Cloud computing inherently implies that data will reside somewhere other than the user’s computer, frequently in one or more geographically distant places and possibly in a different country.

Built on trust

These computers aren’t owned by the user, who may be an individual, company or other organization. Generally this means that the cloud provider has access to both the user’s data and metadata. Such metadata includes information such as when and how a user accesses their data, and whom they share it with.

While the agreement that the provider will respect the privacy of the data is inherent in every contract, there are a variety of reasons for which such a guarantee cannot be ironclad. For example, governments generally have access to such data for national security or law enforcement reasons; dragnet-type access is much easier when the data is conveniently located in one place.

Big brother to big everyone

Equally significant is the potential for accidental access to user data while it’s being moved and aggregated, potentially resulting in deletions or changes that were never intended by the user. Finally, keeping data in the cloud of a major provider also makes it subject to unauthorized access by nefarious cloud administrators or any hacker who might successfully attack that provider.

Most cloud providers (and sometimes their business partners) also have the ability to observe the user’s metadata. Patterns can be observed and decisions made regarding usage, preferences, and common likes and dislikes. The power of this observation is obvious if you’ve ever been stalked by a company’s advertising on Facebook or while moving from website to website.

Is the cloud provider within their rights to use or sell this information? That question is still under discussion in most courts in the world. Users can decide for themselves if it’s okay with them or if they consider it an invasion of their privacy.

Drawing lines

Data held by a cloud service provider may be highly virtualized and stored in multiple datacenters, or even in multiple clouds, across many locations with different regulations. This raises the issue of who really owns the data. The lawyers are still struggling with issues of jurisdiction in the U.S.-EU Safe Harbor.

Does this mean cloud is a bad idea? Not at all. But it does mean that adoption of cloud should not be a monolithic, take-it-or-leave-it process. Users must evaluate their own business processes and vulnerability of their infrastructure. A company with less in-house technical capability will make a different decision regarding where they receive the greatest protection.

Encrypting the most important data places a great burden on the user, but it is an option for companies with the skill set. Hybrid options can also be considered: keeping certain data in-house, or keeping all data in-house except in overload situations. All companies and individuals will do well to explore their options when facing the issues of privacy and the cloud.