Overview


As of today, there are few laws or court cases that are relevant to cloud computing. Therefore, when it comes to privacy, confidentiality and protection, the courts are usually unsure of what to do. This section of our portal outlines some issues, such as data ownership, terms of service and privacy policies, that could affect the future of cloud computing. In addition, we discuss how current laws have been applied in some cloud computing related court cases, which set the precedent for possible future cases.

Data Ownership

Data Owner(s)

Theoretically, in cloud computing, the user is the data owner. As a result, he is free to share his personal information with a cloud provider. However, there are certain circumstances that prevent the user from being the sole owner of his personal information. These circumstances are the result of outdated laws or the lack of relevant privacy laws. For example, current laws do not prohibit a business from disclosing information about its clients or employees to a cloud provider. Therefore, it is important for users to read the privacy policy and terms of service of their cloud provider before disclosing any personal information.

According to Robert Gellman, a user’s privacy and confidentiality risks are “magnified when the cloud provider has reserved the right to change its terms and policies at will” (Gellman 6).

In addition to understanding a cloud provider’s privacy policy and terms of service, it is also vital for a user to determine what personal information he wants to share with his provider, since more protection is given to the data’s owner than to third parties. The Privacy Act of 1974, which imposed “standards for the collection, maintenance, use and disclosure of personal information” (5), prevents federal agencies from using cloud computing for personal information. As a result, even after disclosing personal information to a cloud provider, the user must still be aware of any personal and confidentiality risks because cloud providers may, at times, be restricted by law to provide personal information to government agencies and private litigants. This is due to the very few and weak laws that protect personal information disclosed to third parties.

Data Location(s)

The location of data is vital in determining what type of protection and how much protection is provided to the party that processes or stores the data. Gellman states in Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing:

“Any information stored in the cloud eventually ends up on a physical machine owned by a particular company or person located in a specific country. That stored information may be subject to the laws of the country where the physical machine is located” (7).

However, legal complications arise when cloud providers decide to store data in different locations at the same time without notifying their users. Since there are no explicit laws that regulate cloud computing services, cloud providers are not required to notify their users. In addition, since data can be located at more than one legal location at the same time, the situation becomes complicated when the data is subject to the law.

Terms of Service and Privacy Policy

When a user first uses a cloud provider to share data, he must be aware that the terms of service of the cloud provider do not necessarily cover all aspects of its services. On occasion, the provider may have additional terms of service for certain services. In addition, some cloud providers may have a separate privacy policy that outlines the fair information practices of the services they provide.

The terms of service should state the amount of time the user should have access to the services. Generally, the user would have access until he decides to end his service with the cloud provider. However, it is important to note that the terms of service could give the cloud provider permission to terminate services to a user at any time.

In addition, the terms of service may give the cloud provider various rights, including “the right to copy, use, change, publish, display, distribute, and share with affiliates or with the world the user’s information” (17).

However, even if the user decides to terminate his account with the cloud provider, the provider can still hold control over the backup copies of data that were shared by the user. This also holds true for any updates and changes to the cloud provider’s terms of service. As a result, it is vital that users are aware of what they share on the cloud and pay close attention to the cloud provider’s terms of service and privacy policy so that they will receive the maximum privacy and confidentiality protections.

Interpretation and Application of Current Laws

Current Laws and Relevant Court Cases

Although there are currently no laws restricting users from sharing information with cloud providers, users need to understand that information released to third parties, such as cloud providers, does not have as much protection as information kept private by the users themselves. Therefore, it may sometimes be a lot easier for government agencies and private litigants to procure information about users without notifying the users themselves. Several court cases, such as United States v. Miller and State v. Bellar, are relevant to cloud computing. In addition, the Electronic Communications Privacy Act (ECPA) will be discussed briefly in terms of its relevance to cloud computing.

United States v. Miller

This court case is an example of how the government can initially bypass the law by obtaining evidence from third parties. In this case, the government obtained evidence against Miller for several federal crimes through banks via subpoenas. Miller argued that the government violated his Fourth Amendment rights by obtaining information from his bank. However, the Court dismissed that claim.

According to Gellman, “the case stands generally for the proposition that an individual’s personal records held by a third party does not have the same constitutional privacy protection as applies to the same record held by the individual” (12).

Although Congress later overturned part of the Supreme Court’s decision, this case is still vital in showing how little protection there is for information disclosed by third parties.

State v. Bellar

In a recent appeal in Oregon, the defendant, Bellar, argued for a motion to suppress evidence in his prosecution on 40 counts of encouraging child sexual abuse. Although this example does not involve cloud computing directly, it briefly mentions how current methods of data storage may not apply to current laws, but should still be protected for the privacy of the data owner (Legal Implications of Cloud Computing). The court’s dissent is as follows:

“Nor are a person's privacy rights in electronically stored personal information lost because that data is retained in a medium owned by another. Again, in a practical sense, our social norms are evolving away from the storage of personal data on computer hard drives to retention of that information in the “cloud,” on servers owned by internet service providers. That information can then be generated and accessed by hand-carried personal computing devices. I suspect that most citizens would regard that data as no less confidential or private because it was stored on a server owned by someone else” (STATE OF OREGON v. DONALD LEE BELLAR).

Electronic Communications Privacy Act (ECPA)


As we have learned in class, the Electronic Communications Privacy Act (ECPA) provides some privacy protection against government access to electronic mail held by third parties. However, with emerging technologies in data storage, the courts have had trouble determining whether or not the ECPA applies in certain circumstances. This is best represented by the case of United States v. Miller, in which the court decided that there is no privacy protection of data shared to others by third parties. Robert Gellman listed some factors that could play a big role in determining the proper application of the ECPA in his World Privacy Forum report. They are as follows:

  • The precise characterization of the activity as a communication or as storage (which itself may come in several flavors), complicated by the recognition that an activity can move from being a communication to being a stored communication depending on time and possibly other factors,
  • Whether the information in question is content or non-content (e.g., header or transaction information),
  • The nature of the service, e.g., whether it is an electronic communication service or a remote computing service,
  • The terms of service established by the cloud provider,
  • Any consent that the user has granted to the provider or others,
  • The identity of the service provider, for example, if the cloud provider is itself a government agency, the provider’s obligation would be different from those of a nongovernmental cloud provider, and the rights of users would also be different. (Gellman 13)

It is unpredictable whether there will be definitive conditions that make the court’s decisions on data disclosed by third parties to government agencies more pronounced in the future. However, we, as well as other experts in the IT security field, feel that there will be more and more court cases or legal situations relevant to cloud computing in the near future. We will just have to wait and see how the courts react to these situations, which will affect many of our privacy concerns.

Resources

Gellman, Robert. “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing.” World Privacy Forum | Home. 23 Feb. 2009. Web. 6 Apr. 2010. <http://www.worldprivacyforum.org/cloudprivacy.html>.

"Legal Implications of Cloud Computing -- Part Four (E-Discovery and Digital Evidence) : Info Law Group." Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law. Nov. 2009. Web. 6 Apr. 2010. <http://www.infolawgroup.com/2009/11/articles/cloud-computing-1/legal-implications-of-cloud-computing-part-four-ediscovery-and-digital-evidence/>.

STATE OF OREGON v. DONALD LEE BELLAR. THE COURT OF APPEALS OF THE STATE OF OREGON. 30 Sept. 2009. <http://www.publications.ojd.state.or.us/A129493.htm>.
