Information Privacy and Data Control in Cloud Computing: Consumers, Privacy Preferences and Market Efficiency

Information Privacy and Data Control in Cloud Computing: Consumers, Privacy Preferences and Market Efficiency

Illinois Program in Law, Behavior and Social Science Research Paper No. LBSS12-11 Illinois Public Law and Legal Theory Research Paper No. 11-20 Information Privacy and Data Control in Cloud Computing: Consumers, Privacy Preferences and Market Efficiency Jay P. Kesan* Carol M. Hayes** Masooda N. Bashir*** *Professor, University of Illinois College of Law **University of Illinois ***University of Illinois This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection: http://papers.ssrn.com/pape.tar?abstract_id=2042638 Electronic copy available at: http://ssrn.com/abstract=2042638 Information Privacy and Data Control in Cloud Computing: Consumers, Privacy Preferences, and Market Efficiency Jay P. Kesan Carol M. Hayes Masooda N. Bashir Abstract So many of our daily activities now take place “in the cloud,” where we use our devices to tap into massive networks that span the globe. Virtually every time that we plug into a new service, the service requires us to click the seemingly ubiquitous box indicating that we have read and agreed to the provider’s terms of service (TOS) and privacy policy. If a user does not click on this box, he is denied access to the service, but agreeing to these terms without reading them can negatively impact the user’s legal rights. As part of this work, we analyzed and categorized the terms of TOS agreements and privacy policies of several major cloud services to aid in our assessment of the state of user privacy in the cloud. Our empirical analysis showed that providers take similar approaches to user privacy and were consistently more detailed when describing the user’s obligations to the provider than when describing the provider’s obligations to the user. This asymmetry, combined with these terms’ nonnegotiable nature, led us to Professor and H. Ross & Helen Workman Research Scholar, University of Illinois College of Law. Research Associate, University of Illinois College of Law; Fall 2010 Fellow in the Christine Mirzayan Science and Technology Policy Graduate Fellowship program at the National Academy of Sciences. Assistant Director for Social Trust Initiatives, Information Trust Institute, University of Illinois. The authors also wish to acknowledge the excellent research assistance of Robert Zielinski in preparing this work. 1 Electronic copy available at: http://ssrn.com/abstract=2042638 2 70 WASH. & LEE L. REV. 0000 (2013) conclude that the current approach to user privacy in the cloud is in need of serious revision. In this Article, we suggest adopting a legal regime that requires companies to provide baseline protections for personal information and also to take steps to enhance the parties’ control over their own data. We emphasize the need for a regime that allows for “data control” in the cloud, which we define as consisting of two parts: 1) the ability to withdraw data and require a service provider to stop using or storing the user’s information (data withdrawal); and 2) the ability to move data to a new location without being locked into a particular provider (data mobility). Ultimately, our goal with this piece is to apply established law and privacy theories to services in the cloud and set forth a model for the protection of information privacy that recognizes the importance of informed and empowered users. Table of Contents I. Introduction ........................................................................ 4 II. Cloud Computing Fundamentals ....................................... 7 A. Background Technology ............................................... 7 1. The Internet ............................................................ 9 2. Mobile Computing ................................................. 10 3. Security ................................................................. 12 4. Related Regulations .............................................. 12 B. What Is Cloud Computing? ........................................ 14 1. Defining Cloud Computing ................................... 14 2. Growth of Cloud Computing ................................. 16 3. Uses of Cloud Computing ..................................... 17 4. Types of Cloud Computing Services ..................... 20 C. Advantages and Disadvantages of Cloud Computing 21 D. Cloud Computing Legal Issues .................................. 24 1. Privacy .................................................................. 25 2. Jurisdiction ........................................................... 28 E. Calls for Action in the Cloud ...................................... 30 1. Transparency and Control .................................... 31 F. Cloud Services in Different Industries ....................... 32 III. Privacy Fundamentals ...................................................... 34 A. Privacy Theories ......................................................... 34 Electronic copy available at: http://ssrn.com/abstract=2042638 INFORMATION PRIVACY AND DATA CONTROL 3 1. Warren and Brandeis ........................................... 38 2. Prosser .................................................................. 40 a. Prosser’s Privacy Torts and Information Privacy ............................................................. 42 3. Modern Informational Privacy Theory ................. 43 a. Concepts of Privacy ......................................... 45 b. The First Amendment Critique....................... 47 c. Privacy As a Commodity ................................. 48 B. Privacy Law ................................................................ 51 1. Steps Towards Regulation of Privacy ................... 51 2. Federal Privacy Statutes and State Laws ............ 53 a. Electronic Communications Privacy Act......... 57 (1) Stored Communications Act ...................... 59 (2) Applying the SCA to the Cloud ................. 63 3. Case Law ............................................................... 65 a. Fourth Amendment ......................................... 66 b. Stored Communications Act ............................ 71 c. Contracts and Privacy ..................................... 73 4. European Privacy Law ......................................... 75 a. The Safe Harbor Framework .......................... 77 IV. Companies, Customer Data, and Customer- Company Interactions ...................................................... 78 A. Companies and Customer Data ................................. 78 1. Terms of Service Agreements ............................... 79 a. TOS as Contracts of Adhesion......................... 81 2. Privacy Policies ..................................................... 83 a. Sharing Information with the Government .... 85 3. Effects of Security Breaches ................................. 87 4. Protecting Consumer Data—Who Watches the Watchers? ....................................................... 89 5. Tracking Technologies and Behavioral Marketing.............................................................. 93 6. Personally Identifiable Information and “Anonymous” Information .................................... 97 V. Empirical Analysis of Agreements and Policies in the Cloud ..........................................................................100 A. Methodology ...............................................................100 B. Terms of Service Agreements ....................................103 C. Privacy Policies ..........................................................106 D. Analysis and Discussion ............................................114 4 70 WASH. & LEE L. REV. 0000 (2013) E. Implications ...............................................................116 VI. Recommendations—Building a Baseline for Facilitating Transactions in the Cloud ...........................117 A. Building the Baseline ................................................117 1. Baseline Regulation .............................................119 B. Data Control ..............................................................121 1. Personally Identifiable Information ....................122 2. Secondary Use ......................................................122 3. Course-of-Business Data .....................................125 VII. Conclusion ........................................................................128 “You have zero privacy anyway. Get over it.” —Scott McNealy, Chairman and former CEO of Sun Microsystems, 1999 I. Introduction What price for your privacy? As social interactions and business activities have shifted online, or into “the cloud,” personal information has become a currency with an undervalued exchange rate. What data are consumers willing to trade in exchange for convenience and services online? Would they be as willing to engage in this trade if their privacy rights were more protected and if they had the ability to exercise meaningful control over their data? Technological and social changes have stimulated many developments over the last decade as the Internet became ingrained in society and social interactions. Substantial technological changes require the law to adapt. When our perceptions change, policymakers amend the law accordingly to address evolved expectations. In this Article, the perceptions and law that we are concerned about are those associated with privacy, especially privacy in the context of services provided over the cloud. This is not the first time that conceptions of privacy have been shaped by technology. The Right to Privacy, published in 1890, was the seminal work of

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    130 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us