Focusing public attention on emerging privacy and civil liberties issues

Cloud Computing

News

  • Administration Announces Cloud Computing Initiative, but Privacy Umbrella Missing: Chief Information Officer Vivek Kundra announced the launch of “Apps.gov”, a website where federal agencies can obtain cloud-based IT services. The initiative is aimed at "lowering the cost of government operations while driving innovation." Currently, the administration's main goal is to increase the size and scale of cloud computing, but key concerns, such as security and privacy, have received little attention. In March, EPIC filed a complaint with the FTC urging the agency to open an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." Subsequently, thirty-eight computer security researchers and privacy academics sent a letter to Google's CEO, asking Google to uphold privacy promises made to users of Google Cloud Computing services. The FTC investigation is ongoing; no response has been received from Google. For more information, see EPIC's page on “Cloud Computing”. (Sep. 17, 2009)
  • EPIC Forces Disclosure of Government Contracts with Social Media Companies, Privacy Terms Missing: In response to an EPIC Freedom of Information Act Request, the Government Services Administration released several contracts between the federal government and web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that “no specific Web 2.0 guidance currently exists,” but provided EPIC with Training Slides that raise privacy issues. The GSA Agreement with Google actually states that, “to the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.” Some of the agreements also permit companies to track users of government web sites for advertising purposes. For more information see EPIC Social Network Privacy, EPIC Facebook, and EPIC Cloud Computing. (Aug. 12, 2009)
  • Expert Group Asks Google to Improve Cloud Computing Privacy: A letter signed by 38 researchers and academics in the fields of computer science, information security and privacy law was sent to Google's CEO. The letter asks Google to uphold privacy promises made to users of Google Cloud Computing services. In March, EPIC filed a complaint with the FTC urging an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." The EPIC complaint specifically recommended the adoption of encryption to help safeguard privacy and security. Addressing concerns about data vulnerability and interception, the expert group has asked Google to enable HTTPS (web-based encryption) by default in several Google apps, including Gmail. See also EPIC's page on Cloud Computing and EPIC's Page on In re Google and Cloud Computing. (Jun. 16, 2009)
  • EPIC Urges Privacy Protections for Government's Use of Social Media: The DHS Privacy Office is seeking public comments on developing best practices on the government's use of social media. EPIC submitted comments on the benefits, issues and privacy best practices. EPIC recommended applying Privacy Act protections to the data collected, prohibiting commercialization and sharing, and using a model certification system. See also EPIC's page on Social Networking Privacy, Network Advertising Initiative, and Deep Packet Inspection and Privacy. (Jun. 3, 2009)
  • EPIC Seeks Government Agreements with Social Networking Companies: EPIC submitted a Freedom of Information Act request to the Government Services Administration seeking agency records concerning agreements the GSA negotiated between federal agencies and social networking services, including Flickr, YouTube, Vimeo, Blip.tv, and Facebook. In the FOIA request, EPIC is asking for the public release of the contracts and any legal opinions concerning the application of the Privacy Act of 1974 and Freedom of Information Act to the services that collect information on citizens. For more information see EPIC’s pages Social Networking, Facebook, and Cloud Computing. (Apr. 30, 2009)
  • Federal Trade Commission to Review EPIC Cloud Computing Complaint: The Federal Trade Commission will review EPIC's March 17, 2009 complaint, which describes Google's unfair and deceptive business practices concerning the firm's Cloud Computing Services. EPIC's complaint describes numerous data breaches involving user-generated information stored by Google, including the recently reported breach of Google Docs. EPIC's complaint "raises a number of concerns about the privacy and security of information collected from consumers online," federal regulators said. EPIC urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines. For more information, see EPIC's complaint to the FTC and EPIC's Cloud Computing Page. (Mar. 19, 2009)
  • EPIC Petitions FTC to Investigate Google, Cloud Computing Services: EPIC has formally asked the Federal Trade Commission to open an investigation into Google's Cloud Computing Services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the privacy and security safeguards." The petition follows the recent report of a breach of Google Docs. EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines. (Mar. 17, 2009)

Introduction

Cloud Computing can be thought of as a way to make the world of computer resources seamlessly scalable. "Cloud Computing Services" can involve "a software and server framework (usually based on virtualization)" that uses "many servers for a single software-as-a-service style application or to host many such applications on a few servers." Cloud Computing Services are an emerging network architecture where applications reside on third party servers, managed by private firms that provide remote access through web-based devices. Customers generally do not own the infrastructure. This model of service delivery is in contrast to an architecture in which data and applications typically reside on servers or computers within the control of the end user.

Users lose control of their information when they place applications, and their data files, on centralized servers. Critical and sometimes sensitive information that was once safely stored on personal computers now resides on the servers of online companies. With Cloud Computing Services, both access to the application and the data itself may be at risk, because both are placed in the hands of a third party. Data hostage scenarios are not hard to imagine: it is vital that a user gain access to online information, but the data holder refuses that access without first receiving a payment or other compensation.

Some Cloud Computing Services use encryption, by default, to "respect individual privacy" and "provide users with the ability to fully control and customize their online experience." In addition, some Cloud Computing Services state, as a "key principle" that "users own their data, and have complete control over its use. Users need to explicitly enable third parties to access their data." However, other cloud computing services store data in plain text.

New cloud computing services are offering to store computer information for users, to assure that data is not lost, but little is said about the confidentiality or privacy of the information placed under the control of "cloud computing" service providers. Legal rights and regulatory authority for the protection of the privacy of cloud computing users are not well defined. There are many risks for cloud computing customers that should be explored and new legislative and regulatory frameworks developed to assure the confidentiality and privacy of data. A survey of Internet users, published in March 2009, found that 35% believed that their privacy had been violated at some point over the previous year.

Cloud computing may come in three forms:

1. Software as a service, or SaaS, is one type of cloud computing in which an organization outsources its IT assets, such as when an organization rents computing capacity for intensive computations that are beyond the capabilities of its on-site computer hardware. Peer-to-peer networks like BitTorrent and Skype ship data to servers via the Internet for processing or storage purposes. There are also desktop application services that remove the work from personal computers to remote servers hosted by cloud computing service providers such as Google Apps and Zoho Office.

2. Capacity Cloud Computing services provide a single service to many users. Examples of this kind of Cloud Computing are Amazon.com, Health IT services, and Wiki document hosting platforms. These Cloud Computing service providers may also engage customers by offering the equivalent of data centers to support large applications or manipulation of information. The customer may not be able to purchase high-end hardware or have a need to acquire specialized software for a project, but can cost-effectively rent these services from an Internet cloud vendor.

3. Software cloud computing services are transparent to consumers, who are aware of them and opt into using them. For example, Health Information Services, Gmail, AOL, and Yahoo e-mail are free software as email products. The user's emails and email client software are stored on remote servers that can be accessed from any computer connected to the World Wide Web. This model is being embraced by numerous software providers and is also called utility computing because typically one pays a monthly fee to have the benefit of the e-mail service provided by a single vendor.

Background

Cloud computing or remote computing services have matured over recent years, but their underlying concepts are not new. The earliest computing operations allowed multiple users to bring work projects, usually in the form of data encoded onto punch cards, magnetic tapes, or floppy disks, to a central stand-alone computer for processing. These stand-alone computers could only perform one job or task at a time. The development of operating systems allowed stand-alone computers to perform multiple functions simultaneously.

The "Cloud" refers to data, processing power or software being stored on remote servers made accessible by the Internet (the cloud) as opposed to being stored on one's own computers. Internet computer users have engaged in cloud computing arrangements through e-mail providers, wiki applications, and online tax preparation as well as digital filing services. This approach means that end users do not own the technology that will hold their information and depend on the hardware and software resources of the cloud computing service provider. The data owners must also rely on the telecommunications infrastructure that will act as delivery and retrieval pathways for the flow of data to and from the cloud.

The emergence of cloud computing services is structured around a re-imagining of the relationship between technology and end users. The further users are away from the underlying technology that they rely upon, the more dependent the relations may become. The move toward computing resources as a service to be provided by remote sources with greater access to unbounded computing power presents some attraction to computer users with limited resources and a growing need for information services. Once an end user adopts a cloud computing arrangement it may be difficult to move back to a personal computing based platform for data services.

Types of Cloud Computing Services

Examples of some of the types of online cloud computing include database and backup services. Amazon Simple Storage Service (Amazon S3) and Amazon Web Services (AWS) offer a range of Cloud Computing services that allow users to "securely" store and manage a wide range of data types.

Amazon S3 promotes itself as reliable, but its service level agreement states that the company can terminate the service.

graphic of Amazon's S3 statement of its services

AWS incorporates identity, payment, database, messaging, and other services. However, the terms of service state "AWS reserves the right to refuse service, terminate accounts, remove or edit content in its sole discretion." Further, the AWS terms and conditions' "Disclaimer of Warranties and Limitations of Liability" states that:

"AWS DOES NOT WARRANT THAT THIS SITE; INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING ANY SOFTWARE) OR SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THIS SITE; ITS SERVERS; OR E-MAIL SENT FROM AWS ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. AWS WILL NOT BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING FROM THE USE OF THIS SITE OR FROM ANY INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) OR SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THIS SITE, INCLUDING, BUT NOT LIMITED TO DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, AND CONSEQUENTIAL DAMAGES, UNLESS OTHERWISE SPECIFIED IN WRITING. CERTAIN STATE LAWS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES OR THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES. IF THESE LAWS APPLY TO YOU, SOME OR ALL OF THE ABOVE DISCLAIMERS, EXCLUSIONS, OR LIMITATIONS MAY NOT APPLY TO YOU, AND YOU MIGHT HAVE ADDITIONAL RIGHTS."

As further protection for itself, Amazon limits all legal actions that may arise over its Cloud Computing services to King County, Washington, where the company is located.

Another Cloud Computing service provider, Mozy.com, offers users cloud computing services to back up photographs, documents, accounting records, or any information that is stored on a personal computer. The service reserves broad rights to "at any time to modify, suspend, or discontinue providing the Service or any part thereof in its sole discretion with or without notice."

mozy's policy on access to its service

The Decho Corporation operates Mozy.com, MozyPro.com and Decho.com. The company considers signing up for the service to be agreement to the terms. The customer may end the agreement by "destroying the Software and closing your account," but the agreement does not address what happens to the information that remains in the hands of the company. Closing an account does not mean that information collected or stored on the service will be removed.

mozy's statement on its right to terminate service

The company defines personal "as any data from which it is practical to directly determine the identity of an individual." Further, under the terms and conditions users are told, "You agree to indemnify, defend, and hold harmless Decho and its suppliers from any and all loss, cost, liability, and expense arising from or related to your data, your use of the Service..."

mozy's disclaimer

Medical information services, such as WebMD, provide tools to users that allow them to establish medical information accounts that can be used to record details regarding health conditions, symptoms, medications, search for medical professionals, and details about the type of medical advice sought.

Web MD's rules regarding information sent to public areas

WebMD's Terms and Conditions of Use state that information provided to them by e-mail, blog posting, uploading photos or video, or submitting information to "Public Areas" becomes the property of WebMD.

Web MD rules regarding posting of photos or video

Although federal law allows for patient record privacy through the Health Insurance Portability and Accountability Act (HIPAA), the records created by WebMD and other health cloud computing services are not covered by HIPAA. WebMD states in its Terms and Conditions of Use that the company will not be liable for any damages.

Web MD limits options for users who believe they have been injured by the service

Other Issues

Banking

Consumers are being asked to trust their personal and household financial information to cloud computing service providers.

Finicity offers cloud computing financial services

Checkbook offers cloud computing banking services

E-Mail

E-mail service providers, such as America-on-Line, Yahoo, MSN, Hotmail, and Gmail, provide cloud computing e-mail service to users. E-mail cloud computing service providers may allow secondary uses for e-mail communications. These uses may relate to advertising uses that the user agrees to, but the providers may not seek the consent of e-mail recipients. These services may also have unlimited data retention policies, or stated policies may change without notice.

Each of the relationships outlined also created new legal questions that have yet to be answered by model legislation or government regulation that addresses the rights of consumers.

How Did We Get Here

In 1969, the most significant advancement in remote computing communications technology began as an experimental project of the Department of Defense's Advanced Research Projects Agency called ARPANET. The project's goal was to expand the distances over which computers could reliably communicate. At the time the project was undertaken, computers were very expensive, and for this reason the overwhelming majority of computer ownership was restricted to government agencies, educational institutions, and major corporations. The technology was not as fast as today's computing systems, which meant that the work that computers could perform, such as calculations, sorting large data sets, or generating reports, could tie up systems for hours, days or in some cases weeks. The ARPANET project sought to create a platform that would allow distributed users to share their valuable computing resources and collaborate on documents. There was no need to limit access to the ARPANET because there were so few mainframe computers in use at the time.

The next phase of the project sought to distinguish one computing system from another as they worked within the ARPANET computer remote communications project. The solution was the first application of a domain name system, which is designed to identify computers sharing a single network. Today, computers using the Internet are assigned Internet protocol (IP) addresses so that they have a unique identity while communicating online.

As the number of ARPANET networked computers grew, it was evident that a method of keeping track of them was necessary. This prompted the development of the Transmission Control Protocol/Internet Protocol (TCP/IP). A version of this protocol is still in use as the Internet's host-networking communication traffic management system. In 1983, the ARPANET was divided into two networks: MILNET, the unclassified Defense Data Network and the ARPANET. The term "Internet" was used to refer to the entire network. In 1988, the Defense Department ended the ARPANET project.

Much of computing in the 1960s-1980s was limited to text-based documents. By the early 1990s, the majority of TCP/IP registrations were coming from academic institutions. In 1993, there were approximately 7,500 unique Internet domain name registrations. The National Science Foundation (NSF) was asked to take on the responsibility of managing domain name registrations because this necessary function continued to increase in difficulty. The NSF developed a new domain name management system to deal with the growing number of computers on the Internet. The new method continued to rely on the TCP/IP protocol and created partitions based on categories for registered computer networks, which is best known to today's Internet users by the ending extensions found in natural name addresses i.e. .com, .org, .edu, .net, etc. The Internet also took its first steps toward becoming a collaborative private/public/academic effort when private companies for the first time received registrations for backbone network services. In 1995, the number of registrants had grown to 120,000 and the first registration fee was charged. At that point, 97% of the applications for new Internet domain registrations came from commercial applicants.

Early instances of multiple clients sharing a single, sometimes more powerful, computing device were known as local area networks. In these settings, a single central server or computing device supported several stand-alone personal computers or dumb terminals (keyboards and computer screens) housed in the same physical location. Further software and hardware advancements expanded the capabilities of desktop personal computers, and later allowed users to remotely share their work using telecommunication technologies. This model evolved into what are known as distributed networks, which established reliable communication links between personal computers and computing devices over distances.

The mediums used to transmit computer data now include twisted pair, coaxial cables, broadband coaxial cable, fiber optics, and wireless communication devices. The Internet is now accessible from anywhere in the world where computers can gain access to telecommunication services.

As of September 2008, 69 percent of Americans were using webmail services, storing data online, or otherwise using software programs, such as word processing applications, whose functionality is located on the web.

An overwhelming majority of Cloud Computing Services users expressed serious concern regarding the possibility that a Cloud Computing Services provider would disclose their data to others. According to a report of the Pew Internet and American Life Project:

  • 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party.
  • 80% say they would be very concerned if companies used their photos or other data in marketing campaigns.
  • 68% of users say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.

Future of Personal Computing and Cloud Computing

The advance of cloud computing may allow personal computing devices to become dumber, while remote computing services become much smarter. The ability to exercise consumer rights and privacy rights in a global Internet environment is a serious challenge that regulators and legislatures must tackle.
