A Cloudy Forecast: Divergence in the Cloud Computing Laws of the United States, European Union, and China

• Publication year: 2013
• Citation: Vol. 41 No. 2

A CLOUDY FORECAST: DIVERGENCE IN THE CLOUD COMPUTING LAWS OF THE UNITED STATES, EUROPEAN UNION, AND CHINA

Tina Cheng^*

[Page 481]

TABLE OF CONTENTS

I. INTRODUCTION...............................................................................482

II. CLOUD COMPUTING........................................................................483

A. Defining Cloud Computing......................................................483
B. Benefits of Cloud Computing...................................................483
C. Privacy Issues in the Cloud......................................................484

III. DATA PRIVACY LAWS AND THE NEED FOR REFORM IN THE UNITED STATES, EUROPEAN UNION, AND CHINA...........................487

A. European Union.......................................................................487
B. United States............................................................................491

1. The Judicial Perspective....................................................492
2. The Electronic Communications Privacy Act and the Stored Communication Act................................................493
3. The Computer Fraud and Abuse Act.................................495

C. China........................................................................................496

IV. CORPORATE COMPLICITY...............................................................500

V. INTERNATIONAL SOLUTIONS..........................................................502

A. Barriers to International Cooperation.....................................502
B. Proposals to Ensure Privacy in Cloud Computing..................503

VI. CONCLUSION...................................................................................505

[Page 482]

I. Introduction

In early 2011, China announced plans to build a "city-sized cloud computing and office complex that will include a mega data center," signaling a rapid growth in information technology (IT) spending.¹ Meanwhile, Facebook is building a 300,000-square-foot "server farm" in northern Sweden to store the personal data of its European users.² In late 2011, U.S.-based company Amazon.com announced the release of its Kindle Fire tablet, a device that not only backs up all of the user's information in the cloud, but also uses the cloud to log all of that user's activity.³

As the world becomes increasingly digitalized, concerns arise about the security and privacy of personal and commercial information. This information is being steadily moved to "the cloud," an Internet-based service that "provide[s] consumers with vast amounts of cheap, redundant storage and allow[s] them to instantly access their data from a web-connected computer anywhere in the world."⁴ However, this convenience comes with risks such as exposure to hackers and privacy invasion.

This Note will argue that the government regulations currently in place in the U.S., European Union (EU), and China are inadequate to protect the privacy of cloud consumers. The Note begins by defining cloud computing and its ramifications on the privacy of its users. It will then set out laws that govern cloud computing in the U.S., EU, and China, and demonstrate how they are outdated and insufficient to protect cloud users. Finally, this Note will recommend that countries adopt a uniform, updated definition of cloud computing while continuing to develop privacy policy according to their own national and regional interests.

[Page 483]

II. CLOUD COMPUTING

A. Defining Cloud Computing

The cloud computing model is perceived to be "the future of computing."⁵ However, a debate exists over the formal definition of "cloud computing."⁶ The National Institute of Standards & Technology describes cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."⁷ Generally speaking, cloud computing is the idea that software and data can be accessed as a service on the Internet rather than stored locally on one's own computer.⁸ Cloud computing pledges to overcome problems presented by the "dispersed computing" structure, the traditional model of computing in which each user stores and accesses his personal information on one computer.⁹ Electronic mail was the first to transition,¹⁰ closely followed by companies like Google, Amazon, and eBay.¹¹ The global cloud computing industry is still developing, with a majority of technology experts predicting that by 2020 "most people will access software applications online and share and access information through the use of remote server networks."¹²

B. Benefits of Cloud Computing

Cloud computing offers five major benefits to both commercial and individual consumers: reduced cost, increased storage, alleviated the depended on information technology (IT) personnel, augmented reliability,

[Page 484]

and expanded accessibility.¹³ First, most cloud services are "either free or significantly cheaper than more traditional desktop offerings."¹⁴ Second, cloud computing has eliminated user concerns about a computer's storage capacity, memory, and updates since applications run directly from the cloud.¹⁵ Thus, hard disk space that would have been taken up by traditional software is available for other uses.¹⁶ Third, business users benefit because IT personnel no longer need to be concerned with keeping software up to date.¹⁷ Fourth, cloud-based services regularly back up files stored on multiple servers so that users never have to worry about losing their data in the event of a hardware failure.¹⁸ Fifth, cloud-based systems allow users to access their information from anywhere in the world where there is an Internet connection.¹⁹

C. Privacy Issues in the Cloud

Although cloud computing offers many advantages to business and consumer users, significant risks come with the massive amounts of sensitive data handled by cloud providers.²⁰ One such risk is vulnerability to computer hackers as user data is often transmitted via unencrypted network connections, making the access to obtain users' private information easy for hackers.²¹ Although encryption protecting against hackers is used in some cases of lower-priority cloud services such as email, it only applies during the initial login phase and not during subsequent data transfers.²² For example, the risk of data breach is increased when users are connected to unsecured public wireless networks, such as those at coffee shops.²³ In addition, because a cloud provider might store the data of multiple users on the same physical equipment, cloud users face the risk of isolation failure,

[Page 485]

i.e., an attack on one person may lead to a "guest-hopping" attack as a result of the inadvertent or intentional commingling of data.²⁴

A factor that exacerbates this issue is the changing societal attitude toward online privacy.²⁵ Younger users "have much less concern about online privacy than older generations," and "are more likely to embrace the Internet's interconnectedness and convenience by participating in social networking, sharing digital content, and using cloud services."²⁶ To them, "values such as cost, convenience, efficiency, and networking" outweigh privacy concerns.²⁷

Cloud users also face possible exposure from cloud providers.²⁸ Institutions such as banks and online merchants are legally liable for online fraud, so they have an incentive to encrypt customers' data as it is transmitted over the Internet.²⁹ Cloud providers, however, have no such liability concerns even though an email account may have information that is just as sensitive as the information in a bank account.³⁰ One way cloud providers could be forced to standardize encryption is through market pressure. However, due to "widespread (yet understandable) ignorance" of most users³¹ and the current societal attitudes,³² "[t]here simply isn't sufficient market demand for these providers to allocate the considerable financial and engineering resources required to [provide] encryption by default for all of their products."³³

Since data is stored on servers worldwide, cloud-based services also bring into play the question of jurisdiction.³⁴ The existing legal structure intended to protect data that flows around the globe is insufficient to protect end users.³⁵ Data privacy laws are not globally uniform, and, as such, "data that might be secure in one country may not be in another."³⁶ The determination

[Page 486]

of whose law applies to information stored in the cloud may depend on factors such as "the type of user, the location of the user's computer, the location of the cloud provider's server(s), or some combination of these variables."³⁷ Due to these variables, a user's privacy may "vary significantly with the terms of service and privacy established by the cloud provider," leading to the abuse and exploitation of that user's information.³⁸

Another threat to consumer privacy stems from the "ease with which the government can force an application provider to insert a backdoor or flaw in its own products."³⁹ For example, China, notorious for its rigid censorship of the Internet,⁴⁰ recently demonstrated the extent to which the government could regulate Internet activities. Skype is a "voice-over-IP software program that lets users make free peer-to-peer phone calls and conduct instant messaging over the Internet."⁴¹ In China, Skype operates through TOM-Skype, a joint venture with Tom Group, and it dominates the Chinese market.⁴² The year after TOM-Skype was released, the company admitted that the software contained "a filtering mechanism that prevents users from sending text messages that include banned phrases such as 'Falungong' and 'Dalai Lama.' "⁴³ Skype executives then confirmed that they had simply been complying with local Chinese law, and that other cloud...