Law Opinion
Cloud computing and privacy issues
Umme Wara Mishu
Cloud computing is a key component of today's information and technology system. This technology has been used in various forms though all of them do not carry similar privacy risk. Cloud computing is involved with some sensitive elements which can be exploited by cyber criminals, for example, privacy. This exploitation effects legality of the system and trustworthiness of users in a large extent. Though it has been said that, “a well configured cloud computing architecture is a hacker's worst nightmare. Conversely, a poorly configured cloud computing architecture is a hacker's best dream.” In this write up, the privacy challenges posed by cloud computing are addressed and some remedial measures are suggested.
Right to privacy and technology
Privacy means the capacity to keep secret any private or sensitive information and expose them carefully. According to United Nations Universal Declaration of Human Rights 1948 and other international conventions on human rights, right to privacy is one of the most important fundamental rights. Private information includes personal and sensitive identifiable information or sometimes exclusive device identities. In cloud computing system, these types of databases can move around from one organisation to the other one for its dynamic way of interaction.
In a new technology like this one, there are good sides and bad sides. To maintain the privacy of users and security of information through cloud technology becomes a hot issue for being the quickest method of transferring data between countries that eliminates the restrictions in doing so as before. And this removal of restrictions might be a justified reason of the fear of losing privacy in user's mind as in the year of 2007 a letter was sent from the cloud service provider Salesforce.com to their users explaining the way cybercriminals stole the emails and addresses of the customers.
The way of exploitation
Cyber criminals exploit the dynamic and quick movement of cloud computing in many ways. For example, sometimes they publicize sensitive information of a user in a wrong way with a malicious intention for which that particular person will be defamed in many ways. Sometimes unprotected data being spread out through the cloud by getting unauthorized access and use the information illegally which sometimes related to national jurisdictional matter. Sometimes an organisation can be defamed also because of any non fulfilment to venture regulations and principles.
Recently, Software as a Service (SAAS) has given a facility to the clients for latest function of service supplier where the access into internet is sufficient for it rather assimilate the software in to own system. But with this service, lots of information is moving around for which the software companies are in a threat for their privacy issues.
Two types of security risks are involved in putting information through cloud system. Firstly, someone cannot control ever about accessing his information by any other person and secondly, some applications are only accessible only when someone is in internet and that particular application is operating on that time. Google informed its clients recently about a software malfunction which permit subscribers unauthorized entrance to google docs those are accumulated on Google's servers. On March 7 of this year, Google Docs product manager Jennifer Mazzon notified that some of its users' information was erroneously shared by a bag which is believed to affect nearly 0.05 percent of total information. Study by Ponemon Institute on 2008, reveals that among all U.S. companies and government organizations, only 21% had a regular encryption strategy among all of their branches. Another study by the Identify Theft Resource Centre, it was also found that almost 12 million files of U.S. government and non-government bodies were lost and hacked over last six months. So, it is evident that securing of information and applications which run on the websites through cloud computing are t burning issues for technology world. Attacks can be made by hackers, thieves which turn in to vast financial damage, non-compliance activity, and devastating matters with client's sensitivity and pleasure. In absence of appropriate procedure or practice, these types of accidents are happening within a very short period of time.
Mechanisms to protect privacy
There are some mechanisms to protect the information and data of individuals and companies and lots of controversies arose regarding this issue. When in business any transfer of information to third party retailers by the other party to occurred, then the obligation do not concludes rather they should also think about the protection of that information.
An example from US of the Gramm-Leach-Bliley Act can be given here. This Act though allows financial organizations to reveal secret and private data to any third party (for example- cloud technology supplier), but the contract between the organization and the supplier has to be taken cautiously. Besides, the Privacy Rule under the Health Insurance Portability and Accountability Act of US also talked about the protection system regarding any business associations and agreements. In Shcherbakovskiy v. Da Capo Al Fine, Ltd., the U.S. Court of Appeals for the Second Circuit approved that any party can be entailed for producing data that has a real capacity to attain it.
Preventive measures
Most of the users do not know about the exploitation side of cloud technology. So, educating them is a big factor as they are the clients and they are the victims if any wrong happens through cloud computing. Users have to have the right to know what is going on regarding their personal information. And only those data can be processed that are significantly needed for the specific purpose. A proper legislation should be enacted that will clarify the rules, regulations and the accountability of the companies and users in such way so that any party can take shelter of that Act when it is justified. Consumers should pay concentration whether the cloud supplier preserves any right to reveal, or make publicize consumer's personal information. And they should also be aware that whether the cloud supplier notify for any alteration in their policy. Cloud providers also have to be cautious regarding their work policy. For example, they need to be sure before putting any data in the cloud system that they are not infringing any legal instrument.
The writer is Lecturer, Department of Law, Jagannath University, Dhaka.
