Now is a great time to become a cloud customer. With them, you can access all your digital information whenever and wherever you are, via cloud-compatible devices (iPad, Kindle, etc.). you can store your music collection in iCloud, and you can share your work and personal documents via Box.net and manage your expenses via Expensify. The list goes on and on.
Despite the convenience, you need to take into account the associated consequences for privacy. Who owns your private information after you've uploaded it? Does the provider have any rights to your data when it gets to the server?
The answer is that cloud privacy is still in its infancy.
Most of the consumer cloud services recognize that users retain the rights to the data after their introduction into the server.
Facebook's terms of use state: "You own all the content and information that you post on Facebook. And you can control them yourself through your privacy and app settings."
Similarly, the Gmail Intellectual Property Notice States: "Google does not claim ownership of any content, whether it is text, data, information, photos, music, sound, video, or any other material that you upload, transmit, or store on your Gmail account. We will not use your content for any purpose other than providing you with the Service."
Of course, in such cases, both Facebook and Google reserve some rights, but they have clearly stated their obligation to preserve the privacy and security of all data uploaded by users. However, the question remains how to interpret these obligations and in relation to what international laws.
Such boundaries of privacy have never been explored before, and this has become a topic of conversation among politicians and regulators. We don't even have a single international standard for online privacy, let alone cloud privacy. Often, the very nature of cloud computing makes it difficult to determine which laws apply to it, especially if data is uploaded under one jurisdiction and stored under another. However, the European Union is announcing new rules for cloud service providers this fall, and will be the first authority to do so.
The United States still does not have a comprehensive data privacy policy or any rules regarding cloud services. But recent actions by the Federal Trade Commission demonstrate that regulatory officials should direct consumer protection actions, even outside of the comprehensive Federal privacy law, against companies that do not adhere to their own privacy rules.
The Supreme court is constantly dealing with cloud privacy issues. In the case of Ontario V. Quon (2010), the judges decided that you cannot rely on privacy when connecting an employee's mobile device to an employer's cloud service. In a new court session, the Supreme court will address privacy concerns surrounding GPS surveillance by law enforcement agencies in the U.S. V. Antoine Jones case. The case raises interesting questions when applied to GPS technologies used in consumer cloud services (Google Maps, Foursquare) and their privacy obligations.
The Federal Trade Commission and other regulatory agencies are also taking a close look at data portability, the user's ability to easily move data from one service to another. Once consumers start storing more data online, they'll want to move it faster and easier. Most likely, in the future, data portability will become an integral point for all cloud service providers. Some providers are already thinking about this and use, for example, the open Auth 2.0 authentication scheme supported by Google, Facebook, Microsoft, Yahoo, etc.
What do these legal uncertainties mean for you and other cloud users at the moment? Will they prevent us from enjoying the comforts of being able to store information and access it on a whim?
Of course not. But this means that we need to choose the provider more carefully. Then there are our suggestions on how to manage consumer clouds while protecting your private information.
1. Think before you upload.
When you upload private information to a remote server, don't forget about the risks. Before uploading, think about whether you really want to store specific information on the cloud. The cloud is great for storing emails, photos, and entertainment; however, I don't recommend storing private information like birth certificates, tax returns, and other important documents there.
2. Know your provider, your provider's provider, and their policies.
Before you start using the service, please read the terms of use and privacy policy. Most of the services run on hosting providers (for example, Netflix runs on Amazon hosting), so it makes sense to also read the policies of these secondary platforms. The provider's policy should contain answers to the following questions::
3. Save copies.
If you decide to upload files to the cloud, always leave a backup copy. This is especially true for family photos and home videos.
4. Keep everything a secret.
It is wise to treat your accounts in the service in the same way as with your email account. User names and passwords should be kept secret and changed as often as possible. Do not share this data with anyone unless absolutely necessary.
Fran Mayer is President and Chairman of TRUSTe, A leading provider of online privacy solutions. She talks a lot about the challenges associated with privacy and trust on the Web and actively trains women to use technology. She frequently speaks at conferences related to the Internet and trust, including the Online Trust Alliance.
Despite the convenience, you need to take into account the associated consequences for privacy. Who owns your private information after you've uploaded it? Does the provider have any rights to your data when it gets to the server?
The answer is that cloud privacy is still in its infancy.
Most of the consumer cloud services recognize that users retain the rights to the data after their introduction into the server.
Facebook's terms of use state: "You own all the content and information that you post on Facebook. And you can control them yourself through your privacy and app settings."
Similarly, the Gmail Intellectual Property Notice States: "Google does not claim ownership of any content, whether it is text, data, information, photos, music, sound, video, or any other material that you upload, transmit, or store on your Gmail account. We will not use your content for any purpose other than providing you with the Service."
Of course, in such cases, both Facebook and Google reserve some rights, but they have clearly stated their obligation to preserve the privacy and security of all data uploaded by users. However, the question remains how to interpret these obligations and in relation to what international laws.
Such boundaries of privacy have never been explored before, and this has become a topic of conversation among politicians and regulators. We don't even have a single international standard for online privacy, let alone cloud privacy. Often, the very nature of cloud computing makes it difficult to determine which laws apply to it, especially if data is uploaded under one jurisdiction and stored under another. However, the European Union is announcing new rules for cloud service providers this fall, and will be the first authority to do so.
The United States still does not have a comprehensive data privacy policy or any rules regarding cloud services. But recent actions by the Federal Trade Commission demonstrate that regulatory officials should direct consumer protection actions, even outside of the comprehensive Federal privacy law, against companies that do not adhere to their own privacy rules.
The Supreme court is constantly dealing with cloud privacy issues. In the case of Ontario V. Quon (2010), the judges decided that you cannot rely on privacy when connecting an employee's mobile device to an employer's cloud service. In a new court session, the Supreme court will address privacy concerns surrounding GPS surveillance by law enforcement agencies in the U.S. V. Antoine Jones case. The case raises interesting questions when applied to GPS technologies used in consumer cloud services (Google Maps, Foursquare) and their privacy obligations.
The Federal Trade Commission and other regulatory agencies are also taking a close look at data portability, the user's ability to easily move data from one service to another. Once consumers start storing more data online, they'll want to move it faster and easier. Most likely, in the future, data portability will become an integral point for all cloud service providers. Some providers are already thinking about this and use, for example, the open Auth 2.0 authentication scheme supported by Google, Facebook, Microsoft, Yahoo, etc.
What do these legal uncertainties mean for you and other cloud users at the moment? Will they prevent us from enjoying the comforts of being able to store information and access it on a whim?
Of course not. But this means that we need to choose the provider more carefully. Then there are our suggestions on how to manage consumer clouds while protecting your private information.
1. Think before you upload.
When you upload private information to a remote server, don't forget about the risks. Before uploading, think about whether you really want to store specific information on the cloud. The cloud is great for storing emails, photos, and entertainment; however, I don't recommend storing private information like birth certificates, tax returns, and other important documents there.
2. Know your provider, your provider's provider, and their policies.
Before you start using the service, please read the terms of use and privacy policy. Most of the services run on hosting providers (for example, Netflix runs on Amazon hosting), so it makes sense to also read the policies of these secondary platforms. The provider's policy should contain answers to the following questions::
- Who owns the data when it is uploaded to the server?
- What rights does the provider have to the data after it is uploaded?
- Under whose laws is the contract drawn up?
- Do you have rights to data portability? (how easy is it to transfer data from one service to another?)
- What happens if you decide to opt out of the service? Will the provider retain the rights to the data, and for how long?
- Will the service deactivate your account and delete your data after a certain period of inactivity?
- Does the provider allow relatives or designated individuals to request access to your data and cancel your account if you become disabled or unable to access your account?
- Does the provider allow independent third-party privacy and security checks to verify that it adheres to its own policies?
3. Save copies.
If you decide to upload files to the cloud, always leave a backup copy. This is especially true for family photos and home videos.
4. Keep everything a secret.
It is wise to treat your accounts in the service in the same way as with your email account. User names and passwords should be kept secret and changed as often as possible. Do not share this data with anyone unless absolutely necessary.
Fran Mayer is President and Chairman of TRUSTe, A leading provider of online privacy solutions. She talks a lot about the challenges associated with privacy and trust on the Web and actively trains women to use technology. She frequently speaks at conferences related to the Internet and trust, including the Online Trust Alliance.
