Data protection in cloud computing - Data Protection Conference 2011


Kuan Hon's slides for workshop on data protection in cloud computing at Data Protection 2011 conference organised by Holyrood in Edinburgh, UK on 24 February 2011.

Published in: Technology, Business

  • ‘Amazon Web Services Customer Agreement’ Clause 7.2, available online at http://

    1. 1. Data Protection in the Clouds 24 February 2011 Kuan Hon Cloud Legal Project Centre for Commercial Law Studies, Queen Mary, University of London / [email_address] Data Protection 2011
    2. 2. Introduction <ul><li>Cloud Legal Project </li></ul><ul><ul><li>Cloud terms of service analysis paper </li></ul></ul><ul><li>Questions we will tackle today – </li></ul><ul><ul><li>What information in the cloud is regulated under data protection laws? </li></ul></ul><ul><ul><li>Who is responsible for personal data? </li></ul></ul><ul><ul><li>Where is personal data processed? </li></ul></ul><ul><ul><li>Whose laws apply in a dispute? </li></ul></ul>
    3. 3. Maturity - Gartner hype cycle Oct 2010 (as at Aug 2010)
    4. 4. But first… what is cloud computing? <ul><ul><li>It usually involves the provision of scalable IT resources (data storage, application hosting, etc. ) on demand, delivered via the internet </li></ul></ul><ul><ul><li>Cloud Legal Project definition : </li></ul></ul><ul><ul><ul><li>Provides flexible, location-independent access to computing resources that are quickly and seamlessly allocated or released in response to demand.  </li></ul></ul></ul><ul><ul><ul><li>Services (especially infrastructure) are abstracted and typically virtualised, generally being allocated from a pool shared as a fungible resource with other customers. </li></ul></ul></ul><ul><ul><ul><li>Charging, where present, is commonly on an access basis, often in proportion to the resources used. </li></ul></ul></ul>
    5. 6. Government cloud – some recent papers <ul><li>ENISA - Security and Resilience in Governmental Clouds - p.41ff on data protection </li></ul><ul><li>UK - G-Cloud Report: Data Centre Strategy G-Cloud and The Applications Store for Government - Commercial Strategy Team - ANNEX C: Data Protection, including consideration of the US Patriot Act </li></ul>
    6. 7. <ul><li>Key cloud computing concepts </li></ul>
    7. 8. Virtualisation <ul><ul><li>Virtualisation = many things but in this context mainly involves multiple “virtual machines” running on shared hardware via the internet </li></ul></ul>
    8. 9. Data centers <ul><ul><li>Massive data centres are being built, often containing sealed shipping containers, themselves containing pre-configured servers: “The trucks back ’em in, rack ’em and stack ’em” (Ray Ozzie: Microsoft’s former Chief Software Architect) </li></ul></ul><ul><ul><li>Huge requirements for power / cooling / connectivity </li></ul></ul><ul><ul><li>Google has patented a “water-based data center” - a system that includes “a floating platform-mounted computer data center comprising a plurality of computing units, a sea-based electrical generator in electrical connection with the plurality of computing units, and one or more sea-water cooling units for providing cooling to the plurality of computing units.” </li></ul></ul>
    9. 10. Google’s “water-based data center” So just when we thought we had identified all the technical, commercial and legal risks associated with outsourcing and offshore data processing … … we have to tackle maritime law … and the risk of meeting real pirates on the high seas!
    10. 11. Types of service <ul><ul><li>Software as a Service (SaaS) ( eg. Oracle CRM on demand; Gmail, Hotmail, Yahoo! Mail; Google Apps, Microsoft Office 365; Facebook, Flickr) </li></ul></ul><ul><ul><li>Infrastructure as a Service (IaaS) = delivery of servers, software, storage, etc as a fully outsourced service, typically billed on a utility computing basis ( eg. Amazon Web Services, Rackspace) </li></ul></ul><ul><ul><li>Platform as a Service (PaaS) = web-based environment for developing and deploying applications ( eg. Google App Engine, Microsoft Windows Azure or which provides a set of tools and applications for customising the apps) </li></ul></ul><ul><ul><li>Storage as a Service (also SaaS!) = convenient way of storing / backing-up data online ( eg. </li></ul></ul><ul><ul><li>NB ecosystem of players – hardware, software, support, consultancy… </li></ul></ul>
    11. 12. Possible architectures From
    12. 13. Deployment models: private, community, public and hybrid clouds …
    13. 14. <ul><li>Data protection law issues </li></ul>
    14. 15. Key features for data protection law purposes <ul><li>Storage and processing </li></ul><ul><ul><li>May be split up and geographically distributed (might in practice be local(ish), for latency reasons - but might not…) </li></ul></ul><ul><li>Sharding – data may be fragmented </li></ul><ul><ul><li>a fragment may contain personal data (or it may not?) </li></ul></ul><ul><li>Data replication </li></ul><ul><li>Data deletion </li></ul><ul><li>Design and access – encrypted? Can provider access user’s account? Internal controls on such access? </li></ul><ul><li>Multiple parties possible – transparency? </li></ul><ul><li>Other – shared “multi-tenant” infrastructure, eg . running same application instance, sharing same database; reliance on provider </li></ul>
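
The sharding point on this slide can be illustrated with a rough Python sketch. It splits a record into fixed-size fragments and spreads them round-robin across storage nodes. The record, node names and fragment size are hypothetical, and real providers use their own placement schemes; the sketch only shows that a single fragment may or may not contain recognisable personal data.

```python
from itertools import cycle


def shard(data, fragment_size, nodes):
    """Split data into fixed-size fragments and assign them to nodes round-robin."""
    placement = {node: [] for node in nodes}
    node_cycle = cycle(nodes)
    for index, offset in enumerate(range(0, len(data), fragment_size)):
        fragment = data[offset:offset + fragment_size]
        # Keep the fragment index so the record can be put back together later.
        placement[next(node_cycle)].append((index, fragment))
    return placement


def reassemble(placement):
    """Collect fragments from every node and join them in index order."""
    fragments = sorted(f for frags in placement.values() for f in frags)
    return b"".join(chunk for _, chunk in fragments)


# Hypothetical record and node names, for illustration only.
record = b"name=Jane Doe;dob=1980-01-01;city=Edinburgh"
nodes = ["node-eu", "node-us", "node-asia"]
placement = shard(record, 8, nodes)

for node, fragments in placement.items():
    print(node, fragments)
```

In this sketch one node holds part of the name while another holds only part of the date of birth, which is the kind of fragment whose status as "personal data" the slide questions.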
    15. 16. Foundational issues <ul><li>What information in the clouds is regulated under data protection laws? (“personal data”) </li></ul><ul><li>Who is responsible for personal data? </li></ul><ul><li>Where is personal data processed? </li></ul><ul><li>Whose laws apply in a dispute? </li></ul><ul><li>Issues may differ for cloud users, cloud providers and data subjects </li></ul>
    16. 17. What is regulated - “personal data” in the clouds <ul><li>Not “personal data” = no data protection law restrictions </li></ul><ul><li>Processing “anonymised” data in the cloud: </li></ul><ul><ul><li>By cloud user, after “anonymisation” eg. by aggregation </li></ul></ul><ul><ul><li>By cloud provider – may be integral to business model </li></ul></ul><ul><li>Encrypted data – status? </li></ul><ul><ul><li>Key-coded data analogy. Pro Life Alliance; Craigdale . </li></ul></ul><ul><li>The “personal data” definition is critical – but insufficiently clear </li></ul><ul><li>Anonymisation/encryption procedures – status? </li></ul><ul><ul><li>Source Informatics . </li></ul></ul>
    17. 18. Who is responsible for personal data in the cloud? <ul><li>Cloud user </li></ul><ul><ul><li>If data controller, remains data controller </li></ul></ul><ul><li>Cloud provider </li></ul><ul><ul><li>Metadata regarding cloud service usage, where cloud user is individual etc - provider is controller </li></ul></ul><ul><ul><li>Personal data processed in the cloud by cloud user – what’s the provider’s status? </li></ul></ul><ul><ul><ul><li>It depends on the facts! Advertising, sale… </li></ul></ul></ul>
    18. 19. Who is actually responsible for data in clouds? “ acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” Q. Will that be good enough? A. It depends what the cloud user is going to use the service for (and how)
    19. 20. Where is data stored - can you control where your data are stored in clouds? <ul><li>It depends! </li></ul><ul><li>Some service providers can’t, for technical reasons, or won’t, for commercial reasons, let you choose </li></ul><ul><li>Other service providers are designing their clouds so as to offer customers a choice between ‘regions’ ( eg. Amazon Web Services) </li></ul><ul><li>Other service providers, if asked, say they currently store customer data by default in the customer’s local region ( eg. Decho Mozy Inc) </li></ul><ul><li>Geolocation may become a critical differentiator for customers concerned about where their data are stored ( eg. because of disclosure risks associated with litigation or regulators) or subject to restrictions on data transfers (such as national rules based on Articles 25 + 26 of the DP Dir.) </li></ul><ul><li>An amorphous cloud may not be appropriate for regulated data, eg. if you don’t know where the data will be processed and by whom </li></ul>
    20. 21. But… should location of data really matter? <ul><li>With storage virtualisation & sharding – will seizing one server necessarily afford access to intelligible data…? </li></ul><ul><li>In practice, what may be more important is: </li></ul><ul><ul><li>whether the system’s design allows the cloud provider to access user data ( eg . by logging into their account), cf. full encryption (where provider has no access to decryption key), and </li></ul></ul><ul><ul><li>who can effectively assert jurisdiction over the provider ( eg . the location of the provider , rather than of its servers) </li></ul></ul>
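
The "full encryption" case on this slide, where the provider has no access to the decryption key, can be sketched as follows. This is a toy one-time pad written with the Python standard library purely for illustration; the storage dictionary and record name are hypothetical stand-ins for a provider's service, and a real deployment would rely on a vetted cryptographic library rather than this code.

```python
import secrets


def encrypt(plaintext):
    """Encrypt with a fresh random key as long as the message (one-time pad)."""
    key = secrets.token_bytes(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
    return key, ciphertext


def decrypt(key, ciphertext):
    """XOR the ciphertext with the same key to recover the plaintext."""
    return bytes(c ^ k for c, k in zip(ciphertext, key))


# Hypothetical stand-in for the provider's storage: it only ever sees ciphertext.
provider_storage = {}

plaintext = b"patient 123: diagnosis X"
key, ciphertext = encrypt(plaintext)      # the key stays with the cloud user
provider_storage["record-1"] = ciphertext

# Only the key holder can turn the stored bytes back into intelligible data.
recovered = decrypt(key, provider_storage["record-1"])
```

The design point is that encryption happens before upload, so seizing the provider's servers, or compelling the provider itself, yields only ciphertext unless the key is also obtained from the user.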
    21. 22. What about disclosure of cloud users’ data to third parties? Would a cloud user feel more comfortable signing up to this… “ The Receiving Party [] may disclose Confidential Information of the Disclosing Party [the customer] if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.” … or this? “ You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability.”
    22. 23. Whose laws apply if you have a cloud dispute? Choice of law specified by cloud provider, with number of contracts * <ul><li>US State: California (most common), Massachusetts (Akamai), Washington (Amazon), Utah (Decho), Texas (The Planet): 15 </li></ul><ul><li>English law, probably because service provider based there: 4 </li></ul><ul><li>English law, for customers in Europe / EMEA: 4 </li></ul><ul><li>Other EU jurisdictions (for European customers), eg . Ireland (Apple), Luxembourg (some Microsoft services): 2 </li></ul><ul><li>Scottish law (Flexiant): 1 </li></ul><ul><li>The customer’s local law: 2 </li></ul><ul><li>No choice of law expressed or implied, or ambiguous choice ( eg . “UK Law” for: 3 </li></ul> * Number in each category is out of 31 contracts analysed by QMUL Cloud Legal Project
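
As a quick check on the figures in this slide, the short Python sketch below totals the categories and expresses each as a rounded percentage of the contracts analysed. The counts are taken from the slide; the shortened category labels are paraphrases introduced here for illustration.

```python
# Counts as given on the slide; labels are shortened paraphrases.
choice_of_law = {
    "US state": 15,
    "English law (provider based there)": 4,
    "English law (customers in Europe / EMEA)": 4,
    "Other EU jurisdictions": 2,
    "Scottish law": 1,
    "Customer's local law": 2,
    "None or ambiguous": 3,
}

total = sum(choice_of_law.values())

# Share of each category, rounded to the nearest whole percent.
shares = {label: round(100 * count / total) for label, count in choice_of_law.items()}

for label, share in shares.items():
    print(f"{label}: {choice_of_law[label]} of {total} ({share}%)")
```

The categories add up to the 31 contracts stated in the footnote, with US state law accounting for just under half of them.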
    23. 24. In practice <ul><li>Location, location, location </li></ul><ul><ul><li>In some situations, choose only provider that allows zoning? </li></ul></ul><ul><li>Contract </li></ul><ul><ul><li>procurement process? </li></ul></ul><ul><ul><li>the provider “stack” </li></ul></ul><ul><li>Contract terms – standard (multiple sources); negotiate? Including: </li></ul><ul><ul><li>Exclusions/disclaimers </li></ul></ul><ul><ul><li>Disclosure/monitoring </li></ul></ul><ul><ul><li>Data location </li></ul></ul><ul><li>Encryption, encryption, encryption </li></ul><ul><ul><li>Simple scenarios only – storage </li></ul></ul><ul><ul><ul><li>NB has provider access to key? ( eg . for indexing/searching) </li></ul></ul></ul><ul><ul><li>If cloud applications run on data – data must be decrypted before they can be worked on, currently </li></ul></ul>
    24. 25. Forthcoming papers <ul><li>Next few weeks – </li></ul><ul><ul><li>What data is regulated as “personal data” in cloud computing? </li></ul></ul><ul><ul><li>Who is responsible for “personal data” in the cloud? </li></ul></ul><ul><li>Published - </li></ul><ul><ul><li>Information ownership in the cloud </li></ul></ul><ul><ul><li>Cloud terms of service analysis http :// </li></ul></ul><ul><li>Future – </li></ul><ul><ul><li>Law enforcement access (soon) </li></ul></ul><ul><ul><li>International transfers of data </li></ul></ul><ul><ul><li>Governance </li></ul></ul>
    25. 26. Thanks for listening! Kuan Hon Cloud Legal Project, CCLS, Queen Mary, University of London [email_address] (or http :// ) Any questions …