-- By TuviaPeretz - 30 Oct 2011

Use of cloud computing services for data storage has become increasingly popular. Enthusiasts point to the economic efficiencies that large-scale providers of cloud services can deliver and characterize the cloud as a revolutionary force on the internet that will define the next era of computing. Before accepting that the future is here, however, we need to better understand the privacy risks that go hand in hand with this migration to the cloud. I see two significant privacy concerns associated with the use of the cloud—one structural and the other legal.

Structural Concern

Data Control

Instead of data being controlled by those to whom it belongs and stored on the owner's own servers, all of this data is stored by massive cloud storage providers on the provider's servers, which are accessed remotely. The cloud service provider now has access to any information the owner has placed in its possession. Even if we assume that the cloud provider would never itself use any of the data (see the Amazon Cloud Terms of Service, in particular 5.2), this still erodes a user's privacy in two ways. First, the cloud service provider is more likely than the user to turn over the user's data to the government or to another party willing to pay for it. Second, if that turnover occurs, the user has no knowledge of it. When the government asks a user directly to turn over information, or when a user sells it to a marketing company, at least the user knows that another party now possesses the information and that the user's activity is known to others. By contrast, when the cloud service provider turns over your information, you have no idea that the turnover has occurred and are unlikely to find out, since the government has a strong interest in keeping you in the dark. Additionally, the fact that the cloud service provider holds so many people's information increases the value of that information, because it has already been, or can easily be, aggregated.

Potential Solutions

There is no clear way of solving the structural issues that arise when you lose control of your own data. Conceptions of the cloud that fully embrace the economy-of-scale arguments in its favor cannot take the data out of the hands of those who maintain the cloud, and therefore leave the user no way to retain control of the data. Before turning to the cloud, a user must take a serious look at its costs and benefits: what they plan to use the cloud for and the cost savings that can be realized. Those savings must be weighed against the control lost and against how important it is that the data or applications they place in the cloud remain private. One way of tempering the privacy loss while still capturing some of the economic benefits is tailored use of different cloud deployment models. For example, users with similar needs and concerns could use a community cloud that they maintain collectively, realizing (though to a lesser degree) the potential economic benefits of the cloud computing model.

Legal Concern

Jurisdictional Differences

The legal privacy concern associated with use of the cloud stems from the fact that the laws protecting data privacy differ from jurisdiction to jurisdiction. This means that if the benefits of the cloud are fully realized and data is seamlessly transferred from one remote location to another, the laws governing the privacy of that data may change with each move. There is considerable conflict between European data privacy laws and those in force in the United States, especially as applied to data belonging to citizens of other countries. For example, section 217 of the PATRIOT Act allows the government to intercept the "communications of a computer trespasser" if the owner of a "protected computer" authorizes that surveillance. This means the government has warrantless search authority over any computer whose service provider agrees to it. This should raise serious concerns among users of cloud computing services. Information can move seamlessly from jurisdiction to jurisdiction, and there is no knowing what surveillance and data privacy standards may be applied along the way. Additionally, the owner of the data has no idea that their data is being observed.

Potential Solutions

Legal differences in how data is treated between jurisdictions carry significant costs, both in the potential lack of legal protection and in the lack of certainty and predictability about which data protection regime applies. As a worldwide uniform data privacy regime is impossible to imagine, we need to look for less drastic ways of reducing the legal risks associated with the cloud. In Europe, some have suggested solving this problem by instituting a country-of-origin approach. This could lead to greater predictability within a certain limited zone, but it may also reduce the portability of data and thereby reduce the economic benefits of the cloud. Another solution would simply have cloud computing companies sort themselves by the zones in which they maintain data and the corresponding legal data privacy protections that apply.

Although the economic model behind cloud computing presents a compelling case for a shift towards the cloud, it is important to evaluate the privacy losses that accompany this shift before endorsing a full-fledged flight to the cloud. Although a complete move to the cloud may be unwarranted, there may be ways of capturing some of its economic benefits while also controlling the privacy risks.