The Privacy Implications of Cloud Computing

It is difficult to come up with a precise definition of cloud computing. In general terms, it’s the idea that your computer’s applications run somewhere in the "cloud," that is to say, on someone else’s server accessed via the Internet. Instead of running program applications or storing data on your own computer, these functions are performed at remote servers which are connected to your computer through the Internet.

In telecommunications, a "cloud" is the unpredictable part of any network through which data passes between two end points. In cloud computing, the term refers generally to any computer network or system through which personal information is transmitted, processed, and stored, and over which individuals have little direct knowledge, involvement, or control.

With more reliable, affordable broadband access, the Internet no longer functions solely as a communications network. It has become a platform for computing. Rather than running software on your own computer or server, Internet users reach to the "cloud" to combine software applications, data storage, and massive computing power.

It’s a bit easier to understand the concept of cloud computing by providing examples. Google operates several well-known cloud computing services. It offers its users applications such as e-mail, word processing, spreadsheets and storage, and hosts them "in the cloud" -- in other words, on its own servers, not yours. So, for example, you can type a document without maintaining any word processing software on your computer. You can use Google’s software "in the cloud." All you need is an Internet-capable device. It doesn’t even need to be a computer.

Other examples of cloud computing include:

  • Web-based email services such as Yahoo and Microsoft Hotmail
  • Photo storing services such as Googleís Picassa
  • Spreadsheet applications such as Zoho
  • Online computer backup services such as Mozy
  • File transfer services such as YouSendIt
  • Online medical records storage such as Microsoft's HealthVault
  • Applications associated with social networking sites such as Facebook.

Some of the other major players in cloud computing include:

  • Google
  • Yahoo
  • Microsoft
  • IBM
  • Amazon
  • Salesforce
  • Sun Microsystems
  • Oracle
  • EMC

When users store their data with programs hosted on someone else's hardware, they lose a degree of control over their sensitive information. The responsibility for protecting that information from hackers and internal data breaches then falls into the hands of the hosting company rather than the individual user. Government investigators trying to subpoena information could approach that company without informing the data's owners. Some companies could even willingly share sensitive data with marketing firms. So there is a privacy risk in putting your data in someone else's hands. Obviously, the safest approach is to maintain your data under your own control.

The concept of handing sensitive data to another company worries many people. Is data held somewhere in the cloud as secure as data protected in user-controlled computers and networks? Privacy and security can only be as good as its weakest link. Cloud computing increases the risk that a security breach may occur.

One of the problems with cloud computing is that technology is frequently light years ahead of the law. There are many questions that need to be answered. Does the user or the hosting company own the data? Can the host deny a user access to their own data? If the host company goes out of business, what happens to the users' data it holds? And, most importantly from a privacy standpoint, how does the host protect the user's data?

So, before you utilize any cloud computing services, be aware of the potential risks. And make sure that you carefully read the privacy policy of the hosting company to become aware of your rights.

For more information on the privacy implications of cloud computing, see the May 2008 report by Ann Cavoukian, Privacy in the Clouds -- A White Paper on Privacy and Digital Identity: Implications for the Internet (Information and Privacy Commissioner of Ontario), .

Read the World Privacy Forum's report on cloud computing (Feb. 2009), available at . The title is Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, by Robert Gellman.

The Consumer Federation of America's (CFA) report, Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America Retreat on Cloud Computing emerged from a retreat that CFA held in June 2010 which brought together representatives from consumer and privacy organizations, academia, government and business from the United States and Europe.  The report may be read at