Cloud Computing: Legal Issues

Abstract

Cloud computing, by its nature, presents fresh challenges to the existing legislation governing the security and privacy of customer data. As clouds are essentially data centres or server farms, used to host and maintain customer data, the customer data is no longer under the complete control of the customer themselves. Traditional licensing agreements and contracts may be legally inadequate, and typically do not provide remedies and legal recourse for specific situations. Also, there is an underlying fear amongst some customers with regards to data security, with the protection and privacy of their data, both from loss and inappropriate distribution, being to the fore. This paper will outline some of the legal issues associated with cloud computing and how they may be addressed, and will consider some of the specific legal issues that are relevant for Ireland.
Jonathan Roche
Cork Institute of Technology, Department of Computing, Cork, Ireland
jonathan.roche2@mycit.ie
Keywords - Cloud Computing, Legal Issues,
Data Protection Legislation
I. INTRODUCTION
In its broadest sense, cloud computing can be
seen as the provision of a computing service
over a network, which is in most cases the
internet. Though the number of service types
continues to grow, they can generally be
broken down into three categories:
Software as a Service - Application provision across a network.
Platform as a Service - Application development across a network.
Infrastructure as a Service - Resource provision across a network.
Due to the potential cost savings to its
customers, cloud computing has become a
viable alternative for all business types, from
small enterprises to large scale multinationals.
Customers of the service no longer need to
worry about expensive hardware installations,
or to commission a custom application from a
niche development house, given that an off the
shelf service subscription can be acquired at a
fraction of the cost.
As with many subscription services, customers
typically have to sign a contract to avail of the
service, and in the process have to deal with
the legal agreements set out by the service
provider. In some cases, a customer may not
be satisfied with the legal constraints as
outlined by the service contract, and may seek
to have some aspects of the contract modified
to cater for their specific requirements, or to
have extra stipulations inserted into the
contract [1]. Before entering into any
contractual agreement with a service provider,
a customer needs to carefully evaluate the
implications of the contract before availing of
the service.
Also, the standard terms and conditions of a
service provider’s contract may not meet the
legal requirements of a customer. Such issues
need to be highlighted early in the process, as
they may have an impact, not only on the
pricing of the service itself, but also on the
service provider’s ability to provide a service
that meets the legal requirements of the
customer [2].
II. GENERAL LEGAL ISSUES
While far from an exhaustive list, some of the
key legal issues that need to be agreed upon by
the customer and the service provider are as
follows:
Governing Law and Jurisdiction - Virtually
without exception, the service provider will
outline that it is liable and governed within its
own country, and that all disputes that arise
from the contract are under the jurisdiction of
the courts of the service provider’s country.
Many customers may want to have this
amended to move any legal jurisdiction to
their home country and in some cases when
the service provider is a large multi-national,
this may be possible. It may also be possible to
remove such a provision from a contract and
allow legal debate to decide, when or if a
situation should arise [3].
Data Location - Many service provider
contracts explicitly outline the right to
maintain customer data on any of their sites,
regardless of the origin of the data. While
some service providers do not address the
issue directly, most follow a similar policy on
the grounds that not explicitly prohibiting the
practice legitimizes it. Although maintaining
data across multiple geographical locations
provides a greater level of security, it does
raise issues in relation to export control and
needs to be addressed directly within the
contract, legislating against extraterritorial
storage [4].
Privacy and Confidentiality - In many cases,
data collected for a specific purpose may only
be used for that specific purpose. For example,
student information stored in college databases
typically may only be outsourced to designated
vendors with legitimate interests in the data.
Contracts governing data outsourcing need to
ensure data usage specifically for the required
service, and non-disclosure of data by the third
party without authorization. Without being
expressed explicitly within a contract,
enforcement may be compromised [5].
Data Security - In the case of contracts that
address data security, most limit their
provision to a "reasonable" level of security, or
to implement "industry standard" security
practices. Despite providing a level of
confidence in the service provision, these
terms are widely open to argument and
interpretation. To ensure a greater level of
security, this needs to be replaced by
independent specific security standards, and
updated and audited periodically. Also, any
contract should place a requirement on the
service provider to give notice of data or
security breaches [5].
Data Access for E-Discovery - While it is not
an absolute necessity, an understanding of the
architecture of the service being provided is
important. In order to prepare for any
e-discovery requirements that could arise,
knowledge of the format used for data storage
and available tools for data access is required.
Some services fail to provide such tools,
turning e-discovery into a cumbersome and
time consuming task [6].
End User Responsibility - Service provider
contracts may require the customer to ensure
that the end users of the service abide by the
service provider’s usage terms and conditions.
While this is an understandable condition on
the service provider - customer relationship, it
also places the liability of the third party usage
of the system with the customer. An
alternative would be to enforce agreement
between third parties and the service provider
for compliance with the service provider’s terms
and conditions [7].
Inappropriate and Unauthorized Usage - Some
service providers may place the responsibility
of preventing inappropriate and unauthorized
usage of the provided service with the
customer. Considering that the service
provided resides in the cloud, and is by and
large outside of the control of the customer, it
is recommended that the contract limits the
liability to the customer not authorizing or
knowingly allowing prohibited usage of the
service. These contracts typically also include
a requirement on the customer to inform the
service provider of all unauthorized or
inappropriate usage of the service. It is in the
best interest of the customer to increase the
threshold of reporting to material breaches
rather than all unauthorized or inappropriate
usages [2].
End User Account Suspension - Occasionally
service providers may specify the right to
suspend the accounts of an end user on the
violation of the service provider’s terms and
conditions. With a broad statement of right,
service providers can suspend the customer’s
end users at will. It is preferable for the
customer to restrict the service provider’s right
of suspension to material or significant
violations that compromise the security of the
vendor’s system [1].
Emergency Security Issues - Service providers
may have legislation inserted to suspend
without notice a service provision, should an
offending use of the service cause an
emergency issue. It is in the best interest of the
customer to clearly define the constitution of
an emergency issue, thus limiting the
flexibility or discretion of the service provider,
and ideally should only incorporate a
significant violation of the service provider’s
terms and conditions [1].
Service Suspension and Termination -
Typically service providers reserve the right to
suspend a service, or to even terminate a
service, in the event of specified events.
Although such conditions are practical and
legitimate for the service provider’s point of
view, they too need to be limited to a strict set
of events without any ambiguity. Such clauses
need to provide the customer with an
opportunity to remedy the situation, rather
than an instant denial of service (with the
exception of extreme emergencies), and to
allow the customer to make alternative
arrangements for service provision. It is also
essential that, in the occurrence of such an
event, the customer's data is available in a
usable format for a specified amount of time
after service termination. Finally, the service
provider needs to be obliged to return or
destroy any customer data once the service
termination is complete [8].
Data Ownership - It is essential that the
contract between the service provider and the
customer explicitly states that all data is the
property of the customer, and that the service
provider does not acquire any licenses or
rights to the customer’s data based on the
transaction. The restriction of any security
interest in the customer’s data by the service
provider should also be noted [9].
Publicity - Occasionally, the service provider
may be permitted the use of the customer’s
name, trademarks or logos for the service
provider’s own publicity. If such stipulations
cannot be removed, a modification should take
place that requires the customer’s approval for
any use of the customer brand, or at the very
least to limit the use to the customer name
without implying an endorsement [10].
Service Level Agreements - Guarantees for the
service provision need to be detailed to
provide for the minimum amount of uptime,
the process, and the timescale associated with
correcting downtime. Consequences for falling
outside the agreed SLAs need to be precise
and detailed [11].
Disclaimer of Warranty - Typically, a service
provider contract will disclaim all warranties,
occasionally explicitly including any guarantee
that the service provider’s offering is not in
breach of the intellectual property rights of a
third party. As a minimum requirement, the
contract should guarantee that the provided
service functions according to its
specifications, and that it is not in breach of
the rights of any third party. In the absence of
such warranties, there is no enforceable
assurance of the service’s functionality, or
even that the service provider has the authority
to provide the service. In the event of service
failure, or liable action being taken against the
customer, without such warranties the
customer will not have any legal recourse
against the service provider [2].
Customer Indemnification - Some service
provider contracts require indemnification for
the service provider in the event of illicit third
party actions, along with customer actions.
While this does not constitute adopting an
extra liability as the customer may face legal
action over third party content, it is in the best
interest of the customer to avoid accepting this
liability voluntarily [1].
Vendor Indemnification - It is rare for service
provider contracts to outline any
indemnification that benefits the customer,
despite legal protection being essential in a
minimum of two scenarios - third party
intellectual property rights infringement and a
breach or unauthorized disclosure of sensitive
customer data. In both scenarios, the
responsibility lies solely with the service
provider, and defending or remedying either
situation can prove extremely costly. By
refusing to accept liability in either scenario,
the service provider is displaying a lack of
confidence in their provision, and careful
consideration needs to be taken by the
customer before making a decision to adopt
the service [1].
Contract Modifications - In many cases, the
service provider will reserve the right to
modify their services as they deem
appropriate. Given the nature of the industry,
such modification rights are necessary to
provide upgrades and patches to services.
However, specifying the rights in a vague
manner once again exposes the customer to the
possibility of a deterioration of the service
provided. It is within the customer’s interests
to limit such modifications to commercially
reasonable ones that are not materially
detrimental to the service provided [12].
URL Terms Incorporation - Service provider
contracts may also reference an additional set
of terms and conditions outlined on the
provider’s website, which are subject to
change by the service provider. This results in
a contract that is incomplete, and allows the
service provider to make changes to the
contract when they deem fit. In many cases,
such as technical aspects of the services, it
may be acceptable and normal behaviour to
specify such information externally. However,
legal information should be maintained within
the confines of the contract. In the case where
service providers cannot provide this,
advance and individual notice of such a
change should be incorporated, with the option
of termination of service provided to the
customer without penalties, should such
amendments be deemed materially detrimental
to the requirements of the customer [1].
Automatic Renewal - It is typical for a service
contract to automatically renew on expiration,
regardless of the new contract incorporating
additional terms and conditions from the
previously expired contract. Ideally, a service
contract should provide advance notice of
any changes to terms and conditions in the
renewal, and automatically renew with the
option of termination on short notice within a
specified period of time after the automatic
renewal [13].
III. LEGAL ISSUES IN IRISH LAW
In general, Irish companies have been
relatively slow to migrate to utilizing cloud
services when compared to their American
counterparts. While some of this can be
attributed to the infancy of the technology,
there is an increasing concern amongst
industry experts with regards to data security
and protection that threatens its adoption on a
large scale.
This can be evidenced by a statement from the
Office of the Chief State Solicitor in February
of 2010, cautioning that contracts governing
cloud service provisions were insufficient by
public standards, and did not adequately
address concerns such as confidentiality, data
protection and security [14]. This came as a
surprise to the Irish cloud community as a
whole, given that the government, which had
previously embraced the technology, now
decided against its implementation. Their
report outlined a number of legal shortcomings
in the existing legislation.
Jurisdictional Issues - Under Section 11(1) of
the Data Protection Acts of 1988 and 2003
[15][16], a "Data Controller" is not permitted
to distribute customer data to a jurisdiction
with a reduced level of data protection, with
the exception of the specified exemptions as
set out in Section 11(4) of the same act. To
ensure full compliance with the Data
Protection Act, a Data Controller needs to
ensure that the data under their control is
stored exclusively with compliant
jurisdictions.
While the restrictions of Section 11(1) can be
circumvented through obtaining, in advance,
consent for each data transfer, or by utilizing
EU-approved "Model Contracts", this could be
avoided through an agreement between the
Data Controller and the customer on a list of
approved countries [15][16]. In many cases,
this is a valid option offered by the service
provider, though in most cases it incurs a
premium charge.
Data Security and Accessibility Issues -
Within the Data Protection Act, a number of
sections deal with security and accessibility
issues. Section 2(1)(d) stipulates that
appropriate steps need to be taken to prevent
unauthorized access, alteration, disclosure and
destruction of "Personal Data", with specific
provisions for data transmitted over a network.
Section 2C(1) covers the constitution of
"appropriate security measures", with the
data's point of encryption being of significant
importance [15][16].
Section 2C(3) of the act covers the processing
of Personal Data by a Data Processor on the
behalf of the Data Controller. In this case, the
Data Controller is required to enforce that the
processing of Personal Data is carried out in
line with the contractual agreement between
the Data Processor and the Data Controller.
The Data Processor also needs to guarantee the
security measures taken during the processing
of Personal Data on behalf of the Data
Controller. Finally, the Data Controller needs
to reserve the right to examine the security
measures employed by the Data Processor.
Despite the initial negative reaction of the
cloud computing industry in Ireland towards
the letter from the Office of the Chief State
Solicitor, it may provide long term positive
impacts on the industry. To this point,
contracts that were weighted in favour of
service providers were the only option of
service adoption, with a prevalent "take it or
leave it" mentality from the service providers.
Though contract negotiation is a possibility, it
may not be a realistic possibility for small
entities when dealing with large multinational
service providers.
Following the concerns outlined, service
providers are starting to come to the
realization that, for the technology to grow in
line with industry expectations, service
provision contracts need to be tailored to meet
the requirements of their clients.
IV. CONCLUSIONS
In migrating towards cloud service adoption,
significant benefits can be realized such as
cost reductions, a lower on site support
requirement and greater application scalability.
However, in addition to having a number of
known risks such as data security and privacy,
and the inherent trust issues when handing
over the responsibility to a service provider,
significant legal and regulatory issues need to
be addressed.
The application of due diligence by the service
customer, along with a contract defined with
attention to detail with regards to the
liabilities, rights and obligations of all parties
concerned, are without a doubt the highest
priority risk mitigation tasks a customer can
undertake before moving to a cloud
deployment strategy.
Irish entities have been adopting a "wait and
see" strategy with regards to the uptake of
cloud computing services, with some cloud
technology professionals attributing the pace
of implementation to a lack of knowledge of
the cloud computing discipline. However, the
truth is that having been impacted in the past
by a surge towards emerging technologies still
in their infancy, companies are correct to
ensure that mistakes of the past are not
repeated.
Some organisations may be deterred from
adopting a cloud strategy due to the associated
security and privacy risks, even though the
risks may arguably be no greater than
maintaining an on premise solution. Other
organisations may choose specific areas of
their business to migrate to the cloud, where
their responsibilities outlined by the Data
Protection Act are not as stringent.
It is the belief of many within the industry that
the adoption of cloud services by the Irish
Government and larger organizations will be
needed to drive confidence in the industry.
Only based on the success of the larger
organizations, and their dealings with the
complex legal issues associated with the
technology, will the smaller organizations
follow suit.
Many proponents of cloud computing make
the case that an amendment to EU legislation
will be required before the true potential of
cloud computing can be realized. Jurisdictional
issues in particular are limiting the adoption of
cloud technologies, and both service providers
and customers can reap the rewards from
changes to the current legislation.
V. REFERENCES
[1] Winkler, V.J.R., "Securing the Cloud:
Cloud Computer Security Techniques and
Tactics", Syngress, 2011, ISBN 978-1-59749-592-9.
[2] Marchini, R., "Cloud Computing: A
Practical Introduction to the Legal Issues", BSI
Standards, 2010, ISBN 978-0-58070-322-5
[3] Directorate-General for Internal Policies,
"Fighting cyber crime and protecting privacy
in the cloud", Policy Department C, Citizens
Rights and Constitutional Affairs, European
Parliament, 2012
[4] Hogan Lovells, "Cloud Computing: A
Primer on Legal Issues, Including Privacy and
Data Security Concerns", [online] Available at
http://www.cisco.com/web/about/doing_business/legal/privacy_compliance/docs/CloudPrimer.pdf
[5] Pearson, S., and Benameur, A., "Privacy,
security and trust issues arising from cloud
computing." Cloud Computing Technology
and Science (CloudCom), 2010 IEEE Second
International Conference on. IEEE, 2010.
[6] Kaufman, L.M. "Data security in the world
of cloud computing." Security & Privacy,
IEEE 7.4 (2009): 61-64.
[7] Gartner, "Seven cloud-computing security
risks", [online] Available at
http://www.networkworld.com/news/2008/070208-cloud.html
[8] Forbes, "Top Five Legal Issues For The
Cloud", [online] Available at
http://www.forbes.com/2010/04/12/cloud-computing-enterprise-technology-cio-network-legal.html
[9] Mowbray, M., "The Fog over the Grimpen
Mire: Cloud Computing and the Law",
Scripted Journal of Law, Technology and
Society, Volume 6, no.1, April 2009.
[10] Cloud Times, "Cloud Computing and its
Legal Implications", [online] Available at
http://cloudtimes.org/2012/12/03/cloud-computing-and-its-legal-implications/
[11] Berkelhammer, D.R., "A Cloud of
Suspicion: Legal Issues Surrounding Cloud
Computing", [online] Available at
http://www.lexisnexis.com/legalnewsroom/corporate/b/business/archive/2013/05/14/a-cloud-of-suspicion-legal-issues-surrounding-cloud-computing.aspx
[12] Australian Government Information
Management Office, "Negotiating the cloud -
legal issues in cloud computing agreements -
better practice guide", 2012
[13] Catteddu, D., "Cloud Computing:
benefits, risks and recommendations for
information security", Springer, Berlin
Heidelberg, 2010.
[14] McIntyre, T.J., "IT Law in Ireland",
[online] Available at
http://www.tjmcintyre.com/2010/03/cloud-computing-controversy-wont-clear.html
[15] Office of the Attorney General, Irish
Statute Book, Data Protection Act, 1988
[16] Office of the Attorney General, Irish
Statute Book, Data Protection (Amendment)
Act, 2003
VI. DISCLAIMER
This report is submitted in partial fulfilment of
the requirements for the Degree of Master of
Science in Software Development at Cork
Institute of Technology. It represents
substantially the result of my own work except
where explicitly indicated in the text. The
report may be freely copied and distributed
provided the source is explicitly
acknowledged.
... Among the problems and issues that had been highlighted in previous studies are: security and privacy, network and performance. According to Kerr and Teng, the security and privacy issues has caused some lack of trust among the SMEs [16]. This is especially when the SMEs have no direct controls of data stored in data center somewhere, where they cannot get physical access to it [10]. ...
... Kerr and Teng stated that it is important for the SMEs to be aware of their responsibilities with regards to data confidentiality, integrity, and availability as well as the related information systems. Providing a standard operating procedure before any data transmission could also overcome the issues above [16]. Jadeja highlighted on performance issues that caused poor connection quality between the user and the Cloud Computing server [10]. ...
Conference Paper
Full-text available
This paper presents literature review that covered key areas in this research such as e-Business development, Cloud Computing concept and opportunities for Malaysian SMEs. This research aims to investigate the best practices of Cloud Computing within the e-Business context for the Malaysian SMEs. This paper also discussed the qualitative and quantitative approaches that were used to gather data on how the Cloud Computing can strategically provide technology and business opportunities to the SMEs in Malaysia. Deliverable from this research will be a set of recommendations to guide the Malaysian SMEs to adopt both e-Business and Cloud Computing technologies. This paper presented a recommendation for creating awareness of Cloud Computing approach among the SMEs for their e-Business needs.
... Among the problems and issues that had been highlighted in previous studies are: security and privacy, network and performance. According to Kerr and Teng, the security and privacy issues has caused some lack of trust among the SMEs [16].This is especially when the SMEs have no direct controls of data stored in data center somewhere, where they cannot get physical access to it [10]. Among the available solution is to apply encryption to all data that includes system access credentials from unauthorized interception [13,14]. ...
... Kerr and Teng stated that it is important for the SMEs to be aware of their responsibilities with regards to data confidentiality, integrity, and availability as well as the related information systems. Providing a standard operating procedure before any data transmission could also overcome the issues above [16]. Jadeja highlighted on performance issues that caused poor connection quality between the user and the Cloud Computing server [10]. ...
Conference Paper
Full-text available
This paper presents literature review that covered key areas in this research such as e-Business development, Cloud Computing concept and opportunities for Malaysian SMEs. This research aims to investigate the best practices of Cloud Computing within the e-Business context for the Malaysian SMEs. This paper also discussed the qualitative and quantitative approaches that were used to gather data on how the Cloud Computing can strategically provide technology and business opportunities to the SMEs in Malaysia. Deliverable from this research will be a set of recommendations to guide the Malaysian SMEs to adopt both e-Business and Cloud Computing technologies. This paper will only discuss a recommendation for creating awareness of Cloud Computing approach among the SMEs for their e-Business needs.
... Some issues in cloud computing, such cloud security and data privacy might be in concern because of the absence of the cloud computing standards because each cloud provider takes a different approach and offers different services [26]. Therefore, the provider is the only one that really has the ability to reach the information and modify it without getting permission. ...
... Users mainly using the main two operations in cloud computing which are upstream and downstream operations in on-demand model, so they can discuss and negotiate some terms and factors to manage some issues as license agreement, using of data, scalability and fundamental breaches [26]. ...
Article
Full-text available
This paper discover the most administration security issues in Cloud Computing in term of trustworthy and gives the reader a big visualization of the concept of the Service Level Agreement in Cloud Computing and it's some security issues. Finding a model that mostly guarantee that the data be saved secure within setting for factors which are data location, duration of keeping the data in cloud environment, trust between customer and provider, and procedure of formulating the SLA.
... There are repercussions for noncompliance with legal and regulatory requirements (NIST 2011). In the United States, Canada and the European Union, tenants or client organisations are subject to numerous regulatory requirements (Winkler 2012). Non-compliance with legal requirements is also a challenge in Africa, where cloud-computing services are hampered by inadequate and outdated legislation in the archives and records management field, as found by different scholars (Asogwa 2012;Mosweu 2012;Ngoepe & Saurombe 2016). ...
Article
Full-text available
Background: Cloud-based services are increasingly used by organisations around the world and Africa is no exception. Literature has revealed that organisations adopt them as they offer efficient and cost-effective services. Notably, Africa is generally at an infant stage in the adoption of cloud-computing services in records management. Objectives: This article presents and deliberates on the implications of cloud-computing services in archives and records management in Africa and determines whether such services are challenged by the inherent weaknesses faced by Africa in the digital age. Method: This study adopted a qualitative research approach. It utilised content analysis of the reviewed literature related to cloud computing in records management. Results: Cloud computing offers good tools for organisations to conduct businesses efficiently and improve their records management practices. However, issues related to records storage, jurisdiction, privacy, security and the digital divide, to mention a few, are a challenge that need to be surmounted if Africa is to benefit fully from cloud-based records management services. Conclusion: Although cloud-computing services in records management promise huge benefits for Africa, the continent is not ready to fully embrace such technologies and benefit from them. Actually, cloud-based records management services are an Achilles heel for Africa.
... There are repercussions for noncompliance with legal and regulatory requirements (NIST 2011). In the United States, Canada and the European Union, tenants or client organisations are subject to numerous regulatory requirements (Winkler 2012). Non-compliance with legal requirements is also a challenge in Africa, where cloud-computing services are hampered by inadequate and outdated legislation in the archives and records management field, as found by different scholars (Asogwa 2012;Mosweu 2012;Ngoepe & Saurombe 2016). ...
Article
Full-text available
Background: Cloud-based services are increasingly used by organisations around the world and Africa is no exception. Literature has revealed that organisations adopt them as they offer efficient and cost-effective services. Notably, Africa is generally at an infant stage in the adoption of cloud-computing services in records management. Objectives: This article presents and deliberates on the implications of cloud-computing services in archives and records management in Africa and determines whether such services are challenged by the inherent weaknesses faced by Africa in the digital age. Method: This study adopted a qualitative research approach. It utilized content analysis of the reviewed literature related to cloud computing in records management. Results: Cloud computing offers good tools for organisations to conduct businesses efficiently and improve their records management practices. However, issues related to records storage, jurisdiction, privacy, security and the digital divide, to mention a few, are a challenge that need to be surmounted if Africa is to benefit fully from cloud-based records management services. Conclusion: Although cloud-computing services in records management promise huge benefits for Africa, the continent is not ready to fully embrace such technologies and benefit from them. Actually, cloud-based records management services are an Achilles heel for Africa. Keywords: Africa; cloud-computing; ICTs; records management; digital records.
Article
Human life today has become entangled in the Internet. We access e-mail, store content, and use services online without a thought as to where data reside or how data are protected. The "cloud," a conceptualization of how data reside on the Internet rather than locally, is the latest technological innovation or computing trend du jour. However, many concerns surrounding cloud computing remain unaddressed. How are the data we store online kept confidential? Who else has the right to access our private information? What kind of laws and policies offer us protection? We begin by evaluating the current situation by examining the Terms of Service (ToS) agreements and privacy policies from well-known cloud providers, and we describe the types of privacy protections (or lack thereof) that they offer. We conclude that a contractarian approach to privacy protection is likely to lead to a situation in which consumers end up trading their privacy without being well-informed about the implications and consequences of their choices. Next, we examine whether the applicable laws are adequate to protect the privacy of consumers in the cloud. We discuss privacy protections in the cloud by considering the Fourth Amendment, the Stored Communications Act, the Federal Information Security Management Act, and the USA PATRIOT Act, and we conclude that they are inadequate in according a minimum level of privacy to consumers in the cloud, setting the stage for a vigorous study of the form and substance of cloud computing-centric privacy legislation.
Article
Today, we have the ability to utilize scalable, distributed computing environments within the confines of the Internet, a practice known as cloud computing. In this new world of computing, users are universally required to accept the underlying premise of trust. Within the cloud computing world, the virtual environment lets users access computing power that exceeds that contained within their own physical worlds. Typically, users will know neither the exact location of their data nor the other sources of the data collectively stored with theirs. The data you can find in a cloud ranges from public source, which has minimal security concerns, to private data containing highly sensitive information (such as social security numbers, medical records, or shipping manifests for hazardous material). Does using a cloud environment alleviate the business entities of their responsibility to ensure that proper security measures are in place for both their data and applications, or do they share joint responsibility with service providers? The answers to this and other questions lie within the realm of yet-to-be-written law. As with most technological advances, regulators are typically in a "catch-up" mode to identify policy, governance, and law. Cloud computing presents an extension of problems heretofore experienced with the Internet. To ensure that such decisions are informed and appropriate for the cloud computing environment, the industry itself should establish coherent and effective policy and governance to identify and implement proper security methods.
Article
Legal requirements for the handling of particular types of data (for example health data and financial data) are one of the forces creating a market for cloud services with more stringent service level requirements. Some laws and regulatory regimes place requirements for auditing or data security that may not be provided by current cloud services. Pharmaceutical companies and financial organisations have best-practice requirements that some kinds of data have to be stored on an identifiable server. It should not be impossible to build a cloud storage service which can identify for the customer the precise server or servers on which their data is currently stored, although such a service might be less efficient. Similarly, although UK companies storing personal data with some cloud computing services might find themselves in breach of the seventh principle of the Data Protection Act 1998 if the standard subscription agreement for the services does not give sufficient (or indeed any) guarantees that the computers that the data will be stored on are appropriately secure, it is possible to create cloud services that meet industry security standards; for example, Google Apps has SAS70 Type II certification.
Conference Paper
Cloud computing is an emerging paradigm for large scale infrastructures. It has the advantage of reducing cost by sharing computing and storage resources, combined with an on-demand provisioning mechanism relying on a pay-per-use business model. These new features have a direct impact on IT budgeting but also affect traditional security, trust and privacy mechanisms. Many of these mechanisms are no longer adequate, but need to be rethought to fit this new paradigm. In this paper we assess how security, trust and privacy issues occur in the context of cloud computing and discuss ways in which they may be addressed.
Marchini, R., "Cloud Computing: A Practical Introduction to the Legal Issues", BSI Standards, 2010, ISBN 978-0-58070-322-5
Directorate-General for Internal Policies, "Fighting cyber crime and protecting privacy in the cloud", Policy Department C, Citizens Rights and Constitutional Affairs, European Parliament, 2012
Hogan Lovells, "Cloud Computing: A Primer on Legal Issues, Including Privacy and Data Security Concerns", [online] Available at http://www.cisco.com/web/about/doing_business/legal/privacy_compliance/docs/CloudPrimer.pdf
Gartner, "Seven cloud-computing security risks", [online] Available at http://www.networkworld.com/news/2008/070