Cloud services must ensure users' privacy doesn't evaporate once 'I agree' is ticked. Photo: Michele Mossop
It might be easy to click "I agree" on the bottom of endless software end user licence agreements (EULAs) without a second thought, but when it comes to putting one's data on the cloud the one-size-fits-all approach needs to be overhauled, according to University of Illinois IP and technology law professor Jay P Kesan.
Professor Kesan says people need to be better informed about what happens to their data when they accept terms and conditions.
He warns that as long as we find it perfectly acceptable to give personal information to online services, it allows their owners to snoop, aggregate and data mine our online habits as they see fit.
Kesan and colleagues surveyed the EULAs of 19 major online services (including Amazon, Google, Microsoft, Dropbox, Facebook, Flickr, Cisco, Salesforce and VMware) and found that providers were consistently more detailed when describing users' obligations to them than the other way around.
In response, Kesan and colleagues published a paper calling for 'baseline protections' for personal information and more control by users over their data, saying the agreement between a provider and user is a contract – one the user should be able to negotiate in their favour.
"They cannot," is how he responds when asked how individual users can negotiate better terms. "[Users] have no leverage and no bargaining power. We could incentivise new cloud providers to charge users a fee in return for better privacy protections so they're less dependent on advertising for revenue and more privacy-aware. The privacy policies will be especially important."
Many agree, even from within the cloud computing industry. "The cards are stacked against you when it comes to the agreements," says Nick Crown. As product strategy director for identity data platform provider UnboundID, Crown is an expert in the myriad agreements we have to agree to or sign to interact online, and he says it's 'impossible' for individual users to understand them all.
It might be high time for more transparent cloud service agreements. The sector shows no signs of slowing down, and Google raised eyebrows when company lawyers told a US court that 'all users of email must necessarily expect ... emails will be subject to automated processing'. This week, it was revealed Australian jobseekers are having their medical examination results supplied to potential employers.
Many already feel jittery about the cloud. Some 33 per cent of respondents to a survey from social research company 1WorldOnline said security concerns keep them from using cloud storage, and as reported in August, the US cloud computing industry stands to lose $38.7b after revelations about the extent of private data snooping by the NSA.
One result of rigid cloud service EULAs will simply be that some potential customers can't buy the services. "Financial services organisations in particular are subject to stringent cloud restrictions directed by the Australian Prudential Regulatory Authority," says Gerry Grealish, spokesman for cloud security firm PerspecSys.
So far, governments are talking the protective talk – the last thing anyone wants is catastrophic loss of consumer confidence in a burgeoning new technology sector, after all. The Department of Communications cites Australian Consumer Law, which it says applies to 'most cloud service providers' and enhances consumers' rights, 'particularly where there is an imbalance of bargaining power'.
Even so, regulatory assurance isn't making cloud users feel any better. In March this year a Gartner report said 'buyers of commercial cloud services, especially software-as-a-service, are finding security provisions woefully inadequate'.
"Some cloud providers directly monetise user content," says Matt Branton, chief executive of Coinlock, a cloud service to monetise content using Bitcoin. "It's in their best interests to prevent people from moving out of their walled gardens. Cloud service agreements are one-sided, designed not only to protect the company from liability but ensure revenue and limit competition. Only wide, sweeping regulation of user privacy will change the status quo."