Sharding as a Method of Data Storage

A Legal Research Regarding Implementation of Decentralized Data Storage Instead of Traditional Cloud

Master Thesis International Business Law

Writer: Maryam Afra
SNR: 2021688
Master: International Business Law
Year: 2019
Supervisor: I. Skultétyová


Acknowledgments:

Praise be to God, the Most Compassionate, the Most Merciful, for giving me the strength and persistence to accomplish my study.

First and foremost, I would like to express my sincere and deepest gratitude to my supervisor Ivona Skultétyová, whose advice, encouragement, stimulating suggestions and useful remarks helped me all the time during the writing of this dissertation. It would have been impossible to finish this thesis without her tremendous support.

Furthermore, I would like to thank my family and friends for their continuous and unparalleled love, help and support. I am forever indebted to my parents for giving me the opportunities and experiences that have made me who I am.

Last but definitely not least, I would like to illustrate my appreciation to all staff members of the department of business law for their endless cooperation and kind help during my study period.

Enjoy reading my master thesis,

Maryam Afra
Tilburg, June 2019


Table of contents:

Introduction

Background

Problem Statement

Research Questions

Chapter 1: What Should Be Defined As Sharding And What Its Potential Role With Regard To Blockchain?

1.1: Introduction To Sharding

1.2: An Insight Into Sharding Method

1.2.1: Background

1.2.2: What Drives The Need For Sharding

1.2.3: How Sharding Plans To Solve This Issue?

1.2.4: Possible Challenges And Limitations Associated With Sharding

1.2.5: Implementation Of Sharding For Data Storage

Conclusion

Chapter 2: An Insight Into Cloud Computing With Regard To Its Legal Issues

2.1: Technical, Non-Technical And Legal Issues

2.1.1: Technical Issues

2.1.2: Non-Technical Issues

2.1.3: Legal And Regulatory Issues

2.2: Potential Legal Issues Arising From Cloud Computing

2.2.1: Security And Privacy Issue

2.2.2: Regulatory Compliance

2.2.3: Contractual Concerns

2.2.4: Cloud Computing Standardization

2.2.5: Data Location And Governing Law

Conclusion

Chapter 3: Sharding As An Alternative Cloud Computing Solution

3.1: Revolutionary Decentralized Data Blockchain-Based Platform

3.2: A Brief Comparison Between Blockchain And Cloud Computing

3.2.1: Blockchain And Security

3.2.2: Blockchain-GDPR Compliance

3.2.3: Contractual Concerns

3.2.4: Does Blockchain Address The Issue Of Costly Data Storage In Cloud Computing?

Conclusion

Bibliography


Introduction

Background

As time goes by, technology shows its impact on various sectors of our lives. Ever since Satoshi Nakamoto published an invention called Bitcoin in 2009, cryptocurrency has had its ups and downs.[1] While most people have heard about the blockchain in tandem with the rise of Bitcoin, it should be taken into account that blockchain can be used in various ways and should not be limited to the sphere of cryptocurrencies.[2] As far as business activities are concerned, the growing consensus among business leaders and entrepreneurs is that the future of blockchain technology will be about a lot more than Bitcoin.[3] Once business people understand the blockchain, the next question is how they can apply this fresh technology in the most efficient way to improve their day-to-day tasks.[4] While there have been numerous debates over some advantages of blockchain such as smart contracts, less attention has been paid to the potential impact which blockchain can have on data storage. In the traditional way of data storage, people used to store their data on hard drives in a computer. Since the advent of cloud computing, the way businesses store their data has changed remarkably. In contrast to what people used to do in the past, today this new service enables people to access the same facilities through the internet.[5]

Moreover, not only has there been an increase in the number of companies which offer this service to their customers, but the number of businesses and companies which rely on this service has also increased. Cloud service providers, or CSPs for short, are companies that offer network services, infrastructure, or business applications in the cloud. The cloud services are hosted in a data center that can be accessed by companies or individuals using network connectivity.[6]

More specifically, CSPs provide customers with various services, such as Software as a Service (SaaS); a computing platform for developing or hosting applications, known as Platform as a Service (PaaS); or an entire networking or computing infrastructure, known as Infrastructure as a Service (IaaS).

[1] John Rampton, '5 Applications For Blockchain In Your Business' (The Economist-Executive Education Navigator, ) Accessed 5 March 2019
[2] Adamc Uzialko, 'Beyond Bitcoin: How Blockchain Is Improving Business Operations' (Business News Daily, December 4, 2017 06:00 PM EST) Accessed 5 March 2019
[3] Parth Misra, '5 Ways Blockchain Technology Will Change The Way We Do Business' (Entrepreneur Europe, March 20, 2018) Accessed 5 March 2019
[4] Laura Shin, 'Looking To Integrate Blockchain Into Your Business? Here's How' (Forbes, May 10, 2016, 08:00am) Accessed 5 March 2019
[5] Salesforce UK, 'Why Move To The Cloud? 10 Benefits Of Cloud Computing' (Sales Force, 17 November 2017) Accessed 5 March 2019
[6] 'What Are Cloud Service Providers?' (Sdxcentral, ) Accessed 5 March 2019

These divisions, however, are not always definite and clear, because some CSPs offer their cloud service in multiple forms. For example, you might go to a cloud provider such as Rackspace, which started as a web hosting company, and buy either PaaS or IaaS services. Many cloud providers are focusing on specific verticals, such as hosting health care applications in a secure IaaS environment.[7] With regard to CSP pricing policy, it should be taken into account that most CSPs offer their service on a subscription-based model, which means customers pay a fixed fee on a monthly or annual basis. After reaching a consensus about the price, the CSP and the customer conclude an agreement that defines both parties' duties and responsibilities.[8]

Typically, customers consider their demand and purchase only the services they really require, in order to avoid any extra cost for the company. Some CSPs offer their services in one package, in the form of a bundle. So it is necessary for customers to figure out what exactly they need for their business and what would be an extra cost for the company.[9]

Problem Statement

One may ask what causes these companies to use this service when there is always a possibility for them to manage this requirement internally, without exposing their sensitive data to strangers. Some reasons are as follows:

1. The main reason behind this rising demand is efficiency and economies of scale. Rather than individuals and companies building their own infrastructure to support internal services and applications, the services can be obtained from the CSP, which provides the services for a huge number of customers from a shared infrastructure.[10]

2. Using this service will remarkably decrease maintenance costs. Especially as far as small to medium-sized businesses are concerned, setting up a full-time IT department is not logical, as they usually have a simple networking system.[11] Moreover, as companies using a CSP's service are only obliged to pay a fixed monthly price, they will be able to predict better the amount of money they want to invest in IT and consequently to organize their budget plan more wisely.[12]

[7] 'What Are Cloud Service Providers?' (Sdxcentral, ) Accessed 5 March 2019
[8] 'Managed Service Providers: How Do They Benefit Businesses?' ( , ) Accessed 5 March 2019
[9] Ibid.
[10] 'What Are Cloud Service Providers?' (Sdxcentral, ) Accessed 5 March 2019
[11] '10 Benefits Of Cloud Managed Services Providers' (Agile It, January 17, 2018) Accessed 5 March 2019

3. CSP services mean that companies are no longer obliged to spend time training IT personnel whenever a new technology or required upgrade is released. As cloud service providers are fully prepared to manage this situation, it is logical to use their service instead of spending the company's time on such things. Usually, CSPs offer a robust network infrastructure with 24/7 monitoring. Depending on the content of the agreement between customer and provider, they can also offer monitoring and scanning of the network for patch requirements[13] and security.[14]

4. As far as disaster recovery is concerned, cloud service providers have designed numerous networks and data centers with a high level of redundancy and resiliency to maintain business continuity. They can assure customers that their data remains completely safe and secure throughout the cloud service. In case of any disaster, there will always be a possibility of recovering all the data, and companies will experience only minor issues.[15] It should be taken into account that not every cloud provider offers recovery solutions alongside its service. So companies intending to use this service need to search thoroughly for providers which possess a reliable backup system and can ensure the security of all stored data in the best possible way. Some leading CSPs offer backups at multiple locations, which means multiple copies of the data are stored in various data centers. This approach significantly decreases the chance of a disaster recovery incident, because if one copy is completely damaged, the customer still has access to its data.[16]

While it cannot be denied that CSPs have provided companies and businesses with various advantages, there are also some negative aspects, as follows:

1. First and foremost, traditional cloud storage works by allowing you to upload your data to a cloud. Once the data is uploaded, the service provider transfers and saves all information inside its data center. The customer can then access the data at any time by sending a request to the data center and waiting to receive the data back. Most of the time, the data center will not be in the same location as the customer. Consequently, there will be some delay in delivery, something that does not work well in an age where users expect fast access to their information and any kind of delay is hardly tolerated.[17]

[12] Ibid.
[13] A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually being called bug fixes, and improving the usability or performance.
[14] '10 Benefits Of Cloud Managed Services Providers' (Agile It, January 17, 2018) Accessed 5 March 2019
[15] Ibid.
[16] Many Benefits Of Using Cloud Backup Service From A Reliable And Reputed Service Provider, Mansi Singh, Available At Https://Www.Youtube.Com/Watch?V=-Jgkhnasxac, Accessed 5 March 2019

2. Another remarkable challenge facing current data storage mechanisms is their safety. While major service providers have put rigorous measures in place and assure their customers that their data will be kept safe and secure, it cannot be denied that human errors are inevitable. While some suggest that customers need to request security guarantees in order to avoid any undesirable outcome, this considerably alters the pricing pattern, because it imposes a higher amount of risk on providers. Eventually, the customer will be obliged to pay a higher fee to receive this extra service.[18]

3. Finally, it should be taken into account that human errors are not the only factor posing a threat to customer privacy. Most CSPs offer their service and design their privacy policies in a manner that still allows them to access and share personal data legally.[19] CSPs mostly position themselves as not liable in case of a security breach, which is quite common. They follow this policy in order to escape any responsibility which would force them to pay damages to their clients.[20]

All in all, blockchain has been introduced to address these negative aspects of using CSP services. According to the global research firm Gartner, the business value of blockchain technology will reach nearly $200 billion by 2025, while a significant portion of this value will be obtained through data storage.[21]

In addition, while it cannot be denied that the market for blockchain is still in its early stages, the number of companies creating blockchain-based data storage has increased remarkably, in order to provide customers with full control over their personal data. Some people engaged in blockchain technology, such as Antonio Verdon (co-founder of Proxeus, a Swiss-based startup), believe that in the near future traditional cloud storage will be completely replaced by blockchain technology.[22]

[17] Katalyse Io, 'Why Blockchain Is The Future Of Data Storage' (Medium, 8 July 2018) Accessed 6 March 2019
[18] Joe Clabby, 'The Problem With Cloud Service Providers And Security SLAs' (Computerworld, February 05, 2015 10:42 AM PT) Accessed 6 March 2019
[19] Katalyse Io, 'Why Blockchain Is The Future Of Data Storage' (Medium, 8 July 2018) Accessed 6 March 2019
[20] Joe Clabby, 'The Problem With Cloud Service Providers And Security SLAs' (Computerworld, February 05, 2015 10:42 AM PT) Accessed 6 March 2019
[21] Rachel Wolfson, 'Blockchain-Based Data Storage Solutions Help Secure User Data' (Forbes, Sep 25, 2018, 09:00am) Accessed 8 March 2019
[22] Ibid.

The advantages of implementing blockchain compared to traditional cloud storage are as follows:

1. In a decentralized blockchain network, data files are broken apart and spread across multiple nodes. This process is called sharding. These files are encrypted with a private key, which makes it impossible for any other node participating in the network to look at the file. Sharding ensures that the stored pieces are just a fraction of the original file, which means reading the entire content is impossible.[23] This matter will be discussed in more detail in the following chapter.

2. Blockchain's main intention is to put full control of the data in the hands of the owner, so data in the blockchain remains extremely secure and safe. More precisely, data is broken down into chunks which are then managed and monitored by users. If the person who intends to access the data is not a member, he or she cannot reach the data at all. The reason is that every user has a private key required for accessing the data, and nobody else has this key. Consequently, nobody can alter any part of the data unless the person is a user and has full access to the data stored in the system.[24]

3. Moreover, as mentioned before, with the sharding method data is divided into various parts and distributed throughout the network. As a result, retrieving data is much easier and faster than in the traditional cloud, where data is stored intact and in only one single location. This method significantly increases the speed and scalability of the data to be stored.[25]

However, this method is also associated with some drawbacks, such as:

1. It cannot be disputed that blockchain is still in its early stages of development. Gartner has predicted that all the blockchain platforms implemented in 2021 will require “replacement within 18 months in order to remain competitive and secure and avoid obsolescence”.[26]

2. According to Michael Widenius (the main author of the original version of the open-source MySQL), cryptocurrencies such as Bitcoin use blockchain technology as a distributed ledger to ensure all the data remains secure, but as far as data storage is concerned, this approach is inefficient, slow and impractical for general data storage. In his view, a blockchain is a list of blocks which are linked together using cryptography. As far as data storage is concerned, this method could be used as a proof that nobody has altered the data.[27]

[23] Ibid.
[24] Tim, 'Benefits Of Blockchain For Data Storage' (Nano Etx Express, 25 April 2018) Accessed 8 March 2019
[25] Ibid.
[26] Rachel Wolfson, 'Blockchain-Based Data Storage Solutions Help Secure User Data' (Forbes, Sep 25, 2018, 09:00am) Accessed 8 March 2019

3. Finally, as Vitalik Buterin, the founder of Ethereum, puts it, the blockchain platform is far from taking the place of cloud computing, due to the scalability issues with which it is struggling. But this claim does not deny the fact that, as time passes and technology develops, the blockchain might completely transform the whole data storage industry.[28]

Research Question

Overall, while it cannot be denied that, given the theories indicating potential drawbacks of blockchain applications, we should not expect a rapid shift from centralized to distributed services, this does not change the fact that blockchain technology is capable of transforming the whole data storage industry. It is only a matter of time before we can say goodbye to the big centralized oligopolies that have failed to enable us to make the most of our data.[29] This thesis aims to answer the main research question: To what extent can sharding be superior to cloud computing services in terms of addressing the legal risks related to the outsourced storage of data and other business processes?

In order to answer this main research question, we also need to answer the following sub-questions:

1. In case of replacement, what are its potential impacts on the data storage industry?

2. How can businesses such as law firms benefit from this potential shift by structuring their business model based on this new approach?

[27] Ibid.
[28] Sadie Williamson, 'The Blockchain Is Here To Make Cloud Computing Better' (Information Age, 4 June 2018) Accessed 9 March 2019
[29] Zack Herbert, 'Why Are The Future Of Cloud Storage' (Sia, 6 February 2017) Accessed 12 March 2019

Chapter 1: What Should Be Defined As Sharding And What Its Potential Role With Regard To Blockchain?

1.1: Introduction To Sharding

This chapter will first define some terms relating to blockchain technology, including the sharding method, and will then examine the implications of sharding and its practical usage, both with regard to the scalability issue and from the perspective of data storage.

It cannot be denied that, over the past decades, cryptocurrencies have progressed remarkably, and those such as Bitcoin and Ethereum are becoming more and more popular.[30] To understand how cryptocurrencies work, some terms should first be clarified, as follows:

1. Public ledger: historically, the public ledger derives from a record-keeping mechanism that was used to keep and display information to the public regarding matters such as agricultural commodity prices and news.[31] Because blockchain-based cryptocurrencies apply the same system for keeping their records, the name was also adopted for cryptocurrencies. A public ledger is quite similar to a bank record. The transaction details on a cryptocurrency network are approved by the two transaction participants, while there is no one to monitor the whole process and there is no possibility of knowing the identity of either participant.[32] A blockchain is a form of public ledger on which the details of each transaction are recorded once they are verified and validated by suitable participants (miners). In the next step, the confirmed transactions are stored on the network. Once the capacity of a block is filled, new blocks are mined and added to the network by miners.[33]

2. Block: simply put, blocks are batches of transactions which are confirmed and subsequently shared on the blockchain.[34] Blocks on a blockchain are made up of digital information: they store information about the transactions mined by miners, details of the parties to each transaction and, finally, some information which distinguishes them from other blocks.[35]

[30] Ameer Rosik, 'Blockchain Scalability: When, Where, How?' (Block Geeks, 2017) Accessed 14 March 2019
[31] Shobhit Seth, 'What Is A Cryptocurrency Public Ledger?' (Investopedia, 25 April 2018) Accessed 14 March 2019
[32] Ibid.
[33] Ibid.
[34] Grace Caffyn, 'What Is The Bitcoin Block Size Debate And Why Does It Matter?' (Coindesk, Aug 21, 2015 At 15:11 UTC) Accessed 14 March 2019
[35] Luke Fortney, 'Blockchain, Explained' (Investopedia, 1 May 2019) Accessed 15 March 2019

3. Mining: in the world of cryptocurrencies, mining refers to the system applied for assessing and validating transactions made throughout the blockchain.[36] In order to attract people to do this work, the idea of mining was introduced by Satoshi Nakamoto: people who invest their effort, computational skills and time in processing Bitcoin transactions and determining the result of a hashing algorithm are rewarded with some free tokens.[37] Going deeper, proof of work refers to a requirement for an expensive computational calculation (called mining) that is performed in order to create a new series of trustless transactions on the blockchain network.[38] Briefly, the process is as follows:

   1. Transactions are bundled together in a block.
   2. Miners examine each transaction to verify its legitimacy.
   3. Miners must solve mathematical puzzles known as proof of work to do their task.
   4. In the next step, confirmed transactions are stored in the public blockchain.[39]

4. Nodes: a node is a device on the blockchain network. A node can be any type of electronic device, such as a computer, as long as it is connected to the internet. A node supports the blockchain by maintaining a copy of all data available on the platform and, in some cases, by processing transactions.[40]

5. Sharding: this term refers to a type of data partitioning that separates a very large database into smaller parts called shards. The word shard means a small part of a whole. From a technical perspective, sharding is used to refer to any type of database partitioning that is meant to make a very large database more manageable.[41]

[36] 'What Is Mining' (Cryptocraze, ) Accessed 15 March 2019
[37] Ibid.
[38] Ameer Rosik, 'Proof Of Work Vs Proof Of Stake: Basic Mining Guide' (Block Geeks, 2017) Accessed 20 March 2019
[39] Ibid.
[40] 'What Is A Node' (Lisk, ) Accessed 20 March 2019
[41] Margaret Rouse, 'What Is Sharding' (Search Oracle, December 2011) Accessed 22 March 2019

1.2: An Insight Into Sharding Method

1.2.1: Background

It cannot be denied that over the past years blockchain has gained enormous popularity, especially among companies and start-ups. In fact, 84% of company executives have claimed that their companies are actively engaged in this trending technology.[42] While it is widely believed that blockchain has been one of the greatest inventions in the sphere of technology, its increasing popularity, especially with regard to cryptocurrencies such as Bitcoin or Ethereum, has given rise to concerns regarding scalability. According to the report, 40% of company executives consider scalability a major problem for enterprise implementation. Conversely, only 7% of those surveyed believed that scalability is a major issue for their business.[43] Given this, it is not much of a surprise that more than 60% of executives have claimed blockchain has been more complex than they thought at first.[44] Given that in the modern era speed comes first, it seems that if scalability remains unsolved, this technology will become obsolete sooner than previously thought.

1.2.2: What Drives The Need For Sharding?

The increasing popularity of blockchain-based cryptocurrencies has made scalability a primary and urgent concern.[45] With more tokens, users, investors, exchanges and startups involved in blockchain, scalability has turned into a primary and urgent issue requiring immediate attention.[46]

Overall, the two main scalability issues regarding cryptocurrencies are as follows:

A. The length of time usually taken to put a transaction into a block (TPS)

B. The time for reaching consensus[47]

A: Transactions Per Second

TPS is a commonly used term in the cryptocurrency world. It denotes the number of transactions processed completely per second through the blockchain system. TPS determines how fast a blockchain is able to process transactions. A high TPS leads to faster validation of transactions.[48]

[42] Gerald Fenech, 'Scalability On The Blockchain - Is There A Solution?' (Forbes, Dec 16, 2018, 10:00am) Accessed 22 March 2019
[43] Ibid.
[44] Ibid.
[45] Kyle Croman And Others, 'On Scaling Decentralized Blockchains' [ ] 16( ) Accessed 25 March 2019
[46] Bit Rewards, 'Blockchain Scalability: The Issues, And Proposed Solutions' (Medium, 25 April 2018) Accessed 23 March 2019
[47] Ameer Rosik, 'Blockchain Scalability: When, Where, How?' (Block Geeks, 2017) Accessed 14 March 2019
[48] Bitcoin Exchange Guide News Team, 'Transactions Per Second (TPS): Cryptocurrency And Blockchain Importance Examined' (Bitcoin Exchange Guide, 2 September 2018) Accessed 24 March 2019

Comparing Bitcoin and Ethereum with mainstream systems such as PayPal, it can be observed that while Visa can process around 1700 transactions per second on average,[49] the maximum capacity of Bitcoin and Ethereum is estimated at 7 and 15-25 respectively.[50] As can be observed, the low rate of transaction processing has caused a scalability issue which might eventually lead to a bad future for blockchain technology. But the main question is: what causes TPS to be so low? Various reasons contribute to the low TPS rate. We examine the potential reasons for two major blockchain-based cryptocurrencies, Ethereum and Bitcoin.

I. Ethereum

This currency is unable to increase its TPS rate due to the gas limit.

1. Gas

Generally speaking, gas is a unit used to measure the amount of computational effort required for operations. A specific amount of gas is assigned to each function. For instance, if a miner intends to add two numbers, it will cost 3 gas, and sending a transaction will cost 21000 gas.[51] As another illustration, suppose Alice has issued a smart contract for Bob. Bob sees that the elements in the contract will cost X amount of gas, gas meaning the amount of computational effort on Bob's part. Accordingly, he will charge Alice for the amount of gas he used up.[52] Some platforms such as MEW offer a default suggested gas limit for each transaction.[53] Since computation is expensive (mind that it has to be done by every full node in the network), excessive consumption of gas needs to be discouraged.[54]

2. Transaction Gas Limit

To prevent excessive consumption of gas by miners, each transaction has a gas limit that states how much gas the sender intends to buy. If, during execution, the amount of gas used is equal to or less than the gas limit, the transaction is processed. If the total gas exceeds the gas limit, all changes are reverted.[55] This mechanism makes the platform remarkably slower and less efficient and results in a huge amount of time and effort being wasted. Additionally, miners are the people who get their hands dirty to get the job done on the blockchain. They are always looking for incentives. Miners earn a percentage of every fee paid for blockchain transactions when they add/mine a block successfully. A high gas price will entice a miner to work on a transaction and hash a new block. Except when transactions are in short supply, low gas limits will drive a transaction to the bottom of the waiting list.[56]

[49] Li Kenny, 'The Blockchain Scalability Problem & The Race For Visa-Like Transaction Speed' (Hackernoon, 30 January 2019) Accessed 14 March 2019
[50] Daniel Frumkin, 'Transactions Per Second And Consensus Mechanisms Of The Top 50 Cryptocurrencies' (Invest In Blockchain, 8 April 2019) Accessed 20 April 2019
[51] Https://Bitcoin.Stackexchange.Com/Questions/39132/What-Is-Gas-Limit-In-Ethereum> Accessed 15 March 2019
[52] Ameer Rosik, 'Blockchain Scalability: When, Where, How?' (Block Geeks, 2017) Accessed 16 March 2019
[53] Catalin Zorzini, 'What Are Gas Limit And Gas Price For Ethereum Transactions?' (Unblock, 20 February 2018) < Https://Ethical.Net/Unblock/What-Are- Gas-Limit-And-Gas-Price Accessed 30 March 2019
[54] Https://Bitcoin.Stackexchange.Com/Questions/39132/What-Is-Gas-Limit-In-Ethereum> Accessed 15 March 2019

Source: blockgeeks.com/guides/blockchain-scalability/

3. Block Gas Limits

This term refers to the maximum amount of gas allowed in a block, which determines how many transactions can be accommodated in a specific block. For example, if 5 transactions with gas limits of 10, 20, 30, 40 and 50 are requested to be mined and the block gas limit is 100, only the first four transactions fit in the block. So in each case the miner needs to examine the capacity of the block and decide whether a transaction can be put in the block or not. This takes a considerable amount of time and can be considered a reason for the scalability issue.[57]
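The transaction gas limit and the block gas limit described above, as an added example that is not part of the original thesis. The ADD cost (3) and the base transaction cost (21000) are the figures quoted in the text, and the block-packing input is the text's own 10/20/30/40/50 case; the STORE cost, the gas prices and the transaction names are assumed. The example also shows one point the text does not state: in Ethereum a transaction that runs out of gas is reverted but still pays for the gas it bought.

```python
from dataclasses import dataclass, field

# Costs quoted in the text: adding two numbers = 3 gas, sending a transaction = 21000 gas.
# The STORE cost is an assumed value for this example.
BASE_TX_GAS = 21000
OP_GAS = {"ADD": 3, "STORE": 20000}


@dataclass
class Tx:
    name: str
    gas_limit: int                 # maximum gas the sender is willing to buy
    gas_price: int = 1             # fee per unit of gas offered to the miner (assumed unit)
    ops: list = field(default_factory=list)   # e.g. [("STORE", "x", 5), ("ADD", "x", 2)]


@dataclass
class Receipt:
    success: bool
    gas_used: int
    fee: int


def execute(tx, state):
    """Apply tx to `state`; if the gas limit is exceeded, revert every change."""
    if tx.gas_limit < BASE_TX_GAS:
        raise ValueError("gas limit below the base cost: transaction is not accepted")
    working = dict(state)          # changes go to a scratch copy first
    used = BASE_TX_GAS
    success = True
    for op, key, value in tx.ops:
        used += OP_GAS[op]
        if used > tx.gas_limit:    # total gas exceeds the gas limit: stop
            success = False
            break
        if op == "STORE":
            working[key] = value
        elif op == "ADD":
            working[key] = working.get(key, 0) + value
    if success:
        state.update(working)      # commit the changes
    else:
        used = tx.gas_limit        # reverted, yet all gas bought is consumed
    return Receipt(success, used, used * tx.gas_price)


def pack_block(pending, block_gas_limit, by_price=False):
    """Choose transactions whose gas limits fit into the block gas limit.

    by_price=False keeps arrival order; by_price=True lets the miner take the
    highest gas price first, which is the incentive the text describes.
    """
    queue = sorted(pending, key=lambda t: -t.gas_price) if by_price else list(pending)
    chosen, left_out, budget = [], [], block_gas_limit
    for tx in queue:
        if tx.gas_limit <= budget:
            chosen.append(tx.name)
            budget -= tx.gas_limit
        else:
            left_out.append(tx.name)
    return chosen, left_out


# The text's example: five transactions, block gas limit 100 (toy numbers).
PENDING = [Tx("t1", 10), Tx("t2", 20), Tx("t3", 30), Tx("t4", 40), Tx("t5", 50, gas_price=9)]

if __name__ == "__main__":
    state = {}
    print(execute(Tx("ok", 41010, 2, [("STORE", "x", 5), ("ADD", "x", 2)]), state), state)
    print(execute(Tx("oog", 41002, 2, [("STORE", "y", 1), ("ADD", "x", 100)]), state), state)
    print(pack_block(PENDING, 100))
    print(pack_block(PENDING, 100, by_price=True))
```
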

II. Bitcoin

With regard to Bitcoin, a transaction is made when a miner puts the transaction data in a block, and then the transaction is complete. For instance, suppose A plans to send 4 BTC to B. To do so, A sends the transaction data to a miner, the miner puts the data in a block, and the process is finished.[58] The process seems quite easy, but it should be taken into account that as Bitcoin gets more popular and a higher proportion of users become engaged, the process gets more complicated and time-consuming. Besides, when Bitcoin was introduced in 2009, the maximum size of each block was only 1 MB. Although this was designed to keep Bitcoin safe, the founders were not completely aware that over time the number of transactions recorded in each block would increase.[59] This feature brings about many issues, such as the scalability problem. In 2017 there was a huge conflict between those who advocated increasing the Bitcoin block size and those who believed it should remain at 1 MB. Eventually, those in favour of a larger block size turned to “Bitcoin Cash”, which was planned to increase the block size.[60] Bitcoin Cash developers believe that with a larger block size a larger number of transactions can be processed, which increases the TPS rate, makes the blockchain more efficient and solves its scalability issue.[61] According to the report, while the idea was extremely logical, in practice it turned out that BCH has never mined a block that is 8 MB in size.[62] According to LongHash, the largest block which BTC has mined has been only 171 kb, which constitutes only 2.1% of the BCH limit (8 MB).[63]

[55] Hudson Jameson, 'Accounts, Transactions, Gas, And Block Gas Limits In Ethereum' (Hudson Jameson, 27 June 2017) Accessed 30 March 2019
[56] Catalin Zorzini, 'What Are Gas Limit And Gas Price For Ethereum Transactions?' (Unblock, 20 February 2018) < Https://Ethical.Net/Unblock/What-Are- Gas-Limit-And-Gas-Price/ > Accessed 30 March 2019
[57] Hudson Jameson, 'Accounts, Transactions, Gas, And Block Gas Limits In Ethereum' (Hudson Jameson, 27 June 2017) Accessed 30 March 2019
[58] Ameer Rosik, 'Blockchain Scalability: When, Where, How?' (Block Geeks, 2017) Accessed 14 March 2019

B. The Issue Of Consensus

At the moment, all blockchain-based cryptocurrencies are designed to function as a peer-to-peer network, and participants, also known as nodes, are not given any extra privileges. The blockchain offers a decentralized system in which there is no central authority to monitor the network.64 But the question is: without a governing body to monitor everything, how will the nodes become aware that a new transaction has been made? The answer lies in the gossip protocol. Suppose A sends 3 ETH to B. Once the transaction has been made, the nodes nearest to A transmit this information to their neighbors, and this cycle continues until all nodes are aware of the transaction.65 The problem is that, because the blockchain is structured as a trustless system, the fact that node A says a transaction is valid does not mean that node B believes it. Every node carries out its own verification and uses its copy of the blockchain to help it do so. As can be observed, this method of reaching consensus makes the system very slow.66

59 Connor Blenkinsop, 'Blockchain’s Scaling Problem, Explained' (Cointelegraph, 22 August 2018) Accessed 1 April 2019
60 David Canellis, 'Bitcoin Cash Has Failed To Make Use Of Its 8mb Block Size, Analysts Say' (Tnw, ) Accessed 1 April 2019
61 Utkarsh Anand, 'Bitcoin Cash: Does It Solve Problems Or Create More?' (Bitsonline, 17 October 2017) Accessed 1 April 2019
62 David Canellis, 'Bitcoin Cash Has Failed To Make Use Of Its 8mb Block Size, Analysts Say' (Tnw, ) Accessed 1 April 2019
63 Ibid.
64 Ameer Rosik, 'Blockchain Scalability: When, Where, How?' (Block Geeks, 2017) Accessed 14 March 2019
65 Ibid.

1.2.3: How Sharding Plans To Solve This Issue?

The main question is whether a decentralized blockchain can be scaled up to match the performance of a mainstream payment process, and which approach should be taken to reach that goal. In practice, the projects that intend to apply sharding as a scalability solution are Ethereum, Zilliqa and Cardano. Ethereum has been developing a sharding solution for a long time now, and Zilliqa recently postponed its mainnet launch until somewhere in 2019, which makes one wonder whether we have the time to wait for sharding to be fully developed in order to solve the scalability issue. There are some rumors going around that sharding will be applied in the Ethereum blockchain in 2020.67

Simply put, sharding is a scaling strategy by which the information from the general database is divided into blocks and spread across various servers, which are called shards. The process of using this strategy is called sharding.68 Through sharding, data is split into various sections named shards. By distributing the data among multiple machines, a cluster of database systems can store a larger dataset and handle additional requests. Sharding is necessary if a dataset is too large to be stored in a single database. Moreover, many sharding strategies allow additional machines to be added. Sharding allows a database cluster to scale along with its data and traffic growth.69

This method is described as horizontal partitioning. The distinction between horizontal and vertical comes from the traditional tabular view of a database.70 The traditional approach to database architecture implements vertical scaling, which means splitting the database into a number of columns and keeping them separately in physical or logical groupings.71 This leads to a scalability issue. To solve it, the data sharding method was introduced, by which databases are scaled horizontally instead of vertically, by splitting the database into shards and spreading those across a number of vertically scalable servers.72

1.2.4: Possible Challenges And Limitation Associated With Sharding

66 Ibid.
67 Linda Willemse, 'Solving The Blockchain Scalability Issue: Sharding V’s Sidechains' (Blockdeltaio, 4 October 2018) Accessed 1 April 2019
68 Https://En.Bitcoinwiki.Org/Wiki/Sharding
69 Jeeyoung Kim, 'How Sharding Works' (Medium, 5 December 2014) Accessed 2 April 2019
70 Ibid.
71 Krishna Prasad, 'Sharding, Scaling, Data Storage Methodologies, And More: Insights On Big Data' (D Zone, 5 December 2014) Accessed 2 April 2019
72 Ibid.


1. Technical Issues

a) Network Sharding: The first and foremost challenge in sharding is the creation of shards. A mechanism will need to be developed to determine which nodes reside in which shard in a secure way, in order to avoid possible attacks from someone who gains a lot of control over a particular shard.73

b) Shard Exhaustion: Shards are often fixed-size. If data is continually written to a fixed-size shard, or a particular value becomes too large, the shard will exceed its capacity. Imagine a User object that stores the social network for a popular user: it could have millions of entries, which could easily blow out the resources for a shard.74

c) Inter-Shard Communication Issue: Contrary to inter-node communication, which is relatively easy, communication between shards needs the development of a different protocol. However, this protocol is still in its infant stages, and without it inter-shard communication would be ineffective. Therefore, many technical hurdles prevent sharding-associated blockchain from becoming a widely adopted phenomenon.75

If you segment the blockchain and become part of one shard, it becomes nearly impossible to interact with a different shard without adding a separate protocol.76 If a user from one shard wants to transact with a user from a different shard, a different protocol needs to be established for this type of transaction.77 Additionally, to prevent any type of double spending, you must lock your funds into a specific shard, restricting your interaction to those in the shared shard.78

To ensure security, the network randomly repositions nodes from various shards. The network must be able to facilitate communication within the nodes of a shard and within all the shards in the network and the communication layer enables this.79
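The horizontal partitioning described in section 1.2.3 and the shard exhaustion problem listed under the technical issues above can be seen in a small simulation. This Python sketch is an added example, not code from the thesis or its sources; the class `ShardedStore`, the function `simulate`, the four shards, the capacity of 500 rows and the user names are all hypothetical values constructed for illustration.

```python
"""Added illustration: key-based horizontal partitioning and the
exhaustion of a fixed-size shard by one very popular key."""
import hashlib


class ShardedStore:
    """Routes each row to one of several fixed-capacity shards by hashing
    its shard key (here a user id). All names and sizes are hypothetical."""

    def __init__(self, num_shards, capacity_per_shard):
        self.capacity = capacity_per_shard
        self.shards = [[] for _ in range(num_shards)]
        self.rejected = 0  # writes refused because the target shard was full

    def shard_for(self, key):
        # The same key always hashes to the same shard, so every row of one
        # user lands on one machine, however many rows that user has.
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        return int.from_bytes(digest[:8], "big") % len(self.shards)

    def write(self, key, row):
        shard = self.shards[self.shard_for(key)]
        if len(shard) >= self.capacity:
            self.rejected += 1
            return False
        shard.append((key, row))
        return True

    def read(self, key):
        # Only the owning shard is consulted, never the whole data set.
        return [row for k, row in self.shards[self.shard_for(key)] if k == key]

    def utilisation(self):
        # Fill ratio per shard; a monitoring job would alert on skew here.
        return [len(s) / self.capacity for s in self.shards]

    def exhausted_shards(self):
        return [i for i, s in enumerate(self.shards) if len(s) >= self.capacity]


def simulate(hot_rows, ordinary_users=1000, num_shards=4, capacity=500):
    """Constructed workload: many users with one row each, plus one popular
    user whose `hot_rows` entries all map to a single shard."""
    store = ShardedStore(num_shards, capacity)
    for i in range(ordinary_users):
        store.write(f"user-{i}", "profile")
    for i in range(hot_rows):
        store.write("popular-user", f"follower-{i}")
    return store


if __name__ == "__main__":
    store = simulate(hot_rows=600)
    print("fill ratio per shard:", [f"{u:.0%}" for u in store.utilisation()])
    print("exhausted shards:", store.exhausted_shards())
    print("rejected writes:", store.rejected)
```

Total capacity here is 2,000 rows for 1,600 writes, yet writes are still refused, because capacity is enforced per shard and not across the cluster.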

2. Security Issues

It should be taken into account that although sharding has considerably solved the issue of scalability, this method will remarkably decrease the level of security in a blockchain system. In this case, the implementation of sharding can be described as a trade-off between scalability and security. The problem is that, while sharding increases the TPS rate, the amount of computational resources for each transaction noticeably decreases.80

73 Yaoqi Jia, 'Op Ed: The Many Faces Of Sharding For Blockchain Scalability' (Bitcoin Magazine, 20 March 2018) Accessed 4 April 2019
74 'Troubles With Sharding - What Can We Learn From The Foursquare Incident?' (D Zone, 15 October 2010) Accessed 2 April 2019
75 Saketkumar Singh, 'Guide: What Is Sharding In The Blockchain?' (Bittpress, 8 November 2018) Accessed 6 April 2019
76 Unicorn, 'Is Sharding The Answer For Scaling Blockchains?' (Blockchain Wtf, 5 January 2019) Accessed 6 April 2019
77 Anca Faget, 'Blockchain 101: What Is Sharding In Blockchain?' (Coindoo, 19 May 2019) Accessed 23 May 2019
78 Unicorn, 'Is Sharding The Answer For Scaling Blockchains?' (Blockchain Wtf, 5 January 2019) Accessed 6 April 2019
79 Romi Kumar, 'How To Use Sharding Without Sacrificing Security' (Bitcoin Insider, 05/02/2019 - 18:17) Accessed 7 April 2019

Simply put, because data is distributed between shards, an attacker can dominate a shard merely by gaining control of 1% of the network hash rate, whereas in a traditional system the attacker had to put in more effort and could reach that goal only after gaining control of 51%, or the majority, of the network hash rate. The difference is illustrated below:81

Figure 1+2: source: www.medium.com
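The trade-off between scalability and security described above, and the random repositioning of nodes mentioned under the technical issues, can be made concrete with a short calculation. This Python sketch is an added example, not part of the thesis or its sources; the 100-shard split, the even spread of honest hash rate across shards, and the figures of 10,000 nodes with 25% adversarial are assumptions chosen for illustration.

```python
"""Added illustration (not from the thesis or its sources): how sharding
changes the share of resources needed to control one shard."""
from math import comb


def attacker_share_in_shard(attacker_fraction, num_shards):
    """Share of one shard's hash rate held by an attacker who aims all of
    its power at that shard, assuming the honest hash rate is spread evenly
    over every shard. With one shard this is the unsharded case."""
    honest_in_shard = (1.0 - attacker_fraction) / num_shards
    return attacker_fraction / (attacker_fraction + honest_in_shard)


def min_fraction_for_shard_majority(num_shards):
    """Fraction of the total hash rate above which the attacker out-powers
    the honest miners of a single shard.
    Solve h > (1 - h) / k for h, which gives h > 1 / (k + 1)."""
    return 1.0 / (num_shards + 1)


def committee_capture_probability(total_nodes, adversary_nodes, committee_size):
    """Probability that a shard committee drawn uniformly at random, without
    replacement, contains a strict adversarial majority (hypergeometric
    tail). This models random assignment of nodes to shards, where the
    attacker cannot choose which shard its nodes end up in."""
    needed = committee_size // 2 + 1
    total = comb(total_nodes, committee_size)
    hits = 0
    for k in range(needed, min(adversary_nodes, committee_size) + 1):
        hits += (comb(adversary_nodes, k)
                 * comb(total_nodes - adversary_nodes, committee_size - k))
    return hits / total


if __name__ == "__main__":
    # Assumed figures: up to 100 shards, 10,000 nodes, 25% adversarial.
    for shards in (1, 10, 100):
        threshold = min_fraction_for_shard_majority(shards)
        print(f"{shards:>3} shard(s): one shard falls above "
              f"{threshold:.2%} of the total hash rate")
    share = attacker_share_in_shard(0.01, 100)
    print(f"1% of total hash rate aimed at 1 of 100 shards: {share:.1%} of it")
    for size in (10, 50, 100, 200):
        p = committee_capture_probability(10_000, 2_500, size)
        print(f"random committee of {size:>3}: capture probability {p:.3e}")
```

Under these assumptions the threshold for one of 100 shards is just under 1% of the total hash rate, while a randomly drawn committee of 100 nodes is far less likely to have an adversarial majority than a committee of 10.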

Another issue with sharding is that it adds programming and operational complexity to the application: the user loses the convenience of accessing the application’s data in a single location, and managing multiple servers adds operational challenges.82

1.2.5: Implementation Of Sharding For Data Storage

Traditional cloud storage services work as follows: You pay a monthly fee up front for a fixed amount of storage space. During the paid time, you can use any amount of storage space up to that limit. When your paid time expires, you have two choices: pay for another month or your files get deleted. Your cloud provider only keeps your files for as long as you keep paying. Blockchain cannot work on this model. A blockchain database must store data indefinitely, so the recurring payment model does not work. Data storage costs must be paid up front, and must cover not just that month but all the months and years to come.83

80 Hsiao Wei Wang, 'Ethereum Sharding: Overview And Finality' (Medium, 27 December 2017) Accessed 7 April 2019
81 Ibid.
82 Jeeyoung Kim, 'How Sharding Works' (Medium, 5 December 2014) Accessed 2 April 2019
83 Jamila Omaar, 'Forever Isn’t Free: The Cost Of Storage On A Blockchain Database' (Medium, 19 July 2017) Accessed 8 April 2019


It should also be taken into account that the fact that data remains in the blockchain system forever can be in contradiction with the GDPR. This matter will be discussed in the following chapters.

Furthermore, a data store hosted by a single cloud server constantly faces numerous limitations. For instance, although a cloud application is supposed to support a large number of users, a single server hosting the data store might not be able to manage all the users and provide the computational power required to support this load. This eventually leads to extended response times for users and frequent failures every time the application attempts to store and retrieve data.84 As mentioned in part 1.2.3, sharding can offer a practical solution to this issue.

Conclusion:

To conclude, sharding is an innovative method which not only can tackle the scalability issue, the major problem blockchain technology has been struggling with over the years, but also makes it possible for cloud operators to benefit from it in order to solve their systematic problems and scale up their business. However, as mentioned before, sharding has its own pros and cons, and anyone who intends to apply this method should first consider all the potential consequences and aspects and, based on the level of benefit it can provide, decide whether to implement it or not.

84 Masashi Narumoto And Others, 'Sharding Pattern' (Microsoft Azure, 23 June 2017) Accessed 9 April 2019


Chapter 2: An Insight Into Cloud Computing With Regard To Its Legal Issues

In recent years, due to the popularity and rapid growth of processing and storage technologies and the success of the Internet, computing resources have become cheaper, more powerful and more available than ever before. This technological trend is popularly known as cloud computing and has led to a new way of answering current and future information and communication technology requirements.85 With the advent of the cloud, the increasing number of cloud providers and the variety of service offerings have made the field difficult for researchers and pose numerous challenges to cope with. Over the past years, researchers have worked hard to introduce solutions for implementing the cloud computing mechanism not only in the business sector but also in other areas of IT infrastructure.86

It cannot be denied that cloud computing can be considered a remarkable revolution in the IT industry, as it has wholly transformed the way people store and keep their data. It has provided users with many opportunities not only to store their information but also to process it on demand. But the question is, what exactly can be defined as cloud computing? While there are plenty of definitions that try to describe this new trend, the one prepared by the NIST87 can be considered the most comprehensive explanation, as indicated below:

“A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”88

In terms of advantages, cloud computing is a way to increase capacity or add capabilities without investing in new infrastructure, training new personnel, or licensing new software. In the last few years, cloud computing has grown from being a promising business concept to one of the fastest-growing segments of the IT industry. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. Despite all the hype surrounding the cloud, enterprise customers are still reluctant to deploy their business in the cloud.89 But the question is: what causes this hesitation?

85 Deepak Puthal And Siksha Kumar Mishra, 'Cloud Computing Features, Issues And Challenges: A Big Picture' [January 2015] 9( ) International Conference On Computational Intelligence And Network Networks <Https://Tinyurl.Com/Yyohjhah> Accessed 10 April 2019
86 Ibid.
87 National Institute Of Standards And Technology
88 'The Benefits And Challenges Of Cloud Computing' [ ] 10( ) Quest Technology Management For Business Accessed 10 April 2019
89 S Sabashini And V Kavitha, 'A Survey On Security Issues In Service Delivery Models Of Cloud Computing' [11 July 2010] 11( ) Journal Of Network And Computer Applications Accessed 12 April 2019


For instance, the largest data breach occurred in 2018 in India and is known as the Aadhaar data breach.90 This was a major breach of data that exposed literally over a billion Indian citizens. The Aadhaar Indian database is a government ID database that serves up identity, biometric, and other information on more than 1.1 billion registered Indian citizens. The database has far-reaching impacts for Indian citizens, as they can use the data found in the database to carry out many activities, including opening bank accounts. It has been noted that Amazon and other major companies utilize the Aadhaar database to identify customers. Specifically, the information exposed included Aadhaar DB members’ names, their identity numbers, and information about services they are subscribed to, such as bank details, etc.91

Furthermore, no one knew the severity of the breach that cloud-based file sharing giant Dropbox announced back in 2012. In fact, it was not until four years later that we learned what really happened. Hackers tapped into more than 68 million user accounts – email addresses and passwords included – representing nearly 5 gigabytes of data. Those stolen credentials reportedly made their way to a dark web marketplace – the price for them was bitcoins. At the time, this was equivalent to roughly $1,141.92

Cloud computing presents novel challenges to the traditional protections built into the law to ensure the security of corporate capital- and knowledge-based assets. Corporate counsel and stakeholders must understand that the traditional legal playing field is shifting, yet again, with the introduction of private and public clouds. These clouds are essentially “data centers” or “server farms” on which software and data can be remotely stored, instead of on-site. The economic incentives consist of lower costs, limited site-support, and scalability. Resources can readily be adjusted to meet normal demand and supply curves.93

Overall, it should be taken into account that while cloud computing has brought many benefits for users, especially enterprises and companies seeking to improve and scale up their business compared to the traditional method of storing and keeping data, it also has a number of negative aspects that need to be taken into account. This section considers the risks to consumers that arise from the use of a cloud computing service. Organizations, businesses and individuals interested in using cloud computing products must ensure they are aware of the privacy and security risks associated with using the product and take those risks into account when deciding whether to use it.94

90 Yogesh Sapkale, 'Aadhaar Data Breach Largest In The World, Says Wef’s Global Risk Report And Avas' (Money Life, 19 February 2019) Accessed 12 April 2019
91 Brandon Lee, 'Top Cloud Data Breach In 2018/Lessons Learned' (Spinbackup, 18 March 2019) Accessed 14 April 2019
92 Contel Bradford, '7 Most Infamous Cloud Security Breaches' (Storage Craft, ) Accessed 19 April 2019
93 Johndavid Kerr And Kwok Teng, 'Cloud Computing: Legal And Privacy Issues' [ ] 11( ) Journal Of Legal Issues And Cases In Business Accessed 14 April 2019
94 Dan Svantesson And Clarke Roger, 'Privacy And Consumer Risks In Cloud Computing' [ July 2010] 18( ) Computer Law & Security Report Accessed 14 April 2019


Besides problems regarding the practical and technical aspects of cloud computing, such as data recovery, there are also plenty of non-technical and legal issues and consumer risks arising from the implementation of this method. In short, the challenges of cloud computing can be divided into three distinct categories:

1. Technical challenges
2. Non-technical issues
3. Legal concerns

This chapter will first briefly explain these issues concerning the implementation of cloud computing and will then focus more specifically on the potential legal issues that need to be taken into consideration.

2.1: Technical, Non-Technical And Legal Issues’ Terminology

2.1.1: Technical Issues

It cannot be denied that every novel and innovative system has its own challenges and struggles, and cloud computing is no exception. Since its advent, cloud computing has been struggling with the following main technical issues:

I. Scalability Problem
II. Matter Of Trust In Cloud
III. Integrity Of Data

I. Scalability Issue In Cloud Environment

One of the key benefits of the cloud computing paradigm is its scalability. It supports long-term strategies and business needs.95 Cloud computing offers numerous major benefits to organizations, but perhaps the biggest benefit of all is the ability to scale your cloud environment on demand. Scalability in the context of cloud computing can be defined as the ability to handle growing or diminishing resources to meet business demands in a capable way. In essence, scalability is a planned level of capacity that can grow or shrink as needed.96 But the main question is: what causes the scalability issue in cloud computing? The resources of the providers are usually hosted in the form of a data center. The data center is a set of physical machines which are interconnected, virtualized, and geographically distributed. Since customers may be in different geographic locations, a service provider should have data centers distributed throughout the world in order to provide services to them. In cloud computing, the distance between data centers leads to undesirable network latency, which in turn leads to delay in services and eventually gives rise to the scalability issue.97

95 Abrashid Dar And Dr Ravindran, 'Survey On Scalability In Cloud Environment' [July 2016] 5(7) International Journal Of Advanced Research In Computer Engineering & Technology (Ijarcet) Accessed 17 April 2019
96 Sarah Vonnegut, 'Scalability In The Cloud: How Organizations Win With The Cloud' (Stratoscale, ) Accessed 17 April 2019

II. Trust In Cloud:

As far as offline services are concerned, due to the absence of a central and physical authority to monitor the situation, people find it hard to trust such systems. Broadly speaking, trust means an act of faith, confidence and reliance in something that is highly expected to behave or deliver as promised.98 Obviously, users trust a system less if it does not provide them with an adequate amount of information about its expertise. Plain claims such as “ultimate secure cloud”, made without sufficient evidence, do not help to increase the level of trust unless the providers offer their customers a sufficient amount of transparency concerning their operation.99 While establishing trust inside the cloud environment is considered an important subject, it has not yet received adequate attention from either academia or industry.100 Simply put, a trusted cloud environment is designed to provide customers with a high level of availability, resiliency, adaptability and reliability.

If a system becomes unable to maintain these factors, each such failure can be considered a technical issue that must be tackled; otherwise the cloud provider will be unable to attract customers for its services.

a) Availability

This feature ensures reliable and timely access to cloud data or cloud computing resources by the appropriate personnel. In other words, availability refers to the property of a system being accessible and usable upon demand by an authorized entity. System availability includes a system’s ability to carry on operations even when some authorities misbehave. The system must have the ability to continue operations even in the event of a security breach. The cloud owner needs to guarantee that information and information processing are available whenever clients ask for them.101

The availability of cloud service providers is also a big concern, since a disruption of the cloud service affects more customers than in the traditional model. For instance, the disruption of the Amazon cloud service in 2011 took down a number of websites, including Reddit, Foursquare, and Quora. Cloud providers are required to ensure that the systems are running properly when needed and that enterprises are provided with proper and available service. This involves making architectural changes at the application and infrastructure levels to add scalability and high availability.102

97 Aarti Singh And Manisha Malhotra, 'Agent Based Framework For Scalability In Cloud Computing' [April 2012] 5( ) International Journal Of Computer Science & Engineering Technology (Ijcset) Accessed 18 April 2019
98 Khaled Mkhan And Quataibah Malluhi, 'Establishing Trust In Cloud Computing' [30 September 2010] 8(5) It Professional Accessed 18 April 2019
99 Ibid.
100 Imadm Abbadi And Andrew Martin, 'Trust In Cloud' [August-November 2011] 16(3-4) Information Security Technical Report Accessed 20 April 2019
101 Dimitrios Zissis And Dimitrios Lekkas, 'Addressing Cloud Computing Security Issues' [22 December 2010] 10( ) Future Generation Computer Systems Accessed 22 April 2019

b) Reliability

Enterprise applications are now so critical that a cloud service must be reliable and available to support 24/7 operations. In the event of failure or outages, contingency plans must take effect, and for disastrous or catastrophic failure, recovery plans must begin with minimum disruption. Each aspect of reliability should be carefully considered when engaging with a CSP and negotiated as part of the SLA. However, additional costs may be associated with the required levels of reliability.103

c) Resiliency

Resiliency is the ability of a system to keep operating despite a number of infrastructure outages. High resilience requires a design which uses redundancy to eliminate any single points of failure, together with well-crafted procedures.104 The major providers in the cloud environment, such as Amazon, Rackspace, and IBM, implement resiliency mechanisms that ensure data is not lost in the case of a sudden outage or failure in the system.105 There is no doubt that every system has its own failures, regardless of how many measures are taken to tackle the concerns. Structuring a plan to address those failures (detect, fix and recover) involves not only developers but all the teams, as part of a cloud strategy. A range of techniques is available to target these issues. The three fundamental techniques used to increase the resiliency of a cloud system are as indicated below:106

• Monitoring technique: refers to a continuous process which reviews the whole system on a regular basis in order to make sure it meets the minimum specifications of behavior. Although this method seems to be very basic and simple, it is a main key to detect failures

102 Rashmi Rai And Others, 'Securing Software As A Service Model Of Cloud Computing: Issues And Solutions' [September 2013] 12( ) International Journal On Cloud Computing: Services And Architecture (Ijccsa) Accessed 23 April 2019
103 Maricela-Georgiana Avram, 'Advantages And Challenges Of Adopting Cloud Computing From An Enterprise Perspective' [December 2014] 6( ) The 7th International Conference Interdisciplinarity In Engineering (Inter-Eng 2013) Accessed 24 April 2019
104 Imadm Abbadi And Andrew Martin, 'Trust In Cloud' [August-November 2011] 16(3-4) Information Security Technical Report Accessed 20 April 2019
105 Raul Chong, 'Data Resiliency On The Cloud' (Cloud Computing News, 30 November 2011) Accessed 27 April 2019
106 Nicolas Bohorquez, 'Challenges To Traditional Cloud Computing: Security, Data, Resiliency' (Sumo Logic, 19 April 2018) Accessed 27 April 2019


• Checkpoint and restart: The status of the entire system is saved based on certain circumstances. When the system fails, a restoration process returns it to the latest correct checkpoint and the system recovers.107

d) Adaptability

This refers to the ability of the service provider to adjust its services based on customers’ requests. It is defined as the time taken to adapt to changes or to upgrade the service to a higher level.108

III. Integrity Of Data

Another significant technical concern with regard to cloud computing is the matter of data integrity. Sometimes, for reasons such as the high amount of data shared between computers, the system collapses, and this has a negative effect on data integrity.109 Integrity, in terms of cloud data security, is the guarantee that data can only be accessed or modified by those authorized to do so; in simple words, it is the process of verifying data. Data integrity is important among the other cloud challenges, as it provides the guarantee that data is of high quality, correct and unmodified.110

2.1.2: Non-Technical Issues

In addition, there are a variety of non-technical concerns which need to be addressed; otherwise, they can hinder the growth and evolution of cloud computing.111 One main example is the lack of interoperability between clouds. Customers do not want to be locked into a single cloud provider. They would like the freedom to move among the clouds, ideally from public to private and back again. This would give customers the freedom to switch providers as their computing needs grow or shrink, and the ability to move applications and workloads around as their business requirements change.112

107 Nicolas Bohorquez, 'Challenges To Traditional Cloud Computing: Security, Data, Resiliency' (Sumo Logic, 19 April 2018) Accessed 27 April 2019
108 Saurabh Kumar Garg And Others, 'A Framework For Ranking Of Cloud Computing Services' [June 2013] 29(4) Future Generation Computer Systems Accessed 24 April 2019
109 Sunita Sharma, 'Data Integrity Challenges In Cloud Computing' [January-February 2018] 4(1) International Journal Of Current Trends In Engineering & Technology Accessed 27 April 2019
110 Nehar Thakur And Aman Kumar Sharma, 'Data Integrity Techniques In Cloud Computing: An Analysis' [August 2017] 7(8) International Journal Of Advanced Research In Computer Science And Software Engineering Accessed 27 April 2019
111 Wada Abdullahi And Others, 'Cloud Computing: Technical, Non-Technical And Security Issues' [March 2014] 3(3) International Journal Of Computer Applications Technology And Research Accessed 28 April 2019
112 Bill Claybrook, 'Cloud Interoperability: Problems And Best Practices' (Computerworld, 1 June 2011) Accessed 28 May 2019


With regard to interoperability, there are many challenges associated with cloud computing. In general, the interfaces and APIs113 of cloud services are not standardized, and different providers use different APIs for what are otherwise comparable cloud services.114

2.1.3: Legal And Regulatory Issues

It cannot be denied that cloud computing has gained an enormous reputation. However, this trend has always involved many concerns and risks for customers, which give rise to the legal issues indicated below. All of these matters, in addition to other probable legal concerns, will be discussed at length in the second section of the current chapter.

a) Security Issues

The development of cloud computing is still at an early stage, so insight into the critical areas of security can only be gained through the experience of early adopters and of researchers who experiment with currently available technologies. Security issues can be discussed in various categories, ranging from privacy concerns to network security.115

b) Regulatory Compliance

Generally speaking, compliance implies enforcing the rules that implement the policies defined in the regulations, and regulatory compliance is when a company obeys the laws, regulations and guidelines related to its business.116 Traditional service providers submit to external audits and security certifications, providing their customers with information on the specific controls that were evaluated. A cloud-computing provider that is unwilling or unable to do this is signaling that customers can only use it for the most trivial functions.117 According to the National Institute of Standards and Technology (NIST), organizations are fully responsible for all compliance-related issues. The cost of not being compliant may include penalty fees, lawsuits, and a bad business reputation.118

The General Data Protection Regulation, or GDPR for short, is European legislation enacted by the EU to strengthen people’s control over their personal data and to increase the obligations of organizations that collect or process such data on behalf of EU citizens (here, CSPs). The regulation came into force in May 2018, and its set of rules has particularly strong ramifications in the context of cloud computing.119 As a matter of fact, CSPs not only need to become attentive to this regulation and increase their understanding of its various aspects, but are also required to comply fully with its content in order to avoid any potential liability.

113 A Cloud Storage Api Is An Application Program Interface That Connects A Locally-Based Application To A Cloud-Based Storage System, So That A User Can Send Data To It And Access And Work With Data Stored In It
114 'Interoperability And Portability For Cloud Computing: A Guide' (Object Management Group, December 2017) Accessed 28 April 2019
115 Yashpal Kadam, 'Security Issues In Cloud Computing A Transparent View' [October 2011] ( ) International Journal Of Computer Science & Emerging Technologies Accessed 28 May 2019
116 Alex Miller, 'Regulatory Compliance In The Cloud' (Tripwire, 30 January 2017) Accessed 28 April 2019
117 Jay Heiser, Mark Nicolette, 'Assessing The Security Risks Of Cloud Computing' (Gartner Research, 3 June 2008) Accessed 29 April 2019
118 Dereje Yimamemail And Eduardob Fernandez, 'A Survey Of Compliance Issues In Cloud Computing' [10 May 2016] ( ) Journal Of Internet Services And Applications Accessed 27 April 2019

c) Contractual Concerns

Like virtually all other consumer products on the Internet, the supply of consumer cloud computing products is typically governed by terms and conditions drafted exclusively by the providers with no input from consumers. So in most cases, these agreements are drafted unilaterally, without any focus on the customer’s benefit.120 Furthermore, as consumers move towards adopting cloud services, the quality, resiliency, availability and reliability of the services become important aspects. However, the demands of service consumers vary significantly. From the service provider’s perspective it is not possible to fulfill all consumer expectations, and hence a balance needs to be struck via a negotiation process. At the end of the negotiation process, provider and consumer commit to an agreement. This agreement is referred to as an SLA. Overall, the SLA serves as the foundation for the expected level of service between the consumer and the provider.121

d) Data’s Location, Governing Law And Jurisdiction

Moving to the cloud computing model gives rise to one significant legal issue when a customer’s data resides in a cloud provider’s data center in a different country from the one in which the customer resides. Different countries, states and in some cases different municipalities have distinct laws and governing regulations. The key question which remains unsolved is which law applies to an organization’s data in the cloud: the law where the user is located, or the law where the data subject lives? International consensus on this issue has not been achieved yet.122

2.2: Potential Legal Issues Arising From Cloud Computing

This section addresses some concerns and consumer risks involved in the implementation of cloud computing. In most cases, if enough attention is not paid to these risks and concerns, they will eventually result in notable legal issues, bringing difficulties and legal liability for cloud operators.

119 Dispatch, 'Challenges Of Maintaining A GDPR-Compliant Cloud Platform' (The NYU Dispatch, 6 August 2018) Accessed 1 May 2019
120 Dan Svantesson And Clarke Roger, 'Privacy And Consumer Risks In Cloud Computing' [July 2010] 18( ) Computer Law & Security Report Accessed 14 April 2019
121 Ajith Harshana Ranabahu And Others, 'Service Level Agreement In Cloud Computing' [2009] ( ) Cloud Workshop At Opsala Accessed 29 May 2019
122 Thomas J Trappler, 'Cloud Adviser: Where Is Your Data?' (Computerworld, 13 December 2011) Accessed 14 May 2019

In other words, institutions and organizations that intend to apply this technology first need to make a comprehensive evaluation of the potential legal issues which might be involved in cloud computing. This section discusses a list of major consumer risks and concerns which could lead to legal issues and conflict, and which need to be taken into account by both cloud providers and users.

2.2.1: Security And Privacy Issues:

In a traditional on-premise application deployment model, the sensitive data of each company resides within the enterprise boundary and is subject to its physical, logical and personnel security and access control policies.123 In the cloud, however, the enterprise data is stored outside the company. Consequently, cloud providers should apply additional security checks in order to make sure that the information they hold and store stays secure, and to prevent breaches due to security defects in the application or via malicious employees. For instance, they need to implement strong encryption techniques for data security to control access to data.124 Overall, security issues can be discussed in various categories, ranging from data breach to confidentiality in the cloud. This section states the most notable security issues arising from cloud computing as follows:

a) Data Breach

While the number of companies shifting to cloud computing has increased remarkably, this trend has also had undesirable side effects in the form of data breaches in the cloud. Unawareness among enterprises regarding the complexities involved in securing data in the cloud can be considered one reason. Enterprises have moved to the cloud very fast, and that includes conventional businesses like banking and healthcare. Data breach in the cloud still remains a matter of concern, and this has to be addressed collectively by the enterprises as well as the cloud vendors.125 It should be taken into account that when organizations decide to move their data to the cloud, many assume that the responsibility for securing that data moves with it, to the cloud provider. On the surface, this assumption isn’t entirely unreasonable. After all, by transferring sensitive information into a third-party environment, a certain degree of control over where it’s stored and how it’s protected is lost. However, in reality this isn’t the case. For example, Amazon Web Services (AWS) is one of the leading providers of cloud services, with more than a million customers worldwide. When it comes to data security, AWS, like most providers, operates a Shared Security Responsibility model. This means that it assures certain layers of infrastructure and software security, but the customer is ultimately responsible for how data is used and accessed.126 To describe it better, this shared model can help relieve the customer’s operational burden, as AWS operates, manages and controls the components from the host operating system to the physical security of the facilities in which the service operates. Amazon states that customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides flexibility and customer control. As shown in the chart below, this differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud.127

123 Subashini And V Kavitha, 'A Survey On Security Issues In Service Delivery Models Of Cloud Computing' [January 2011] 34(1) Journal Of Network And Computer Applications Accessed 1 May 2019
124 Ibid.
125 , 'Data Breach In The Cloud – 2018 Trends That IT Pros Must Think' (Cloud Codes, 1 June 2018) Accessed 1 May 2019

Source: https://aws.amazon.com/compliance/shared-responsibility-model/

Due to the sensitivity and importance of data leakage in the cloud environment, it cannot be denied that if cloud providers do not pay adequate attention to addressing it, this can pose a significant threat to cloud business, as fewer users will choose to move their data to CSPs. In addition, privacy is considered a fundamental human right that includes the right to be left alone. In a commercial environment, privacy not only refers to the protection and appropriate use of the information provided by customers but also includes meeting the expectations of customers about its usage. For organizations, privacy means the application of laws, regulations, standards and processes by which personal information of individuals is managed.128

126 IDG Connect, 'The Most Common Causes Of Cloud Data Breaches' (IDG Connect, 1 February 2018) Accessed 1 May 2019
127 'Shared Responsibility Model' (AWS, ) Accessed 1 May 2019
128 Siani Pearson And Azzedine Benameur, 'Privacy, Security And Trust Issues Arising From Cloud Computing' [January 2011] ( ) 2nd IEEE International Conference On Cloud Computing Technology And Science Accessed 1 May 2019

Overall, cloud providers are required to implement sufficient techniques and procedures in order to avoid any potential legal liability in the future.

b) Confidentiality

Another example of privacy breach relates to confidentiality. Confidentiality refers to the prevention of intentional or unintentional unauthorized disclosure of information. The entire contents of a user’s storage device may be stored with a single cloud provider or with multiple cloud providers. Whenever an individual, a business, a government agency, or any other entity shares information in the cloud, privacy or confidentiality questions arise.129 This requirement means only authorized parties should have the ability to access protected data. The threat of data leakage increases in the cloud because the vast number of parties, devices and applications involved leads to an increase in the number of points of access.130 One of the biggest challenges of the cloud is how effectively CSPs can protect the confidentiality of cloud service users’ data. Usually confidentiality is achieved through encryption. But encryption alone may not provide security. To solve the issue, encryption needs to be integrated with some other technique to provide better and stronger security.131 If CSPs cannot protect confidentiality, this can eventually lead to data and privacy breaches and bring about significant legal consequences for cloud providers.

c) Data Integrity

Although, as was mentioned before, this concern is itself defined as a major technical issue arising from inadequate data management or defects in servers, it can also result in legal issues. After storing data in the cloud, users depend on the cloud to provide reliable services and hope that their data is kept securely. But that hope may sometimes fail: the user’s data may be altered or deleted. At times, cloud service providers may be dishonest and discard data which has not been accessed or is rarely accessed in order to save storage space. Moreover, cloud service providers may choose to hide data loss and claim that the data is still correctly stored in the cloud.132 Obviously, all of these can be considered a breach of the transparency requirement and will eventually bring about legal liability for cloud providers.
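A data owner can detect the behaviour described above (data discarded while the provider claims it is still stored) with a challenge-response audit prepared before upload. The following Python example is added here and is not part of the thesis or of any provider's API; the names `make_challenges`, `prove` and `Provider`, the 4096-byte block size and the sample file are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

BLOCK_SIZE = 4096  # assumed audit granularity, in bytes


def split_blocks(data: bytes) -> list:
    """Cut a file into fixed-size blocks (the last one may be shorter)."""
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def prove(blocks, nonce: bytes, indices) -> bytes:
    """Provider side: keyed digest over the challenged blocks.

    The nonce is the HMAC key, so the answer cannot be computed before the
    challenge is revealed, and it cannot be computed without the block bytes.
    """
    mac = hmac.new(nonce, digestmod=hashlib.sha256)
    for i in indices:
        mac.update(i.to_bytes(8, "big"))               # bind position
        mac.update(len(blocks[i]).to_bytes(8, "big"))  # bind length
        mac.update(blocks[i])
    return mac.digest()


@dataclass(frozen=True)
class Challenge:
    nonce: bytes     # kept secret by the owner until the audit
    indices: tuple   # which blocks the provider must read
    expected: bytes  # answer computed by the owner before upload


def make_challenges(data: bytes, count: int, sample_size: int) -> list:
    """Owner side, before upload: precompute `count` single-use challenges."""
    blocks = split_blocks(data)
    if not blocks:
        raise ValueError("nothing to audit: data is empty")
    k = min(sample_size, len(blocks))
    rng = secrets.SystemRandom()
    challenges = []
    for _ in range(count):
        nonce = secrets.token_bytes(32)
        indices = tuple(sorted(rng.sample(range(len(blocks)), k)))
        challenges.append(Challenge(nonce, indices, prove(blocks, nonce, indices)))
    return challenges


def verify(challenge: Challenge, response: bytes) -> bool:
    """Owner side, at audit time: constant-time comparison of the answer."""
    return hmac.compare_digest(challenge.expected, response)


def detection_probability(total: int, missing: int, sample_size: int) -> float:
    """Chance that one challenge touches at least one missing block."""
    clean = math.comb(total - missing, sample_size)
    return 1.0 - clean / math.comb(total, sample_size)


class Provider:
    """Constructed stand-in for a storage provider, not a real cloud API."""

    def __init__(self, data: bytes):
        self.blocks = split_blocks(data)

    def discard(self, indices):
        # Models the behaviour described above: space is reclaimed, yet the
        # provider keeps answering as if the file were intact.
        for i in indices:
            self.blocks[i] = bytes(len(self.blocks[i]))

    def answer(self, nonce: bytes, indices) -> bytes:
        return prove(self.blocks, nonce, indices)


def demo() -> dict:
    data = secrets.token_bytes(BLOCK_SIZE * 20)  # constructed sample file
    # Sampling all 20 blocks makes the outcome deterministic for the demo.
    first, second = make_challenges(data, count=2, sample_size=20)
    provider = Provider(data)
    honest = verify(first, provider.answer(first.nonce, first.indices))
    provider.discard([7])
    after_loss = verify(second, provider.answer(second.nonce, second.indices))
    return {"honest": honest, "after_loss": after_loss}


if __name__ == "__main__":
    print(demo())
    print(round(detection_probability(1000, 10, 100), 3))
```

Each challenge is single-use: once its nonce has been revealed the provider could cache that one answer, so the owner spends a fresh challenge per audit and keeps only the small challenge list, not the data.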

d) Control Over Data’s Lifecycle

129 Rashmi Rai And Others, 'Securing Software As A Service Model Of Cloud Computing: Issues And Solutions' [August 2013] 3( ) International Journal On Cloud Computing: Services And Architecture Accessed 1 May 2019
130 Dimitrios Zissis And Others, 'Addressing Cloud Computing Security Issues' [March 2012] 28(3) Future Generation Computer Systems Accessed 1 May 2019
131 Siva Selvan And Others, 'Confidentiality Issues In Cloud Computing And Countermeasures: A Survey' [March 2016] ( ) Conference Paper Accessed 1 May 2019
132 Neha Thakur And Aman Kumar Sharma, 'Data Integrity Techniques In Cloud Computing: An Analysis' [August 2017] 7(8) International Journals Of Advanced Research In Computer Science And Software Engineering Accessed 2 May 2019

Another noticeable issue with regard to cloud computing is giving customers direct control over their data lifecycle (to simplify, deletion). This possibility enables clients to confirm that data they decided to remove has been totally deleted and can no longer be recovered by the cloud service provider. Unfortunately, in practice there is no way to prove this, as it relies on trust, and the problem is much more complex in the cloud environment because:133
1. There can be many copies of the data, each held by different entities.
2. This risk depends very much on the type of cloud service model being used. For instance, under the SaaS approach, the customer is one of the users of a multi-tenant application developed by the CSP, and the information is stored in the cloud to be accessible the next time the customer logs in. The data would only be deleted at the end of the lifecycle of the data, in case the customer wishes to change service provider.134

From a broad perspective, if data owners do not possess any control over their data and are not able to decide when and under which conditions their data should be permanently removed from the CSPs’ database, the customer’s privacy is completely ignored. They are given no possibility to manage their own data, and the situation is much the same as if the data did not belong to them. If users are given this possibility, it will considerably increase their level of trust toward CSPs. Consequently, CSPs will be able to attract more customers, and this will eventually help them to scale up their business.

Summary

The matter of privacy should be taken into consideration by both CSPs and customers. As cloud computing is new, it is necessary for cloud providers to carry out an assessment of the level of security and privacy issues before offering their service to customers. On the other hand, organizations, businesses and individuals planning to use cloud computing services must make sure they are aware of the privacy and security risks associated with using the product and take those risks into account when deciding whether to use it or not. For anyone intending to use a cloud computing product on a commercial basis, or otherwise to store other individuals’ personal information, this should involve undertaking a PIA135 before adopting cloud computing techniques.136 With regard to privacy risks in the cloud, context is very important, as privacy threats differ according to the type of cloud scenario. So we need to distinguish between personal and public information.

133 Siani Pearson And Azzedine Benameur, 'Privacy, Security And Trust Issues Arising From Cloud Computing' [January 2011] ( ) 2nd IEEE International Conference On Cloud Computing Technology And Science Accessed 2 May 2019
134 Ibid.
135 Privacy Impact Assessment
136 Dan Svantesson And Clarke Roger, 'Privacy And Consumer Risks In Cloud Computing' [July 2010] 18( ) Computer Law & Security Report Accessed 5 May 2019

In practice, cloud application areas and services which manage public information might face a very low privacy threat. The privacy risk is high, and privacy needs should be taken into account, only if the service possesses, stores and manages personal information. In addition, services that are dynamically personalized (based on people’s location, preferences, calendar and social networks) would require privacy to be taken into account a great deal, as the potential risk is high.137 These security risks and legal issues, however difficult to overcome, are not insurmountable, and in fact can effectively be addressed by wise selection of relevant cloud technology providers, implementation of requisite controls, proper adherence to regulatory and legislative constraints, and implementation of security-related technologies. If all of these are applied, there will be no doubt that privacy will be better protected and that, as the level of customer trust increases, cloud operators will be able to scale up their business and raise much more profit.138

2.2.2: Regulatory Compliance:

The concept of cloud computing seems very simple, but everything becomes much more complex when it is examined with regard to regulatory compliance. One regulation concerning cloud computing which both vendors and users should be familiar with is the GDPR. The problem is more noticeable in the public cloud than in the private type, as users do not maintain any control over their data and the whole process of retaining and controlling data is done by cloud vendors.139 It is highly important for vendors to monitor GDPR compliance, as any kind of unintentional violation may lead to a huge fine. The European Commission's official statistics show 41,502 data breach notifications between May 25, 2018, and January 28, 2019 (Data Protection Day). However, this only covered 21 of the 28 EU member states and didn't include countries like Norway, Iceland and Liechtenstein, which are not EU members but are part of the European Economic Area (EEA) and are subject to the same regulation.140

For instance, in January 2019, Google was fined €50m by the French data protection watchdog for breaching the GDPR. The French agency, CNIL, ruled that the search giant had offered users inadequate information, spreading it across multiple pages, and had failed to gain valid consent for ads personalization. The CNIL concluded that Google had breached the General Data Protection Regulation in two ways: by failing to meet transparency and information requirements, and failing to obtain a legal basis for processing.141 Cloud computing vendors have to adopt technologies to ensure that their enterprise users’ data satisfy their compliance requirements. Again, this does not seem to have received much press as a major concern yet.142

137 Siani Pearson And Azzedine Benameur, 'Privacy, Security And Trust Issues Arising From Cloud Computing' [January 2011] ( ) 2nd IEEE International Conference On Cloud Computing Technology And Science Accessed 2 May 2019
138 Rhonda Farrell, 'Securing The Cloud—Governance, Risk, And Compliance Issues Reign Supreme' [19 November 2010] 19(6) Information Security Journal: A Global Perspective Accessed 5 May 2019
139 Jim Buchanan, 'Cloud Computing: 4 Tips For Regulatory Compliance' (CIO, 8 August 2018) Accessed 7 May 2019
140 Lucian Constantin, 'Report: Over 59,000 GDPR Data Breach Notifications, But Only 91 Fines' (CSO, 6 February 2019) Accessed 8 May 2019

GDPR Compliance

The PDP (data protection directive) has been in place for around 20 years. This legislation was not comprehensive and set out a minimum standard for data protection law in EU member states. However, the legislation was not sufficient, and some issues, such as interstate trade between EU members, had made it difficult for organizations to determine which set of laws they should comply with.143 To solve this issue, after a long and intense reform, the European Union (EU) adopted the new Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing the previous Data Protection Directive.144 The European Union drafted the GDPR on the idea that a single, unified law would be a more effective way to achieve two main goals:

1. Protecting the rights, privacy and freedoms of natural persons in the EU.
2. Reducing barriers to business by facilitating the free movement of data throughout the EU.145

The GDPR intends to impose specific restrictions on both the usage and storage of personal data in order to protect the interests of both EU citizens and the organizations that do business within the EU. An organization that acts quickly to ensure compliance with the GDPR will thrive in the evolving regulatory environment, potentially also using its compliance as a marketing advantage. Those that understand the importance of GDPR compliance will be able to distinguish themselves in the market and stand out from the crowd.146 From a broad perspective, the GDPR requires everyone engaged in controlling and processing personal information to implement appropriate technical and organizational measures to make sure the availability, confidentiality, resiliency and integrity of data is protected. The GDPR can be considered the latest global movement toward recognizing the importance of personal information. Although the matter of data protection has always existed, due to the emergence of cyber theft, which has posed significant risks for data owners, this issue has gained much more attention.147

141 Rebecca Hill, 'French Data Watchdog Dishes Out Largest GDPR Fine Yet: Google Ordered To Hand Over €50m' (The Register, 21 January 2019) Accessed 10 May 2019
142 Won Kim, 'Cloud Computing: Today And Tomorrow' [2009] 8(1) Journal Of Object Technology Accessed 7 May 2019
143 Simon Schwerin, 'Blockchain And Privacy Protection In The Case Of The European General Data Protection Regulation (GDPR): A Delphi Study' [2018] 1(1) The Journal Of The British Blockchain Association Accessed 8 May 2019
144 Gauthier Chassang, 'The Impact Of The EU General Data Protection Regulation On Scientific Research' [January 2017] ( ) French Institute Of Health And Medical Research Accessed 6 May 2019
145 ITGP Privacy Team, EU General Data Protection Regulation (GDPR): An Implementation And Compliance Guide - Second Edition (Second Edition Edn, IT Governance Publishing 2017) 12
146 Mark Webber, 'The GDPR’s Impact On The Cloud Service Provider As A Processor' [ ] 16(4) Pfpjournals Accessed 9 May 2019

a) The Concept Of Controller/Processor:

Under the EU Data Protection Directive, the burden of legal compliance was carried by the controller, and the processor was not liable. The GDPR has altered this and has extended the scope of this requirement to the processor.148 Under DIR95, the controller was liable for the damage caused to the data subject as a result of an unlawful processing operation or any act incompatible with the national provisions adopted pursuant to the directive. The GDPR expanded this liability to cover processors as well, and obliges them to pay the data subject compensation for the damage in case they have not complied with its obligations or the controller’s instructions. The GDPR also clarifies the liability of joint controllers and provides that each controller or processor is held liable.149 Article 4150 defines who is considered to be a controller or processor:

i. Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
ii. Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.151

As can be observed, under the GDPR it will no longer be possible for CSP processors to position themselves as mere processors and evade the reach of data protection rules. The GDPR requires data processors to develop and implement a number of internal procedures and practices to protect personal data. CSP processors might be particularly affected, as they have a deeper pocket and no direct contractual means to easily limit or control their potential exposure.152

b) The Extent Of Compliance

Territorial Scope:

147 ITGP Privacy Team, EU General Data Protection Regulation (GDPR): An Implementation And Compliance Guide - (Second Edition Edn, IT Governance Publishing 2017)
148 Mark Webber, 'The GDPR’s Impact On The Cloud Service Provider As A Processor' [ ] 16(4) Pfpjournals Accessed 9 May 2019
149 Christina Tikkinen-Piri And Others, 'EU General Data Protection Regulation: Changes And Implications For Personal Data Collecting Companies' [2017] 34(1) Computer Law & Security Review Accessed 9 May 2019
150 Article 4 GDPR <Https://Www.Gdpreu.Org/The-Regulation/Key-Concepts/Data-Controllers-And-Processors/> Accessed 9 May 2019
151 Ibid.
152 Mark Webber, 'The GDPR’s Impact On The Cloud Service Provider As A Processor' [ ] 16(4) Pfpjournals Accessed 9 May 2019

This matter is set out in article 3 GDPR as follows:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
2.1. The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
2.2. The monitoring of their behavior as far as their behavior takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.153

Generally speaking, the GDPR applies to all companies based in the EU. This includes all small businesses incorporated in a single EU state, as well as those spanning multiple EU member states. Broadly speaking, all companies with an EU “establishment” are bound by the GDPR. Determining establishment is easy for the examples above, and not much different from the current state of affairs. But what about international corporations or businesses from outside the EU?154 Currently, any type of data processing linked to an EU establishment is covered by the GDPR no matter where it takes place, and even if the EU establishment is not directly involved in the data processing. (An “establishment” for these purposes means any type of consistent physical presence in the EU, including an office branch, etc.) For example, if an EU-headquartered pharmaceutical company processes clinical trial-related personal data at its branch outside the EU, that data will be protected by the GDPR because the processing is linked to the parent company’s activities.155

Material Scope:

Article 2 defines the material scope of the GDPR. The Regulation applies to the processing of “personal data,” which is defined to mean any information relating to an identified or identifiable natural person (a “data subject”). In contrast to the Directive, the GDPR adds special categories of “sensitive data”. The GDPR covers all “data processing,” which is broadly defined to cover any operation or set of operations which is performed on personal data.156 Compared to other legislation, the GDPR has remarkably expanded the extent of data protection:

1. By changing the definition of personal information, the new regulation has significantly extended its scope. Under the new regulation, any type of data owned by EU citizens by which the person can be easily identified should be considered personal information.157 Under this, identifiers such as IP addresses and cookies should also be recognized as personal information protected by the GDPR.158 Whereas in the past data protection concerned mainly the banking and medical sectors, the scope of ‘personal data’ has broadened considerably and now includes any information relating to a person, from their name, photograph, email address or bank account details to messages posted on public websites, medical data or a computer’s IP address.159
2. In addition, the GDPR applies both to automated personal data, which we collect automatically online from existing services, and to manual filing systems.160

153 Article 3 GDPR Regulations, Accessed Online From: Https://Gdpr-Info.Eu/Art-3-Gdpr/
154 'Material And Territorial Scope Of The GDPR' (GDPR Informer, 5 September 2017) Accessed 11 May 2019
155 Jeremy Feigelson, 'New Guidance On The GDPR’s Territorial Scope – Are You Covered?' (NYU, 6 December 2018) Accessed 13 May 2019

Consequence Of GDPR For CSPs:

The GDPR imposes fines on data controllers and processors for non-compliance and infringement. Fines are administered by individual member state authorities. Several criteria161 determine the amount each cloud provider should pay as a non-compliance penalty, such as nature of infringement (number of people affected, damage they suffered, duration of infringement, and purpose of processing), intention (whether the infringement is intentional or negligent) and mitigation (actions taken to mitigate damage to data subjects).162 Non-compliance fines are divided into two major levels, upper and lower,163 based on the type of infringement. For instance, if the violated provision concerns the basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9, the firm is fined at the upper level and must pay up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.164

2.2.3: Contractual Concerns

156 Privacy In Focus, 'The GDPR’s Reach: Material And Territorial Scope Under Articles 2 And 3' (Wiley Rein LLP, May 2017) Accessed 13 May 2019
157 Article 4 GDPR/ Https://Www.Gdpreu.Org/The-Regulation/Key-Concepts/Personal-Data/ Accessed 14 May 2019
158 Colin Tankard, 'What The GDPR Means For Business' [June 2016] 2016(6) Network Security Accessed 12 May 2019
159 Jocelyn Krystlik, 'With GDPR, Preparation Is Everything' [June 2017] ( ) Computer Fraud & Security Accessed 12 May 2019
160 Article 2 GDPR/ Https://Www.I-Scoop.Eu/Gdprarticle/Gdpr-Article-2-Material-Scope/ Accessed 14 May 2019
161 Article 83 GDPR/ Https://Gdpr-Info.Eu/Art-83-Gdpr/ Accessed
162 Https://Www.Gdpreu.Org/Compliance/Fines-And-Penalties/ Accessed 12 May 2019
163 Article 83 GDPR/ Https://Gdpr-Info.Eu/Art-83-Gdpr/ 12 May 2019
164 Https://Www.Gdpreu.Org/Compliance/Fines-And-Penalties/ Accessed 12 May 2019

From a broad perspective, terms and conditions in cloud agreements appear in various forms, from relatively short to lengthy, but usually include four components as follows:165

a) Terms of service: usually referred to as terms and conditions, this is an agreement which identifies the governing principles between the user and the cloud service provider. Elements of a TOS can include privacy policies and accountability and liability provisions. Some may set up arbitration to be applied in some situations.166 With regard to cloud computing, most CSPs, such as Google Drive,167 clearly oblige any user to agree to the terms provided in this document. These terms are drafted one-sidedly, which means that if, after reading the terms, a customer does not fully agree with them, the only option is not to use the service; the user cannot make any change to these principles.
b) Service level agreement: an SLA is a type of agreement which identifies the level of service a customer expects from a supplier. This agreement is a significant part of any vendor contract, including agreements between cloud computing vendors and users.168 While each cloud provider will try to dictate its own criteria in SLA agreements, it should be noted that they need to comply with the principles and standards imposed by ISO.169

It should be taken into account that some providers do prepare both T&C documents, and it is quite common to see that many services, even some paid ones, do not offer an SLA.170 Overall, two major types of cloud agreement will be discussed as follows:

A. TERMS OF SERVICES

All companies and individuals planning to use cloud services need to consider this issue and pay adequate attention to these clauses, which are usually imposed on them unilaterally, in order to find out whether a specific cloud provider can meet their demands or not. It cannot be denied that when companies and individuals rely on a cloud vendor to store their data, there is always a possibility that, due to defects such as technical glitches, a data breach occurs and their privacy is completely harmed. For instance, if a hacker is capable of breaching that cloud, stealing your data, and using it to harm your customers, someone is going to be considered liable and pay civil penalties.171 In other words, vendors draft and organize the agreement with their customers in such a way that their liability for issues such as legal negligence is completely excluded and the scope of their liability is limited to what they consider actual damages. Actual damages refers to the amount of money which the user has already paid for a cloud service that was eventually not provided. By doing this, the possibility that the vendor could eventually be liable for 'consequential damages' is completely eliminated.172

165 Simon Bradshaw And Others, 'Contracts For Clouds: Comparison And Analysis Of The Terms And Conditions Of Cloud Computing Services' [August 2011] 47( ) I J Law And Information Technology Accessed 12 May 2019
166 Https://Www.Techopedia.Com/Definition/9746/Terms-Of-Service-Tos/ Accessed 12 May 2019
167 Https://Www.Google.Com/Drive/Terms-Of-Service/
168 Stephanie Overby, 'What Is An SLA? Best Practices For Service-Level Agreements' (CIO, July 05, 2017 03:00 Am Pt) Accessed 113 May 2019
169 ISO/IEC 19086:2016
170 Simon Bradshaw And Others, 'Contracts For Clouds: Comparison And Analysis Of The Terms And Conditions Of Cloud Computing Services' [August 2011] 47( ) I J Law And Information Technology Accessed 12 May 2019

Due to this fact that some cloud providers such as dropbox 173 and icloud 174do not make separate agreements with their users , TERMS OF SERVCIES is considered to be a substitute for regular contract and constitute the entire agreement. Commonly in case of making a regular agreement, both party’s expectations and demands can be discussed through the process of reasonable and efficient negotiation in order to satisfy both party’s interests. In this case, as all provisions and conditions are unilaterally created and are imposed to customers in the shape of terms and condition , the role of data owner is limited to signing a contract without having any active role in drafting its details.

In this section, the T&Cs of three major cloud providers are discussed as follows:

171Juan Martinez , 'Cloud Regulations: What You Need To Know To Be Safe' (Pcmag, May 9, 2016 9:55am Est) Accessed 13 May 2019 172Ibid. 173 Https://Www.Dropbox.Com/Privacy#Terms>Accessed 15 May 2019 174 Https://Www.Apple.Com/Legal/Internet-Services/Icloud/En/Terms.Html


Terms and conditions: Google Drive, Dropbox, iCloud

Privacy Protection

Google Drive:
MANDATORY
1. Use data for analytics and measurement to provide our service and maintain, improve, develop and measure them.175
2. Use data about the ads users interact with to help advertisers understand the performance of their ad campaigns. We may combine the information and collect among our services and across your devices for the purposes described above. For example, if you watch videos of guitar players on YouTube, you might see an ad for guitar lessons on a site that uses our ad products do this, including Google Analytics.176
VIA PERMISSION
We will ask for your consent before using your information for a purpose that is not covered in this Privacy Policy.177

Dropbox:
Dropbox will collect and use your data in furtherance of its legitimate interests in operating our Services and business. Specifically, Dropbox uses your data to:178
1. Understand how you use our Services and improve them
2. Send marketing emails and other communications in certain instances
3. Investigate and prevent security issues and abuse of Dropbox Services or Dropbox users.
4. In order to provide, improve, protect, and promote our Services, Dropbox shares your personal information with trusted third parties, including: Dropbox, Inc. Amazon Web Services, Inc. teleperformancea.179

iCloud:
You are not required to provide the personal information that we have requested, but, if you chose not to do so, in many cases we will not be able to provide you with our products or services or respond to any queries you may have.
We may process your personal information:180
1. for the purposes described in this Privacy Policy, with your consent, for compliance with a legal obligation to which Apple is subject or when we have assessed it is necessary for the purposes of the legitimate interests pursued by Apple or a third party to whom it may be necessary to disclose information.
2. to help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes
3. for internal purposes such as auditing, data analysis, and research to improve Apple’s products, services, and customer communications.

175 Google Drive Privacy Policy/ Https://Www.Gstatic.Com/Policies/Privacy/Pdf/20190122/F3294e95/Google_Privacy_Policy_En.Pdf>Accessed 15 May 2019 176 Google Drive Privacy Policy/ Https://Www.Gstatic.Com/Policies/Privacy/Pdf/20190122/F3294e95/Google_Privacy_Policy_En.Pdf>Accessed 15 May 2019


Cancellation and Refund Policy

Google Drive:
Google storage plan purchases are non-refundable. The amount of storage you purchased is yours for the length of the subscription, even if you decide to cancel it.181

Dropbox:
In most cases, if you cancel your Plus or Professional subscription before it expires, you'll have to finish your current subscription without receiving money back. If you purchased a subscription through the Apple app store or Google Play, you'll have to contact either Apple or Google directly to request a refund.182

iCloud:
Any fees paid by you prior to your termination are nonrefundable (except as expressly permitted otherwise by this Agreement), including any fees paid in advance for the billing year during which you terminate. Termination of your Account shall not relieve you of any obligation to pay any accrued fees.183

Warranties and Disclaimers

Google Drive:
We provide Google Drive using a reasonable level of skill and care and we hope that you will enjoy using Google Drive. But there are certain things that we don’t promise about Google Drive.184
Other than as expressly stated, we don’t make any commitments about the specific functionality available through Google Drive, its reliability, availability, or ability to meet your needs.185

Dropbox:
We strive to provide great services, but there are certain things that we cannot guarantee.
To the fullest extent permitted by law, Dropbox and its affiliates, suppliers and distributors make no warranties, either express or implied, about the services. The services are provided "as is."186

iCloud:
Apple does not guarantee, represent, or warrant that your use of the service will be uninterrupted or error-free, and you agree that from time to time Apple may remove the service for indefinite periods of time, or cancel the service in accordance with the terms of this agreement.187
Apple does not represent or guarantee that the service will be free from loss, corruption, attack, viruses, interference, hacking, or other security intrusion, and Apple disclaims any liability.188

177 Google Drive Privacy Policy/ Https://Www.Gstatic.Com/Policies/Privacy/Pdf/20190122/F3294e95/Google_Privacy_Policy_En.Pdf>Accessed 15 May 2019 178 Https://Help.Dropbox.Com/Security/Privacy-Policy-Faq>Accessed 16 May 2019 179 Ibid. 180 Https://Www.Apple.Com/Uk/Legal/Privacy/En-Ww/Accessed 16 May 2019 181 Google Drive Terms Of Service/ Https://Www.Google.Com/Drive/Terms-Of-Service/ Accessed 16 May 2019 182 Https://Www.Dropbox.Com/Terms#Business_Agreement>Accessed 17 May 2019 183 Https://Www.Apple.Com/Legal/Internet-Services/Icloud/En/Terms.Html>Accessed 17 May 2019 184 Google Drive Terms Of Service/ Https://Www.Google.Com/Drive/Terms-Of-Service/ >Accessed 17 May 2019 185 Ibid. 186 Https://Www.Dropbox.Com/Terms#Business_Agreement>Accessed 17 May 2019 187 Https://Www.Apple.Com/Legal/Internet-Services/Icloud/En/Terms.Html>Accessed 17 May 2019 188 Ibid.


Liability

Google Drive:
Google and its suppliers and distributors are not responsible or liable for:189
1. losses that were not caused by our breach of these Terms;
2. any loss or damage that was not, at the time the relevant contract with you was formed, a reasonably foreseeable consequence of Google breaching the Terms; or
3. losses relating to any business of yours including lost profits, revenues, opportunity or data.
The total liability of Google, and its suppliers and distributors, for any claims under these terms, including for any implied warranties, is limited to the amount you paid us to use the services (or, if the subject of the claim is the free service, to supplying you the services again).

Dropbox:
They exclude or limit liability to where it would be illegal to do so—this includes any liability for Dropbox’s or its affiliates’ fraud or fraudulent misrepresentation in providing the services.190
In countries where exclusions or limitations of liability are allowed, Dropbox, its affiliates, suppliers or distributors won’t be liable for:
1. any indirect, special, incidental, punitive, exemplary, or consequential damages
2. any loss of use, data, business, or profits, regardless of legal theory.
These exclusions or limitations will apply regardless of whether or not Dropbox or any of its affiliates has been warned of the possibility of such damages.
Other than for the types of liability we cannot limit by law (as described in this section), we limit our liability to you to the greater of $20 USD or 100% of any amount you have paid under your current service plan with Dropbox.191

iCloud:
Apple and its subsidiaries, officers, directors, employees, agents, partners and licensors shall not be liable to you for any direct, indirect, incidental, special, consequential or exemplary damages, including, but not limited to, damages for loss of profits, goodwill, use, data, cost of procurement of substitute goods or services, or other intangible losses,192 resulting from:193
1. the use or inability to use the service
2. any changes made to the service or any temporary or permanent cessation of the service or any part thereof;
3. the unauthorized access to or alteration of your transmissions or data;
4. the deletion of, corruption of, or failure to store and/or send or receive your transmissions or data on or through the service

189 Google Drive Terms Of Service/ Https://Www.Google.Com/Drive/Terms-Of-Service/ Accessed 18 May 2019 190 Https://Www.Dropbox.Com/Terms#Business_Agreement>Accessed 18 May 2019 191 Ibid. 192 Https://Www.Apple.Com/Legal/Internet-Services/Icloud/En/Terms.Html>Accessed 18 May 2019 193 Ibid.


ANALYSIS OUTCOME:

1. As can be observed from the privacy policies, both Dropbox and Google Drive use customers’ personal information for various purposes, including advertisement and marketing. In the case of iCloud, although the company claims that data owners are not obliged to provide their personal information, in fact this is not optional, as users who refuse to give permission will eventually be excluded from some specific products or services or from receiving a response to their queries. So while the company claims that there is no compulsory rule forcing customers to give permission, their freedom is quite limited, as they will be deprived of some major benefits.

2. With regard to refund policy, if data owners decide to terminate or cancel the contract, they will not be eligible to receive their money back. All of these major cloud providers have imposed a uniform policy, as none of them refunds the fee to data owners. Money paid for a specific period cannot be recovered, and this is expressly stated in the cloud agreement.

3. Furthermore, while the providers claim that their services are extremely good and presented without any defect, they also mention that there is always a chance of some issue with the quality of their services. For this reason, all of the cloud providers explicitly refuse to make any comprehensive and adequate warranties about the quality and condition of their services, in order to avoid any potential liability.

4. Limitation of liability: all cloud providers have limited their legal liability toward customers. For instance, at Dropbox the extent of liability is limited to intentional and fraudulent acts, and nothing determines what will happen in a specific case in which unintentional damage occurs as a direct consequence of the provider’s conduct. In the case of Google, the company completely refuses to accept any liability higher than the amount the customer has paid for the cloud service. In addition, it also restricts the scope of its liability by excluding loss or damage that was not a reasonably foreseeable consequence of Google breaching the Terms. Based on the above table, iCloud has followed the same pattern. As far as payment of fines is concerned, in most of the terms provided by cloud providers the extent of liability is limited to the amount the customer has paid as a fee. This does not take into account that the damage caused by a CSP is sometimes much greater than the fee initially paid for the subscription.

To sum up, it can be observed that all the cloud providers whose privacy policies were examined have given priority to their own benefit without considering customers’ interests. One-sided terms and conditions are created in accordance with the provider’s welfare and do not consider the other party’s will. This gives rise to an issue, as the fundamental purpose of making an agreement is to ensure both parties’ benefit. While terms and conditions imposed by CSPs are considered a substitute for a regular agreement between data owner and cloud provider, they completely ignore the other party’s expectations and violate basic features of a contract. To solve this, if cloud providers insist on presenting T&Cs as a replacement for an agreement, they should draft them in a way that also includes the user’s interests.

B. Cloud Service-Level Agreement:

An SLA specifies a set of conditions and terms between the user and the cloud service provider. The SLA should specify the following matters: the actions which will be taken by the CSP when a data breach has occurred, remedial actions, and the minimum performance level. Users should have a clear view of the security of their resources, and all other requirements should be agreed upon in the SLA.194 Traditionally, service level agreements do not cover security aspects such as confidentiality and integrity. With regard to the cloud computing environment, it is reasonable to expect that not all providers will be able, or willing, to provide the same level of security to their customers. In some specific cases, there is a chance that CSPs offer services with varying levels of security depending on how much the customer is willing to pay for the service.

SLAs which cover security will typically follow a lifecycle in which they are first published generically by a provider; when a user wishes to use a cloud service, she will then negotiate a specific SLA to which the provider will commit, and the service will be provisioned. The user may want to monitor the service to ensure that the provider adheres to the negotiated SLA. At any time during the commitment, provisioning and monitoring phases, the cycle may return to the negotiation phase, e.g. if the provider cannot, after all, commit to the previously negotiated SLA.195

The risk of security issues is quite high in the cloud. Considering this fact, cloud providers try to draft the SLA in a way that decreases the risk of liability in case a conflict, such as a data breach, occurs between the parties. Users need to be attentive to this during the negotiation process and ascertain to what extent the contract meets their expectations. From the provider’s point of view, it is sometimes quite impossible to fulfill all consumer demands. Because of these conflicting ideas, both parties agree to clarify their demands and expectations during the negotiation process. At the end, provider and consumer commit to an agreement which cannot be violated under any circumstances.196 Another notable concern is to what extent data can be kept safe and confidential with CSPs and with what quality cloud providers offer their services. The SLA is signed by both parties, commonly including Quality of Service requirements and penalties applied when some of these

194Naresh Vurukonda And B. Thirumala Rao , 'A Study On Data Storage Security Issues In Cloud Computing ' [2016] 92( ) Procedia Computer Science} Accessed 14 May 2019 195 Chunming Rong And Others, 'Beyond Lightning: A Survey On Security Challenges In Cloud Computing' [2013] 39( 1) Computers & Electrical Engineering Accessed 16 May 2019 196 Pankesh Pate And Others, 'Service Level Agreement In Cloud Computing' [2009] ( ) Cloud Workshops At Oopsla Accessed 17 May 2019

obligatory requirements are not met by providers. However, it should be taken into account that an SLA is not sufficient to ensure cloud reliability. For example, if a business has a critical web application deployed on the cloud and it fails, this can bring about massive financial loss for the data owner. Nevertheless, most SLA contracts provide only a penalty amounting to a portion of the deployment fee. So in practice, the responsibility cannot be transferred to CSPs through enforcement of the SLA.197 In addition, as the essence of using an SLA in cloud business is to guarantee customers a certain level of quality for their services, in a situation where this level of quality is not met, the provider pays penalties for the breach of contract.198 Overall, four key factors are included in an SLA, as indicated below:

a) Control: the SLA must guarantee the quality and performance of operational functions such as availability, reliability, performance, maintenance, backup and disaster recovery. These used to be under the control of the in-house IT function when the applications were running on-premises and managed by internal IT, but are now under the vendor’s control, since the applications are running in the cloud and managed by the vendor.

b) Operational risks: perceived risks around security, privacy and data ownership.

c) Business risks: guarantees around successful and timely implementations, the quality of technical support, business value received and even money back guarantees – if a client is not satisfied, they get their money back.

d) Penalties, rewards and transparency: the service level agreement should also determine practical and suitable financial penalties for an SLA violation by any party. Obviously, if an SLA is drafted and enforced without any suitable fine or penalty to be imposed on the cloud provider when the vendor has violated its contractual commitment, the agreement cannot be expected to be efficient.199

Furthermore, many cloud suppliers treat the service they offer as a commoditized service and the documentation and service contracts are drafted to reflect that. Accordingly, the contracts for the supply of many cloud services are non-negotiable and many are made available only through click-wrap agreements. However, as these services developed and became more

197 Vahid Dastjerdi And Others, 'A Dependency-Aware Ontology-Based Approach For Deploying Service Level Agreement Monitoring Services In Cloud' [2011] ( ) Accessed 13 May 2019 198 Vincentc Emeakaroha And Others, 'Desvi: An Architecture For Detecting Sla Violations In Cloud Computing Infrastructures' [2010] 21( )Department Of Computer Science And Software Engineering, University Of Melbourne, Australia Accessed 14 May 2019 199 Incloud360, 'What To Expect In A Cloud Service Level Agreement (Sla)' (Incloud360, 18 August 2014) Accessed 14 May 2019

sophisticated, service agreements became more robust, as a result of customer demand and competition.200 Moreover, due to the sensitivity of cloud computing (as it keeps and processes very personal information), governments impose some restrictions on agreements drafted between the parties. For instance, these restrictions impose obligations with regard to information disclosure, misleading conduct and misrepresentation. Other restrictions usually relate to the formation of the contract, such as the parties’ capacity, and still others govern the content of the contract, such as unfair contractual provisions and implied or imposed terms.201

A particularly interesting issue arising in this context is the extent to which cloud computing providers will be liable for issues such as service outages and loss of data. There can be little doubt that providers of cloud services will seek to exclude liability for such events. It is clear that if these established restrictions are not followed by providers, this can be considered a breach of compulsory regulations giving rise to legal responsibility for cloud providers. Another matter that is likely to be a source of disputes in consumer cloud computing products is where the provider seeks to vary the terms on which the product is provided. Such changes may not be permitted where they are unilateral and do not consider the other party’s expectations.202

To conclude, it is extremely necessary for data owners, before signing any contract with the target cloud provider, to ascertain how the content and provisions of the agreement will affect their data and their business. As entering into an SLA is considered a major decision, customers should give priority to this and decide to sign the agreement only after sufficient consultation with other team members, IT experts and of course a lawyer (familiar with the sphere of cloud computing and SLAs). It should be taken into consideration that a service level agreement is very important and is far more than a mere “I agree to the Terms and Conditions”.203 Overall, this subject gives rise to the question of whether there is any standardization with regard to cloud computing. In other words, is there any standard which governs cloud providers and monitors how their services are provided?

2.2.4: Cloud Computing Standardization:

Two fundamental regulations govern cloud computing. One relates to service level agreements and the second targets cloud security. ISO/IEC 19086-:2016, drafted by these organizations, seeks to establish a set of principles that can be used to create cloud Service Level Agreements and is for the benefit and use of both cloud service providers and cloud service customers. The aim is to avoid confusion and facilitate a common understanding between cloud service providers and cloud service customers. Cloud

200 Cloud Computing: Legal Model And Legal Issues Accessed From: Http://Www.Rushmoorlaw.Com/Articles/News/ 201 Danjerker Svantesson And Clarke Roger, 'Privacy And Consumer Risks In Cloud Computing' [ July 2010] 18( ) Computer Law & Security Report Accessed 14 May 2019 202Ibid. 203 Incloud360, 'What To Expect In A Cloud Service Level Agreement (Sla)' (Incloud360, 18 August 2014) Accessed 14 May 2019

service agreements and their associated cloud SLAs vary between cloud service providers, and in some cases different cloud service customers can negotiate different contract terms with the same cloud service provider for the same cloud service. This document aims to assist cloud service customers when they compare cloud services from different cloud service providers.204

ISO/IEC 27001:2013 is one of the most widely used of all ISO cloud requirements. Designed for application within organizations of any size, this standard lists the requirements for handling all phases (from creation to maintenance) of information security management systems. This regulation also specifies how organizations must address the security risks that they come across. ISO/IEC 27017 and ISO/IEC 27018 are two other ISO regulations that establish reliable security standards for both cloud vendors and cloud users alike.205

2.2.5: Data Location And Governing Law

In the cloud computing environment, location is important, as all companies using cloud services want to make sure their data remains in a specific cloud environment which is governed by their intended jurisdiction. This gives owners a chance to establish control over their data. As data protection law differs from country to country, it is very important to determine which law is applicable to specific data, and this cannot be discovered unless the location of the data is ascertained.206 One of the main features of the cloud environment is that data stored in a CSP’s database will not remain permanently in one location but moves all around the internet (information flow). Consequently, there is a possibility that the location of the data will differ from the place where the data owner resides. Many service provider contracts explicitly outline the right to maintain customer data on any of their sites, regardless of the origin of the data. While some service providers do not address the issue directly, most follow a similar policy on the grounds that not explicitly prohibiting the practice legitimizes it. Although maintaining data across multiple geographical locations provides a greater level of security, it does raise issues in relation to export control and needs to be addressed directly within the contract, legislating against extraterritorial storage.207

Furthermore, there is always a chance that each of these states claims jurisdiction over the data, and this will eventually lead to a conflict of laws. In other cases, legal authorities have enacted laws which dictate that customer data should be stored in the same country as the

204 Https://Www.Iso.Org/Standard/67545.Html 205 Charles Phillips, '7 Of The Most Significant Cloud Compliance Regulations' (Charles Philips, 8 Amrch 2018) Accessed 13 May 2019 206 Traceyc, 'How Does The Location Of Your Data Affect You Legally?' (Veber, 28 September 2018) Accessed 13 May 2019 207 Roche Jonathan, 'Cloud Computing: Legal Issue' [2014] ( ) Accessed 14 May 2019

customer resides. The reason is to protect data confidentiality and decrease the chance of data leakage, an issue which is quite common in the cloud environment.208

Most agreements clearly identify the governing law under which any disputes will be resolved, as well as the location of the court where a lawsuit will be held. With cloud computing, the applicable law governing the stored data can vary, as it might be the law of the place where the organization is headquartered, where the cloud provider is headquartered, where the data center is located, or where the data owner is located. As can be observed, it is very important for a cloud computing contract to identify the geographic region in which data centers are hosting the data and potentially the headquarters of the cloud provider. Otherwise, the overlap and potential conflict between the possible governing laws could make legal and data access compliance impossible.209

Conclusion:

When cloud computing was first introduced, it rapidly attracted the attention and trust of businesses, which came to rely on this service for storing their data. For instance, as the whole process of data storage is done by specialists and third parties, data subjects, usually businesses which do not possess the essential infrastructure and facilities required for storing data, use cloud services in order to avoid spending time and money on training employees or setting up the on-premise infrastructure required for storing data. However, we noticed that this method is also associated with various issues, such as vulnerability with regard to security requirements, which in some cases will lead to a data breach. This problem will cause a huge amount of difficulty both for data owners (as their privacy is breached) and for CSPs (legal liability). The data subject wants its sensitive data to be kept secure and safe, and this weak point in the system does not fully satisfy the user’s expectations. Furthermore, both terms of service and service level agreements are drafted in a way that protects the service provider’s benefit, without considering the demands and expectations of the data owner. Data owners have to follow a pattern which is offered by CSPs and do not have any possibility of engaging in a negotiation process in order to make sure both parties’ benefit is protected. To conclude, while the cloud can solve many of the data storage problems companies and individuals are struggling with, users need to be focused on and attentive to all of the issues above in order to avoid any potential risks in the future.

208 Traceyc, 'How Does The Location Of Your Data Affect You Legally?' (Veber, 28 September 2018) Accessed 13 May 2019 209 Thomas J Trappler, 'Cloud Adviser: Where's Your Data?' (Computerworld, December 13, 2011 ) Accessed 15 May 2019


Chapter 3: Sharding, As An Alternative Cloud Computing Solution

As can be observed from the last chapter, while it cannot be denied that cloud computing has enormously reshaped the way industries and enterprises used to do their regular business by providing a remarkable opportunity in terms of data storage, it is also associated with a variety of technical and legal issues that need to be taken into account both by those who intend to implement this technology in their workplace and by the cloud service providers. In addition to this, there are also some specific types of challenges for which no practical solution has been introduced by CSPs, such as breaches of sensitive data, which eventually give rise to privacy and confidentiality issues. Although cloud providers are extremely concerned about these types of challenges and are struggling to introduce methods to tackle them, most of them still remain unsolved. Furthermore, because technology has completely transformed our lives and people are becoming more dependent on online data storage, the issue of data breach has become more prominent. Blockchain technology has been introduced as a new method in the sphere of data storage to tackle these issues. It is strongly believed that, due to the special way blockchain stores data, it significantly decreases or almost eliminates any chance of a data breach and will totally protect sensitive data. However, blockchain also struggles with issues such as scalability, as much as cloud computing does. Overall, while no one can undermine the significant role blockchain plays in the sphere of data storage, it should also be taken into account that this method is not always free of challenges and, as an emerging method, has its own difficulties and limitations.210

This chapter first briefly illustrates how blockchain technology can be implemented as decentralized data storage, and secondly compares blockchain technology with cloud computing in order to clarify whether this method has the potential to be considered a superior substitute for cloud computing or not.

3.1: Revolutionary Decentralized Data Blockchain-Based Platform

Data is quickly becoming one of the most valuable resources in the world. That value means your data, especially your sensitive data, is now a prime target for cyber criminals, and you probably are not as protected as you think. As was mentioned before, cloud computing cannot be considered a suitable solution because this system has some security issues. In addition, the user also needs to trust a third party to store its sensitive data, which for many companies is often not desirable or even legal, as they prefer to keep their data internally rather than

210 Todd Hoff, 'Troubles With Sharding - What Can We Learn From The Foursquare Incident?' (High Scalability, 15 October 2010) Accessed 19 May 2019

sharing with third parties. As a consequence, the need for an alternative method to solve this issue has become more obvious.211 All in all, blockchain technology has attracted tremendous interest from a wide range of sectors including finance, healthcare, utilities, real estate and government agencies. Blockchains are shared, distributed and fault-tolerant databases that every participant in the network can share, but over which no entity can exercise control. The decentralization and security characteristics of blockchain have attracted researchers to develop various applications such as smart contracts and, recently, decentralized data storage.212

Simply put, the most common way blockchain is used for data storage is composed of these steps:

1. First, break up the data into chunks.
2. Secondly, encrypt the data so that the data owner is the only one able to access the stored data.
3. Finally, distribute the files across a network in a way that means all your files are available, even if part of the network is down.213

This method means that instead of giving data to a third party (cloud providers) to keep, it will be saved and distributed over a network of people all over the world, while nobody has the ability to change or alter the data.214
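The three steps above, as an added example that is not code from the thesis or from any storage project: a file is chunked, each chunk is encrypted under a key that stays with the data owner, and every encrypted shard is placed on two different nodes so that it survives a node being down. The node names, sample record, chunk size, replication factor and the HMAC-based keystream (a standard-library stand-in for an authenticated cipher such as AES-GCM) are assumptions.

```python
import hashlib
import hmac
import secrets

CHUNK_SIZE = 16   # bytes per shard; tiny so the constructed sample yields several
REPLICAS = 2      # each shard is stored on this many different nodes


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode. Assumption: used only so the example runs on
    # the standard library; a deployment would use a vetted AEAD cipher instead.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master: bytes, index: int, chunk: bytes) -> bytes:
    """Step 2: encrypt-then-MAC one chunk; the shard index is authenticated too."""
    nonce = secrets.token_bytes(16)
    header = index.to_bytes(4, "big") + nonce
    body = _xor(chunk, _keystream(_subkey(master, b"enc"), nonce, len(chunk)))
    tag = hmac.new(_subkey(master, b"mac"), header + body, hashlib.sha256).digest()
    return header + body + tag


def unseal(master: bytes, index: int, blob: bytes) -> bytes:
    header, body, tag = blob[:20], blob[20:-32], blob[-32:]
    good = hmac.new(_subkey(master, b"mac"), header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good) or header[:4] != index.to_bytes(4, "big"):
        raise ValueError("shard %d failed authentication" % index)
    return _xor(body, _keystream(_subkey(master, b"enc"), header[4:], len(body)))


def store(data: bytes, master: bytes, nodes: dict) -> list:
    """Steps 1-3: chunk, encrypt, distribute. Returns the owner's manifest."""
    names = sorted(nodes)
    manifest = []
    for index, start in enumerate(range(0, len(data), CHUNK_SIZE)):
        blob = seal(master, index, data[start:start + CHUNK_SIZE])
        shard_id = hashlib.sha256(blob).hexdigest()   # content address of the shard
        holders = [names[(index + r) % len(names)] for r in range(REPLICAS)]
        for name in holders:
            nodes[name][shard_id] = blob
        manifest.append((shard_id, holders))
    return manifest


def retrieve(manifest: list, master: bytes, nodes: dict, offline=frozenset()) -> bytes:
    """Rebuild the file, skipping offline nodes and corrupted replicas."""
    out = bytearray()
    for index, (shard_id, holders) in enumerate(manifest):
        for name in holders:
            blob = None if name in offline else nodes[name].get(shard_id)
            if blob is not None and hashlib.sha256(blob).hexdigest() == shard_id:
                out += unseal(master, index, blob)
                break
        else:
            raise LookupError("shard %d unavailable on all replicas" % index)
    return bytes(out)


def demo():
    # Constructed sample record, not data from the thesis.
    record = b"customer=ACME;iban=XX00-CONSTRUCTED-SAMPLE;notes=confidential"
    master = secrets.token_bytes(32)   # never leaves the data owner
    nodes = {"node-a": {}, "node-b": {}, "node-c": {}, "node-d": {}}
    manifest = store(record, master, nodes)
    return record, master, nodes, manifest


if __name__ == "__main__":
    record, master, nodes, manifest = demo()
    print(retrieve(manifest, master, nodes, offline={"node-b"}) == record)
```

With two replicas per shard, losing two nodes that hold the same shard makes the file unrecoverable, so the replication factor and the placement rule set the availability the owner actually gets.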

3.2: A Brief Comparison Between Blockchain And Cloud Computing

While no one can doubt the numerous advantages blockchain technology can bring about, especially in the sphere of data storage, it should also be taken into consideration, as will be discussed in the following sections, that this approach is not completely safe and free of challenges. So it is necessary for all who intend to implement this method to consider these issues before choosing a platform for storing their data.

3.2.1: Blockchain And Security:

As was already mentioned, cloud computing has various security issues. This method of data storage significantly increases the risk of privacy issues such as data leakage and loss of confidentiality. It cannot be denied that if you are storing your company’s information in the cloud, you are placing a very large amount of trust in these third parties, particularly if your data is especially sensitive. For this reason, many are predicting that, even though centralized cloud computing has numerous advantages, the cloud might shift

211 Maryann Callahan, 'How Blockchain Can Be Used To Secure Sensitive Data Storage' (Dataversity, 7 November 2017) Accessed 19 May 219
212 Xueping Liang And Others, 'Provchain: A Blockchain-Based Data Provenance Architecture In Cloud Environment With Enhanced Privacy And Availability' [2017] ( ) 2017 17th Ieee/Acm International Symposium On Cluster, Cloud And Grid Computing Accessed 15 May 2019
213 Maryann Callahan, 'How Blockchain Can Be Used To Secure Sensitive Data Storage' (Dataversity, 7 November 2017) Accessed 19 May 219
214 Ibid.

to a distributed, decentralized approach, and this is where blockchain technology storage enters the picture.215 The main feature of blockchain computing compared to the traditional method of data storage is that it is decentralized. Storing data on a decentralized platform leads to a higher level of security and privacy. Decentralized cloud storage is more difficult to attack than traditional centralized storage, namely the cloud. Generally speaking, once a hack is successfully executed on a centralized database, vast amounts of data can be accessed by hackers. With the application of sharding, hacks are much more difficult to execute. In Storj,216 for example, only a small amount of data can be accessed in a hack, since data is encrypted and distributed across a large network of databases.217

Centralized systems make data breaches possible because it takes only a single vulnerability, or the irresponsibility of one person, to "leave the gates open". For example, in Equifax's data breach in 2017, the hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.218 They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.219 In this case, the hackers used a vulnerability in the website, a months-old issue that Equifax knew about but failed to fix, and gained access to login credentials for three servers. They found that those credentials allowed them to access another 48 servers containing personal information.220 In such a case, blockchain technology can be considered superior to a traditional centralized system since, in the context of modern cybersecurity, “centralized” is always translated to “vulnerable”.221 However, despite the promise of blockchain to provide better security, it is still important to consider some of the risks of blockchain implementation. Contrary to popular belief, it seems the blockchain is also hackable. Let’s examine a few of the challenges that need to be addressed in 2019 and beyond.222

Types of fraud and hacking. The most important security issue of blockchain-based systems is the so-called 51% attack. Bitcoin measures the level of computing activity on the network in

215 Http://Techgenix.Com/Blockchain-Technology-For-Cloud-Storage/> ACCESSED 19 MAY 2019
216 Storj Is An Open Source, Decentralized File Storage Solution. It Uses Encryption, File Sharding, And A Blockchain-Based Hash Table To Store Files On A Peer-To-Peer Network. The Goal Is To Make Cloud File Storage Faster, Cheaper, And Private
217 Delton Rhodes, 'Blockchain Data Storage Could Soon Be The New Standard' (Coin Central, 25 June 2018) Accessed 19 May 2017
218 Seena Gressin, 'The Equifax Data Breach: What To Do' (Federal Trade Commission Consumer Information, 8 September 2017) Accessed 19 May 2019
219 Ibid.
220 Alfred Ng, 'How The Equifax Hack Happened, And What Still Needs To Be Done' (Road Show, September 2018) Accessed 19 May 2017
221 Tim Sandle, 'Why Blockchain Storage Is More Secure Than The Cloud' (Digital Journal, 2 July 2018) Accessed 19 May 2019
222 Delton Rhodes, 'Blockchain Security Issues And Legislative Challenges' (Coin Central, 22 April 2019) Accessed 20 May 2019

terms of the hash rate. When more than 51% of the hash rate is controlled by a single node (one miner or a pool of miners), the blockchain can be distorted maliciously.223 A 51% attack occurs when an attacker temporarily overwhelms a network with hash power and is able to create a longer chain than the primary chain. This allows the attacker to falsify transactions, perform a double spend or, as in the case of Verge and its time warp attack, mine an incredible amount of coins by tricking the system itself.224

In order to add a new block, miners must perform complex calculations to prove they have done the work. The first miner to offer the right solution to the problem gets the opportunity to create a new block and receives an appropriate reward for it. The more processing power a miner has at its disposal, the higher its chances of finding the right solution faster than everyone else and the greater the amount of remuneration. When a miner finds the right solution, the system notifies all network participants.225 As can be observed, the probability of mining a block depends on the work done by the miner. Because of this mechanism, people want to join together in order to mine more blocks, forming “mining pools”, which concentrate most of the computing power. Once a pool holds 51% of the computing power, it can take control of the blockchain, which evidently causes security issues.226 This is currently considered a challenge for cryptocurrencies. For instance, in January 2019 a devastating breach occurred when hackers pulled off a 51 percent attack against Ethereum Classic.227 Although this cryptocurrency’s website claims that its technology is “immutable” and “unstoppable,” this was proven false when hackers gained control of more than 50 percent of its network and began rewriting transaction histories.228

In terms of data storage, it initially seems that this method can also be used by hackers in order to gain access to valuable information stored on a blockchain network. But the question is to what extent hackers will be able to use stolen data. Because in sharding the chunks of data are encrypted and nobody can read or tamper with them, even if files are hacked this brings no reasonable benefit to the hackers, as they cannot use the encrypted data. This remarkably decreases hackers’ incentives and makes blockchain a noticeably secure environment for storing sensitive data. Furthermore, a key aspect of information security is integrity. Integrity means that assets may be modified only by authorized parties or in preconceived ways. Data integrity refers to protecting

223 Dmitry Efanov And Pavel Roschin, 'The All-Pervasiveness Of The Blockchain Technology' [2018] 123 ( ) Procedia Computer Science Accessed 20 May 2019
224 Robert Devoe, 'Gamecredits Uses Komodo Platform To Fight 51% Attacks & Secure Network' (Blockonomi, 7 June 2018) Accessed 19 May 2019
225 Blockchianus, 'What Is The “51% Attack?”' (Blockchainus, 4 September 2018) Accessed 15 May 2019
226 Iuon-Chang Lin And Tzu-Chun Liao, 'A Survey Of Blockchain Security Issues And Challenges' [2017] 19(5) International Journal Of Network Security Accessed 19 May 2019
227 Sarah Sinning, '51% Attack Proves Blockchain Is ‘Unhackable’ The Way The Titanic Was ‘Unsinkable’' (Dzone, 22 Feburary 2019) Accessed 19 May 2019
228 Ibid.

data from unauthorized deletion and modification. By preventing unauthorized access, organizations can achieve greater confidence in data and system integrity. Additionally, such mechanisms offer greater visibility into who or what may have altered data.229 As previously discussed, these issues are prevalent in cloud computing environments, as data owners can hardly establish control over where their data is stored, who can actually access it, and in which way. However, more and more private and public organizations rely on this method because “it relieves the burden of maintenance cost as well as the overhead of storing data locally”.230 Blockchain has recently emerged as a fascinating technology which provides compelling properties with regard to data integrity.231 Blockchain provides an environment in which all entries are made into an immutable chain of events that is distributed across the network. Each entry, in addition to being time-stamped,232 is irreversible and remains immutable, so it cannot be denied once it has been made.233 As a result, when using blockchain it is quite easy to deliver on the integrity of the data, as the concept of blockchain is based on immutability and tamper-proofing.234 In terms of confidentiality, it cannot be denied that, because data in cloud computing is kept with a third party in its entirety, it cannot remain totally confidential, as it is shared with strangers. Blockchain technology provides an opportunity for sensitive data to be saved encrypted with a private key so one can gain access to them.

To conclude, blockchain technology is still relatively new, which means that the teams in charge of securing data have to consider a variety of possible security approaches. They must design effective solutions to prevent data breaches from occurring. It seems much more reasonable for projects to make changes to their security measures instead of being more proactive in preventing threats. Although the security of blockchain is continuously being enhanced, problems continue to be reported and security remains an area of active study.235

3.2.2: Blockchain - GDPR Compliance:

Blockchain is widely depicted as the most disruptive technology since the advent of the Internet. While this technology was first used for the virtual currency Bitcoin, its current applications go

229 Dimitrios Zissis And Others, 'Addressing Cloud Computing Security Issues' [March 2012] 28( 3) Future Generation Computer Systems Accessed 19 May 2019
230 Edoardo Gaetani And Others, 'Blockchain-Based Database To Ensure Data Integrity In Cloud Computing Environments' [2017] ( ) In Proceedings Of The First Italian Conference On Cybersecurity (Itasec17), Venice, Italy Accessed 20 May 2019
231 Ibid.
232 The Time Of Being Generated
233 Martijn Veldkamp, 'Blockchain Could Solve Data Integrity Problems' (Martijn Veldkamp Ramblings And Random Thoughts, 17 September 2016) Accessed 20 May 2019
234 Silvan Jongerius , 'A Primer To Gdpr, Blockchain, And The Seven Foundational Principles Of Privacy By Design' (Dataconomy,8 January 2019) Accessed 20 May 2019
235 Jinho Park And Jonghyuk Park, 'Blockchain Security In Cloud Computing: Use Cases, Challenges, And Solutions' [2017] ( ) Symmetry Accessed 20 May 2019

far beyond cryptocurrencies, and a vast range of business models236 can be built upon it. The recent enactment of the General Data Protection Regulation, which shores up the level of data protection throughout the EU, might bring tension between its principles and the core features of blockchain technology.237 Whereas the GDPR was fashioned for a world where data is centrally collected, stored, and processed, blockchains decentralize each of these processes. With a paradigm shift of such radical contours, we must enquire about the applicability of a legal framework constructed for a sphere of centralization to one of decentralization. Blockchain developers are currently struggling to determine whether they can legally store and process personal data on their ledgers. The answer will largely depend on whether such activity falls within the scope of the EU’s data protection regime.238 For EU data protection law to apply, data stored on the blockchain must furthermore be personal data under the definition of Article 4(1) GDPR.239 ‘Personal data’ is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.240 This ultimately means that information is not personal data only if there is no conceivable way to link it to a person; pseudonymized data, on the other hand, is data that cannot directly be re-identified. The personal data definition includes specific data types, such as biometric, genetic and health information, as well as online identifiers. It does not extend any rights to deceased persons.241 We will observe that, at least at first sight, blockchains (especially those that are public and permissionless) and the GDPR are profoundly incompatible at a conceptual level, as the data protection mechanisms developed for centralized data silos cannot easily be reconciled with a decentralized method of data storage and protection.242 All in all, it should be taken into account that when the GDPR was drafted in 2012, its application was modelled on centralized systems such as cloud service providers and social networks. As a result, blockchain was not the main target of the GDPR, but because the scope of blockchain

236 Ranging From Fintech Products Like Cryptosecurities Or 'Smart Bonds' Over 'Smart Property' Registers, To So Called 'Smart Contracts' With Transactional Protocols Which Assume The Formation, Performance And Execution Of A Fully Electronic Contract
237 Matthias Berberich; Malgorzata Steiner, Blockchaintechnology And The Gdpr - How To Reconcile Privacy Anddistributed Ledgers, 2 Eur. Data Prot. L. Rev. 422 (2016)
238 Finck, Michèle, Blockchains And Data Protection In The European Union (November 30, 2017). Max Planck Institute For Innovation & Competition Research Paper No. 18-01. Available At Ssrn: Https://Ssrn.Com/Abstract=3080322 Or Http://Dx.Doi.Org/10.2139/Ssrn.3080322
239 Matthias Berberich; Malgorzata Steiner, Blockchaintechnology And The Gdpr - How To Reconcile Privacy Anddistributed Ledgers, 2 Eur. Data Prot. L. Rev. 422 (2016)
240 Gdpr Regulation/Article 4(1)/Accessed Online From: Https://Gdpr-Info.Eu/Art-4-Gdpr/
241 Simon Schwerin, 'Blockchain And Privacy Protection In The Case Of The European General Data Protection Regulation (Gdpr): A Delphi Study' [19 April 2018] 1(1) The Journal Of The British Blockchain Association Accessed 20 May 2019
242 Finck, Michèle, Blockchains And Data Protection In The European Union (November 30, 2017). Max Planck Institute For Innovation & Competition Research Paper No. 18-01. Available At Ssrn: Https://Ssrn.Com/Abstract=3080322 Or Http://Dx.Doi.Org/10.2139/Ssrn.3080322

has increased over time from a mere environment for cryptocurrency transaction history to a network capable of storing personal information, blockchain now also falls under the GDPR framework.243 To identify potential contradictions between the GDPR and the implementation of blockchain, several issues are discussed below:

a) Identifying Controller/Processor

Under the GDPR, all organizations are obliged to understand the difference between a data controller and a data processor. The reason for this distinction is that, while the GDPR holds both of them liable, it imposes different obligations on each.244 Article 4 of the GDPR defines both terms as follows:

Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Processor: “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.245

As a result, the organizations that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced on paper by the bank. These companies can be datacenters or document management companies. Both organizations (controller and processor) are responsible for handling the personal data of these customers.246

To identify who exactly is considered to be the data controller or processor in the context of blockchain, the CNIL,247 in its comprehensive assessment of the compatibility of blockchain and the GDPR, has tried to determine the status of data controller and processor and has announced its findings as follows. It should be noted that the CNIL made clear at the outset that its assessment does not encompass private blockchains. “The CNIL observes that participants, who have the right to write on the chain and who decide to send data for validation by the miners, can be considered as data controllers. More specifically, the CNIL considers that the participant is a data controller248:

243 Hasib Anwar, 'Blockchain Gdpr Paradox: Is It A Rising Conflict Between Law And Technology?' (101 Blockchains, 24 September 2018) Accessed 19 May 2019
244 Gdpr, 'Gdpr Basics: What Is The Difference Between A Data Controller And A Data Processor?' (Dporganizer, 28 February 2018) Accessed 19 May 2019
245 Article 4/Gdpr Regulation/Accessed Online From Https://Gdpr-Info.Eu/Chapter-4/, Accessd 20 May 2019
246 Carla Bouca, 'Eu Gdpr Controller Vs Processor – What Are The Differences?' (Advisera, ) Accessed 19 May 2019
247 National Commission On Informatics And Liberty Is An Independent French Administrative Regulatory Body Whose Mission Is To Ensure That Data Privacy Law Is Applied To The Collection, Storage, And Use Of Personal Data.
248 Cnil Report On Solutions For A Responsible Use Of The Blockchain In The Context Of Personal Data,Accessed Online From: Https://Www.Cnil.Fr/Sites/Default/Files/Atoms/Files/Blockchain.Pdf> Accessed 19 May 2019

• When the said participant is a natural person and that the personal data processing operation is related to a professional or commercial activity (i.e. when the activity is not strictly personal)
• When the said participant is a legal person and that it registers personal data in a blockchain.”249

The CNIL also identifies two groups as data processors:250

• The smart contract developer who processes personal data on behalf of the participant, who is the data controller;
• The miners who validate the transaction containing personal data on a blockchain

For instance, insurance company AXA has launched Fizzy, an Ethereum smart contract that provides automatic indemnification for a delayed flight. According to the CNIL, the developer of the software in this case is considered the data processor, while AXA is the data controller; in addition, miners who validate the transactions are also processors.251

With regard to miners, the CNIL believes they cannot be considered data controllers, as their role is limited to validating transactions; they therefore do not define the purpose and the means of the processing.252

Another challenge concerns what happens if several participants jointly decide to carry out processing operations on a blockchain.

When a group of participants decides to carry out processing operations with a common purpose, the CNIL recommends identifying the data controller beforehand. For example, the participants may create a legal person in the form of an association or economic interest group. They may also choose to identify one participant who makes decisions for the group and to designate that participant as the data controller. Otherwise, all participants could be considered joint controllers, as provided by Article 26 of the GDPR,253 and must therefore determine their respective responsibilities to ensure compliance with the regulation.254

b) Immutability Issue:

249 Ibid.
250 Ibid.
251 John Chopyk, 'Gdpr Vs Blockchain: The Saga Continues ' (Laelesstech, 27 November 2018) Accessed 20 May 2019
252 Cnil Report On Solutions For A Responsible Use Of The Blockchain In The Context Of Personal Data,Accessed Online From: Https://Www.Cnil.Fr/Sites/Default/Files/Atoms/Files/Blockchain.Pdf> Accessed 19 May 2019
253 Gdpr Regulation/Article 4>Accessed Online From: Https://Gdpr-Info.Eu/Art-26-Gdpr/
254 Cnil Report On Solutions For A Responsible Use Of The Blockchain In The Context Of Personal Data,Accessed Online From: Https://Www.Cnil.Fr/Sites/Default/Files/Atoms/Files/Blockchain.Pdf> Accessed 19 May 2019

In its text, the GDPR refers to several principles as “rights of the data subject”, including the right to access255 the information being processed, the right to correct and amend256 that information, and the right to take it elsewhere or erase it.257 Article 17 GDPR provides that: “the data subject shall have the right to obtain from the controller ‘the erasure of personal data concerning him or her without undue delay’”. Controllers are obliged to delete personal data subject to a number of conditions, such as (i) that personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) that the data subject withdraws consent on which the processing is based or where there is no other ground for processing; (iii) that the data subject objects to the processing and that there are no overriding legitimate grounds for processing; (iv) that data has been unlawfully processed; (v) that personal data has to be erased for compliance with national or supranational law to which the controller is subject; or (vi) that personal data has been collected in relation to the offer of an information society service to a child under 16 years of age.258 Distributed ledger technology poses two challenges here. First, it would be even harder to identify a data controller in a public blockchain who could fulfil data subjects' claims. Secondly, and more importantly, the distributed architecture of blockchain precludes simple deletion upon request by the data subject because, as set out previously, one of the unique features of blockchain is that data stored on chain cannot be altered without the acceptance of other nodes, which requires the cooperation of at least more than half of all nodes for every transaction.259 In fact, if old transactions were to be removed retroactively, the majority of nodes would have to verify again the legitimacy of every affected transaction backwards, unbuild the entire BC block by block and then rebuild it afterwards, with every such transaction step being distributed block-wise to all existing nodes. This would require extreme computational power and the cooperation of all nodes to deconstruct the BC back to the point of change and to reconstruct it afterwards, which makes the process impossible in practice.260

Potential solutions for dealing with this contradiction include:

1. In Article 17 of the GDPR, the term ‘erasure of data’ is mentioned a couple of times, but nowhere in the document, not even in the definitions part, is there any

255 Article 15 Gdpr
256 Article 16 Gdpr
257 Article 17 Gdpr
258 Finck, Michèle, Blockchains And Data Protection In The European Union (November 30, 2017). Max Planck Institute For Innovation & Competition Research Paper No. 18-01. Available At Ssrn: Https://Ssrn.Com/Abstract=3080322
259 Matthias Berberich; Malgorzata Steiner, Blockchain Technology And The Gdpr - How To Reconcile Privacy And Distributed Ledgers, 2 Eur. Data Prot. L. Rev. 422 (2016)Https://Tinyurl.Com/Y5lugv6s > Accessed 19 May 2019
260 Matthias Berberich; Malgorzata Steiner, Blockchain Technology And The Gdpr - How To Reconcile Privacy And Distributed Ledgers, 2 Eur. Data Prot. L. Rev. 422 (2016)Https://Tinyurl.Com/Y5lugv6s > Accessed 19 May 2019

explanation of what the term ‘erasure of data’ actually means.261 The interpretation of ‘erasure of data’ is very important here because it directly determines what can actually be stored on a blockchain. If encrypting data and not retaining the corresponding encryption keys upon deletion is sufficient for ‘erasure of data’, then personal data can be stored on a blockchain. If not, storing personal data directly on a blockchain is simply not allowed because it ‘cannot be erased’.262

2. In addition, it is important to note that “erasure”263 is not an absolute right and if, for example, the data involve defense of a legal claim or have overriding public . Generally, the goal of GDPR is to give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world,” and “one of the things GDPR states is that data ‘should be erasable.’ Since throwing away your encryption keys is not the same as ‘erasure of data’, GDPR is in contradiction with blockchain technology.264

3. Several studies have shown the opportunities hiding behind the apparent contradiction, where the technology can make it significantly easier for businesses to comply with the GDPR.265 For instance, one alternative solution to this challenge is the adoption of off-chain data storage. In this technique, all GDPR-sensitive information (personal information) is stored off-chain on cloud-based servers, and the hashes, which are a specific encryption of this data, are stored in the blockchain environment.266 To put it more clearly: store the personal data off-chain, and store the reference to this data, along with a hash of this data, on the blockchain. Although this solution provides 100% compliance with the GDPR, it remarkably decreases the level of data privacy and transparency, because when personal data is stored off-chain there is no way of knowing for sure who accessed this data in the past and who currently has access to it.267

261 Andries Van Humbeeck, 'The Blockchain-Gdpr Paradox' (Bl-Platform, 3 April 2018) Accessed 19 May 2019
262 Andries Van Humbeeck, 'The Blockchain-Gdpr Paradox' (Bl-Platform, 3 April 2018) Accessed 19 May 2019
263 Right To Ask You Personal Data Will Be Deleted
264 Robert Herian, 'Regulating Disruption: Blockchain, Gdpr, And Questions Of Data Sovereignty' [2018] 1-16( ) Journal Of Internet Law Accessed 19 May 2019
265 , 'Gdpr And Blockchain: Contradictory Or Complementary?' (Coin Isseurcom, 4 February 2019) Accessed 19 May 2019
266 Claudio Lima, 'Blockchain-Gdpr Privacy By Design How Decentralized Blockchain Internet Will Comply With Gdpr Data Privacy' (Blockchain Engineering Council, Bec Co-Founder Vice Chair Ieee Blockchain Standards, 2018) Accessed 20 May 2019
267 Andries Van Humbeeck, 'The Blockchain-Gdpr Paradox' (Bl-Platform, 3 April 2018) Accessed 20 May 2019

4. Another potential solution might be to store the data on the blockchain, but encrypted, so that a person who owns the private keys can decrypt the data and can potentially also have it removed from the chain, essentially by erasing his or her own private keys. However, this is not foolproof, and under EU law encrypted data is not anonymous. This means that it is still considered personal data under EU law and therefore still poses the initial challenges.268

Finally, it should be taken into account that blockchain, as an emerging technology, is in its infancy, which means that many experiments will be needed before a point of comprehensive compatibility is reached.
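The off-chain approach of item 3 can be sketched as follows; this is an added example, not code from the thesis or from any blockchain project. The `Ledger` class is a toy append-only hash chain standing in for a blockchain, all names and sample records are constructed, and the use of a per-record random salt kept off-chain (so that the on-chain value cannot be matched by guessing once the off-chain record is erased) is a design assumption added here.

```python
import hashlib
import hmac
import secrets


def commit(salt: bytes, data: bytes) -> str:
    """On-chain value: keyed hash of the record under a per-record random salt."""
    return hmac.new(salt, data, hashlib.sha256).hexdigest()


class Ledger:
    """Toy append-only hash chain (constructed stand-in for a blockchain)."""

    def __init__(self):
        self.blocks = []

    def append(self, ref: str, commitment: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        digest = hashlib.sha256(f"{prev}|{ref}|{commitment}".encode()).hexdigest()
        self.blocks.append({"prev": prev, "ref": ref, "commitment": commitment, "hash": digest})
        return len(self.blocks) - 1

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            digest = hashlib.sha256(f"{prev}|{b['ref']}|{b['commitment']}".encode()).hexdigest()
            if b["prev"] != prev or b["hash"] != digest:
                return False
            prev = b["hash"]
        return True


def register(ledger, off_chain, data: bytes) -> int:
    """Personal data and salt go off-chain; only reference and commitment go on-chain."""
    ref, salt = secrets.token_hex(8), secrets.token_bytes(32)
    off_chain[ref] = {"salt": salt, "data": data}
    return ledger.append(ref, commit(salt, data))


def status(ledger, off_chain, index: int) -> str:
    block = ledger.blocks[index]
    record = off_chain.get(block["ref"])
    if record is None:
        return "erased"
    same = hmac.compare_digest(commit(record["salt"], record["data"]), block["commitment"])
    return "intact" if same else "tampered"


def erase(ledger, off_chain, index: int) -> None:
    """Erasure request: delete data and salt off-chain; the ledger is not rewritten."""
    off_chain.pop(ledger.blocks[index]["ref"], None)


def matches_any(on_chain_value: str, candidates) -> bool:
    """True if the plain SHA-256 of some candidate equals the on-chain value."""
    return any(hashlib.sha256(c.encode()).hexdigest() == on_chain_value for c in candidates)


def demo():
    ledger, off_chain = Ledger(), {}
    idx = register(ledger, off_chain, b"constructed: Jane Example, born 1985-03-14")
    out = {"after_write": status(ledger, off_chain, idx)}
    off_chain[ledger.blocks[idx]["ref"]]["data"] = b"constructed: Jane Example, born 1990-01-01"
    out["after_edit"] = status(ledger, off_chain, idx)
    erase(ledger, off_chain, idx)
    out["after_erasure"] = status(ledger, off_chain, idx)
    out["chain_valid"] = ledger.verify_chain()
    out["blocks"] = len(ledger.blocks)
    # Linkability check: a bare hash of a low-entropy value can be matched by
    # enumerating the value space; a salted commitment whose salt is gone cannot.
    dates = [f"{y}-{m:02d}-{d:02d}" for y in range(1980, 1990)
             for m in range(1, 13) for d in range(1, 32)]
    out["unsalted_matchable"] = matches_any(hashlib.sha256(b"1985-03-14").hexdigest(), dates)
    out["salted_matchable"] = matches_any(commit(secrets.token_bytes(32), b"1985-03-14"), dates)
    return out


if __name__ == "__main__":
    print(demo())
```

The on-chain commitment detects any change to the off-chain record, and after erasure the chain still verifies while the block no longer resolves to any data; whether the remaining on-chain value counts as personal data is the legal question discussed above, which the code does not settle.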

c) Privacy By Design

Data protection by design and data protection by default are two overarching guiding principles of the GDPR. Whilst they are not individual rights as such, we nonetheless briefly examine these principles, as they confirm the tension between blockchains’ promises and perils for data protection. The obligations are addressed to controllers, which must ‘implement’ such mechanisms defined269 by software developers.270 A fundamental part of the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, is the recommendation to pseudonymize personal data wherever possible. Articles 4, 6, 25, 32, 40 and 89 as well as Recitals 28, 29, 75, 78, 85 and 156 of the GDPR explicitly mention pseudonymization.271 Article 25(1) GDPR indicates that encryption can be a desirable feature. The remaining question is whether the pseudonymisation of public keys can be fashioned so as to be compliant with the GDPR. The regulation considers that the pseudonymisation of personal data ‘can reduce the risks to the data subject concerned and help controllers and processors to meet their data-protection obligations’.272 In short, Article 25 requires:
1. Data protection by design: data controllers must put technical and organizational measures, such as pseudonymisation, in place to minimise personal data processing.
2. Data protection by default: data controllers must only process data that are necessary, to an extent that is necessary, and must only store data as long as necessary.273

268 Penglund, 'Blockchain And Gdpr Are Struggling To Co-Exist' (Go Crypto Wise, 6 March 2019) Accessed 22 May 2019
269 In Centralized System, The Controller Determine And Implement The Principles
270 Finck, Michèle, Blockchains And Data Protection In The European Union (November 30, 2017). Max Planck Institute For Innovation & Competition Research Paper No. 18-01. Available At Ssrn: Https://Ssrn.Com/Abstract=3080322
271 'Gdpr Technical Series #1: Anonymization And Pseudonymization' (Dataguise, 14 August 2018) Accessed 22 May 2019
272 Finck, Michèle, Blockchains And Data Protection In The European Union (November 30, 2017). Max Planck Institute For Innovation & Competition Research Paper No. 18-01. Available At Ssrn: Https://Ssrn.Com/Abstract=3080322
273 Ben Davis, 'Gdpr Requires Privacy By Design, But What Is It And How Can Marketers Comply?' (Econsultancy, 25 August 2017) Accessed 22 May 2019

Pseudonymization and anonymization are two distinct terms that are often confused in the data security world. With the advent of the GDPR, it is important to understand the difference. These terms differ in one key aspect. Anonymization irreversibly destroys any way of identifying the data subject. Pseudonymization substitutes the identity of the data subject in such a way that additional information is required to re-identify the data subject.274 The legal distinction between anonymized and pseudonymized data lies in its categorization as personal data. Pseudonymous data still allows for some form of re-identification (even indirect and remote), while anonymous data cannot be re-identified.275 Since anonymized data cannot be used to identify any individual and there is no chance of it being reassembled in the future, it is no longer considered personal data and as such does not fall under the GDPR.276

This is clearly mentioned in Recital 26 GDPR.277 Whether the features of blockchain are incompatible with Article 25 GDPR is doubtful. On the one hand, some of its features, like perpetual distributed storage and the lack of central entities (in public BC models), could be seen as not completely in line with data minimisation and accountability. In respect of the latter, it could therefore make a difference whether public or private blockchain models are used. On the other hand, strong blockchain encryption and data security would be in line with PbD.278

To sum up, it is obvious that the GDPR was initially designed for centralized models of data collection, storage and processing that cannot readily be transposed to decentralized and distributed databases. Only time will reveal how regulators and judges will approach the tension between the GDPR and DLT. In order to make sense of this tension we must consider it from a meta-perspective and evaluate the two conflicting normative objectives of EU law at play; fundamental rights protection on the one hand and the promotion of innovation on the other.279

d) Decentralized Database And The Issue Of Data’s Location

According to Art 3 of the GDPR, the Regulation applies to the processing of personal data of data subjects who are in the European Union, or in the context of the activities of an establishment located in the Union (regardless of whether the processing takes place in the EU or not).280 This also creates friction with blockchain technology, as having multiple data controllers located

274 Clyde Williamson, 'Pseudonymization Vs Anonymization And How They Help With Gdpr' (Protegrity, 5 January 2017) Accessed 23 May 2019 275 Cédric Burton, 'Personal Data, Anonymization, And Pseudonymization In The Eu' (Wsgr, 15 September 2015) Accessed 23 May 2019 276 Nick Farrell, 'Data Privacy Is The New Standard' (Cuttlesoff, 7 June 2018) Accessed 23 May 2019 277 Https://Gdpr-Info.Eu/Recitals/No-26/ 278 Matthias Berberich; Malgorzata Steiner, Blockchain Technology And The Gdpr - How To Reconcile Privacy And Distributed Ledgers, 2 Eur. Data Prot. L. Rev. 422 (2016)Https://Tinyurl.Com/Y5lugv6s > Accessed 19 May 2019 279 Finck, Michèle, Blockchains And Data Protection In The European Union (November 30, 2017). Max Planck Institute For Innovation & Competition Research Paper No. 18-01. Available At Ssrn: Https://Ssrn.Com/Abstract=3080322> Accessed 24 May 2019 280 Https://Gdpr-Info.Eu/Art-3-Gdpr/

60 around the world does not make it easy to establish jurisdiction. Indeed, blockchain technologies have no geographical limitations and data can quickly transfer around the world. Given Articles 44 to 49 of the GDPR, personal data transfer may only occur if the other country conforms to the Regulation or present a similar level of protection or appropriate guarantees.281

Overall, questions with regard to blockchain remain, including how one can determine in which country the other participant is located and how the blockchain can ensure that transfers only occur to countries with a sufficient level of protection.

e) Sharding-GDPR Compliance

As can be observed, this part deals with blockchain and GDPR compliance. It should be taken into consideration that sharding is a technique which differs somewhat from a regular blockchain network and was introduced with its own unique structure to address many blockchain issues, such as the scalability problem. As a result, it is important to investigate it separately in order to clarify whether this technique can sit comfortably with the GDPR or whether, as was discussed regarding blockchain, it also has its own contradictions and challenges with the GDPR.

Overall, research into the implementation of sharding in the data storage sector shows that, since this method is considered a novel idea and there is not much operational information or legal precedent showing how it interacts with the GDPR in practice, we cannot firmly claim either that this technique contradicts the GDPR or that the two can co-exist. Sharding is built on an extremely technical structure, and many aspects of the method remain uncertain and ambiguous, in particular for those in legal services who are not familiar with its technical features.

From one perspective, as sharding is a blockchain-based method, some characteristics and features of blockchain, such as immutability, should also be present in sharding. In this case, as this feature cannot co-exist with some GDPR principles such as the right to erasure, sharding providers should take the necessary steps to ensure their services comply with the GDPR and design their technical structure in a way that guarantees this compliance. Otherwise, they will face numerous legal consequences. However, it should be taken into account that, with sharding, data are essentially kept off-chain and distributed across the computers of third parties. As the personal data is not kept on the blockchain directly, the content of the stored data may not create any issues regarding GDPR compliance.

281 Https://Www.Linkedin.Com/Pulse/Gdpr-Contradictions-Between-Blockchain-Nicolas-Ameye Accessed 24 May 2019


All in all, it seems this subject requires more attention from both the legal sector and sharding specialists. Companies need to share information about this method so that it can be understood by other sectors. Sharding is already implemented by some companies engaged in data storage, and undoubtedly a noticeable proportion of this data can be categorized as personal information. As the GDPR governs such data, there should be some way to determine how these companies plan to deal with this issue. As can be observed, we need to wait for further relevant information and research on sharding methodology to be published in order to gain more clarity about the techniques sharding companies are using. We can remain optimistic that these companies are aware of GDPR compliance and have already applied operational methods to handle it properly.

3.2.3: Contractual Concerns

A. Terms And Conditions:

As was already discussed in the cloud computing part regarding the common terms of service drafted by CSPs, it was concluded that terms of service are usually drafted in a way that focuses mostly on the benefits of cloud providers, while users' expectations are usually ignored. This gives rise to the question of whether this issue is also common in the terms of service drafted and provided by decentralized cloud providers. In order to find out, Storj, a company which provides this decentralized cloud computing, is used as an example. The table below shows a brief summary of its terms and conditions, as indicated on the company's official website:


Privacy

You grant Company a non-exclusive, royalty-free, worldwide, perpetual, irrevocable, transferable and fully sublicensable right to reproduce, modify, distribute, and export any Storage Materials solely as necessary to comply with your instructions to store such Storage Materials via the Storage Platform.282

Cancellation And Termination

We reserve the right, without notice and in our sole discretion, to terminate this Agreement or suspend your right to access the Services.283

Warranty And Disclaimer

1. You are solely responsible for ensuring that any processing of Storage Materials via the Storage Services is in compliance with all applicable laws. We make no representations or warranties regarding the suitability of the Storage Services for the processing of any particular types of data.284

2. We do not own, control or endorse any User Content that is transmitted, stored, or processed via the Services. You are solely responsible for any of your User Content and for your use of any interactive features and areas of the Services.285

3. To the fullest extent permitted by applicable law and except as otherwise specified in the agreement:

a) The services are provided on an “as is” and “as available” basis without warranties of any kind, and we expressly disclaim all implied warranties as to the services, including, without limitation, implied warranties of merchantability, fitness for a particular purpose, title and non-infringement;

b) We do not represent or warrant that the services are accurate, complete, reliable, current or error-free, meet your requirements, or that defects in the services will be corrected;

c) We cannot and do not represent or warrant that the services or our servers are free of viruses or other harmful components.286

282 Storage Term Of Services/Sec 5-A Https://Storj.Io/Terms-Of-Service/ Accessed 29 May 2019

283 Storj Terms Of Use/Sec 20 Https://Storj.Io/Terms-Of-Use/ Accessed 29 May 2019

284 Storage Term Of Services/Sec 5-E Https://Storj.Io/Terms-Of-Service/ Accessed 29 May 2019

285 Storj Terms Of Use/Sec 10-A Https://Storj.Io/Terms-Of-Use/ Accessed 29 May 2019

286 Storj Terms Of Use/Sec 14 Https://Storj.Io/Terms-Of-Use/ Accessed 29 May 2019


Liability

1. In no event will company or any of the company parties be liable for any indirect, special, incidental, consequential, or exemplary damages of any kind arising out of or in any way related to the access or use of the services or otherwise related to the agreement, whether based in contract, tort or any other legal or equitable theory (even if the party has been advised of the possibility of such damages and regardless of whether such damages were foreseeable).287

2. In no event will the aggregate liability of company and the company parties (jointly), whether in contract, warranty, tort, arising out of or relating to the agreement or the use of or inability to use the service, exceed the greater of any compensation you pay to us for use of the services or $100 USD.288

3. Company will not be responsible for any loss, misuse, or deletion of Storage Materials or any failure of any Storage Materials to be stored or encrypted. You are solely responsible for backing up any Storage Materials.289

4. You are responsible for properly configuring and using the Storage Services to store your Storage Materials via the Storage Platform, and for maintaining appropriate security of your Storage Materials, which may include the use of encryption.290

Analysis Outcome

As can be observed, there is no difference between cloud computing providers and the blockchain-based company Storj in terms of the terms of service that customers are provided with. Both draft their terms and conditions unilaterally and one-sidedly, without considering the expectations and benefits of their customers. They have limited their responsibility in order to avoid any potential legal liability. Users have to accept these agreements, which are imposed on them without any right to change items in order to balance the interests of both parties. So, regarding terms of service, neither blockchain nor cloud can be considered superior. It has to be borne in mind that Storj, according to its terms and conditions, is not even liable for any damage to or erasure of the data and recommends that its customers back up the data elsewhere. That completely defeats the purpose of cloud storage and even enables reckless behavior by the company.

287 Storj Terms Of Use/Sec 15-A Https://Storj.Io/Terms-Of-Use/ Accessed 29 May 2019

288 Ibid.

289 Storage Terms Of Services/Sec 5-C Https://Storj.Io/Terms-Of-Service/ Accessed 29 May 2019

290 Storage Term Of Services/Sec 5-D Https://Storj.Io/Terms-Of-Service/ Accessed 29 May 2019

Storj Customers’ Reviews Regarding Its Terms And Conditions:

1. Some Storj users complain that this database does not work properly and that the upload and download speed is pretty low.291

2. In terms of cost, some people believe that Storj's rate is expensive compared to counterparts such as Sia, and almost the same even in comparison with centralized cloud providers such as Google Drive. Furthermore, Google Drive gives users 40 GB while this amount for Storj is 25.292 The price is not cheaper than that of other companies like Amazon or Google Drive, but some customers are looking more for "privacy" and "safety of data" and are ready to pay the price to use Storj.293

3. Storj is now going in a different direction from the goals it had when it started. Storj is sacrificing decentralization and trustlessness in order to be more appealing to businesses.294

4. Currently Storj uses centralized bridges run by Storj Labs. They claim that this does not make Storj centralized. This is manipulative. The only easily usable bridge is run by them. Storj Labs holds the metadata on where users’ files are. If they disappeared, the data owner would lose all of his or her files. They claim it does not matter because the network is decentralized. But the question is: what is the point of a decentralized network if the only way to access it is through a centralized ramp offered by only one company?295

5. All stored materials will be removed after 90 days.296 Even if the user keeps paying for them, they will be deleted. The company does not notify the data owner in any way, and the files even still appear to be available until the customer tries to download them and gets an error.297

As can be observed, based on customer reviews this method is not free of challenges and is associated with numerous issues and consumer risks. As a consequence, those who intend to use decentralized data storage should take all these negative aspects into consideration and, after doing an adequate amount of relevant research, decide whether or not to become a user of this service.

B. Service Level Agreement:

291 Https://Www.Reddit.Com/R/Storj/Comments/7rfftg/Is_Storj_Really_Cheaper/ Accessed 29 May 2019

292 Https://Www.Reddit.Com/R/Storj/Comments/7ommsh/Why_Would_I_Use_Storj/ Accessed 29 May 2019

293 Https://Www.Reddit.Com/R/Storj/Comments/96fwez/Is_Storj_Ready_To_Be_Used_By_End_Users_For/ Accessed 29 May 2019

294 Https://Www.Reddit.Com/R/Storj/Comments/7t0qxd/What_Are_The_Differences_Between_Sia_And_Storj/ Accessed 29 May 2019

295 Https://Www.Reddit.Com/R/Storj/Comments/7t0qxd/What_Are_The_Differences_Between_Sia_And_Storj/ Accessed 29 May 2019

296 Https://Storj.Io/Terms-Of-Service/

297 Https://Www.Reddit.Com/R/Storj/Comments/8xzm0h/Why_I_Chose_Storj_Over_Google_Drive/ Accessed 29 May 2019


On its website, Storj clearly provides that:

1. Users enter into the SLA solely by clicking to agree to the Storage Terms of Service (“Storage Terms”) during the account setup process, or by otherwise accessing or using the Storage Services of Storj Labs Inc. (“Company,” “we,” or “us”) that enable them to use the open source, distributed cloud storage platform (“Storage Platform”). If users are unwilling to be bound by the SLA conditions and do not agree with them, they are simply barred from accessing or using the Storage Services.298

2. In terms of service availability, the Company claims that, except for scheduled maintenance, its Storage Services will be available 99.99% of the time, and that it calculates availability based upon the service records it maintains.

3.2.4: Does Blockchain Address Issue Of Costly Data Storage In Cloud Computing?

One of the key challenges of cloud computing that blockchain seeks to address is cost. On-premise data centers are expensive to buy, operate, and maintain. On the other hand, space on cloud storage is also becoming expensive given the amount of data that needs to be stored. One must also consider the network and communication costs of accessing that data time and time again from all those distributed locations. It seems apparent that blockchain storage has the potential to reduce the cost of data storage. Compared to cloud data storage like Amazon S3, blockchain data storage seems significantly cheaper.299 However, it should be taken into account that cloud computing solutions tend to be cheaper when used variably but can be quite expensive when used for applications with a predictable workload. In other words, these solutions are cost-effective when used for occasional needs but are more expensive than traditional means when used on a daily basis.300 Overall, some decentralized data storage companies such as Storj have claimed that their price is not only affordable but also much cheaper than that of their centralized counterparts.301

298 Storage Service Level Commitment Https://Storj.Io/Storage-Sla/ Accessed 29 May 2019

299 Anupam Bhide, 'Will Blockchain Disrupt The World Of Data Storage As We Know It?' (Calsofti-Nc, 25 April 2019) Accessed 23 May 2019

300 Sadie Williamson, 'The Blockchain Is Here To Make Cloud Computing Better' (Information Age, 4 June 2018) Accessed 24 May 2019

301 Https://Storj.Io/Blog/2018/11/The-High-Price-Of-Traditional-Cloud-Storage/ Accessed 24 May 2019


Conclusion:

Since the advent of cloud computing and its implementation in the sphere of data storage, and regardless of the numerous advantages this method has brought about, especially for companies and businesses, it has always been associated with a vast number of negative aspects and disadvantages, which eventually gave rise to the question of whether there is any suitable alternative free of the aforementioned drawbacks.

For example, while cloud was considered much more affordable than on-premise infrastructure, it has been beset by security issues and constantly faces the problem of data breaches. Against this background, blockchain technology, concretely so-called sharding, was introduced to solve the difficulties cloud computing was dealing with. This application of blockchain expanded its scope, as it is no longer limited to cryptocurrencies and smart contracts.

From a theoretical perspective, blockchain-based sharding can be considered superior to cloud computing. Indeed, due to its special characteristics, which guarantee a high level of security and transparency, this method can address some of the main issues associated with cloud computing and can definitely be considered a viable substitute.

Since then, some have tried to test the accuracy of this theory to find out whether this method can be performed in a way that completely satisfies businesses' operational demands and has the potential to occupy the market position cloud computing has long held in the field of data storage.

In practice, when choosing either method, some factors should be taken into consideration. Sharding was primarily introduced to tackle the issue of costly cloud computing, and many decentralized cloud providers such as Storj claimed that their service is much cheaper than that of their centralized counterparts. However, we observe that Storj customers hold a different view and believe that this technique is not only not affordable compared to centralized cloud but is much more expensive, particularly when it is implemented on a large scale. Nevertheless, for companies and businesses in which data is valuable and considered an asset, the cost of storing sensitive data is not the priority, as they are more focused on which method can better protect their data and keep it secure. For instance, a law firm is willing to pay a higher price for the implementation of blockchain in exchange for a higher level of security to preserve its reputation.

Furthermore, if we believe sharding is superior to traditional cloud, for instance because of the higher level of security with which customers will be provided, this statement is not absolute, as it is highly dependent on various factors. Customers and all who intend to choose sharding should first do adequate research and identify the structure and type of network applied by the blockchain-based cloud provider. For instance, Ethereum proved to perform its function much faster.302

In the case of blockchain-GDPR compliance, it is highly dependent on the way data is stored: on the blockchain or off-chain. The simplest way of storing information with a blockchain is to store the data in the chain itself. For example, data can be stored as part of a transaction and will then be distributed to the community along with all the other transactions. Obviously, when the data is personal, this will eventually lead to a GDPR violation.303 On the contrary, with the off-chain method, the hash of a piece of data, which is quite small, can be stored in the chain. Due to the relatively small size of a hash, the corresponding cost of storage will also be low. The only challenge, then, is to provide a link between the hash in the chain and the physical storage location.304 Most importantly, this method solves the issue of GDPR compliance as the data itself is not stored on chain.
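The off-chain approach described above, as an added example (not code from the thesis or from any storage provider): the ledger keeps only a salted SHA-256 digest and a locator, while the record itself sits in a mutable store that can be altered or erased. `Ledger`, `OffChainStore` and the helper names are hypothetical, the sample record is constructed, and keeping a per-record salt off-chain is an assumption of this example.

```python
import hashlib
import json
import os


class Ledger:
    """Append-only hash chain standing in for the blockchain (hypothetical)."""

    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _block_hash(prev, payload):
        body = json.dumps(payload, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, payload):
        """Chain a new block to the previous one and return its index."""
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": self._block_hash(prev, payload)})
        return len(self.blocks) - 1

    def is_intact(self):
        """Recompute every link; any edited block breaks the chain."""
        prev = self.GENESIS
        for block in self.blocks:
            expected = self._block_hash(prev, block["payload"])
            if block["prev"] != prev or block["hash"] != expected:
                return False
            prev = block["hash"]
        return True


class OffChainStore:
    """Mutable storage outside the chain: records can be changed or deleted."""

    def __init__(self):
        self.objects = {}  # locator -> (salt, data)

    def put(self, data):
        locator = os.urandom(8).hex()   # the "link" to the storage location
        salt = os.urandom(16)           # assumption: salt lives off-chain only
        self.objects[locator] = (salt, data)
        return locator, hashlib.sha256(salt + data).hexdigest()

    def erase(self, locator):
        """Delete the record and its salt; returns True if something was removed."""
        return self.objects.pop(locator, None) is not None


def store_record(ledger, store, data):
    """Write the data off-chain and anchor only locator + digest on-chain."""
    locator, digest = store.put(data)
    return ledger.append({"locator": locator, "sha256": digest})


def verify_record(ledger, store, index):
    """Compare the off-chain record against its on-chain digest."""
    entry = ledger.blocks[index]["payload"]
    found = store.objects.get(entry["locator"])
    if found is None:
        return "erased"
    salt, data = found
    matches = hashlib.sha256(salt + data).hexdigest() == entry["sha256"]
    return "ok" if matches else "modified"


def run_demo():
    ledger, store = Ledger(), OffChainStore()
    record = b"name=Jane Example;city=Tilburg"  # constructed sample record
    idx = store_record(ledger, store, record)
    locator = ledger.blocks[idx]["payload"]["locator"]

    results = [verify_record(ledger, store, idx)]

    # Someone alters the off-chain copy: the on-chain digest exposes it.
    salt, _ = store.objects[locator]
    store.objects[locator] = (salt, b"name=Someone Else;city=Tilburg")
    results.append(verify_record(ledger, store, idx))

    # An erasure request is honoured off-chain; the chain is left untouched.
    store.erase(locator)
    results.append(verify_record(ledger, store, idx))

    plaintext_on_chain = "Jane Example" in json.dumps(ledger.blocks)
    return results, ledger.is_intact(), plaintext_on_chain


if __name__ == "__main__":
    print(run_demo())
```

After the erasure the chain still verifies, but its digest can no longer be matched to any stored record because the salt was deleted together with the data.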

However, while it cannot be denied that both centralized and decentralized data storage are associated with their own challenges and issues, the recent emergence of some blockchain-based companies which offer data storage services through the application of the sharding technique has altered the prior statement.

For instance, Storj, as a provider of blockchain-based sharding, has claimed that it has addressed two main issues of regular blockchain networks: cost and complexity. On its website, the company indicates that its service is simple to use and highly affordable.305 Storj intends to facilitate a faster, cheaper and more secure file storage solution than traditional cloud storage platforms. To achieve this goal, the company deploys several innovative technologies and methods to make sure that users are able to store and retrieve data in the fastest possible way while not compromising the security and integrity of data.306 Storj's founder claims that even though their service is in the early days of its innovation cycle, it is still drastically more affordable than centralized solutions. As it continues to evolve, it is likely to drop in price.307 Centralized systems such as Google Drive cannot provide users with an encrypted service.

302 'Ethereum Is Cheaper And Faster Than Bitcoin' (Medium,) Accessed 3 June 2019

303 Thomas Hepp And Others, 'On-Chain Vs Off-Chain Storage For Supply- And Blockchain Integration' [November 2018] ( ) Information Technology Accessed 4 June 2019

304 Thomas Hepp And Others, 'On-Chain Vs Off-Chain Storage For Supply- And Blockchain Integration' [November 2018] ( ) Information Technology Accessed 4 June 2019

305 Https://Www.Google.Com/Search?Client=Safari&Rls=En&Q=Storj+Coincentral&Ie=Utf-8&Oe=Utf-8 Accessed 4 June 2019

306 Ibid.

307 Https://Storj.Io/Blog/2018/11/The-High-Price-Of-Traditional-Cloud-Storage/ Accessed 3 June 2019


Data in Google, Microsoft or Dropbox will be analyzed, classified and used in whatever way is best for them, to target ads or to sell data.308 In Storj, the user’s file is shredded into pieces, and each piece is encrypted and copied to 6 different locations across the world. Even if the user loses 2/3 of the shards, the entire file can still be restored from the remaining and parity shards.309

However, because this mechanism is still quite novel and most of its technical aspects are difficult for non-specialists in this field to understand, most of our findings are based on sources such as customer reviews, company websites and blogs, and many aspects of this approach are still unclear. Nonetheless, given the prior statements, it should not come as a surprise if this method overtakes cloud computing and becomes the leading player in the data storage industry in the near future.

308 Https://Www.Reddit.Com/R/Storj/Comments/7ommsh/Why_Would_I_Use_Storj/ Accessed 3 June 2019

309 Https://Www.Reddit.Com/R/Storj/Comments/7ommsh/Why_Would_I_Use_Storj/ Accessed 3 June 2019


Bibliography

• John Rampton, '5 Applications For Blockchain In Your Business' (The Economist-Executive Education Navigator, )

• Adamc Uzialko, 'Beyond Bitcoin: How Blockchain Is Improving Business Operations' (Business News Daily, December 4, 2017 06:00 Pm Est)

• Parth Misra, '5 Ways Blockchain Technology Will Change The Way We Do Business' (Entrepreneur Europe, March 20, 2018)

• Laura Shin, 'Looking To Integrate Blockchain Into Your Business? Here's How' (Forbes, May 10, 2016, 08:00am) Https://Www.Forbes.Com/Sites/Laurashin/2016/05/10/Looking-To-Integrate-Blockchain-Into-Your-Business-Heres-How/#79d9e3641a15

• Sales Force Uk, 'Why Move To The Cloud? 10 Benefits Of Cloud Computing' (Sales Force, 17 November 2017)

• Katalyse Io, 'Why Blockchain Is The Future Of Data Storage' (Medium, 8 July 2018)

• Joe Clabby, 'The Problem With Cloud Service Providers And Security Slas' (Computerworld, February 05, 2015 10:42 Am Pt)

• Rachel Wolfson, 'Blockchain-Based Data Storage Solutions Help Secure User Data' (Forbes, Sep 25, 2018, 09:00am)

• Tim, 'Benefits Of Blockchain For Data Storage' (Nano Etx Express, 25 April 2018)


• Sadie Williamson, 'The Blockchain Is Here To Make Cloud Computing Better' (Information Age, 4 June 2018)

• Zack Herbert, 'Why Blockchains Are The Future Of Cloud Storage' (Sia, 6 February 2017)

• Ameer Rosik, 'Blockchain Scalability: When, Where, How?' (Block Geeks, 2017)

• Shobhit Seth, 'What Is A Cryptocurrency Public Ledger?' (Investopedia, 25 April 2018)

• Grace Caffyn, 'What Is The Bitcoin Block Size Debate And Why Does It Matter?' (Coindesk, Aug 21, 2015 At 15:11 Utc)

• Luke Fortney, 'Blockchain, Explained' (Investopedia, 1 May 2019)

• Ameer Rosik, 'Proof Of Work Vs Proof Of Stake: Basic Mining Guide' (Block Geeks, 2017)

• Margaret Rouse, 'What Is Sharding' (Search Oracle, December 2011)

• Gerald Fenech, 'Scalability On The Blockchain - Is There A Solution?' (Forbes, Dec 16, 2018, 10:00am)

• Kyle Croman And Others, 'On Scaling Decentralized Blockchains' [ ] 16( ) Acc

• Li Kenny, 'The Blockchain Scalability Problem & The Race For Visa-Like Transaction Speed' (Hackernoon, 30 January 2019)

• Daniel Frumkin, 'Transactions Per Second And Consensus Mechanisms Of The Top 50 Cryptocurrencies' (Invest In Blockchain, 8 April 2019)


• Catalin Zorzini, 'What Are Gas Limit And Gas Price For Ethereum Transactions?' (Unblock, 20 February 2018)< Https://Ethical.Net/Unblock/What-Are-Gas-Limit-And-Gas-Price

• Hudson Jameson, 'Accounts, Transactions, Gas, And Block Gas Limits In Ethereum' (Hudson Jameson, 27 June 2017)

• Connor Blenkinsop, 'Blockchain’s Scaling Problem, Explained' (Cointelegraph, 22 August 2018)

• David Canellis, 'Bitcoin Cash Has Failed To Make Use Of Its 8mb Block Size, Analysts Say' (Tnw, )

• Utkarsh Anand, 'Bitcoin Cash: Does It Solve Problems Or Create More?' (Bitsonline, 17 October 2017)

• Linda Willemse, 'Solving The Blockchain Scalability Issue: Sharding V’s Sidechains' (Blockdeltaio, 4 October 2018)

• Jeeyoung Kim, 'How Sharding Works' (Medium, 5 December 2014)

• Krishna Prasad, 'Sharding, Scaling, Data Storage Methodologies, And More: Insights On Big Data' (D Zone, 5 December 2014) Accessed 2 April 2019

• Yaoqi Jia, 'Op Ed: The Many Faces Of Sharding For Blockchain Scalability' (Bitcoin Magazine, 20 March 2018)

• Saketkumar Singh, 'Guide: What Is Sharding In The Blockchain?' (Bittpress, 8 November 2018)

• Anca Faget, 'Blockchain 101: What Is Sharding In Blockchain?' (Coindoo, 19 May 2019)

• Romi Kumar, 'How To Use Sharding Without Sacrificing Security' (Bitcoin Insider, 05/02/2019 - 18:17)

• Hsiao Wei Wang, 'Ethereum Sharding: Overview And Finality' (Medium, 27 December 2017)


• Jamila Omaar, 'Forever Isn’t Free: The Cost Of Storage On A Blockchain Database' (Medium, 19 July 2017)

• Masashi Narumoto And Others, 'Sharding Pattern' (Microsoft Azure, 23 June 2017)

• Deepak Puthal And Siksha Kumar Mishra, 'Cloud Computing Features, Issues And Challenges: A Big Picture' [January 2015] 9( ) International Conference On Computational Intelligence And Networks < Https://Tinyurl.Com/Yyohjhah >

• S Sabashini And V Kavitha, 'A Survey On Security Issues In Service Delivery Models Of Cloud Computing' [11 July 2010] 11( ) Journal Of Network And Computer Applications

• Yogesh Sapkale, 'Aadhaar Data Breach Largest In The World, Says Wef’s Global Risk Report And Avas' (Money Life, 19 February 2019)

• Brandon Lee, 'Top Cloud Data Breach In 2018/Lessons Learned' (Spinbackup, 18 March 2019)

• Contel Bradford, '7 Most Infamous Cloud Security Breaches' (Storage Craft, )

• Johndavid Kerr And Kwok Teng, 'Cloud Computing: Legal And Privacy Issues' [ ] 11( ) Journal Of Legal Issues And Cases In Business

• Dan Svantesson And Clarke Roger, 'Privacy And Consumer Risks In Cloud Computing' [ July 2010] 18( ) Computer Law & Security Report

• Abrashid Dar And Dr Ravindran, 'Survey On Scalability In Cloud Environment ' [July 2016] 5( 7) International Journal Of Advanced Research In Computer Engineering & Technology (Ijarcet)

• Sarah Vonnegut, 'Scalability In The Cloud: How Organizations Win With The Cloud' (Stratoscale, )


• Aarti Singh And Manisha Malhotra, 'Agent Based Framework For Scalability In Cloud Computing ' [April 2012] 5( ) International Journal Of Computer Science & Engineering Technology (Ijcset)

• Khaled Mkhan And Quataibah Malluhi, 'Establishing Trust In Cloud Computing' [30 September 2010] 8( 5) It Professional

• Imadm Abbadi And Andrew Martin, 'Trust In Cloud' [August-November 2011] 16( 3- 4) Information Security Technical Report

• Rashmi Rai And Others, 'Securing Software As A Service Model Of Cloud Computing: Issues And Solutions' [September 2013] 12( ) International Journal On Cloud Computing: Services And Architecture (Ijccsa)

• Maricela-Georgiana Avram, 'Advantages And Challenges Of Adopting Cloud Computing From An Enterprise Perspective' [December 2014] 6( )The 7th International Conference Interdisciplinarity In Engineering (Inter-Eng 2013)

• Raul Chong, 'Data Resiliency On The Cloud' (Cloud Computing News, 30 November 2011)

• Nicolas Bohorquez, 'Challenges To Traditional Cloud Computing: Security, Data, Resiliency' (Sumo Logic, 19 April 2018)

• Saurabh Kumar Garg And Others, 'A Framework For Ranking Of Cloud Computing Services' [June 2013] 29(4) Future Generation Computer Systems

• Sunita Sharma, 'Data Integrity Challenges In Cloud Computing' [January-February 2018] 4(1) International Journal Of Current Trends In Engineering & Technology

• Nehar Thakur And Aman Kumar Sharma, 'Data Integrity Techniques In Cloud Computing: An Analysis' [August 2017] 7(8) International Journal Of Advanced Research In Computer Science And Software Engineering

• Wada Abdullahi And Others, 'Cloud Computing: Technical, Non-Technical And Security Issues' [March 2014] 3(3) International Journal Of Computer Applications Technology And Research


• Bill Claybrook, 'Cloud Interoperability: Problems And Best Practices' (Computerworld, 1 June 2011)

• Yashpal Kadam, 'Security Issues In Cloud Computing A Transparent View' [October 2011] ( ) International Journal Of Computer Science & Emerging Technologies

• Alex Miller, 'Regulatory Compliance In The Cloud' (Tripwire, 30 January 2017)

• Jay Heiser ,Mark Nicolette 'Assessing The Security Risks Of Cloud Computing ' (Gartner Research, 3 June 2008)

• Dereje Yimam And Eduardob Fernandez, 'A Survey Of Compliance Issues In Cloud Computing' [10 May 2016] ( ) Journal Of Internet Services And Applications


• Ajith Harshana Ranabahu, And Others 'Service Level Agreement In Cloud Computing' [2009] ( ) Cloud Workshop At Opsala

• Thomasj Trappler, 'Cloud Adviser: Where Is Your Data?' (Computerworld,13 December 2011)

• Subashini And V Kavitha, 'A Survey On Security Issues In Service Delivery Models Of Cloud Computing' [January 2011] 34( 1) Journal Of Network And Computer Applications

• 'Shared Responsibility Model' (Aws, )

• Rashmi Rai And Others, 'Securing Software As A Service Model Of Cloud Computing: Issues And Solutions' [August 2013] 3( ) International Journal On Cloud Computing: Services And Architecture

• Dimitrios Zissis And Others, 'Addressing Cloud Computing Security Issues' [March 2012] 28( 3) Future Generation Computer Systems


• Siva Selvan And Others, 'Confidentiality Issues In Cloud Computing And Countermeasures: A Survey' [March 2016] ( ) Conference Paper

• Siani Pearson And Azzedine Benameur, 'Privacy, Security And Trust Issues Arising From Cloud Computing ' [January 2011] ( ) 2nd Ieee International Conference On Cloud Computing Technology And Science

• Rhonda Farrell, 'Securing The Cloud—Governance, Risk, And Compliance Issues Reign Supreme' [19 November 2010] 19( 6) Information Security Journal: A Global Perspective

• Jim Buchanan, 'Cloud Computing: 4 Tips For Regulatory Compliance' (Cio, 8 August 2018)

• Lucian Constantin, 'Report: Over 59,000 Gdpr Data Breach Notifications, But Only 91 Fines' (Cso, 6 February 2019)

• Rebecca Hill, 'French Data Watchdog Dishes Out Largest Gdpr Fine Yet: Google Ordered To Hand Over €50m' (The Register, 21 January 2019)

• Won Kim, 'Cloud Computing: Today And Tomorrow ' [2009] 8(1) Journal Of Object Technology Accessed 7 May 2019

• Gauthier Chassang, 'The Impact Of The Eu General Data Protection Regulation On Scientific Research' [January 2017] ( ) French Institute Of Health And Medical Research Accessed 6 May 2019

• Mark Webber, 'The Gdpr’s Impact On The Cloud Service Provider As A Processor ' [ ] 16(4) Pfpjournals

• Christina Tikkinen-Piri And Others, 'Eu General Data Protection Regulation : Changes And Implications For Personal Data Collecting Companies' [ 2017] 34(1) Computer Law & Security Review

• Jeremy Feigelson, 'New Guidance On The Gdpr’s Territorial Scope – Are You Covered?' (Nyu, 6 December 2018)

• Colin Tankard, 'What The Gdpr Means For Business' [June 2016] 2016(6) Network Security

76

• Jocelyn Krystlik, 'With Gdpr, Preparation Is Everything' [June 2017] ( ) Computer Fraud & Security

• Simon Bradshaw And Others, 'Contracts For Clouds: Comparison And Analysis Of The Terms And Conditions Of Cloud Computing Services'[August 2011] 47( ) I J Law And Information Technology

• Stephanie Overby, 'What Is An Sla? Best Practices For Service-Level Agreements' (Cio, July 05, 2017 03:00 Am Pt)

• Juan Martinez , 'Cloud Regulations: What You Need To Know To Be Safe' (Pcmag, May 9, 2016 9:55am Est)

• Naresh Vurukonda And B. Thirumala Rao , 'A Study On Data Storage Security Issues In Cloud Computing ' [2016] 92( ) Procedia Computer Science}

• Chunming Rong And Others, 'Beyond Lightning: A Survey On Security Challenges In Cloud Computing' [2013] 39( 1) Computers & Electrical Engineering May 2019

• Pankesh Pate And Others, 'Service Level Agreement In Cloud Computing' [2009] ( ) Cloud Workshops At Oopsla

• Vahid Dastjerdi And Others, 'A Dependency-Aware Ontology-Based Approach For Deploying Service Level Agreement Monitoring Services In Cloud' [2011] ( )

• Vincentc Emeakaroha And Others, 'Desvi: An Architecture For Detecting Sla Violations In Cloud Computing Infrastructures' [2010] 21( )Department Of Computer Science And Software Engineering, University Of Melbourne, Australia

• Danjerker Svantesson And Clarke Roger, 'Privacy And Consumer Risks In Cloud Computing' [ July 2010] 18( ) Computer Law & Security Report

• Charles Phillips, '7 Of The Most Significant Cloud Compliance Regulations' (Charles Philips, 8 Amrch 2018)

• Traceyc, 'How Does The Location Of Your Data Affect You Legally?' (Veber, 28 September 2018)

• Roche Jonathan, 'Cloud Computing: Legal Issue' [2014] ( )

77

• Todd Hoff, 'Troubles With Sharding - What Can We Learn From The Foursquare Incident?' (High Scalability, 15 October 2010)

• Xueping Liang And Others, 'Provchain: A Blockchain-Based Data Provenance Architecture In Cloud Environment With Enhanced Privacy And Availability' [2017] ( ) 2017 17th Ieee/Acm International Symposium On Cluster, Cloud And Grid Computing

• Delton Rhodes, 'Blockchain Data Storage Could Soon Be The New Standard' (Coin Central, 25 June 2018)

• Seena Gressin, 'The Equifax Data Breach: What To Do' (Federal Trade Commission Consumer Information, 8 September 2017)

• Alfred Ng, 'How The Equifax Hack Happened, And What Still Needs To Be Done' (Road Show, September 2018)

• Tim Sandle, 'Why Blockchain Storage Is More Secure Than The Cloud' (Digital Journal, 2 July 2018)

• Delton Rhodes, 'Blockchain Security Issues And Legislative Challenges' (Coin Central, 22 April 2019)

• Dmitry Efanov And Pavel Roschin, 'The All-Pervasiveness Of The Blockchain Technology' [2018] 123 ( ) Procedia Computer Science

• Robert Devoe, 'Gamecredits Uses Komodo Platform To Fight 51% Attacks & Secure Network' (Blockonomi, 7 June 2018)

• Iuon-Chang Lin And Tzu-Chun Liao, 'A Survey Of Blockchain Security Issues And Challenges' [2017] 19(5) International Journal Of Network Security

• Sarah Sinning, '51% Attack Proves Blockchain Is ‘Unhackable’ The Way The Titanic Was ‘Unsinkable’' (Dzone, 22 Feburary 2019)

• Edoardo Gaetani And Others, 'Blockchain-Based Database To Ensure Data Integrity In Cloud Computing Environments' [2017] ( ) In Proceedings Of The First Italian Conference On Cybersecurity (Itasec17), Venice, Italy

78

• Martijn Veldkamp, 'Blockchain Could Solve Data Integrity Problems' (Martijn Veldkamp Ramblings And Random Thoughts, 17 September 2016)

• Silvan Jongerius , 'A Primer To Gdpr, Blockchain, And The Seven Foundational Principles Of Privacy By Design' (Dataconomy,8 January 2019)

• Jinho Park And Jonghyuk Park, 'Blockchain Security In Cloud Computing: Use Cases, Challenges, And Solutions' [2017] ( ) Symmetry

• Matthias Berberich; Malgorzata Steiner, Blockchain Technology And The Gdpr - How To Reconcile Privacy And Distributed Ledgers, 2 Eur. Data Prot. L. Rev. 422 (2016)Https://Tinyurl.Com/Y5lugv6s >

• Robert Herian, 'Regulating Disruption: Blockchain, Gdpr, And Questions Of Data Sovereignty' [2018] 1-16( ) Journal Of Internet Law

• Andries Van Humbeeck, 'The Blockchain-Gdpr Paradox' (Bl-Platform, 3 April 2018)

• Penglund, 'Blockchain And Gdpr Are Struggling To Co-Exist' (Go Crypto Wise, 6 March 2019)

• Finck, Michèle, Blockchains And Data Protection In The European Union (November 30, 2017). Max Planck Institute For Innovation & Competition Research Paper No. 18-01. Available At Ssrn: Https://Ssrn.Com/Abstract=3080322

• Ben Davis, 'Gdpr Requires Privacy By Design, But What Is It And How Can Marketers Comply?' (Econsultancy, 25 August 2017)

• Clyde Williamson, 'Pseudonymization Vs Anonymization And How They Help With Gdpr' (Protegrity, 5 January 2017)

• Cédric Burton, 'Personal Data, Anonymization, And Pseudonymization In The Eu' (Wsgr, 15 September 2015)

• Nick Farrell, 'Data Privacy Is The New Standard' (Cuttlesoff, 7 June 2018)

• Anupam Bhide, 'Will Blockchain Disrupt The World Of Data Storage As We Know It?' (Calsofti- Nc, 25 April 2019)

79

• Sadie Williamson, 'The Blockchain Is Here To Make Cloud Computing Better' (Information Age, 4 June 2018)

• Gdpr And Blockchain: Contradictory Or Complementary?' (Coin Isseurcom, 4 February 2019)

• Material And Territorial Scope Of The Gdpr' (Gdpr Informer, 5 September 2017)

• Privacy In Focus, 'The Gdpr’s Reach: Material And Territorial Scope Under Articles 2 And 3' (Wiley Rein Llp, May 2017)

• Bitcoin Exchange Guide News Team, 'Transactions Per Second (Tps): Cryptocurrency And Blockchain Importance Examined' (Bitcoin Exchange Guide, 2 September 2018)

• Bit Rewards, 'Blockchain Scalability: The Issues, And Proposed Solutions' (Medium, 25 April 2018)

• Troubles With Sharding - What Can We Learn From The Foursquare Incident?' (D Zone, 15 October 2010)

• The Benefits And Challenges Of Cloud Computing' [ ] 10( ) Quest Technology Management For Business

• Data Breach In The Cloud – 2018 Trends That It Pros Must Think' (Cloud Codes, 1 June 2018) Accessed 1 May 2019

• Incloud360, 'What To Expect In A Cloud Service Level Agreement (Sla)' (Incloud360, 18 August 2014)

• Idg Connect, 'The Most Common Causes Of Cloud Data Breaches' (Idg Connect, 1 February 2018)

• Itgp Privacy Team, Eu General Data Protection Regulation (Gdpr): An Implementation And Compliance Guide - Second Edition (Second Edition Edn, It Governance Publishing 2017) 12 • Https://Www.Techopedia.Com/Definition/9746/Terms-Of-Service-Tos/Accessed 12 May 2019

80

• What Are Cloud Service Providers?' (Sdxcentral, ) Https://Www.Sdxcentral.Com/Cloud/Definitions/What-Are-Cloud- Service-Providers/

• Dispatch, 'Challenges Of Maintaining A Gdpr-Compliant Cloud Platform' (The Nyu Dispatch, 6 August 2018)

• Blockchianus, 'What Is The “51% Attack?”' (Blockchainus, 4 September 2018)

• Gdpr Technical Series #1: Anonymization And Pseudonymization' (Dataguise, 14 August 2018)

• Many Benefits Of Using Cloud Backup Service From A Reliable And Reputed Service Provider, Mansi Singh, Available At Https://Www.Youtube.Com/Watch?V=-Jgkhnasxac,

• Cloud Computing: Legal Model And Legal Issues Accessed From: Http://Www.Rushmoorlaw.Com/Articles/News/

• Interoperability And Portability For Cloud Computing: A Guide' Object Management Group, December 2017)

• What Is A Node' (Lisk, )

• What Is Mining' (Cryptocraze, )

Websites:

• Https://Www.Google.Com/Search?Client=Safari&Rls=En&Q=Storj+Coincentral&Ie=Utf- 8&Oe=Utf-8

• Https://Www.Linkedin.Com/Pulse/Gdpr-Contradictions-Between-Blockchain-Nicolas-Ameye

• Storage Term Of Services> Https://Storj.Io/Terms-Of-Service/

• Https://Www.Gstatic.Com/Policies/Privacy/Pdf/20190122/F3294e95/Google_Privacy_Policy_En .Pdfhttps://Www.Gstatic.Com/Policies/Privacy/Pdf/20190122/F3294e95/Google_Privacy_Policy _En.Pdf>

• Https://Bitcoin.Stackexchange.Com/Questions/39132/What-Is-Gas-Limit-In-Ethereum>

81

• Https://En.Bitcoinwiki.Org/Wiki/Sharding

• Storj Terms Of Use>Https://Storj.Io/Terms-Of-Use/

• Storage service level commitment> https://storj.io/storage-sla/

• Https://Www.Apple.Com/Legal/Internet-Services/Icloud/En/Terms.Html

• Goggle Drive Terms Of Service/ Https://Www.Google.Com/Drive/Terms-Of- Service/Https://Www.Dropbox.Com/Privacy#Terms>

• Https://Help.Dropbox.Com/Security/Privacy-Policy-Faq >

• Https://Www.Apple.Com/Uk/Legal/Privacy/En-Ww/

• Https://Www.Dropbox.Com/Terms#Business_Agreement>Accessed

• Https://Gdpr-Info.Eu/Recitals/No-26/

• Https://Www.Gdpreu.Org/Compliance/Fines-And-Penalties/

• Article 2 Gdpr/ Https://Www.I-Scoop.Eu/Gdprarticle/Gdpr-Article-2-Material-Scope/

• Article 3 Gdpr Regulations, Accessed Online From: Https://Gdpr-Info.Eu/Art-3-Gdpr/

• Article 4 Gdpr/ Https://Www.Gdpreu.Org/The-Regulation/Key-Concepts/Personal-Data/

• Article 83 Gdpr/ Https://Gdpr-Info.Eu/Art-83-Gdpr/

• Http://Techgenix.Com/Blockchain-Technology-For-Cloud-Storage/

• Report

• Https://Www.Google.Com/Drive/Terms-Of-Service/

• Https://Medium.Com/Rubius-Inc/Ethereum-Is-Cheaper-And-Faster-Than-Bitcoin- F0b53879b7aa • Https://Coinswitch.Co/Info/Storj/What-Is-Storj

• Https://Coincentral.Com/Storj-Beginners-Guide/

82

Standards and legislations

• ISO/IEC 19086:2016 • ISO/IEC 27001:2013 • ISO/IEC 27017 • ISO/IEC 27018 • GDPR (regulation)

83