- Google Transparency Report Reveals Risks of Cloud-based Computing: According to a recent report from Google, the company received 20,938 requests for user data in the first half of 2012, up from 18,257 requests in the second half of 2011. The United States accounted for 7,969 requests in the 2012 report. And of these requests, Google provided user data to the US government in 90% of the cases. Over the last several years, Google has pursued an aggressive effort to promote computing services that store personal data on Google's servers even as the number of government requests has grown. And earlier this year, Google reduced safeguards for Gmail users, over the objections of many lawmakers and users, when it consolidated privacy policies across its various Internet services. In 2009, EPIC L3[urged] the Federal Trade Commission to look more closely at the privacy risks of cloud-based services. For more, see EPIC - "Cloud Computing". (Nov. 14, 2012)
- European Expert Group Affirms Privacy Rules for Cloud Service Providers: The Article 29 Working Party, representing the privacy agencies of European Union countries, has released a new Opinion in which it states that cloud service providers will be subject to the EU Data Protection Directive. The expert group also advises users of cloud-based services to conduct a comprehensive and thorough risk analysis of cloud services. In 2009, EPIC urged the US Federal Trade Commission to develop privacy standards for Cloud Computing services. See EPIC - Cloud Computing. (Jul. 3, 2012)
- Google Terms of Service Grant Company Broad Rights over Data of Google Drive Users: Google’s Terms of Service--which govern Google’s cloud-based file storage, Google Drive--give the company the right to “reproduce, modify, create derivative works” using uploaded content, as well as to “publicly perform, [and] publicly display” files. In 2009, EPIC asked the FTC to require privacy safeguards for Google's cloud-based services. EPIC cited previously-discovered privacy and security flaws, including one that disclosed user-generated documents saved on Google Docs to users of the service who lacked permission to view the files, and another that permitted unauthorized individuals to access user-generated Google Docs content. For more information, see EPIC: Cloud Computing and Privacy. (Apr. 26, 2012)
- Twitter Adopts Privacy Enhancing Technique, Defaults to HTTPS: Twitter has joined the ranks of Gmail with a decision to implement HTTPS functionality by default for all users in order to encrypt data and protect privacy. The change stems from several security problems in early 2011, including two incidents where hackers gained administrative control of the popular service and led to a settlement with the Federal Trade Commission requiring Twitter to adopt stronger security measures. Earlier, EPIC had pointed out the importance of HTTPS by default in a complaint to the Commission regarding Google and Cloud Computing Services. For more information, see EPIC: Social Networking Privacy and EPIC: In re Google and Cloud Computing. (Aug. 24, 2011)
- Chairman Leahy Announces New Subcommittee on Privacy and Technology: Sen. Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, has established a new Subcommittee on Privacy, Technology and the Law as part of his commitment to protecting “Americans’ privacy in the digital age.” Sen. Al Franken (D-MN) will chair the subcommittee, which will will cover privacy laws and policies, new business practices, social networking sites, privacy standards, and the privacy implications of emerging technologies. For related information, see EPIC: Social Networking Privacy, EPIC: Cloud Computing. (Feb. 16, 2011)
- Facebook Enables Full-Session Encryption: Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users’ passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their “Account Settings;” however, HTTPS is not yet the default. Facebook will use "social authentication, rather than traditional CAPTCHA," to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy. (Feb. 7, 2011)
- NIST Seeks Comments on Guidelines for Cloud Computing: The National Institute for Standards and Technology (NIST) has announced that it is accepting comments on two draft documents on cloud computing: the NIST Definition of Cloud Computing and the Guidelines on Security and Privacy in Public Cloud Computing. The documents were prepared after the Federal Chief Information Officer asked NIST to develop standards and guidelines to assist the federal government’s secure adoption of cloud computing. EPIC has warned of the ongoing privacy risks associated with cloud computing since its expansion into the public sphere in 2008. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Comments on both NIST documents are due no later than February 28, 2011. For more information, see EPIC: Cloud Computing and EPIC: In re Google and Cloud Computing. (Feb. 3, 2011)
- DHS Privacy Office Releases 2010 Annual Report: The Department of Homeland Security has released the Privacy Office 2010 Annual Report. The Agency's Chief Privacy Officer must prepare an annual report to Congress that details activities of the Department that affect privacy, including complaints of privacy violations, and DHS compliance with the Privacy Act of 1974. This year’s report details the establishment of privacy officers within each component of the Agency. The report also provides updates on Fusion Centers, Cybersecurity, and Cloud Computing activities of the agency. For more information, see EPIC: DHS Privacy Office. (Sep. 24, 2010)
- Google Adds Two-Factor Authentication to Google Apps: Google announced today that it is adding two-factor verification for Google Applications. This will allow users to set up a one-time code delivered to a mobile phone, in addition to a regular password. Currently this option is only available for paid Google apps, although it will be available to all users in the coming months. If an administrator of a paid Google Apps account enables two-factor verification, then all users will be required to submit their mobile phone number. Google Apps operate by using cloud computing. In March 2009, EPIC filed a complaint with the Federal Trade Commission over Google's lack of adequate safeguards for its Cloud Computing Services. For more information, see EPIC: Cloud Computing. (Sep. 24, 2010)
Cloud computing refers to data, processing power, or software stored on remote servers made accessible by the Internet as opposed to one's own computers. The term "the cloud" comes from computer network diagrams which, because the individual computers that formed its components were too numerous to show individually, depicted the Internet as a vast cloud at the top of the network chain. One of the key features of cloud computing is that the end users does not own the technology they are using. All the hardware and software is owned by a cloud computing service, while the user simply rents time or space. Several cloud computing applications, such web email, wiki applications, and online tax preparation, have become common experiences for the average Internet user.
For users, cloud computing arrangements can bring about major cost reductions and efficiencies. For example, in a cloud computing arrangement the end user does not have to pay large up front capital costs for hardware or for that hardware's continued maintenance. If the user needs temporary additional space, he can simply tell the cloud service provider to up his quota for the time being, rather than purchase additional physical capacity which would only be needed for a short period and then left idle. This also means that computer resources as a whole are generally used more efficiently. Rather than have lots of machines running a few tasks and then wasting the rest of their computing power, cloud computing allows a few machines to do lots of tasks without wasted computing cycles. Cloud Computing can be thought of as a way to make the world of computer resources seamlessly scalable.
At the same time, cloud computing also creates dependency. The emergence of cloud computing services is structured around a re-imagining of the relationship between technology and end users. The end user must rely on the cloud computing service provider to ensure that data is kept secure and reliably accessible. They must also depend on the telecommunications infrastructure that will act as the delivery and retrieval pathways for the flow of data to and from the cloud. The further away users are from the underlying technology that they rely upon, the more dependent the relations may become. In addition, once an end user adopts a cloud computing arrangement it may be difficult to move back to a personal computing based platform for data services.
The move toward computing resources as a service to be provided by remote sources with greater access to unbounded computing power presents some attraction to computer users with limited resources and a growing need for information services, but it also presents serious issues that must be examined.
Although cloud computing has only matured in recent years, the underlying concept of multiple users sharing computer resources is not new. The earliest computing operations allowed multiple users to bring work projects, usually in the form of data encoded onto punch cards, magnetic tapes, or floppy disks to a central stand-alone computer for processing. These stand-alone computers could only perform one job or task at a time, and, as a result, they were kept frequently in use processing one user's task after the next.
In 1969, the Department of Defense's Advance Research Projects Agency sought to expand the distances over which computers could reliably communicate. At the time the project was undertaken, the cost of a computer was very high and processing speed was much slower than today's computing systems. Often times a computers could be tied up for hours, days, or even weeks on a single project. The ARPAnet project sought to create a platform that would allow distributed users to share their valuable computing resources and collaborate on documents. Using the ARPAnet, a user could access a computer located elsewhere on the network and function as a local user at the remote site. The ARPAnet mainly linked government agencies and universities, but it was out of the ARPAnet that what we now know as the Internet was originally developed.
With the development of the operating system, stand-alone computers could perform multiple functions simultaneously for the first time. This opened the door for the first instances of multiple users using a system at the same time. Early instances of multiple clients sharing a single, sometimes more powerful, computing device were known as local area networks. In these settings, a single central server or computing device supported several stand-alone personal computers or dumb terminals (keyboards and computer screens) housed in the same physical location. The terminals would connect to the central server, which would do the terminal's actual processing.
Cloud Computing is an evolution from these previous efforts at shared computing. As prices for processing power and storage have fallen and high-speed internet connections have become ubiquitous, cloud computing has become an increasingly attractive option for many individuals and businesses. As of September 2008, 69 percent of Americans were using webmail services, storing data online, or otherwise using software programs, such as word processing applications, whose functionality is located on the web.
There are three basic types of cloud computing:
1. Software as a Service (SaaS) is the most common and widely known type of cloud computing. SaaS applications provide the function of software that would normally have been installed and run on the user's desktop. With SaaS, however, the application is stored on the cloud computing service provider's servers and run through the user's web browser over the Internet. Examples of SaaS include: Gmail, Google Apps, and Salesforce.
2. Platform as a Service (PaaS) cloud computing provides a place for developers to develop and publish new web applications stored on the servers of the PaaS provider. Customers use the Internet to access the platform and create applications using the PaaS provider's API, web portal, or gateway software. Examples of PaaS include: Saleforce's Force.com, Google App Engine, Mozilla Bespin, Zoho Creator.
3. Infrastructure as a Service (IaaS) seeks to obviate the need for customers to have their own data centers. IaaS providers sell customers access to web storage space, servers, and Internet connections. The IaaS provider owns and maintains the hardware and customers rent space according to their current needs. An example of Iaas is Amazon Web Services. IaaS is also known as utility computing.
When users place their data and applications on centralized servers, they lose the ability to maintain complete control of that information. With the rise of cloud computing, critical and sometimes sensitive information that was once safely stored on personal computers now resides on the servers of online companies. Examples of such information including users email, banking information, and full backups of individuals' hard drives. This phenomenon creates a multitude of risks for the users.
One of the biggest risks of storing data in the cloud is the possibility that this data will be accessed by unwanted third parties. While some cloud computing services encrypt user data when it is stored, others store data in clear text, leaving it especially vulnerable to a security breach. Data stored in the cloud might also be provided to marketers. For example, many email providers allow secondary advertising uses for e-mail communications. In recent studies, an overwhelming majority of Cloud Computing Services users expressed serious concern regarding the possibility that a Cloud Computing Services provider would disclose their data to others. According to a report by the Pew Internet and American Life Project, 90% of cloud application users say they would be very concerned if the company storing their data sold it to a third party. 80% of users say they would be very concerned if companies used their photos or other data in marketing campaigns and 68% say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.
Legal rights and regulatory authority for the protection of the privacy of cloud computing users are not well defined. Data stored in the cloud may be subject to less stringent legal protection than data stored on a personal computer. Under the Electronic Communications Privacy Act, data stored in the cloud may be subject to a lesser standard for law enforcement to gain access to it than if the data were stored on a personal computer. Moreover, the terms of service for cloud computing services often make clear that they will preserve and disclose information to law enforcement when served with legal process. Health information services that store user medical information may not be subject to the privacy protections of the Health Insurance Portability Protection Act. Even where it is clear that user data is protected, cloud computer service providers often limit their liability to the user as a condition of providing the service, leaving users with limited recourse should their data be exposed or lost.
Storing data in the cloud means that access to that data is subject to the cloud computing service provider's terms. Often the terms of service allow the cloud computing service provider to terminate the service at any time. On the other hand, depending on the terms of service, deleting an account may not actually remove the stored data from the provider's servers. One might also imagine a data hostage scenario where it is vital that a user gain access to online information, but the data holder refuses that access without first receiving a payment or other compensation. In addition, there are serious concerns about the reliability of cloud computing services. As mentioned earlier, if the cloud computing service goes down or loses data, the users would have little legal recourse.
Amazon Web Services
Amazon Web Services (AWS) offers a range of cloud computing services that allow users to "securely" store and manage a wide range of data types. AWS also incorporates identity, payment, database, messaging, and other services.
Amazon promotes AWS as a reliable cloud computing option, but its service level agreement states that "AWS reserves the right to refuse service, terminate accounts, remove or edit content in its sole discretion."
Further, the AWS terms and conditions' "Disclaimer of Warranties and Limitations of Liability," state that:
"AWS DOES NOT WARRANT THAT THIS SITE; INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING ANY SOFTWARE) OR SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THIS SITE; ITS SERVERS; OR E-MAIL SENT FROM AWS ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. AWS WILL NOT BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING FROM THE USE OF THIS SITE OR FROM ANY INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) OR SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THIS SITE, INCLUDING, BUT NOT LIMITED TO DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, AND CONSEQUENTIAL DAMAGES, UNLESS OTHERWISE SPECIFIED IN WRITING. CERTAIN STATE LAWS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES OR THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES. IF THESE LAWS APPLY TO YOU, SOME OR ALL OF THE ABOVE DISCLAIMERS, EXCLUSIONS, OR LIMITATIONS MAY NOT APPLY TO YOU, AND YOU MIGHT HAVE ADDITIONAL RIGHTS."
As additional protection for itself, Amazon limits all legal actions that may arise over its Cloud Computing services to King County, Washington, where the company is located.
Another Cloud Computing service provider Mozy.com offers users cloud computing services to backup photographs, documents, accounting records, or any information that is stored on a personal computer. The service reserves broad rights to "at any time to modify, suspend, or discontinue providing the Service or any part thereof in its sole discretion with or without notice."
The Decho Corporation operates Mozy.com, MozyPro.com and Decho.com. The company considers signing up for the service as an agreement of the terms. The customer may end the agreement by "destroying the Software and closing your account," but it does not address what happens to the information that remains in the hands of the company. Closing an account does not mean that information collected or stored on the service will be removed.
The company defines personal "as any data from which it is practical to directly determine the identity of an individual." Further, under the terms and conditions users are told, "You agree to indemnify, defend, and hold harmless Decho and its suppliers from any and all loss, cost, liability, and expense arising from or related to your data, your use of the Service..."
Medical information services, such as WebMD provides tools to users that allow them to establish medical information accounts that can be used to record details regarding health conditions, symptoms, medications, search for medical professionals, and details about the type of medical advice sought.
WebMD's Terms and Conditions of Use, state that information provided to them by e-mail, blog posting, uploading photos or video, or submitting information to "Public Areas," this information becomes the property of WebMD.
Although federal law allows for patient record privacy though the Health Insurance Portability Protection Act (HIPPA), the records created by WebMD and other health cloud computing services are not covered by HIPPA. WebMD states in its Terms and Conditions of Use that the company will not be liable for any damages.
- Verizon Terremark Deal May Spur Cloud Acquisitions, BusinessWeek, Jan. 28, 2011.
- For Your Files, Lots of Room In the Cloud, The New York Times, Jan. 26, 2011.
- The Digital Forecast Is Cloudy, The Wall Street Journal, Jan. 25, 2011.
- WikiLeaks and the Cloud Wars, The Washington Post, Dec. 9, 2010.
- GSA to be first federal agency to move e-mail to cloud-based system, Dec. 2, 2010.
- Can Google Solve the Cloud Security Problem for Enterprises?, Klint Finley, Read Write Web, July 26, 2010.
- The Constitutional Issue of Cloud Computing, Bob Sullivan, MSNBC.com, April 13, 2010.
- User Ignorance Causes Cloud Security Leak; Accounts, Passwords Revealed, Jonathan Siegel, Read Write Web, March 31, 2010.
- Microsoft Urges Cloud-Computing Privacy Bill, Chloe Albanesius, PC Magazine, January 20, 2010.
- F.T.C.: Has Internet Gone Beyond Privacy Policies? by STEPHANIE CLIFFORD, New York Times, January 11, 2010
- FTC Examining Cloud Computing Privacy Concerns, Daniel's Web Trends Blog, Daniel Nations, About.com Guide to Web Trends, Tuesday January 5, 2010
- Privacy Group Asks FTC to Investigate Google, Preston Gralia, PCWorld, December 19, 2010
- L.A. Cloud Contract Goes To Google Over Microsoft, Patricia Resende New Work Security News, October 29, 2009
- Cloud Goes Boom, T-Mo Sidekick Users Lose All Data, Eric Zeman, Information Week, October 10, 2009.
- Google Helps Users Jump Ship to Rival Web Services, by Paul Meller, IDG News Service, September 11, 2009
- Lost in the Cloud, Jonathan Zittrain, New York Times, July 20, 2009
- World Privacy Forum Sends Letter to LA Mayor Regarding Cloud Computing Contract, July 17, 2009
- CSC Launches Cloud Services, Justin Lee, Web Host Industry Review, June 12, 2009
- HP Unveils Scale-Out Computing Hardware For Data Centers, Antone Gonsalves, Information Week, June 10, 2009
- Tech Firms Seek to Get Agencies on Board With Cloud Computing, Kim Hart, Washington Post, March 31, 2009
- More Security Loopholes Found In Google Docs, Robin Wauters, Washington Post,TechCrunch.com, March 26, 2009
- Privacy groups to FTC: Investigate Gmail, Picasa, Jaccqui Cheng, Arstechnica, 3/18/2009
- Privacy Group Asks F.T.C. to Investigate Google, Miguel Helft, New York Times, 3/17/2009
- FTC urged to investigate security of Google services, Jeremy Kirk, Network World, 3/18/2009
- FTC questions cloud-computing security, Sephanie Condon, CNET News, 3/17/2009
- Group asks U.S. FTC to probe Google privacy safety, Alexei Oreskovic, 3/18/2009
- FTC To Probe Google Privacy Protections' Adequacy, 3/17/2009
- New Privacy Complaint Filed Against Google (And The Cloud), Greg Sterling, 3/18/2009
- Piracy Police Want FTC To Investigate Google Cloud Services, Maureen O'Gara, Sys-Con Media
- EPIC Petitions FTC to Probe Google, Cloud Computing Services - Update, RTT News, 3/17/2009
- News Group asks FTC to examine Google's reliability, John Letzing, Market Watch WSJ, 3/17/2009
- Who Ya Gonna Call? Cloudbusters!, Alan Williamson, AJAX World Magazine, 3/17/2009
- The Perils Of Cloud Computing: Privacy Group Wants To Take Your Gmail Away, Leena Rao, Tech Crunch, 3/17/2009
- Cloud computing: How we got here, Charles Cooper, CNET.com, 3/16/09 Cloud Computing Begins to Gain Traction on Wall Street, Penny Crosman, 1/6/2009
- Cloud computing is a trap, warns GNU founder Richard Stallman, Guradian (UK),September 2008
- 'Cloud computing' heightens privacy risks, Glenn Chapman, Australian IT, 08/11/2008
- Gartner Says Cloud Computing Will Be As Influential As E-business, Special Report, Garner Newsroom, 6/26/2008
- Five cloud computing questions, Network World, 8/5/2008
- Keep an eye on cloud computing, Amy Schurr, Network World, 7/8/08
- What is cloud computing?, Galen Gruman, Information Age, 6/16/2008
- Privacy commissioner probes cloud computing, Shane Schick - ComputerWorld Canada, 5/29/2008
- What cloud computing really means, Galen Gruman, Eric Knorr, Info World, 4/7/2008
- Cloud Computing's Stormy Side, Andy Greenberg, Forbes, 02/19/2008
- I.B.M. to Push 'Cloud Computing,' Using Data From Afar, Steve Lohr, New York Times, 11/15/2007
- Google and I.B.M. Join in 'Cloud Computing' Research, Steve Lohr, New York Times, 10/08/2007
- Amazon Cloud Computing goes beta, CBR, 8/25/2006
- Piden en EEUU una investigación sobre la seguridad de Google, El Mundo | España | AFP, 20-03-09
- Google pode ser investigado sobre segurança de dados de usuários, ComputerWorld | Brazil | Por IDG News Service 19-03-09
- A CAUSA DE UNA FALLA EN SU SOFTWARE DE OFICINA ONLINE | Argentina, 19-03-09
- Piden que se investigue la seguridad de los servicios de Google, Redacción LAVOZ.com | Argentina, 18-03-09
- Reclaman investigar la seguridad de las aplicaciones de Google, Argentina, 19-03-09
- EPIC: "Google servisleri ki?isel bilgiler için tehlike arzediyor, SaintLazarus, Hardware Mania, 19-03-09
- Organización pide que se analice la seguridad de servicios online de Google, El Mercurio | Chile, 18-03-09
- Piden que se investigue la seguridad de los servicios de Google, ABC.es (MADRID), 18-03-09
- Grupos defensores de la privacidad piden la suspensión de los servicios de Google, ELPAÍS.com - Madrid, 18-03-09
- Defensores de la privacidad piden que Google desactive sus servicios hasta que mejore seguridad, Eltiempo.com | Colombia
- Do You Know Where Your Data is in the Cloud?, Forrester Research.
- EPIC, FTC Complaint Google Cloud Computing Services, March 17, 2009
- Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, World Privacy Forum, February, 23, 2009
- An A to Z of Cloud Computing in New York City
- Cloud Computing Workshop, Center for Information Technology Policy, January 14-15, 2008
- Cloud Computing, Wikipedia
- What is Cloud Computing?
- Envisioning the Cloud: The Next Computing Paradigm, Marketplace Report, March 2009
- TCP/IP, Network Administration, Second Edition, Craig Hunt, O'Reilly & Associates, January 1998
- A Brief History of NSF and the Internet
- Architectural manifesto: An introduction to the possibilities (and risks) of cloud computing
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.