ICTlogy

Notes from the 6th Internet, Law and Politics Conference: Cloud Computing: Law and Politics in the Cloud, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on July 7th and 8th, 2010. More notes on this event: idp2010.

Opening: Pere Fabra, Agustí Cerrillo

Privacy in the Cloud, a Misty Topic?
Ronald Leenes, Universiteit van Tilburg

An introduction to Cloud Computing

What is the relationship between Cloud computing, Grid computing, service oriented architecture (SOA) and Web 2.0?

Increasingly, data and applications are stored and/or run on a web server that hosts what usually was on your local machine. The web browser becomes the usual platform. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources.

If we talk about “resources”, the definition becomes broader, as we can also speak about computing power or computing time. And these resources are shared by many users, instead of having a dedicated machine. This provide rapid elasticity that allows for easy and quick scaling (up or down).

Models

• Software as a Service (Saas): e.g. webmail, online office applications; etc.
• Platform as a Service (Paas): e.g. Amazon AWS platform;
• Infrastructure as a Service (IaaS): all the power you might have in our PC, in the cloud.

Advantages

• Price: many cloud services are reee.
• Reliability: redundancy of services and scalability makes the system more stable.
• Accessibility: your services, everywhere.
• No piracy.
• Multiple business models: fees, ads, etc.
• Always current version of the software, no needs to update.

Privacy and security issues

Privacy: bodily integrity, data protection, inviolability of the home, secrecy of communications. The later two are specially relevant for cloud computing.

Data protection goals aim at facilitating the free flow of information while providing a minimum level of data protection. Data aspects: confidentiality, integrity, availability. The three of them are (more or less) under control while data are stored in a PC. In the cloud it is certainly less so.

The first thing to state is that, in the cloud, you don’t know where your data exactly are. Indeed, those date are interlinkable by other services, which make them even more ubiquitous while difficult to locate.

Second is that, in “physical” life, one’s identity is made up of different and partial identities of one self. There is a certain control to segregate audiences according to what they can see of me. Not in the cloud. To a large extent, we’re evolving toward a world where you are who Google says that you are (JD Lassica).

As data travel from my browser (and through the Internet) to a cloud service, anyone can potentially intercept your travelling data. The way to avoid this is use encryption (HTTPS) but cloud services do not usually have the incentive to (unlike banks, that are liable for data loss or money stealing) and do have incentives not to (HTTPS requires much more server power and time to encrypt and decrypt, thus making it more expensive at the aggregate level).

Regulation

• In the European Union: Data Protection Directive (DPD).

Personal data: data that can lead to identification of a person (data subject). Thus, personal data can be taken very broadly as even an e-mail message can lead to identifiable individuals. A processor is a body that processes personal data. A data controller holds or stores personal data.

The DPD is applicable when the data controller is within the European Union jurisdiction, regardless of where the data processor is.

Thus, if Google just provides a platform where the user processes their data, then Google is not a controller, but a processor, which means it is being affected differently by the (European) law. But if data, after being processed, are stored in Google’s servers, then Google becomes a controller. So, cloud service providers can switch between data controlling and data processing or both at a time, with legal consequences.

DPD principles: transparency, legitimate purpose and proportionality.

Discussion

Jordi Vilanova: are there any legal differences in privacy between individuals and institutions? A: legally, in strict sense it only applies to individuals. In the case of companies, we would be talking about intellectual property, trade secrets, etc.

Mònica Vilasau: to balance unequal distribution of bargaining power between service providers and users, what should be done? More regulation? Better contracts? Is the data protection directive enough for cloud computing? A: Contracts should suffice, as they are a very powerful tool. The difference is that in the EU privacy is a public good that needs to be protected, so the law will always be above any contract; while in the US privacy is something that can be bargained between contractors. The DPD is not enough for cloud computing, because its purpose was to regulate over the data controller, a very identifiable agent at a time (e.g. a hospital having data of you). But now, who is a data controller or a processor is very difficult to identify.

Q: Is one of the problems that cloud services are based in the US? A: Yes, of course, if data controllers, processors and subjects were in the same jurisdiction that would make things much easier.

Mònica Vilasau: what about cookies? A: if you accept cookies, you get less of your privay. If you do not, the service provider is no more a data controller (it is not storing data from you, because you refused the cookie) and then you are no more under the DPD. This is an ironic dichotomy.

See also

• ¿Estás en la nube? Pues empieza a proteger tus datos…, by Karma Peiró
• Privacitat al núvol, un concepte difús?, by Joan-Baptista Gavaldà i Moran
• The Evolution of Privacy on Facebook, a graphic representation by Matt McKeon.

Previous post: Baumol in the classrooom or the industrialization of education

Next post: 6th Internet, Law and Politics Conference (II). Pau Garcia-Milà: Myths and Realities of Cloud Computing