Revision of 11 November 2009

Introduction

Cloud computing is a vague term typically used to refer to a technical arrangement under which users store their data on remote servers under the control of other parties, and rely on software applications stored and perhaps executed elsewhere, rather than on their own computers. The term encompasses a variety of services, which are variously of long standing (including email), long-promised (including ‘software as a service’), and relatively new.

There are many potential benefits with such arrangements. For example:

• The user can access the same set of applications, and the same data, regardless of location, and regardless of which hardware they use (such as computers, PDAs and mobile phones, including both their own hardware and devices borrowed from other individuals and organisations)
• Several users can access and share the same applications and data, which assists in collaborative work
• Backup and recovery is delegated to a service-provider, which presumably enhances its reliability
• Licensing of software and third-party data can be simplified
• Complex tasks can be performed on relatively small devices by depending on more powerful remote servers

At the same time, cloud computing is associated with severe risks in the areas of service and data integrity, consumer rights, security and privacy. This Policy Statement addresses only the APF’s area of competency, privacy.

Key Concerns

The Australian Privacy Foundation has serious concerns about cloud computing:

• Cloud Computing is an immature and obscure technology with unknown risks. This means that:
  • providers of cloud computing products:
    • must undertake a Privacy Impact Assessment (PIA) before launching their product
    • must ensure that users of their products have easy access to clear and comprehensive information about the privacy and security risks involved in using the product
    • must ensure that users of their products can keep control over the use and disclosure of their personal information, including through accessible and clear privacy options
  • user organisations must undertake a PIA before adopting cloud computing techniques in relation to personal data, and must not use such services unless they can ensure that privacy and security risks are satisfactorily addressed, and privacy laws are complied with
  • individuals using cloud computing products must ensure they are aware of the privacy and security risks associated with using the product, and take those risks into account when deciding whether to use it
• In many models of cloud computing, data may be moved outside Australia to other countries resulting in a significant loss of privacy protections. In such cases:
  • providers of cloud computing products
    • must inform users of the arrangements in relation to transmission and storage of data, prior to the commencement of the service
    • must ensure that security and privacy are appropriately protected, and privacy laws complied with
    • in the case of cloud computing schemes targeted at Australians, must allow the user the choice of having personal data stored in Australia only
  • user organisations must ensure that privacy and security risks are satisfactorily addressed, and privacy laws complied with, and hence must not implement cloud computing techniques where the provider is unable to preclude transmission or storage in jurisdictions that do not have equivalent privacy laws
  • individual users of cloud computing products must carefully assess whether the use of the product justifies the risk of losing the privacy protection afforded under Australian law
• User organisations considering the use of cloud computing techniques for personal data must take full responsibility for ensuring that the service-provider:
  • applies appropriate security measures to the transmission and storage of the data – taking into account the fact that cloud computing products represent ‘honey-pots’ of data that inevitably attract hackers
  • does not use or disclose the data, other than as authorised by the organisation or required by law
• Individual users of cloud computing products must appreciate that:
  • network-connection may not be reliable
  • access to the service may not be reliable
  • data flows may be subject to interception, and the service-provider may fail to provide security for data transmission commensurate with its sensitivity
  • the remote data storage may be subject to unauthorised accesses – by insiders, and because cloud computing products represent ‘honey pots’ of data that inevitably attract hackers – and the service-provider may fail to provide security for data storage commensurate with its sensitivity
  • the service-provider may block access to or use of the data (e.g. because of a dispute over payment)
  • the service-provider may use the data for their own purposes
  • the service-provider may disclose the data
  • the service-provider may lose the data
  • the service-provider may not support extraction or transfer of the data in a format suitable to the user
• Regulatory agencies must take proactive steps to investigate and assess the security and privacy risks of using cloud computing, and to educate the public about these risks

Conclusions

While cloud computing has potentially valuable applications, it also gives rise to serious security and privacy risks. It is crucially important that:

• providers of cloud computing products act responsibly
• organisational users of cloud computing take full responsibility for protection of personal data
• individual users of cloud computing products be aware of the risks involved
• regulatory agencies take prompt steps to ensure appropriate, but not unduly intrusive or expensive, regulation of the technologies and practices underlying cloud computing

Resources

Cavoukian A. (2009) 'Privacy in the clouds: A white paper on privacy and digital identity' Information and Privacy Commissioner of Ontario, 2009

EPIC (2009) 'Resources on Cloud Computing' Electronic Privacy Information Center, Washington DC, 2009

Robert Gellman (2009) 'Cloud Computing and Privacy' World Privacy Forum [an industry assocation], 2009

Leslie Harris (2009) 'Perils in the Privacy Cloud' ABC News, 15 Sep 2009

Rosalie Marshall (2008) 'Experts urge caution on cloud computing' Secure Computing Magazine, 14 October 2008

Mather T., Kumaraswamy S. & Latif S. (2009) 'Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance ' O'Reilly Media, 2009

MS (2009a) 'Securing Microsoft’s Cloud' Microsoft, May 2009

MS (2009b) 'Privacy in the Cloud Computing Era – A Microsoft Perspective' Microsoft, November 2009