European Commission sets out to tame privacy issues in the cloud

Next week a new expert group convened by the European Commission will start its work on the legal taming of cloud computing. One major aim of the group, according to the Commission, is to come up with fair and transparent contractual provisions for small and medium sized cloud users. The group could well be at work developing model contracts if the recommendations point in that direction. But while this is unfolding a group of researchers who just received the Networking Research Prize of the Internet Engineering Task Force shows, there is already diversity in cloud services, and it is up to users to place their choices.

Technical experts have mocked the Commission's “cloud affinity“ and said it was a form of reconciliation with plain “internet services“ like hosting your data at some place or using “software as a services“ remotely. Yet with more and more communication, business and entertainment moving to the net, there is a need to consider user/customers' rights and cross-jurisdictional issues. The new expert group tasked to propose user-friendly standards and transparent model contracts has been announced in the European Commission's strategy on “Unleashing the potential of cloud computing in Europe“. It was adopted a year ago.

However it took the revelations of Edward Snowden and, according to the Commission, a clear call from the European Council to spur the effort. The 30 designated members of the group for which there was obviously a slight preference for French corporate representatives (four out of 30) is expected to file results in Spring 2014. Prior to the new expert group there have been reports by a Cloud Select Industry Group on Service Level Agreements, a Cloud Select Industry Group on Certification Schemes, and a Cloud Select Industry Group on Code of Conduct.

More recently, at a high level event at the Fraunhofer Fokus Institute in Berlin on November 14 and 15, a 9,8 million Euro research project, which includes 23 partners in 11 countries, was launched. The goal, according to the organisers is “to give a clear view on the public sector requirements and usage scenarios for cloud computing.” Neelie Kroes there spoke out against “a new centralised European super infrastructure.” The president of the Republic of Estonia and chair of the European Cloud Partnership Steering Board, Toomas Hendrik Ilves, said that “violating the integrity of data is the biggest threat and the European Union member states must ensure a safe system for the citizen that can fend off any kind of malevolent attacks, protect everyone's online identity and ensure data integrity.”

Legal framework to solve the cloud tussle

The new expert working group certainly might be quite busy if it attempts to sift through the paper produced to date, which, according to the Commission aims “to explore ways to improve the legal framework for cloud computing contracts for consumers and SMEs [small and medium enterprises] (IP/13/590), so as to strengthen consumers’ and SMEs’ confidence in using cloud computing contracts.“

“A legal framework or guidelines how to handle cloud data and what rights and obligations users and companies have, in my opinion can be helpful,“ Frank Karlitschek, Chief Technology Officer at owncloud - a German provider of a free and open-source web application for personalised cloud storage - said. Karlitschek at the same time recommends to the new expert group, when looking at the issue from the user and SME point of view to take a hard look at the User Data Manifesto. Signed by a list of close to a dozen providers and projects including owncloud, the manifesto has some clear, short and simple language addressing trust issues with the cloud:

1. Own the data
2. Know where the data is stored
3. Choose the storage location
4. Control access
5. Choose the conditions
6. Invulnerability of data
7. Use it optimally
8. Server software transparency

A tamper-proof solution for cross-border scenarios – a user in country A uses a server in country B to share data created in country C with another user in country D, with the data transiting country E on its way, that would value these principles, Karlitschek thinks, would be “very intriguing“.

Choose your own solution

That users have a choice to address some of these issues already, is made clear by research about different services in existence. A group of researchers around Italian/Brazilian network specialist Idilio Drago, just awarded with the network research prize by the Internet Research Task Force, has been comparing the personal cloud storage service Dropbox with alternatives like Google, Skydrive, Cloud Drive and Wuala.

Dropbox certainly was ahead technically in some respects, for example with regard to synchronisation, for which it only pushed updates and not the complete text to the storage server, thereby boosting performance and reducing traffic.

Wuala on the other hand offers encryption and a server network in data privacy friendly locations (Germany and Switzerland). Dropbox uses servers in the San Jose area, as well as Amazon's cloud servers.

Performance of the more privacy friendly solution was in general good, benefiting from the “nearby data centres“ from the point of view of the research group. Yet the big runner-up to Dropbox is not Wuala and the like, but large providers like Google who try to catch Dropbox by trading their “capillary infrastructure and private backbone“ which allows for short network latency.

The Dropbox-Wuala-Google story therefore is telling in different respects, according to Drago. There is room for small start-ups (in internet services) despite the seeming market domination from companies like Google or Amazon. At the same time, users so far still seem to prefer ease of use over privacy-friendliness. Perhaps the expert working group might want to talk to the researchers – and the services measured – to understand what can be done to make the privacy-friendly – and Europe based – services more attractive to everybody.