TuviaPeretzFirstPaper 4 - 03 Jan 2012 - Main.TuviaPeretz
|
|
META TOPICPARENT | name="FirstPaper" |
| |
Introduction | |
< < | With the increased use of cloud storage new questions have arisen related to the privacy and confidentiality of files stored on the cloud. Although file storage on remote servers is not a new creation, many of the legal doctrines surrounding privacy and confidentiality of files were created without use of the cloud in mind and have not been adapted to the expanded use of the cloud. This paper will explore some of the ways in which files stored on the cloud may be treated differently from files stored on a user's hard-drive, what steps are being taken to improve the legal doctrines surrounding cloud computing, and what roadblocks stand in the way of improvements. | > > | Use of cloud computing services for data storage has become increasingly popular. Enthusiasts are speaking about the economic efficiencies which can be gained from large scale providers of cloud services and characterizing the cloud as a revolutionary force in the internet which will define the next era of computing. Before accepting that the future is here, however, we need to better understand the privacy risks which go hand in hand with this migration to the cloud. I see two significant privacy concerns associated with the use of the cloud—one structural and the other legal. | | | |
< < | NOTE: The focus here is on issues related to cloud storage in the United States and not jurisdictional complications. There are a whole set of other legal issues related to cloud computing which have to do with information moving across jurisdictions and being exposed to differing, and potentially conflicting, privacy regimes. | > > | Structural Concern | | | |
< < | Legal Inconsistencies
While cloud storage can be an economical and practical method for storing data and information, use of the cloud may result in reduced privacy protection. Information which the user may have otherwise stored themselves can be subject to a different set of legal standards once the information is turned over to a third party and retained on a server. | > > | Data Control
Instead of data being controlled by those who the data belongs to and stored on the owner’s servers, all of this data is stored by massive cloud storage providers on the cloud storage provider’s servers which can be accessed remotely. The cloud service provider now has access to any information which the owner has placed in the provider’s possession. Even if we assume that the cloud provider would never use any of the data (see Amazon Cloud Terms of Service particular 5.2), this still leads to an erosion of a user’s privacy in two ways. First, the cloud service provider is more likely to turn over a user’s data to the government or another party willing to pay for the data. Second, if that turnover of information occurs, a user has no knowledge of it. When the government asks a user to turn over information, or if a user were to sell it to a marketing company, at least the user knows that another party now possesses this information and that the user’s activity is known to others. By contrast, when the cloud service provider turns over your information, you have no idea that this data turnover has occurred and are unlikely to find out as the government has a strong interest in you remaining in the dark. Additionally, the fact that the cloud service provider has so many people’s information increases the value of that information because it has already been, or can easily be, aggregated. | | | |
< < | When using cloud storage, an individual or a company uses storage capacity provided to it by a third party instead of maintaining its own files. Although one may not intuitively view this distinction as significant, there is case law (US v. Miller (1976)) which allows such information to be treated differently for privacy purposes. The government argues that because a file has been turned over to a third party, the file does not have the same privacy protections it would if it were held by the creator. The significance of the government’s approach becomes increasingly important as more and more files are being turned over for third party storage. | > > | Potential Solutions
There is no clear way of solving the structural issues which arise when you lose control of your own data. Conceptions of the cloud which fully incorporate the economy of scale arguments in favor of the cloud cannot take the data out of the hands of those who maintain the cloud, and therefore there is no way for the user to retain control of the data. Before turning to the cloud, a user must take a serious look at the costs and benefits of the cloud. They must look at what they plan on using the cloud for and the cost savings which can be realized. These cost savings must be compared with the control lost and how important it is that the data or applications in the cloud which they are utilizing remain private. One way of tempering the effects of the privacy loss while gaining some of the economic benefits associated with the cloud could be tailored utilization of different cloud deployment models. For example, users with similar needs and concerns could use a community cloud which they would maintain collectively while also realizing (though to a lesser degree) the potential economic benefits of the cloud computing model. | | | |
< < | The question we need to ask is whether there is any valid justification for treating a file turned over to a third party for storage differently than the a file retained by an individual or corporation. Those in favor of the government’s right to access such information would argue that an individual or corporation does not have a reasonable expectation of privacy once they turn over the information to a third party. However, is this how individuals and corporations think of the issue when storing information on the cloud? While most people would likely acknowledge that there is a set of privacy concerns associated with the cloud, I believe these concerns stem from the fact that the information is being stored on the internet as well as whether they trust the third party to which the information is turned over—not the legal distinctions associated with the fact that it has been turned over to a third party. The decision to have data and information stored on a particular cloud is closer to a decision to hire a file management consultant, about whom you hopefully make a educated decision whether or not to trust, to manage and protect your data and less like putting that information in a lockbox to which the government has the key but can only open it when they think it’s important. The view that you do have a reasonable expectation of privacy in E-mails was endorsed in a recent Sixth Circuit decision, US v. Warshak (2010) (Wikipedia), but it remains to be seen how this will impact the law in the area. | > > | Legal Concern | | | |
< < | The main statutory provision which protects wire, oral, and electronic communications is the Electronic Communications Privacy Act (ECPA). Title II of the ECPA, the Stored Communications Act (SCA), protects communications held in electronic storage. The ECPA has not undergone a major revision since being enacted in 1986 and its privacy standards are wildly out of sync with much of the computer activity which occurs today. Take, for example, the fact that E-mail can be accessed by the government without a warrant if it has been left on a server for more than 180 days. When the law was passed, E-mail was generally downloaded. Therefore, the law considered E-mail which remained on a server for more than 6 months to be abandoned. Today, however, E-mail is regularly kept and stored on servers, yet the law still considers E-mail left on a server abandoned and allows law enforcement to access it without a warrant. This means that POP and IMAP E-mail services are treated asymmetrically for privacy purposes. | > > | Jurisdictional Differences
The legal privacy concern associated with use of the cloud stems from the fact that the laws protecting data privacy differ from jurisdiction to jurisdiction. This means that if the benefits of the cloud are fully realized and data is seamlessly transferred from one remote location to another, the laws regulating the privacy of this data may change with each move of the data. There is a lot of conflict between European data privacy laws and those that are present in the United States, especially when applied to data which belongs to citizens of other countries. For example, section 217 of the PATRIOT act allows the government to intercept “communications of a computer trespasser” if the owner of a “protected computer” authorizes that surveillance. This law would mean that the government has warrantless search authority of any computer if the service provider agrees to it. This should raise serious concerns amongst users of cloud computing services. Information can move seamlessly from jurisdiction to jurisdiction and there is no knowing what surveillance and data privacy standards may be applied along the way. Additionally, the owner of the data has no idea that their data is being observed. | | | |
< < | Proposals For Change
An organization called Digital Due Process (a coalition of various companies) has laid out its major principles for bringing the ECPA up to date with today’s computing needs, and Senator Patrick Leahy has introduced a bill in the Senate.
Roadblocks
The major roadblocks to enacting this change come from the government and the cloud computing industry itself. Obviously the government is interested in continuing the practices it currently takes part in. The government wants its investigative procedures to remain as simple and as quiet as possible. The government does not want individuals to know they are being investigated and has no interest in increasing the evidentiary standard required to obtain data and information on a person or corporation.
The industry is caught in a tough position. On the one hand they want to back data and privacy protections insofar as they encourage individuals and corporations to embrace the cloud and utilize their services. However, the cloud providers want to continue to access individuals data for their own informational purposes (look at Amazon terms of service regarding your files particularly 5.2) and do not want to back any laws which might increase privacy protections and inhibit their use of consumer data.
It's difficult to know what you mean by cloud storage here. Partly this results from the complete obscurity of the term most of the time, as a buzzword without concrete technical meaning. But here, by including email held in ordinary spools, you seem to mean by "cloud storage" all non-local storage. And your legal discussion, such as it is, concerns updating ECPA, which—for reasons you give in the course of the discussion—is orthogonal to questions about "cloud."
I doubt the effectiveness of your disclaimer at the top, for this reason. Email servers can be said to have a location, and the law that applies to them is, as the saying used to be among pretentious international law types, lex loci server. What might be meant by "cloud storage," however, would be clustered file systems deliberately straddling jurisdictional boundaries (indeed all boundaries), where merely determining the law governing any individual quantum of data at any fixed time may be impossible. | > > | Potential Solutions
Legal differences in how data is treated between jurisdictions has significant costs both in terms of the potential lack of legal protections as well as the lack of certainty and predictability regarding the data protection regime. As a worldwide uniform data privacy regime is impossible to imagine, we need to look for less drastic ways of reducing the legal risks associated with the cloud. In Europe, some have suggested that the way to solve this problem is by instituting a country of origin approach. This could lead to greater predictability within a certain limited zone but may also lead to reduced portability of data which would reduce the economic benefits of the cloud. Another solution would simply involve cloud computing companies sorting themselves based on the zones in which they maintain data, and the corresponding legal data privacy protections which apply. | | | |
> > | Conclusion
Although the economic model behind cloud computing presents a compelling case for a shift towards the cloud, it is important to evaluate the privacy losses which correspond to this shift before endorsing a full-fledged flight to the cloud. Although a complete move to the cloud may be unwarranted, there may be ways of capturing some of the economic benefits associated with the cloud while also controlling the privacy risks. | |
|
|
TuviaPeretzFirstPaper 3 - 10 Nov 2011 - Main.EbenMoglen
|
|
META TOPICPARENT | name="FirstPaper" |
| |
< < | It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.
Ready to be Read | | PRIVACY AND CLOUD STORAGE | | The industry is caught in a tough position. On the one hand they want to back data and privacy protections insofar as they encourage individuals and corporations to embrace the cloud and utilize their services. However, the cloud providers want to continue to access individuals data for their own informational purposes (look at Amazon terms of service regarding your files particularly 5.2) and do not want to back any laws which might increase privacy protections and inhibit their use of consumer data. | |
> > | It's difficult to know what you mean by cloud storage here. Partly this results from the complete obscurity of the term most of the time, as a buzzword without concrete technical meaning. But here, by including email held in ordinary spools, you seem to mean by "cloud storage" all non-local storage. And your legal discussion, such as it is, concerns updating ECPA, which—for reasons you give in the course of the discussion—is orthogonal to questions about "cloud."
I doubt the effectiveness of your disclaimer at the top, for this reason. Email servers can be said to have a location, and the law that applies to them is, as the saying used to be among pretentious international law types, lex loci server. What might be meant by "cloud storage," however, would be clustered file systems deliberately straddling jurisdictional boundaries (indeed all boundaries), where merely determining the law governing any individual quantum of data at any fixed time may be impossible.
| |
# * Set ALLOWTOPICVIEW = TWikiAdminGroup, TuviaPeretz |
|
TuviaPeretzFirstPaper 2 - 06 Nov 2011 - Main.TuviaPeretz
|
|
META TOPICPARENT | name="FirstPaper" |
It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted. | |
> > | Ready to be Read | | PRIVACY AND CLOUD STORAGE
-- By TuviaPeretz - 30 Oct 2011
Introduction | |
< < | With the increased use of cloud storage new questions have arisen related to the privacy and confidentiality of files stored on the cloud. Although file storage on remote servers is not a new creation, many of the legal doctrines surrounding privacy and confidentiality of files were created without use of the cloud in mind and have not adapted to the expanded use of the cloud. This paper will explore some of the ways in which files stored on the cloud may be treated differently from files stored on a user's hard-drive, what steps are being taken to improve the legal doctrines surrounding cloud computing, and what roadblocks stand in the way of improvements. | > > | With the increased use of cloud storage new questions have arisen related to the privacy and confidentiality of files stored on the cloud. Although file storage on remote servers is not a new creation, many of the legal doctrines surrounding privacy and confidentiality of files were created without use of the cloud in mind and have not been adapted to the expanded use of the cloud. This paper will explore some of the ways in which files stored on the cloud may be treated differently from files stored on a user's hard-drive, what steps are being taken to improve the legal doctrines surrounding cloud computing, and what roadblocks stand in the way of improvements. | | NOTE: The focus here is on issues related to cloud storage in the United States and not jurisdictional complications. There are a whole set of other legal issues related to cloud computing which have to do with information moving across jurisdictions and being exposed to differing, and potentially conflicting, privacy regimes.
Legal Inconsistencies | |
< < | While cloud storage can be an economical and practical method for storing data and information, use of the cloud may result in reduced privacy protection. Information which the user may have otherwise stored themselves can be subject to a different set of legal standards once the information is turned over to a third party for storage purposes and retained on a server. | > > | While cloud storage can be an economical and practical method for storing data and information, use of the cloud may result in reduced privacy protection. Information which the user may have otherwise stored themselves can be subject to a different set of legal standards once the information is turned over to a third party and retained on a server. | | When using cloud storage, an individual or a company uses storage capacity provided to it by a third party instead of maintaining its own files. Although one may not intuitively view this distinction as significant, there is case law (US v. Miller (1976)) which allows such information to be treated differently for privacy purposes. The government argues that because a file has been turned over to a third party, the file does not have the same privacy protections it would if it were held by the creator. The significance of the government’s approach becomes increasingly important as more and more files are being turned over for third party storage. |
|
TuviaPeretzFirstPaper 1 - 30 Oct 2011 - Main.TuviaPeretz
|
|
> > |
META TOPICPARENT | name="FirstPaper" |
It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.
PRIVACY AND CLOUD STORAGE
-- By TuviaPeretz - 30 Oct 2011
Introduction
With the increased use of cloud storage new questions have arisen related to the privacy and confidentiality of files stored on the cloud. Although file storage on remote servers is not a new creation, many of the legal doctrines surrounding privacy and confidentiality of files were created without use of the cloud in mind and have not adapted to the expanded use of the cloud. This paper will explore some of the ways in which files stored on the cloud may be treated differently from files stored on a user's hard-drive, what steps are being taken to improve the legal doctrines surrounding cloud computing, and what roadblocks stand in the way of improvements.
NOTE: The focus here is on issues related to cloud storage in the United States and not jurisdictional complications. There are a whole set of other legal issues related to cloud computing which have to do with information moving across jurisdictions and being exposed to differing, and potentially conflicting, privacy regimes.
Legal Inconsistencies
While cloud storage can be an economical and practical method for storing data and information, use of the cloud may result in reduced privacy protection. Information which the user may have otherwise stored themselves can be subject to a different set of legal standards once the information is turned over to a third party for storage purposes and retained on a server.
When using cloud storage, an individual or a company uses storage capacity provided to it by a third party instead of maintaining its own files. Although one may not intuitively view this distinction as significant, there is case law (US v. Miller (1976)) which allows such information to be treated differently for privacy purposes. The government argues that because a file has been turned over to a third party, the file does not have the same privacy protections it would if it were held by the creator. The significance of the government’s approach becomes increasingly important as more and more files are being turned over for third party storage.
The question we need to ask is whether there is any valid justification for treating a file turned over to a third party for storage differently than the a file retained by an individual or corporation. Those in favor of the government’s right to access such information would argue that an individual or corporation does not have a reasonable expectation of privacy once they turn over the information to a third party. However, is this how individuals and corporations think of the issue when storing information on the cloud? While most people would likely acknowledge that there is a set of privacy concerns associated with the cloud, I believe these concerns stem from the fact that the information is being stored on the internet as well as whether they trust the third party to which the information is turned over—not the legal distinctions associated with the fact that it has been turned over to a third party. The decision to have data and information stored on a particular cloud is closer to a decision to hire a file management consultant, about whom you hopefully make a educated decision whether or not to trust, to manage and protect your data and less like putting that information in a lockbox to which the government has the key but can only open it when they think it’s important. The view that you do have a reasonable expectation of privacy in E-mails was endorsed in a recent Sixth Circuit decision, US v. Warshak (2010) (Wikipedia), but it remains to be seen how this will impact the law in the area.
The main statutory provision which protects wire, oral, and electronic communications is the Electronic Communications Privacy Act (ECPA). Title II of the ECPA, the Stored Communications Act (SCA), protects communications held in electronic storage. The ECPA has not undergone a major revision since being enacted in 1986 and its privacy standards are wildly out of sync with much of the computer activity which occurs today. Take, for example, the fact that E-mail can be accessed by the government without a warrant if it has been left on a server for more than 180 days. When the law was passed, E-mail was generally downloaded. Therefore, the law considered E-mail which remained on a server for more than 6 months to be abandoned. Today, however, E-mail is regularly kept and stored on servers, yet the law still considers E-mail left on a server abandoned and allows law enforcement to access it without a warrant. This means that POP and IMAP E-mail services are treated asymmetrically for privacy purposes.
Proposals For Change
An organization called Digital Due Process (a coalition of various companies) has laid out its major principles for bringing the ECPA up to date with today’s computing needs, and Senator Patrick Leahy has introduced a bill in the Senate.
Roadblocks
The major roadblocks to enacting this change come from the government and the cloud computing industry itself. Obviously the government is interested in continuing the practices it currently takes part in. The government wants its investigative procedures to remain as simple and as quiet as possible. The government does not want individuals to know they are being investigated and has no interest in increasing the evidentiary standard required to obtain data and information on a person or corporation.
The industry is caught in a tough position. On the one hand they want to back data and privacy protections insofar as they encourage individuals and corporations to embrace the cloud and utilize their services. However, the cloud providers want to continue to access individuals data for their own informational purposes (look at Amazon terms of service regarding your files particularly 5.2) and do not want to back any laws which might increase privacy protections and inhibit their use of consumer data.
# * Set ALLOWTOPICVIEW = TWikiAdminGroup, TuviaPeretz
Note: TWiki has strict formatting rules. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of that line. If you wish to give access to any other users simply add them to the comma separated list |
|
|
|
This site is powered by the TWiki collaboration platform. All material on this collaboration platform is the property of the contributing authors. All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
|
|