The problem of 'personal data' in cloud computing: What information is regulated?-the cloud of unknowing

International Data Privacy Law

Volumn 1, Issue 4, 2011, Pages 211-228

  Kuan Hon, W ^a   Millard, Christopher ^b   Walden, Ian ^a  

^a CLP ^*

^b UNIVERSITY OF OXFORD   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 85070979158     PISSN: 20443994     EISSN: 20444001     Source Type: Journal    
DOI: 10.1093/idpl/ipr018     Document Type: Article

References (72)

1. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31.
2. Eg Ponemon Institute, Flying Blind in the Cloud-The State of Information Governance (7 April 2010);
3. European Network and Information Security Agency, An SME perspective on Cloud Computing-Survey (ENISA, November 2009).
4. see Chris Reed's CLP paper, 'Information “Ownership” in the Cloud' (2010) Queen Mary School of Law Legal Studies Research Paper No. 45/2010,http://papers.ssrn.com/ sol3/papers.cfm?abstract_id=1562461. last accessed 26 August 2011.
5. C Kuner, European Data Protection Law: Corporate Compliance and Regulation (2nd edn, OUP, Oxford 2007), ch 1, pt G.
6. European Commission, 'A comprehensive approach on personal data protection in the European Union' (Communication) COM (2010) 609 final (November 2010);
7. Neelie Kroes, 'Cloud computing and data protection' (Les Assises du Numérique conference, Université Paris-Dauphine, 25 November 2010) SPEECH/10/686.
8. S Bradshaw, C Millard and I Walden, 'Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services' (2010) Queen Mary School of Law Legal Studies Research Paper No 63/ 2010 ('CLP Contracts Paper'),http://papers.ssrn.com/sol3/papers. cfm?abstract_id=1662374. last accessed 26 August 2011.
9. Heroku, 'Can I connect to services outside of Heroku?',http:// devcenter.heroku.com/articles/external-services. last accessed 26 August 2011.
10. Heroku's acquisition by SaaS (and, increasingly, PaaS) provider Salesforce.com was completed in January 2011. Salesforce.com, 'Salesforce.com Completes Acquisition of Heroku' (2011),http://www. salesforce.com/company/news-press/press-releases/2011/01/110104.jsp. last accessed 26 August 2011.
11. Eg, for Windows Azure users, Zuora's payments system. 'Real World Windows Azure: Interview with Jeff Yoshimura, Head of Product Marketing, Zuora' (Windows Azure Team Blog, 11 November 2010),http://blogs.msdn.com/b/windowsazure/archive/2010/11/11/real-world-windows-azure-interview-with-jeff-yoshimura-head-of-product-marketing-zuora.aspx. last accessed 26 August 2011.
12. 'Google Apps Marketplace now launched' (Google Apps, 10 March 2010) ,http://googleappsupdates.blogspot.com/2010/03/google-apps-marketplace-now-launched.html. last accessed 26 August 2011.
13. Some other data types are also regulated more stringently, eg 'traffic data' and 'location data' under Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector OJ L 201/37, 31.07.2002 ('ePrivacy Directive').
14. WP136, 13, and the contextual nature of 'personal data' has been recognized eg in Common Services Agency v Scottish Information Commissioner (Scotland) [2008] UKHL 47, (CSA), [27].
15. WP136, 20, and the examples in ICO, Determining what is personal data (Data Protection Technical Guidance) (2007), 5.2.
16. Such use may indeed be key to its business model. Miranda Mowbray, 'The Fog over the Grimpen Mire: Cloud Computing and the Law' (2009) 6:1 SCRIPTed 129, 144-5.
17. K Zetter, 'Medical Records: Stored in the Cloud, Sold on the Open Market' (Wired, 19 October 2009),http://www.wired.com/threatlevel/ 2009/10/medicalrecords/. last accessed 26 August 2011.
18. HipSnip, HipSnip Legal Statement,http://hipsnip.com/hip/legal. last accessed 26 August 2011.
19. I Walden, 'Anonymising Personal Data' [2002] 10(2) International Journal of Law and Information Technology 224.
20. In the UK, a tribunal has held that anonymization is 'processing'-All Party Parliamentary Group on Extraordinary Rendition v The Information Commissioner & The Ministry of Defence, [2011] UKUT 153 (AAC) (APGER), [127].
21. C Dwork, 'Differential Privacy: A Survey of Results, Theory and Applications of Models of Computation', in Manindra Agrawal, Dingzhu Du, Zhenhua Duan and Angsheng Li (eds), Theory and Applications of Models of Computation (Springerlink 2008).
22. Arvind Narayanan and Vitaly Shmatikov, 'De-anonymizing Social Networks' (Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, IEEE Computer Society Washington, DC, USA, 17-20 May 2009) 173.
23. Eg Joined Cases C 92/09 and C 93/09 Volker und Markus Schecke (Approximation of laws) OJ C 13/6, 15.1.2011
24. Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems (2nd edn, John Wiley & Sons, 2008), Ch 5.3.1.
25. Peter Fleischer, 'Austrian insights' (Peter Fleischer: Privacy . . . ?, 22 February 2010),http://peterfleischer.blogspot.com/ 2010/02/austrian-insights.html. last accessed 26 August 2011.
26. The Scottish court in Craigdale Housing Association & Ors v The Scottish Information Commissioner [2010] CSIH 43, [2010] SLT 655 [19]
27. Department of Health v Information Commissioner, [2011] EWHC 1430 (Admin)
28. The Safe Harbor is one method enabling export of personal data to the USA. Commission Decision 2000/520/EC [2000] OJ L 215/7.
29. European Commission, Frequently Asked Questions relating to Transfers of Personal Data from the EU/EEA to Third Countries (2009).
30. See the AOL search results release incident, summarized in Paul Ohm, 'Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization' (2010) 57 UCLA Law Review 1701.
31. Douwe Korff, European Commission Comparative study on different approaches to new privacy challenges, in particular in the light of technological developments-Working Paper No. 2: Data protection laws in the EU: The difficulties in meeting the challenges posed by global social and technical developments (European Commission 2010), 48.
32. Even differential privacy is attackable. See Graham Cormode, 'Individual Privacy vs Population Privacy: Learning to Attack Anonymization' (2010),http://arxiv4.library.cornell.edu/abs/1011.2511. last accessed 26 August 2011.
33. Research also continues on anonymization-eg the Purdue project on anonymizing textual data, and its impact on utility,http://projects. cerias.purdue.edu/TextAnon/..
34. Matt Blaze et al, Minimal key lengths for symmetric ciphers to provide adequate commercial security (US Defense Technical Information Center 1996).
35. Greg Miller, 'CIA to examine impact of files recently released by WikiLeaks', The Washington Post (22 December 2010).
36. Eg messages encrypted using Data Encryption Standard (DES) were decrypted by the US Electronic Frontier Foundation-see,http://w2. eff.org/Privacy/Crypto/Crypto_misc/DESCracker/. last accessed 26 August 2011.
37. Bruce Schneier, 'Cryptanalysis of SHA-1' (Schneier on Security, 18 February 2005),http://www.schneier.com/blog/archives/2005/02/ cryptanalysis_o.html. last accessed 26 August 2011.
38. Eg Mozilla Weave, now Firefox Sync-Christopher Soghoian, 'Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era' [2010] Journal on Telecommunications and High Technology Law 8(2) 359
39. Thomas Roth, 'Cracking Passwords in the Cloud: Amazon's New EC2 GPU Instances' (Stacksmashing.net, 15 November 2010),http://stacksmashing.net/2010/ 11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances. last accessed 26 August 2011.
40. Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR' (Electric Alchemy, 30 October 2009),http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html. last accessed 26 August 2011.
41. Ryan Singel, 'Dropbox Lied to Users about Data Security, Complaint to FTC Alleges' (Wired, 13 May 2011),http:// www.wired.com/threatlevel/2011/05/dropbox-ftc/. last accessed 26 August 2011.
42. W Kuan Hon, Millard and Walden, 'Who is Responsible for “Personal Data” in Cloud Computing? The Cloud of Unknowing, Part 2' (2011),http://papers.ssrn.com/sol3/ papers.cfm?abstract_id=1794130. last accessed 26 August 2011.
43. Seny Kamara and Kristin Lauter, 'Cryptographic Cloud Storage', in Radu Sion and others (eds), FC'10 Proceedings of the 14th International Conference on Financial Cryptography and Data Security (Springer-Verlag Berlin, Heidelberg 2010), 136.
44. Eg Mozy's procedures involve encrypting data on a user's local computer, using the user's key, before transfer to Mozy's servers via encrypted transmissions. Mozy, Inc, 'Is MozyHome secure?' (2010),http://docs.mozy.com/docs/ en-user-home-win/faq/concepts/is_it_secure_faq.html. last accessed 26 August 2011.
45. Eg N Smart and F Vercauteren, 'Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes' in Phong Q Nguyen and David Pointcheval (eds), Public Key Cryptography-PKC 2010, 420 (Springer, Berlin/Heidelberg 2010).
46. R Chow and others, 'Controlling data in the cloud: outsourcing computation without outsourcing control' in Radu Sion and Dawn Song (chairs), Proceedings of the 2009 ACM workshop on Cloud computing security (ACM, Chicago, Illinois 2009).
47. Other approaches to secure cloud processing include data obfuscation-Miranda Mowbray, Siani Pearson and Yun Shen, 'Enhancing privacy in cloud computing via policy-based obfuscation' (online 31 March 2010) The Journal of Supercomputing DOI: 10.1007/s11227-010-0425-z.
48. Daniele Catteddu and Giles Hogben, Cloud Computing-Benefits, Risks and Recommendations for Information Security (European Network and Information Security Agency, 2009) 55, V10.
49. See IaaS provider Rackspace US, Inc.'s submission, International transfer of personal data (Consultation Paper on the Legal Framework for the Fundamental Right to Protection of Personal Data) (2009),http://ec. europa.eu/justice/news/consulting_public/0003/contributions/ organisations_not_registered/rackspace_us_inc_en.pdf. last accessed 26 August 2011.
50. Tim Mather, Subra Kumaraswamy and Shahed Latif, Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (O'Reilly 2009), 62.
51. Eg Facebook uses relational database MySQL and NoSQL database Cassandra-Sean Michael Kerner, 'Inside Facebook's Open Source Infrastructure' (Developer.com, 22 July 2010),http:// www.developer.com/features/article.php/3894566/Inside-Facebooks-Open-Source-Infrastructure.htm. last accessed 26 August 2011.
52. Google Apps-Rajen Sheth, 'Disaster Recovery by Google' (Official Google Enterprise Blog, 4 March 2010),http://googleenterprise.blogspot. com/2010/03/disaster-recovery-by-google.html. last accessed 26 August 2011.
53. Microsoft Windows Azure-Microsoft, 'Introduction to the Windows Azure Platform' (MSDN Library),,http://msdn.microsoft.com/en-us/ library/ff803364.aspx. last accessed 26 August 2011.
54. Eg to equalize workload across different servers and/or data centres. LA Barroso and U Hölzle, The Datacenter as a Computer: An Introduction to the Design of Warehouse-Scale Machines in Mark D Hill (ed.), Synthesis Lectures on Computer Architecture (Morgan & Claypool 2010) 16.
55. Eg data stored using Amazon's Elastic Block Store (EBS), appearing to users as physical hard drives, are, before being stored as EBS snapshots on Amazon's S3 storage service, first broken into chunks whose size depends on Amazon's optimizations. Amazon, Amazon Elastic Block Store (EBS) (2011),http://aws.amazon.com/ebs/. last accessed 26 August 2011.
56. Alan Eustace, 'Creating stronger privacy controls inside Google' (Official Google Blog 22 October 2010),http://googleblog.blogspot.com/2010/10/creating-stronger-privacy-controls.html.
57. (Symform, 'How Symform Processes and Stores Data' (Symform),http://symform.com/ faq-how-symform-processes-and-stores-data.aspx.) last accessed 26 August 2011.
58. On law enforcement issues in cloud computing see another CLP paper: Ian Walden, 'Law Enforcement Access in a Cloud Environment' (2011) Queen Mary School of Law Legal Studies Research Paper No. 72/2011,http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1781067. last accessed 26 August 2011.
59. Thilo Weichert, 'Cloud Computing and Data Privacy' (The Sedona Conference 2011) ,https://www.datenschutzzentrum.de/cloud-computing/20100617-cloud-computing-and-data-privacy.pdf., 10-11, last accessed 26 August 2011.
60. Adrian Chen, 'GCreep: Google Engineer Stalked Teens, Spied on Chats (Updated)' (Gawker 14 September 2010),http://gawker.com/5637234/. last accessed 26 August 2011.
61. David Drummond, 'Greater transparency around government requests' (Google Public Policy Blog, 20 April 2010),http://googlepublicpolicy.blogspot.com/2010/04/ greater-transparency-around-government.html. last accessed 26 August 2011.
62. Concerns have recently been raised about US providers handing users' data to US authorities if compelled by US law, eg the US PATRIOT Act, including data located outside the USA. See, for example, Jennifer Baker, 'EU upset by Microsoft warning about US access to EU cloud' (NetworkWorld 5 July 2011),http://www.networkworld.com/ news/2011/070511-eu-upset-by-microsoft-warning.html. last accessed 26 August 2011.
63. Peter Carey, Data Protection: a Practical Guide to UK and EU Law (OUP, 2009), 86: a TV interview statement is public; what about a personal announcement to friends?
64. Eg A29WP and Working Party on Police and Justice, The Future of Privacy-Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, WP 168 (2009) [48], [71];
65. A29WP, Opinion 5/2009 on online social networking, WP 163 (2009), 3.1.2 and 3.2.
66. Martin Whitehead, GSMA Europe response to the European Commission consultation on the framework for the fundamental right to the protection of personal data (GSMA Europe, 2009),http://ec.europa.eu/justice/news/ consulting_public/0003/contributions/organisations/gsma_europe_en. pdf. last accessed 26 August 2011.
67. Cisco Systems, Cisco response to the consultation on the legal framework for the fundamental right to protection of personal data (2009),http://ec.europa.eu/justice/news/consulting_public/0003/contributions/ organisations/cisco_en.pdf. s 3.3, 5, last accessed 26 August 2011.
68. Swedish Ministry of Justice, Personal Data Protection-Information on the Personal Data Act (2006).
69. Neelie Kroes, 'Towards a European Cloud Computing Strategy' (World Economic Forum Davos 27 January 2011) SPEECH/11/ 50. Encryption and security measures also need standardization, with a view to appropriate legal recognition of accepted standards.
70. Eg IBM's Idemix, Microsoft's technologies incorporating Credentica's U-Prove, the Information Card Foundation's Information Cards. Touch2ID pilots smartcards proving UK holders are of drinking age without revealing other data-Kim Cameron, 'Doing it right: Touch2Id' (Identity Weblog, 3 July 2010),http://www.identityblog.com/?p=1142. last accessed 26 August 2011.
71. Case C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinaporssi and Satamedia Oy (Approximation of laws) OJ C 44/6, 21.2.2009;
72. [2008] ECR I-9831.