Kuan Hon's slides for workshop on data protection in cloud computing at Data Protection 2011 conference organised by Holyrood in Edinburgh, UK on 24 February 2011.
Data protection in cloud computing - Data Protection Conference 2011
1. Data Protection 2011 Data Protection in the Clouds
Data Protection 2011 24 February 2011
Data Protection in the Clouds
Kuan Hon
Cloud Legal Project
Centre for Commercial Law Studies, Queen Mary, University of London
www.cloudlegal.ccls.qmul.ac.uk / w.k.hon@qmul.ac.uk
Introduction
Cloud Legal Project
Cloud terms of service analysis paper
Questions we will tackle today –
What information in the cloud is regulated under data protection laws?
Who is responsible for personal data?
Where is personal data processed?
Whose laws apply in a dispute?
Kuan Hon
2. Data Protection 2011 Data Protection in the Clouds
Maturity - Gartner hype cycle Oct 2010 (as at Aug 2010)
But first… what is cloud computing?
• It usually involves the provision of scalable IT resources (data storage, application hosting, etc.) on demand, delivered via the internet
• Cloud Legal Project definition:
• Provides flexible, location-independent access to computing resources that are quickly and seamlessly allocated or released in response to demand.
• Services (especially infrastructure) are abstracted and typically virtualised, generally being allocated from a pool shared as a fungible resource with other customers.
• Charging, where present, is commonly on an access basis, often in proportion to the resources used.
3. Data Protection 2011 Data Protection in the Clouds
Government cloud – some recent papers
ENISA - Security and Resilience in Governmental Clouds http://www.enisa.europa.eu/act/rm/emerging-and-future-risk/deliverables/security-and-resilience-in-governmental-clouds - p.41ff on data protection
UK - G-Cloud Report: Data Centre Strategy G-Cloud and The Applications Store for Government - Commercial Strategy Team http://www.computerweekly.com/Articles/2011/02/07/245289/G-Cloud-Report-Data-Centre-Strategy-G-Cloud-and-The-Applications-Store-for-Government-Commercial.htm - ANNEX C: Data Protection, including consideration of the US Patriot Act
4. Data Protection 2011 Data Protection in the Clouds
Key cloud computing concepts
Virtualisation
• Virtualisation = many things but in this context mainly involves multiple “virtual machines” running on shared hardware via the internet
5. Data Protection 2011 Data Protection in the Clouds
Data centers
Massive data centres are being built, often containing sealed shipping containers, themselves containing pre-configured servers: “The trucks back ’em in, rack ’em and stack ’em” (Ray Ozzie: Microsoft’s former Chief Software Architect)
Huge requirements for power / cooling / connectivity
Google has patented a “water-based data center” - a system that includes “a floating platform-mounted computer data center comprising a plurality of computing units, a sea-based electrical generator in electrical connection with the plurality of computing units, and one or more sea-water cooling units for providing cooling to the plurality of computing units.”
Google’s “water-based data center”
So just when we thought we had identified all the technical, commercial and legal risks associated with outsourcing and offshore data processing …
…we have to tackle maritime law
…and the risk of meeting real pirates on the high seas!
6. Data Protection 2011 Data Protection in the Clouds
Types of service
• Software as a Service (SaaS) (eg. Oracle CRM on demand; Gmail, Hotmail, Yahoo! Mail; Google Apps, Microsoft Office 365; Facebook, Flickr)
• Infrastructure as a Service (IaaS) = delivery of servers, software, storage, etc as a fully outsourced service, typically billed on a utility computing basis (eg. Amazon Web Services, Rackspace)
• Platform as a Service (PaaS) = web-based environment for developing and deploying applications (eg. Google App Engine, Microsoft Windows Azure or Force.com which provides a set of tools and applications for customising the Salesforce.com apps)
• Storage as a Service (also SaaS!) = convenient way of storing / backing-up data online (eg. box.net)
• NB ecosystem of players – hardware, software, support, consultancy…
Possible architectures (from http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt)
7. Data Protection 2011 Data Protection in the Clouds
Deployment models: private, community, public and hybrid clouds…
Data protection law issues
8. Data Protection 2011 Data Protection in the Clouds
Key features for data protection law purposes
Storage and processing
May be split up and geographically-distributed (might in practice be local(ish), for latency reasons - but might not…)
Sharding – data may be fragmented; a fragment may contain personal data (or it may not?)
Data replication
Data deletion
Design and access – encrypted? Can provider access user’s account? Internal controls on such access?
Multiple parties possible – transparency?
Other – shared “multi-tenant” infrastructure, eg. running same application instance, sharing same database; reliance on provider
Foundational issues
What information in the clouds is regulated under data protection laws? (“personal data”)
Who is responsible for personal data?
Where is personal data processed?
Whose laws apply in a dispute?
Issues may differ for cloud users, cloud providers and data subjects
9. Data Protection 2011 Data Protection in the Clouds
What is regulated - “personal data” in the clouds
Not “personal data” = no data protection law restrictions
Processing “anonymised” data in the cloud:
By cloud user, after “anonymisation” eg. by aggregation
By cloud provider – may be integral to business model
Encrypted data – status?
Key-coded data analogy. Pro Life Alliance; Craigdale.
The “personal data” definition is critical – but insufficiently clear
Anonymisation/encryption procedures – status?
Source Informatics.
Who is responsible for personal data in the cloud?
Cloud user
If data controller, remains data controller
Cloud provider
Metadata regarding cloud service usage, where cloud user is individual etc - provider is controller
Personal data processed in the cloud by cloud user – what’s the provider’s status?
o It depends on the facts! Advertising, sale…
10. Data Protection 2011 Data Protection in the Clouds
Who is actually responsible for data in clouds?
“...you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.”
Q. Will that be good enough?
A. It depends what the cloud user is going to use the service for (and how)
Where is data stored - can you control where your data are stored in clouds?
• It depends!
• Some service providers can’t, for technical reasons, or won’t, for commercial reasons, let you choose
• Other service providers are designing their clouds so as to offer customers a choice between ‘regions’ (eg. Amazon Web Services)
• Other service providers, if asked, say they currently store customer data by default in the customer’s local region (eg. Decho Mozy Inc)
• Geolocation may become a critical differentiator for customers concerned about where their data are stored (eg. because of disclosure risks associated with litigation or regulators) or subject to restrictions on data transfers (such as national rules based on Articles 25 + 26 of the DP Dir.)
• An amorphous cloud may not be appropriate for regulated data, eg. if you don’t know where the data will be processed and by whom
11. Data Protection 2011 Data Protection in the Clouds
But… should location of data really matter?
With storage virtualisation & sharding – will seizing one server necessarily afford access to intelligible data…?
In practice, what may be more important is:
whether the system’s design allows the cloud provider to access user data (eg. by logging into their account), cf. full encryption (where provider has no access to decryption key), and
who can effectively assert jurisdiction over the provider (eg. the location of the provider, rather than of its servers)
What about disclosure of cloud users’ data to third parties?
Would a cloud user feel more comfortable signing up to this…
“The Receiving Party [Salesforce.com] may disclose Confidential Information of the Disclosing Party [the customer] if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.”
… or this?
“You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability.”
12. Data Protection 2011 Data Protection in the Clouds
Whose laws apply if you have a cloud dispute?
Choice of law specified by cloud provider… (Number *)
US State: California (most common), Massachusetts (Akamai), Washington (Amazon), Utah (Decho), Texas (The Planet) – 15
English law, probably because service provider based there – 4
English law, for customers in Europe / EMEA – 4
Other EU jurisdictions (for European customers): eg. Ireland (Apple), Luxembourg (some Microsoft services) – 2
Scottish law (Flexiant) – 1
The customer’s local law – 2
No choice of law expressed or implied, or ambiguous choice (eg. “UK Law” for g.ho.st) – 3
* Number in each category is out of 31 contracts analysed by QMUL Cloud Legal Project http://www.cloudlegal.ccls.qmul.ac.uk/
In practice
Location, location, location
In some situations, choose only provider that allows zoning?
Contract
procurement process?
the provider “stack”
Contract terms – standard (multiple sources); negotiate? Including:
Exclusions/disclaimers
Disclosure/monitoring
Data location
Encryption, encryption, encryption
Simple scenarios only – storage
o NB has provider access to key? (eg. for indexing/searching)
If cloud applications run on data – data must be decrypted before they can be worked on, currently
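The two points made above (whether the provider's design lets it read user data versus full encryption where the provider never holds the decryption key, and the storage-only caveat that handing the key to the provider for indexing or searching re-opens access) can be shown concretely. The following Python is an added example, not code from the slides or from the Cloud Legal Project. The CloudStore class, the sample customer record and the HMAC-SHA256 counter-mode stream cipher are all constructed for illustration; a real deployment would use an authenticated cipher such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets


class CloudStore:
    """Hypothetical storage-as-a-service provider (constructed for this example).

    It only ever sees the bytes the customer uploads. inspect() models what the
    provider's own indexing/search, or anyone who seizes its disks, can find.
    """

    def __init__(self):
        self._blobs = {}

    def put(self, name, blob):
        self._blobs[name] = bytes(blob)

    def get(self, name):
        return self._blobs[name]

    def inspect(self, name, needle):
        """Can the provider locate 'needle' in the stored blob without any key?"""
        return needle in self._blobs[name]


def _subkeys(master):
    # Separate keys for confidentiality and integrity, derived with HMAC-SHA256.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode used as a PRF-based stream cipher (illustrative
    # only; production code should use AES-GCM from a vetted library).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(master, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master, blob):
    """Verify the tag before decrypting; a tampered blob raises instead of yielding garbage."""
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_scenarios():
    """Compare who can read a customer record under three key-custody models."""
    record = b"name=Alice Example; dob=1980-01-01; diagnosis=..."  # constructed sample
    needle = b"Alice"
    store = CloudStore()
    results = {}

    # 1. Plaintext upload: the provider can read and index the personal data.
    store.put("plain", record)
    results["plaintext_readable_by_provider"] = store.inspect("plain", needle)

    # 2. Client-side encryption; the key never leaves the customer.
    key = secrets.token_bytes(32)
    store.put("enc", encrypt(key, record))
    results["encrypted_readable_by_provider"] = store.inspect("enc", needle)
    results["customer_can_decrypt"] = decrypt(key, store.get("enc")) == record

    # 3. Customer hands the key to the provider so it can index/search:
    #    the provider is back in the same position as in scenario 1.
    results["provider_with_key_can_read"] = needle in decrypt(key, store.get("enc"))

    # Integrity: a flipped bit in the stored blob is detected on download.
    tampered = bytearray(store.get("enc"))
    tampered[20] ^= 0x01
    try:
        decrypt(key, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 2 is the "full encryption" case where seizing the provider's servers yields only opaque blobs; scenario 3 shows why the slide flags provider access to the key, since any server-side indexing or application processing on the data requires exactly that access.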
13. Data Protection 2011 Data Protection in the Clouds
Forthcoming papers
Next few weeks –
What data is regulated as “personal data” in cloud computing?
Who is responsible for “personal data” in the cloud?
Published -
Information ownership in the cloud
http://www.cloudlegal.ccls.qmul.ac.uk/Research/researchpapers/37187.html
Cloud terms of service analysis
http://www.cloudlegal.ccls.qmul.ac.uk/Research/researchpapers/37188.html
Future –
Law enforcement access (soon)
International transfers of data
Governance
Thanks for listening!
Any questions…
Kuan Hon
Cloud Legal Project, CCLS,
Queen Mary, University of London
w.k.hon@qmul.ac.uk
www.cloudlegal.ccls.qmul.ac.uk
(or http://bit.ly/cloudlegal)
Editor's note
‘Amazon Web Services Customer Agreement’ Clause 7.2, available online at http://aws.amazon.com/agreement/