Who Owns Your Data in the Cloud?

1Executive Summary

Increasingly, individuals and businesses are entrusting data to to the cloud. As computing moves inexorably from the desktop to the web, more of our  information — from emails and personal documents to financial information and even our current whereabouts — sits in the cloud. Gmail, Google Docs, Zoho, Facebook, Basecamp, Flickr, Twitter, Mozy — so much of our data is now kept online. Most people don’t stop to think about where that data is stored or how it might be accessed or used. So, who owns your data and who has access to it? How much privacy can you expect?

These questions have become more complex recently, because many web app vendors are now using cloud computing resources (like Amazon’s Web Services, Microsoft’s Windows Azure and Google’s App Engine). Your data doesn’t sit on the web app vendor’s server; it’s actually being stored elsewhere. Coupled with that is an increased use of APIs to facilitate greater interoperability between web apps, meaning that your data may be used in ways that you don’t expect. It’s becoming much harder to keep track of where your bits and bytes are actually being held, and how they can be used.

Who Owns Your Data?

The simple answer to the question, “Who owns your data?” is “you do.” However, in return for access to certain apps or services, you might relinquish ownership of some or all of your data, or you might agree to grant a license to use that data in some way. In particular for businesses with intellectual property concerns, it’s important to read any Privacy Policies or Terms of Service (ToS) before signing up to a site and to make sure that any provisions to use your data are reasonable.

For example, Facebook’s Terms of Service state that if you upload any content covered by intellectual property rights (such as photos and videos) you grant Facebook a non-exclusive temporary license to use that content, while that content exists on its server. While Facebook probably needs that license to be able to then display my photos to my friends, it also means that it could (in theory) use my photos in ways that I hadn’t originally intended, perhaps using them to advertise the service. I think the license is a reasonable one to grant in order to be able to share my photos with my friends, but you may not.

There’s also a question of what is your data. Obviously things you create and upload to the web, like photos, blog posts and emails, are yours, but what about things like lists of contacts or other data generated by using a particular site? You might consider them to be your property, but the site may disagree. Robert Scoble highlighted this last year when he was barred from Facebook for using a scraping program to harvest “his” contacts’ details from the service to use with Plaxo.

Data Privacy

You may think that you have a reasonable expectation of privacy of your data, perhaps that it is protected from snooping by the Fourth Amendment (or similar statutes in your country), which states that people shall “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” However, as web apps and cloud computing are new technologies, the courts have yet to provide a significant amount of guidance in this area. The contents of emails are protected under the law, but many other types of data (even the inbox the emails are stored in) might not be. In particular, the “third-party doctrine,” which states that if you pass information to a third party, you lose your Fourth Amendment rights, undermines online privacy considerably.

The Minnesota Law Review report “Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing” concludes:

“By universally recognizing that digital content does not lose its highly personal status when it is placed online, and by further recognizing that properly concealed virtual containers retain reasonable expectations of privacy, the courts will bring Fourth Amendment law up to speed with modern technology and societal expectations.”

While the law may change to take into account new technologies, it has not done so yet; you cannot assume that your data is not open to being accessed by the Department of Justice or other governmental body.

The issue of privacy of data is even more sticky when data is not stored in the U.S. Some cloud storage providers allow customers to elect where (in what jurisdiction) their data will be stored, which gives their customers some control over what privacy laws might apply to that data. For instance, Amazon allows customers to choose between three different Regions in which to store their data (two in the U.S., one in the EU), while Azure will have similar region-based pricing. Notably, customers cannot make a similar choice with Google App Engine, making determining where the data will be stored much harder.

If you are using a web app that relies on cloud storage, you’ll need to check with the vendor about the privacy safeguards they have in place, which cloud services they use and where the data is stored. All of this makes ensuring privacy of your data a tricky and involved process. It’s no surprise that many customers just trust that their web app vendors safeguard their data. If that data is confidential company IP, then extra care is required.

Your data could also be used by your web app vendors. It’s vital that you check privacy policies before signing up to any service to see how your data might be used. For example, Facebook and Google will use your data to serve you targeted ads. Other vendors may pass your data to third parties. As privacy policies tend to change over time, you also need to make sure that those changes haven’t introduced anything that you’re uncomfortable with.

Data Security

In some ways, cloud storage of data is great. You don’t have to worry about the hard drive failing on your machine, and you can access your data anywhere. But what happens if your web app vendor goes bust (as happened to about 20,000 unlucky customers of early cloud storage provider The Linkup)? Or what happens if your account is hacked, or if you get locked out of your account (see Chris Brogan’s account of Nick Saber losing access to his Google accounts, for example, or this NPR story about Abel Habtegeorgis also losing his Google access). Although you may own the data, if you entrust it to a third party, you no longer have sole control over it and, consequently, you risk losing access to it. It’s worth remembering that having your data stored in the cloud does not obviate the need for backups.

As data portability and privacy issues become more recognized (thanks, in part, to the efforts of organizations like DataPortability.org and the EFF), most web app vendors and cloud storage providers certainly seem to be taking these issues seriously. However, you shouldn’t completely trust a third party with your private data; if you or your company have some data that you truly need to remain private and secure, keep it on your own servers.

Relevant analyst in cloud computing
You must be logged in to post a comment.
23 Comments Subscribers to comment
  1. Great piece Simon.

    My opinion is to look at data and say “is it valuable?”.

    The answer is a resounding yes. If we think about it money is data.

    Then lets look at the way we treat money. We get things like federal ( government) protections and assurances about the data.

    ^^^It doesn’t matter if its a flickr pic or a key piece of drug company research. We are in an age where data is starting to have unprecedented value to its owners.^^^ Cloud base infrastructure is inevitable and the storage of that data will migrate there. And not everyone can or will have their own servers. It’s like saying we should all buy a mattress to stuff our money into – it works but it isn’t the long term solution. But I agree that its the best solution at the moment.

    What will happen is there will be some spectacular failures of cloud – technical and business related – that will cause the governments of the world to create policies and safeguards they way they have done for banks and money.

    I am rather adamant that it will be inevitable rather than a “might”. The Danger Hiptop outage was the first ( and spectacular bad handling of the situation ). Can you even imagine what would happen if that happened to the Blackberries on Wall Street?

  2. Antoine RJ Wright Monday, January 25, 2010

    Maybe the ideal system is where users have personal servers (mobile, USB key, etc.) which hold an authentication key for services such as the Facebooks and Googles to hold certain information for a time until its downloaded to that personal server. And then for those things like the analytics which draw even more information from the information stored/uploaded/shared, those APIs and tools are open enough so that users can see what others see about their information – not necessarily the connections they make which turns into their addressable IP.

  3. ^^^Even more interesting will be the treatment of derived ‘meta data’ (Who I know, who I email, what coffee shops do I like to visit etc). We have already seen the first implications on manipulating / exposing this type of data on Facebook or Google Buzz.^^^ Both with respect to privacy between users and the ability of a social network operator to charge say a third party retailer to run campaigns on their behalf targeting all users and their friends who fit a certain demographic. Would this infringe privacy laws (in which countries) or EULA ‘click through’ commercial rights (and fair use)? Would or should the user be notified? No data need actually be transferred to the retailer so has any data protection regulation been violated? Plenty of issues to keep lawyers and providers busy and users vigilant.

    1. Yes, I touched on this briefly with the “what is your data?” question, but it’s definitely going to be an increasingly important problem as this kind of data becomes more useful and more therefore more valuable.

    2. This is also something that Ed Gubbins looked at in a column late last year — except with an eye toward potential upside benefits for we users: http://pro.gigaom.com/2009/11/will-marketing-data-as-currency-enable-self-monetization/

      “What if I had control over all of it, rather than Facebook or Google or the grocery store? What if I harnessed all my personal data myself and could control exactly how much I sold, to whom, and for how much? What if I could convert it to real dollars in a neutral exchange? It’s a strange currency, sure, because it includes things like personal tastes and opinions, so every time I change my mind, it could be like printing money. But it would encourage me to release much more information than I do today.”

Explore Related Topics

Learn about our services or Contact us: Email / 800-906-8098