the potential perils of cloud computing as it relates to user privacy.
Google Buzz was a social network that was launched by Google on 9 February 2010. Buzz was designed by Google to interact with their existing Google Apps services, particularly users Gmail accounts. Soon after launching Buzz met a raft of criticisms regarding its protection of users private data that provide some useful illustrations of the privacy issues that are raised by cloud computing. The complaint filed by the Electronic Privacy Information Centre (EPIC) to the US Federal Trade Commission (FTC) illustrates the concerns that many had over the services offered by Buzz, in particular, the way that Buzz made public Gmail data on a users profile without their consent.
B The EPIC Complaint
EPIC’s complaint concerned both the perceived inadequate protection by Google and inaccuracies they identified with Google’s representations to customers about protection of their private data. In particular, EPIC was concerned that Buzz made publicly visible by default users Gmail contact list, lists which ‘routinely include deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors’.[3] Buzz further contained features which allowed other users to ascertain the frequency of contact that Buzz users had with different contacts through that users publicly visible ‘following’ list. Further, EPIC alleged that Google’s privacy policy misrepresented the extent to which Google protected user data, and that Google violated their policy when they launched Buzz. In particular, some users who declined to sign up to Google Buzz were nonetheless ‘enrolled’ in certain features of Google Buzz, and Buzz utilised personal data in a manner different from that which Gmail users consented to when they created their Gmail account. Finally, the complaint alleged that Google misrepresented to European Union Customers that it was handling their data in a manner consistent with the U.S.-EU Safe Harbor privacy framework. Google settled with the FTC in March of 2011, accepting that it had used deceptive tactics and violated its own privacy promises to consumers. The settlement:
bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-E.U Safe Harbor or other privacy, security, or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties… The settlement … requires Google to establish and maintain a comprehensive privacy program, and it requires that for the next 20 years, the company have audits conducted by independent third parties every two years to assess its privacy and data protection practices.[4]
The settlement included a sum of USD 8.5 million from Google for a fund to distribute awards to organizations focused on internet privacy or privacy education.[5] Buzz faced similar criticism and complaints in Canada[6].
