Don't Keep Your Head in the Clouds: Demand Protection for the Data You Store in the Cloud

Jan 27, 2010
By:
Nicole A. Ozer
default statue of liberty torch

We've already blogged generally about the Federal Trade Commission's "Exploring Privacy" roundtable and asked you to sign onto the ACLU of Northern California's petition demanding more transparency about when and why companies share our information with the government and others. In this blog post we're going to focus on the privacy implications of cloud computing services and why it is so important that you know how and when cloud providers share your personal information with third parties.

Information that goes into the cloud doesn't necessarily stay there – and cloud consumers are worried

Cloud computing services are tools accessed via the Internet that allow consumers to easily create, edit, and store documents online (like Google Docs, photo storage sites, or online calendars). They are growing in popularity: at least 69% of American Internet users, and 87% of users in the 18-29 age range, have engaged in some form of cloud computing activity.

From the user perspective, cloud computing services make the transition from offline to online activities increasingly seamless. But while it may be easy for consumers to transition information into the cloud, privacy protections for that personal information may not transition as smoothly.

One of the privacy issues that we will be bringing to the FTC's attention on Thursday is that outdated federal privacy laws–written way back in 1986, before the Internet even existed–lead to a lack of clarity about privacy protections in the cloud computing context. We are left to worry that our personal information is far more vulnerable in the cloud than it is on our hard drive or in our filing cabinet.

A lack of clarity about privacy protections in the cloud computing context is worrisome to consumers and should be worrisome to the FTC. It is not good for consumers or businesses when individuals have to worry that what goes into the cloud might not stay in the cloud. Consumers are already "very concerned" by scenarios in which their cloud computing information ends up being used in ways that they did not intend, such as when companies:

  • Turn their data over to law enforcement (49% of users);
  • Keep copies of files even after they try to delete them (63%);
  • Analyze data in the cloud for targeted advertisements (68%);
  • Use cloud documents in marketing campaigns (80%); and
  • Sell files to others (90%)."

And many companies agree that privacy protection is necessary to attract cloud computing users. Just last week Microsoft called on the government to update laws to provide protection for data in the cloud. The call comes as Microsoft pledges to spend millions to develop cloud computing products. We hope other companies will also push for robust protections and are convinced they will do so when they realize that privacy is good for the bottom line.

Notice and transparency are important first steps

In our written comments to the FTC in advance of this privacy roundtable we urged the agency to require that companies come clean with the public about how often consumer information is shared with the government and other third parties by publishing an annual record of all information requests. This record should include:

  • The number of Federal warrants, State warrants, grand jury subpoenas, civil and administrative subpoenas, and court orders received in the previous year;
  • The number and types of action taken by the company for each category of request;
  • The number of individuals whose personal information was disclosed by the provider by category of request;
  • The type of personal information disclosed by category of request; and
  • The total amount of money received by the company to fulfill each category of request.

The report should be available to the public in an online, searchable format so that cloud consumers can easily learn about and compare company disclosure rates. Any company with an online privacy policy should also create a prominent hyperlink from the disclosure section of its privacy policy to its latest report.

A model for such a report already exists in the wiretap context: the number of wiretaps requested and ordered is made public in an annual Wiretap Report. The report suggested here would merely expand public knowledge so that we would know about requests for information from online companies too.

This type of report is long overdue. You should know when and why companies are turning over consumer information in the cloud to the government and third parties. As the boundary between personal devices and the Internet "cloud" becomes less meaningful, it is imperative that privacy laws and policies are updated so that users do not have to choose between using cloud computing and keeping existing control over their personal information. Such a reporting mechanism would not stifle innovation or undermine benefits to consumers. Indeed by helping to ensure greater transparency, it may build consumer trust and help lead to additional privacy and security innovations in the cloud computing arena.

Please join us and tell the FTC that knowing the extent of information sharing is a necessary first step. You can also listen to the webcast of the privacy roundtable or submit a comment to the FTC here.

For more information about protecting your online privacy when using cloud computing and other new technologies, visit the Demand Your dotRights site at dotRights.org.

The FTC's Watershed Moment In PrivacyDon't Let Your Privacy Wash Away