
Cloud Computing

News

  • Pew/Elon Study: Cloud Computing Will Expand, Security and Privacy Issues Must be Addressed: According to a recent Pew Internet and Elon University survey, most technology experts believe that the next decade will bring increased reliance on internet-based applications and cloud computing. The experts and social analysts surveyed also predicted greater use of mobile devices, with an accompanying reduction in general purpose computing. The survey found that cloud computing brings considerable privacy and security risks. EPIC has a complaint pending before the Federal Trade Commission on Cloud Computing and Privacy. For more information, see EPIC Cloud Computing. (Jun. 11, 2010)
  • Congress Pursues Investigation of Google and Facebook's Business Practices: Following similar letters from other Congressional leaders, the head of the House Judiciary Committee has asked Google Inc. and Facebook to cooperate with government inquiries into privacy practices at both companies. Rep. Conyers (D-MI) noted that Google's collection of user data "may be the subject of federal and state investigations" and asked Google to retain the data until "such time as review of this matter is complete." Rep. Conyers also asked Facebook to provide a detailed explanation regarding its collection and sharing of user information. The House Judiciary Committee is expected to hold hearings on electronic privacy later this year. For more information, see EPIC: Facebook Privacy, EPIC: In re Facebook II, and EPIC: Search Engine Privacy. (Jun. 1, 2010)
  • Congress Urges FTC to Investigate Google Following Revelation that "Street View" Scarfed Wi-Fi Data: Congressmen Joe Barton (R-TX) and Edward Markey (D-MA) wrote to FTC Chairman Leibowitz about Google's collection of consumers' private Wi-Fi transmissions. The House members asked the FTC Chairman to investigate whether Google's actions violate federal privacy laws or consumer protection laws. Google has admitted to collecting email and internet surfing data, but has not clarified the extent or nature of the data collection. The letter from Congress follows an investigation in Europe which revealed that Google's "Street View" vehicles in 30 countries collected not only digital images, but also data transmitted on private wireless networks. EPIC has several privacy complaints pending at the FTC, including one on Cloud Computing. (May. 19, 2010)
  • FCC Releases National Broadband Plan, Privacy Strategy Unclear: The Federal Communications Commission (FCC) released its National Broadband Plan today. The FCC notes that "many users are increasingly concerned about their lack of control over sensitive personal data" and warns that "Innovation will suffer if a lack of trust exists between users and entities with which they interact over the internet." The FCC makes several recommendations, but there is no clear plan to address growing concerns about cloud computing, smart grids and unfair and deceptive trade practices. Last year, EPIC urged the FCC to develop a comprehensive strategy for online privacy as part of the national broadband strategy. (Mar. 17, 2010)
  • EPIC Recommends Effective Consumer Privacy Standards, Calls Notice and Choice a "Failed Experiment": At the third FTC Privacy Roundtable, EPIC senior counsel John Verdi will recommend that the Commission push forward with effective and meaningful privacy safeguards for American consumers. Mr. Verdi will say that the "notice and choice" approach has failed, and will recommend that the FTC enforce Fair Information Practices, such as the OECD Privacy Guidelines. The discussion can be viewed via webcast. Additional information on the FTC roundtable event can be found here. For more information, see EPIC In re Google Buzz, EPIC In re Facebook, and EPIC In re Google and Cloud Computing. (Mar. 17, 2010)
  • EPIC Seeks Records on Google-NSA Relationship: Today EPIC filed a Freedom of Information Act request with the National Security Agency, seeking records regarding the relationship between Google and the NSA. The press reported that Google and the NSA have entered into a partnership following a recent hacker attack on Google originating from China. The EPIC FOIA request also seeks NSA communications with Google regarding Google's failure to encrypt Gmail and cloud computing services. In March 2009, EPIC filed a complaint with the Federal Trade Commission urging it to investigate the adequacy of Google's cloud computing privacy and security safeguards. Today EPIC also filed a lawsuit against the National Security Agency and the National Security Council, seeking a key document governing national cybersecurity policy. For more information, see EPIC FOIA Litigation and EPIC Cloud Computing. (Feb. 4, 2010)
  • EPIC Urges FTC to Protect Users' Privacy On Cloud Computing and Social Networking Services: EPIC submitted comments to the FTC prior to the agency’s second privacy roundtable. EPIC warned of the ongoing privacy risks associated with cloud computing and social networking privacy, highlighting the Google cloud computing complaint and Facebook privacy complaint filed by EPIC in 2009. The comments note that the FTC has failed to take any meaningful action with respect to either complaint, demonstrating the Commission's “lack of leadership and technical expertise.” EPIC's comments also draw attention to the success of international privacy initiatives, in hopes of encouraging the FTC to take meaningful action to protect American consumers. For more information, see EPIC: Cloud Computing and EPIC: Social Networking Privacy. (Jan. 28, 2010)
  • FTC Tells FCC it is Pursuing EPIC's Cloud Computing Complaint: The Federal Trade Commission is urging the Federal Communications Commission to consider the privacy implications of cloud computing in formulating the National Broadband Plan, due to Congress next month. The FTC's interest in cloud computing was prompted by an EPIC complaint to the FTC in March 2009, in which EPIC described numerous privacy and security risks involving cloud-based applications. A subsequent letter from computer researchers and security experts supported EPIC's findings. For more information, see EPIC: Cloud Computing. (Jan. 6, 2010)
  • ENISA Report Examines Cloud Computing and Privacy: The European Network and Information Security Agency has released a new report on Cloud Computing. The ENISA report recommends that European officials determine the application of data protection laws to cloud computing services. The report also considers whether personal data may be transferred to countries lacking adequate privacy protection, whether customers should be notified of data breaches, and rules concerning law enforcement access to private data. Earlier this year, EPIC filed a complaint with the Federal Trade Commission, urging the Commission to examine the adequacy of privacy safeguards for cloud computing services. A subsequent letter by computer researchers, addressed to Google CEO Eric Schmidt, raised similar concerns. See EPIC Cloud Computing. (Nov. 25, 2009)
  • Administration Announces Cloud Computing Initiative, but Privacy Umbrella Missing: Chief Information Officer Vivek Kundra announced the launch of "Apps.gov", a website where federal agencies can obtain cloud-based IT services. The initiative is aimed at "lowering the cost of government operations while driving innovation." Currently, the administration's main goal is to increase the size and scale of cloud computing, but key concerns, such as security and privacy, have received little attention. In March, EPIC filed a complaint with the FTC urging the agency to open an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." Subsequently, thirty-eight computer security researchers and privacy academics sent a letter to Google's CEO, asking Google to uphold privacy promises made to users of Google Cloud Computing services. The FTC investigation is ongoing; no response has been received from Google. For more information, see EPIC's page on "Cloud Computing". (Sep. 17, 2009)

What is Cloud Computing?

Cloud computing refers to data, processing power, or software stored on remote servers made accessible by the Internet as opposed to one's own computers. The term "the cloud" comes from computer network diagrams which, because the individual computers that formed its components were too numerous to show individually, depicted the Internet as a vast cloud at the top of the network chain. One of the key features of cloud computing is that the end user does not own the technology they are using. All the hardware and software is owned by a cloud computing service, while the user simply rents time or space. Several cloud computing applications, such as web email, wiki applications, and online tax preparation, have become common experiences for the average Internet user.

For users, cloud computing arrangements can bring about major cost reductions and efficiencies. For example, in a cloud computing arrangement the end user does not have to pay large up front capital costs for hardware or for that hardware's continued maintenance. If the user needs temporary additional space, he can simply tell the cloud service provider to up his quota for the time being, rather than purchase additional physical capacity which would only be needed for a short period and then left idle. This also means that computer resources as a whole are generally used more efficiently. Rather than have lots of machines running a few tasks and then wasting the rest of their computing power, cloud computing allows a few machines to do lots of tasks without wasted computing cycles. Cloud Computing can be thought of as a way to make the world of computer resources seamlessly scalable.

At the same time, cloud computing also creates dependency. The emergence of cloud computing services is structured around a re-imagining of the relationship between technology and end users. The end user must rely on the cloud computing service provider to ensure that data is kept secure and reliably accessible. They must also depend on the telecommunications infrastructure that will act as the delivery and retrieval pathways for the flow of data to and from the cloud. The further away users are from the underlying technology that they rely upon, the more dependent the relations may become. In addition, once an end user adopts a cloud computing arrangement it may be difficult to move back to a personal computing based platform for data services.

The move toward computing resources as a service to be provided by remote sources with greater access to unbounded computing power presents some attraction to computer users with limited resources and a growing need for information services, but it also presents serious issues that must be examined.

Background

Although cloud computing has only matured in recent years, the underlying concept of multiple users sharing computer resources is not new. The earliest computing operations allowed multiple users to bring work projects, usually in the form of data encoded onto punch cards, magnetic tapes, or floppy disks to a central stand-alone computer for processing. These stand-alone computers could only perform one job or task at a time, and, as a result, they were kept frequently in use processing one user's task after the next.

In 1969, the Department of Defense's Advanced Research Projects Agency sought to expand the distances over which computers could reliably communicate. At the time the project was undertaken, the cost of a computer was very high and processing speed was much slower than today's computing systems. Oftentimes a computer could be tied up for hours, days, or even weeks on a single project. The ARPAnet project sought to create a platform that would allow distributed users to share their valuable computing resources and collaborate on documents. Using the ARPAnet, a user could access a computer located elsewhere on the network and function as a local user at the remote site. The ARPAnet mainly linked government agencies and universities, but it was out of the ARPAnet that what we now know as the Internet was originally developed.

With the development of the operating system, stand-alone computers could perform multiple functions simultaneously for the first time. This opened the door for the first instances of multiple users using a system at the same time. Early instances of multiple clients sharing a single, sometimes more powerful, computing device were known as local area networks. In these settings, a single central server or computing device supported several stand-alone personal computers or dumb terminals (keyboards and computer screens) housed in the same physical location. The terminals would connect to the central server, which would do the terminal's actual processing.

Cloud Computing is an evolution from these previous efforts at shared computing. As prices for processing power and storage have fallen and high-speed internet connections have become ubiquitous, cloud computing has become an increasingly attractive option for many individuals and businesses. As of September 2008, 69 percent of Americans were using webmail services, storing data online, or otherwise using software programs, such as word processing applications, whose functionality is located on the web.

Types of Cloud Computing Services

There are three basic types of cloud computing:

1. Software as a Service (SaaS) is the most common and widely known type of cloud computing. SaaS applications provide the function of software that would normally have been installed and run on the user's desktop. With SaaS, however, the application is stored on the cloud computing service provider's servers and run through the user's web browser over the Internet. Examples of SaaS include: Gmail, Google Apps, and Salesforce.

2. Platform as a Service (PaaS) cloud computing provides a place for developers to develop and publish new web applications stored on the servers of the PaaS provider. Customers use the Internet to access the platform and create applications using the PaaS provider's API, web portal, or gateway software. Examples of PaaS include: Salesforce's Force.com, Google App Engine, Mozilla Bespin, Zoho Creator.

3. Infrastructure as a Service (IaaS) seeks to obviate the need for customers to have their own data centers. IaaS providers sell customers access to web storage space, servers, and Internet connections. The IaaS provider owns and maintains the hardware and customers rent space according to their current needs. An example of IaaS is Amazon Web Services. IaaS is also known as utility computing.

Issues

When users place their data and applications on centralized servers, they lose the ability to maintain complete control of that information. With the rise of cloud computing, critical and sometimes sensitive information that was once safely stored on personal computers now resides on the servers of online companies. Examples of such information include users' email, banking information, and full backups of individuals' hard drives. This phenomenon creates a multitude of risks for the users.

One of the biggest risks of storing data in the cloud is the possibility that this data will be accessed by unwanted third parties. While some cloud computing services encrypt user data when it is stored, others store data in clear text, leaving it especially vulnerable to a security breach. Data stored in the cloud might also be provided to marketers. For example, many email providers allow secondary advertising uses for e-mail communications. In recent studies, an overwhelming majority of Cloud Computing Services users expressed serious concern regarding the possibility that a Cloud Computing Services provider would disclose their data to others. According to a report by the Pew Internet and American Life Project, 90% of cloud application users say they would be very concerned if the company storing their data sold it to a third party. 80% of users say they would be very concerned if companies used their photos or other data in marketing campaigns and 68% say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.

Legal rights and regulatory authority for the protection of the privacy of cloud computing users are not well defined. Data stored in the cloud may be subject to less stringent legal protection than data stored on a personal computer. Under the Electronic Communications Privacy Act, data stored in the cloud may be subject to a lesser standard for law enforcement to gain access to it than if the data were stored on a personal computer. Moreover, the terms of service for cloud computing services often make clear that they will preserve and disclose information to law enforcement when served with legal process. Health information services that store user medical information may not be subject to the privacy protections of the Health Insurance Portability Protection Act. Even where it is clear that user data is protected, cloud computing service providers often limit their liability to the user as a condition of providing the service, leaving users with limited recourse should their data be exposed or lost.

Storing data in the cloud means that access to that data is subject to the cloud computing service provider's terms. Often the terms of service allow the cloud computing service provider to terminate the service at any time. On the other hand, depending on the terms of service, deleting an account may not actually remove the stored data from the provider's servers. One might also imagine a data hostage scenario where it is vital that a user gain access to online information, but the data holder refuses that access without first receiving a payment or other compensation. In addition, there are serious concerns about the reliability of cloud computing services. As mentioned earlier, if the cloud computing service goes down or loses data, the users would have little legal recourse.

Case Studies

Amazon Web Services

Amazon Web Services (AWS) offers a range of cloud computing services that allow users to "securely" store and manage a wide range of data types. AWS also incorporates identity, payment, database, messaging, and other services.

Amazon promotes AWS as a reliable cloud computing option, but its service level agreement states that "AWS reserves the right to refuse service, terminate accounts, remove or edit content in its sole discretion."

graphic of Amazon's S3 statement of its services

Further, the "Disclaimer of Warranties and Limitations of Liability" in the AWS terms and conditions states that:

"AWS DOES NOT WARRANT THAT THIS SITE; INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING ANY SOFTWARE) OR SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THIS SITE; ITS SERVERS; OR E-MAIL SENT FROM AWS ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. AWS WILL NOT BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING FROM THE USE OF THIS SITE OR FROM ANY INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) OR SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THIS SITE, INCLUDING, BUT NOT LIMITED TO DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, AND CONSEQUENTIAL DAMAGES, UNLESS OTHERWISE SPECIFIED IN WRITING. CERTAIN STATE LAWS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES OR THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES. IF THESE LAWS APPLY TO YOU, SOME OR ALL OF THE ABOVE DISCLAIMERS, EXCLUSIONS, OR LIMITATIONS MAY NOT APPLY TO YOU, AND YOU MIGHT HAVE ADDITIONAL RIGHTS."

As additional protection for itself, Amazon limits all legal actions that may arise over its Cloud Computing services to King County, Washington, where the company is located.

Mozy

Another cloud computing service provider, Mozy.com, offers users cloud computing services to back up photographs, documents, accounting records, or any information that is stored on a personal computer. The service reserves broad rights "at any time to modify, suspend, or discontinue providing the Service or any part thereof in its sole discretion with or without notice."

mozy's policy on access to its service

The Decho Corporation operates Mozy.com, MozyPro.com and Decho.com. The company treats signing up for the service as agreement to the terms. The customer may end the agreement by "destroying the Software and closing your account," but the agreement does not address what happens to the information that remains in the hands of the company. Closing an account does not mean that information collected or stored on the service will be removed.

mozy's statement on its right to terminate service

The company defines personal "as any data from which it is practical to directly determine the identity of an individual." Further, under the terms and conditions users are told, "You agree to indemnify, defend, and hold harmless Decho and its suppliers from any and all loss, cost, liability, and expense arising from or related to your data, your use of the Service..."

mozy's disclaimer

WebMD

Medical information services such as WebMD provide tools that allow users to establish medical information accounts that can be used to record details regarding health conditions, symptoms, and medications, searches for medical professionals, and details about the type of medical advice sought.

Web MD's rules regarding information sent to public areas

WebMD's Terms and Conditions of Use state that information provided to the company by e-mail, blog posting, uploading photos or video, or submitting information to "Public Areas" becomes the property of WebMD.

Web MD rules regarding posting of photos or video

Although federal law allows for patient record privacy through the Health Insurance Portability Protection Act (HIPPA), the records created by WebMD and other health cloud computing services are not covered by HIPPA. WebMD states in its Terms and Conditions of Use that the company will not be liable for any damages.

Web MD limits options for users who believe they have been injured by the service
