1) Users trust storing data locally more than storing in the cloud due to privacy concerns over third parties accessing their data without permission.
2) Cultural differences between Switzerland and India influence attitudes towards cloud privacy, with Swiss having stronger expectations of privacy protections.
3) Users are generally unaware of the actual privacy policies of cloud storage providers and assume they have more rights to their data than the policies state.
3. “Dropbox may sell […] your Personal
Information, in connection with a
merger, acquisition, reorganization or
“GOOGLE […] SHALL NOT BEto pre-screen, review, flag, filter, modify, […] any Content”
“Google reserves the right […] LIABLE TO YOU FORsale of assets or OR DAMAGE”
[…] ANY LOSS in the event of
bankruptcy.”
Third-Party
Cloud Storage
(Foreign)
Governments
Legal Courts
Law
Enforcement
Storage
Provider
Hacker
Internet
Service
Provider
Friend
Data Owner
Wednesday 4 December 13
SOUPS 2011
3
5. Related Work
§ Enterprise studies: security and privacy are top concerns
in cloud adoption [1]
§ No study looked into end-users’ practices and concerns
§ Most previous privacy studies focused on US
§ Known issue: users don’t read the privacy policies
[1] E. Schindler. Cloud development survey. Evans Data Corporation, Strategic Reports, July 2010.
http://www.evansdata.com/reports/viewRelease.php?reportID=27.
Wednesday 4 December 13
SOUPS 2011
5
6. Our Contributions
§ Conducted interviews in India and Switzerland and an
online survey
§ Showed that:
§ Users trust local storage more than the cloud
§ Users assume higher protection than actual
§ Cultural differences influence cloud privacy attitudes
Wednesday 4 December 13
SOUPS 2011
6
7. Cultural Differences
Switzerland
India
§ Individualistic vs. collectivist society
§ Right to privacy guaranteed/not guaranteed by
constitution
§ People accept that power is distributed equally/unequally
Wednesday 4 December 13
SOUPS 2011
7
8. Agenda
§ Study setup/ Methodology
§ Interview studies
§ Online questionnaires
§ Results
§ Current practices
§ Perceived privacy
§ Terms of service
§ Conclusions
Wednesday 4 December 13
SOUPS 2011
8
9. Methodology
II. ONLINE SURVEY
I. INTERVIEWS
1. Current practices
Multiple choice
2. Privacy perceptions
Mann-Whittney test
Likert scale
3. Rights & guarantees
Fisher’s exact test
Zurich
Delhi
Swiss
Indians
All
16
20
132
190
402
Interviews
Wednesday 4 December 13
Interviews
Online Survey
SOUPS 2011
9
10. Results
§ Current practices
§ Perceived privacy
§ Awareness of terms and conditions
Wednesday 4 December 13
SOUPS 2011
10
11. Current Practices
§ The cloud is my folder
§ Email accounts are subfolders: private, official, spam
§ With further folders…
Wednesday 4 December 13
SOUPS 2011
11
12. Survey: Data Storage and Internet Attitudes
G,A0,6=1C,#/<#G1A807-16=5#
I people put such privateassensitive Internet document I store and instead
not no their thing
There keep local backupsdata on thedocuments on service or on the Internet.
consumer protection gets hacked, it is on own
Iftry to isto store important,of every important and itthe Internet,policetheirthe
keep They should on my personal felt that
Internet whom I know that to, if Icomputers.safe on the Internet.
fault. them offline,could turn nothing is reallymy rights were violated.
)!"#
!"#$%&'()*+*(!+,#*-%(*./(0.+%#.%+(12+"/%3(
(!"#
'!"#
&!"#
%!"#
$!"#
!"#
*#+,,-#./01.#
210+3-#
B=A/6C.D#ECA,,#
Wednesday 4 December 13
4/#5,65789,#
/6.76,#
B/@,;>1=#ECA,,#
:;6#<13.=#7<#
>10+,?#
B/@,;>1=#F751CA,,#
SOUPS 2011
4/#0/653@,A#
-A/=,08/6#
B=A/6C.D#F751CA,,#
12
13. Perceived Privacy
§ “Nothing on the Internet is safe”
§ Anybody can see my data if they want to:
§ Hackers
§ Employees
§ Governments
§ But I am not interesting to them
§ “I am not criminal”
§ “I am not Obama”
Wednesday 4 December 13
SOUPS 2011
13
14. § On my computer:
§ I look after my
computer
myself
§ I can go offline
§ In the cloud:
§ My computer
might crash
Wednesday 4 December 13
Percentage of participants
Survey: My data is safer…
80%
60%
40%
20%
0%
On my computer
In the cloud
Swiss
SOUPS 2011
Indians
14
15. Users would pay for better privacy in the cloud
“Dropbox may sell, transfer or otherwise share some or all of its assets,
including your Personal Information, in connection with a merger,
acquisition, reorganization or sale of assets or in the event of bankruptcy.”
Wednesday 4 December 13
SOUPS 2011
15
17. Results
§ Privacy concerns for users differ from those of companies
§ Users are less concerned with:
§ Country of storage
§ Storage outsourcing
§ Guaranteed deletion of data
§ Users have misconceptions about the cloud architecture
§ The cloud/Internet is everywhere
§ “Why would they keep a backup?”
Wednesday 4 December 13
SOUPS 2011
17
18. Survey: Does your webmail provider have the
right to disable your account?
Yes, at anybut only I am advanced notice and awithout explanation.
Yes, time, without using itNo. notice and valid reason.
Only if with advanced criminal purposes.
for
Percentage of participants
50%
40%
30%
20%
10%
0%
Wednesday 4 December 13
Yes
Only with
advanced
notice &
reason
Only if used
for criminal
purposes
SOUPS 2011
No
I don't know
Swiss
Indians
18
19. Survey: Does your webmail provider have the right to
see or modify your email attachments?
They have thethem, to to not modify them,any of anythese are my store.or
They have right but see and at nor because of onlydocuments.
Theycan seethe rightright to look modifymodify the documents I
don't have the see and modify my documents my in criminal
terrorists cases. they belong to me, even if I store them there.
documents and
Percentage of participants
50%
40%
30%
20%
10%
0%
Wednesday 4 December 13
No
Can see, but
not modify
Only in
criminal
cases
SOUPS 2011
Yes
Swiss
I don't know
Indians
19
20. Survey: If your webmail provider lost some of your
data, what would your rights be?
If haveano rights even if I wouldn't care regardless whether it would have
I it data is lost anyway. is damages, about There An no was would
My is free pay me have a paid-for service.money. are apology a paid
They shouldservice, Iforitthe no rights, but if I paid for it, they guarantees.
to enough. the damages.
be or me for
forpayfree service. We had a contract.
Percentage of participants
50%
40%
30%
20%
10%
0%
Pay me for Pay me if not
damages a free service
Wednesday 4 December 13
I have no
rights
SOUPS 2011
Don't care
Swiss
I don't know
Indians
20
21. Survey: Internet Surveillance Attitudes
It is good if the government monitors every Internet communication
If the government had access to every document users store on theand
all user that would be a major violation of first.
Internet,accounts. National security comes individual privacy.
>:4?:0326:#5@#>24A?-B203.#
!"#$%&'$&()*+%#$,--.&/$)01(+2$34)*5,33)#36)7&2,.&3)
*!"#
)!"#
(!"#
'!"#
&!"#
%!"#
$!"#
!"#
+,-..#
/01-20.#
+,-..#
C5DE#2??:..#35#B4-D23:#15?.#-.#F21E#
+3450678#964::#
Wednesday 4 December 13
+5;:,<23#964::#
/03:40:3#;50-354-06#-.#6551E#
+5;:,<23#=-.264::#
SOUPS 2011
/01-20.#
+3450678#=-.264::#
21
22. Conclusions
§ Users trust local storage more than the cloud
§ Users assume to have more rights than stated in the
agreement
§ Cultural differences influence privacy and attitudes and
behavior
Wednesday 4 December 13
SOUPS 2011
22
23. Recommendations
§
§
§
§
Provide stronger security mechanisms in the cloud
Improve presentation of privacy policies
Create consumer protection agencies for the cloud
Investigate awareness of international laws
Wednesday 4 December 13
SOUPS 2011
23