Call for better privacy protection in the cloud

Drew Turney

Cloud services must ensure users' privacy doesn't evaporate once 'I agree' is ticked. Photo: Michele Mossop

It might be easy to click "I agree" on the bottom of endless software end user licence agreements (EULAs) without a second thought, but when it comes to putting one's data on the cloud the one-size-fits-all approach needs to be overhauled, according to University of Illinois IP and technology law professor Jay P Kesan.

Professor Kesan says people need to be better informed about what happens to their data when they accept terms and conditions.

He warns that as long as we find it perfectly acceptable to give personal information to online services, it allows their owners to snoop, aggregate and data mine our online habits as they see fit. 

Kesan and colleagues surveyed the EULAs of 19 major online services (including Amazon, Google, Microsoft, Dropbox, Facebook, Flickr, Cisco, Salesforce and VMware) and found that providers were consistently more detailed when describing users' obligations to them than the other way around.

In response, Kesan and colleagues published a paper calling for 'baseline protections' for personal information and more control by users over their data, saying the agreement between a provider and user is a contract – one the user should be able to negotiate in their favour.

"They cannot," is how he responds when asked how individual users can negotiate better terms. "[Users] have no leverage and no bargaining power. We could incentivise new cloud providers to charge users a fee in return for better privacy protections so they're less dependent on advertising for revenue and more privacy-aware. The privacy policies will be especially important."

Many agree, even from within the cloud computing industry. "The cards are stacked against you when it comes to the agreements," says Nick Crown. As product strategy director for identity data platform provider UnboundID, Crown is an expert in the myriad agreements we have to agree to or sign to interact online, and he says it's 'impossible' for individual users to understand them all.

It might be high time for more transparent cloud service agreements. The sector shows no signs of slowing down, and Google raised eyebrows when company lawyers told a US court that 'all users of email must necessarily expect ... emails will be subject to automated processing'. This week, it was revealed Australian jobseekers are having their medical examination results supplied to potential employers.

Many already feel jittery about the cloud. Some 33 per cent of respondents to a survey from social research company 1WorldOnline said security concerns keep them from using cloud storage, and as reported in August, the US cloud computing industry stands to lose $38.7b after revelations about the extent of private data snooping by the NSA.

Kesan says cloud EULAs are deliberately fuzzy and one-sided, giving the providers legal wiggle room around whatever privacy laws exist. "There's virtually no way for a consumer to know what the 'industry standard' practices are for protecting personal information, for example," he says. "Vague assurances don't provide an effective baseline and can undermine efforts to enforce a company's privacy policy against it."

One result of rigid cloud service EULAs is going to be simply that some potential customers can't buy them. "Financial services organisations in particular are subject to stringent cloud restrictions directed by the Australian Prudential Regulatory Authority," says Gerry Grealish, spokesman for cloud security firm PerspecSys.

So far, governments are talking the protective talk – the last thing anyone wants is catastrophic loss of consumer confidence in a burgeoning new technology sector, after all. The Department of Communications cites Australian Consumer Law, which it says applies to 'most cloud service providers' and enhances consumers' rights, 'particularly where there is an imbalance of bargaining power'.

Even so, regulatory assurance isn't making cloud users feel any better. In March this year a Gartner report said 'buyers of commercial cloud services, especially software-as-a-service, are finding security provisions woefully inadequate'.

"Some cloud providers directly monetise user content," says Matt Branton, chief executive of Coinlock, a cloud service to monetise content using Bitcoin. "It's in their best interests to prevent people from moving out of their walled gardens. Cloud service agreements are one-sided, designed not only to protect the company from liability but ensure revenue and limit competition. Only wide, sweeping regulation of user privacy will change the status quo."

2 comments

  • Most cloud EULAs are unilateral contracts not bilateral contracts so the legal relationship is formed when the subscriber begins using the cloud service. It could be argued therefore that most cloud EULAs are invitations to treat not an offer. Currently, if you use a cloud service that data shares it is quite legal for them to do so with virtually anyone. Whether that permits the automated subscription to another service which as part of their EULA grants them access to your bank account would be subject to the data share conditions you agreed to by using the original cloud service. Sure the Privacy Act offers some protection but if the provider is offshore or if the data is being sent offshore for processing, even if a country has an equivalent Act it will only protect citizens, not foreign data.

    Commenter
    Real DC
    Location
    Melbourne
    Date and time
    November 28, 2013, 1:57PM
    • Try this exercise. Every time someone uses the word 'Cloud' replace it with 'place you don't know run by people you don't know'. Then you'll see how ridiculous it is to expect any privacy or legal remedy.
      Take this article title for an example.
      "Call for better privacy protection in the cloud"
      "Call for better privacy protection in the place you don't know run by people you don't know"
      See how much simpler it is?

      Commenter
      Nicho
      Location
      Sydney
      Date and time
      November 29, 2013, 1:02PM