Increasingly, individuals and businesses are entrusting data to the cloud. As computing moves inexorably from the desktop to the web, more of our information — from emails and personal documents to financial information and even our current whereabouts — sits in the cloud. Gmail, Google Docs, Zoho, Facebook, Basecamp, Flickr, Twitter, Mozy — so much of our data is now kept online. Most people don’t stop to think about where that data is stored or how it might be accessed or used. So, who owns your data and who has access to it? How much privacy can you expect?
These questions have become more complex recently, because many web app vendors are now using cloud computing resources (like Amazon’s Web Services, Microsoft’s Windows Azure and Google’s App Engine). Your data doesn’t sit on the web app vendor’s server; it’s actually being stored elsewhere. Coupled with that is an increased use of APIs to facilitate greater interoperability between web apps, meaning that your data may be used in ways that you don’t expect. It’s becoming much harder to keep track of where your bits and bytes are actually being held, and how they can be used.
Who Owns Your Data?
The simple answer to the question, “Who owns your data?” is “you do.” However, in return for access to certain apps or services, you might relinquish ownership of some or all of your data, or you might agree to grant a license to use that data in some way. In particular for businesses with intellectual property concerns, it’s important to read any Privacy Policies or Terms of Service (ToS) before signing up to a site and to make sure that any provisions to use your data are reasonable.
For example, Facebook’s Terms of Service state that if you upload any content covered by intellectual property rights (such as photos and videos) you grant Facebook a non-exclusive temporary license to use that content, while that content exists on its server. While Facebook probably needs that license to be able to then display my photos to my friends, it also means that it could (in theory) use my photos in ways that I hadn’t originally intended, perhaps using them to advertise the service. I think the license is a reasonable one to grant in order to be able to share my photos with my friends, but you may not.
There’s also a question of what is your data. Obviously things you create and upload to the web, like photos, blog posts and emails, are yours, but what about things like lists of contacts or other data generated by using a particular site? You might consider them to be your property, but the site may disagree. Robert Scoble highlighted this last year when he was barred from Facebook for using a scraping program to harvest “his” contacts’ details from the service to use with Plaxo.
You may think that you have a reasonable expectation of privacy of your data, perhaps that it is protected from snooping by the Fourth Amendment (or similar statutes in your country), which states that people shall “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” However, as web apps and cloud computing are new technologies, the courts have yet to provide a significant amount of guidance in this area. The contents of emails are protected under the law, but many other types of data (even the inbox the emails are stored in) might not be. In particular, the “third-party doctrine,” which states that if you pass information to a third party, you lose your Fourth Amendment rights, undermines online privacy considerably.
The Minnesota Law Review report “Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing” concludes:
“By universally recognizing that digital content does not lose its highly personal status when it is placed online, and by further recognizing that properly concealed virtual containers retain reasonable expectations of privacy, the courts will bring Fourth Amendment law up to speed with modern technology and societal expectations.”
While the law may change to take into account new technologies, it has not done so yet; you cannot assume that your data is not open to being accessed by the Department of Justice or another governmental body.
The issue of data privacy is even stickier when data is not stored in the U.S. Some cloud storage providers allow customers to elect where (in what jurisdiction) their data will be stored, which gives their customers some control over what privacy laws might apply to that data. For instance, Amazon allows customers to choose between three different Regions in which to store their data (two in the U.S., one in the EU), while Azure will have similar region-based pricing. Notably, customers cannot make a similar choice with Google App Engine, which makes it much harder to determine where the data will be stored.
If you are using a web app that relies on cloud storage, you’ll need to check with the vendor about the privacy safeguards they have in place, which cloud services they use and where the data is stored. All of this makes ensuring privacy of your data a tricky and involved process. It’s no surprise that many customers just trust that their web app vendors safeguard their data. If that data is confidential company IP, then extra care is required.
Your data could also be used by your web app vendors. It’s vital that you check privacy policies before signing up to any service to see how your data might be used. For example, Facebook and Google will use your data to serve you targeted ads. Other vendors may pass your data to third parties. As privacy policies tend to change over time, you also need to make sure that those changes haven’t introduced anything that you’re uncomfortable with.
In some ways, cloud storage of data is great. You don’t have to worry about the hard drive failing on your machine, and you can access your data anywhere. But what happens if your web app vendor goes bust (as happened to about 20,000 unlucky customers of early cloud storage provider The Linkup)? Or what happens if your account is hacked, or if you get locked out of your account (see Chris Brogan’s account of Nick Saber losing access to his Google accounts, for example, or this NPR story about Abel Habtegeorgis also losing his Google access)? Although you may own the data, if you entrust it to a third party, you no longer have sole control over it and, consequently, you risk losing access to it. It’s worth remembering that having your data stored in the cloud does not obviate the need for backups.
As data portability and privacy issues become more recognized (thanks, in part, to the efforts of organizations like DataPortability.org and the EFF), most web app vendors and cloud storage providers certainly seem to be taking these issues seriously. However, you shouldn’t completely trust a third party with your private data; if you or your company have some data that you truly need to remain private and secure, keep it on your own servers.