TRANSCENDING THE CLOUD : PRIVACY ISSUES IN CLOUD COMPUTING

SUBMITTED BY:
MRIDUSHI SWARUP, E-mail address- mridushi1611@gmail.com Postal Address- 21, Priyanka Nagar, Risali, Bhilai, Chattisgarh -490006. Mobile No. - 09407662280 & RITIKA BANERJEE Email Address ritika989@gmail.com Postal Address 8B, Sevak Baidya Street, Kolkata 700029. Mobile No. - 09752022147

Of

SEMESTER VIII, 4TH YEAR B.A. LL.B. (Hons.) 2011-2012

HIDAYATULLAH NATIONAL LAW UNIVERSITY VILLAGE UPPERWARA, TEHSIL ABHANPUR NEW RAIPUR CITY (C.G.)

NO.

OF

WORDS: 3036

1|Page

ABSTRACT
Cloud computing resources are offered as a service on as needed basis and the payment for the same is also either subscription based or pay as you use basis. There are several delivery mechanisms for cloud computing. Although there is no right specifically focused on personal data protection in India, there are several primary sources of Indian legislation that refer to this right for Indian citizens which primarily include Constitution and Information Technology Act, 2000. Also, Information Technology Rules (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) do not completely solve the original purpose. In this article, it is aimed to outline the concept, rationale and the various models of cloud computing. An effort has been made to offer a better insight into the legal (especially data privacy and protection) and tax issues relating to cloud computing in India. Also, the scenario in U.S. has been discussed briefly so as to enable a better understanding of the topic at hand.

INTRODUCTION
Cloud computing has begun to revolutionize business practices by allowing users of cloud services to off-load significant overhead and expenses for information technology (IT) functions while obtaining scalable and flexible computing services that do not depend on a specific location. Due to the significant benefits offered by cloud computing, a large number of companies have been eager to hop on the cloud bandwagon. Hardware makers, software giants, and service providers alike have already released offerings such as: Amazon's Elastic Compute Cloud1, Microsoft's Cloud Services and Windows Azure2, AT&T's Cloud Services3, HewlettPackard's Cloud Assure4 and Cloud Consulting Services5, etc. The uptake of cloud computing is such that some believe a wide-scale adoption of cloud computing will occur in the near future.

Amazon Elastic Compute Cloud (Amazon EC2), Amazon Web Servs., http:// aws.amazon.com/ec2/ accessed 27 December, 2010 2 Microsoft Cloud Services, Microsoft, http://www.microsoft.com/cloud/ accessed 3 January, 2012 3 Extend Your Reach with AT&T Cloud Services, AT&T, http:// www.business.att.com/enterprise/online_campaign/cloud_computing accessed January 8, 2012 4 Press Release, HP, HP Unveils Cloud Assure to Drive Business Adoption of Cloud Services, http:// www.hp.com/hpinfo/newsroom/press/2009/090331xa.html accessed 6 January, 2012 5 HP Cloud Consulting Services, HP, http:// h20219.www2.hp.com/services/us/en/consolidated/cloudoverview.html accessed 4 January, 2012.

2|Page

As the hype continues to consider cloud computing as a viable business solution, it is interesting to look at the ability and opportunity for India to exploit this technological phenomenon. In this article, it is aimed to outline the concept, rationale and the various models of cloud computing. An effort has been made to offer a better insight into the legal (especially data privacy and protection) issues relating to cloud computing in India. WHAT IS CLOUD COMPUTING? Although the phrase cloud computing is relatively new, the elements of the concept have been around for some years now. In practice, cloud computing is not a new concept nor any new technology nor any new computing paradigm nor any new phenomenon. Cloud computing encompasses several technological practices that were in existence long before the phrase became popular.6 Although many definitions prevail with respect to cloud computing, there is no standard definition. In simplest terms, cloud computing can be defined as: An abstract computing and data storage business method wherein dynamic IT capabilities such as hardware (Infrastructure-as-a-service), software (Software-as-a-Service) and tools (Platformas-a-service) are provided by third parties/cloud service providers which enables users to store as well as access their data and applications from anywhere and through any connected device.7 It is also sometimes referred to as synonymous to server hosting. Cloud computing services are provided on demand as opposed to licensed or purchased software, tools or hardware. Cloud computing resources are offered as a service on as needed basis and the payment for the same is also either subscription based or pay as you use basis.8 The essential characteristics of cloud computing can be summarized as follows :

Chi-Chun Lo, Chun-Chieh Huang, Joy Ku, A Cooperative Intrusion Detection System Framework for Cloud Computing Networks, (ICPPW 10 Proceedings of the 2010 39th International Conference on Parallel Processing Workshops, IEEE Computer Society, pp. 280-284, Washington DC, USA, 2010. ISBN: 978-0-7695-4157-0). 7 Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Iacon, On technical Security Issues in Cloud Computing, (Proc. of IEEE International Conference on Cloud Computing (CLOUD-II, 2009), pp. 109-116, India, 2009) 8 Michael Kretzschmar, S Hanigk, Security management interoperability challenges for collaborative clouds, Systems and Virtualization Management (SVM), 2010, (Proceedings of the 4th International DMTF Academic Alliance Workshop on Systems and Virtualization Management: Standards and the Cloud, pp. 43-49, October 2529, 2010. ISBN: 978-1-4244-9181-0, DOI: 10.1109/SVM.2010.5674744)

3|Page

a. Pay as per use b. Use it as and when required c. Services provided by a third party service provider
d. No change in the ownership of the main property9

CLOUD COMPUTING IN USA PRIVACY ISSUES

According to a recent study by The Nielsen Company, the average American Internet user spends over fifty-five hours per month online.10 However, despite the wide range of possibilities offered by the Internet, Americans spend about half of their online time on social networks, games, e-mail, and instant messaging.11 As consumers are spending an increasing amount of time online and demanding convenient, instant access to more content, cloud computing is becoming a rapidly growing technology and the industry's new buzzword.
12

In a

nutshell, the idea behind cloud computing is that instead of having the software and data stored locally on a user's own computer, they can all be stored on Internet servers, or in the clouds, and accessed as a service on the Internet. Consumers and businesses alike are increasingly taking advantage of the possibilities offered by cloud computing and are already storing their private emails, photos, videos, files, and other data on the Internet instead of their own personal computer, thanks to online, cloud-based services such as Gmail13, Google Docs14, etc. Services such as popular social networking sites Facebook and Twitter also make use of cloud computing15. However, protecting the identity of consumers in the digital world is proving to be quite a challenge, as shown by the controversies

W. Li, L. Ping, X. Pan, Use trust management module to achieve effective security mechanisms in cloud environment, (2010 International Conference on Electronics and Information Engineering (ICEIE), Volume: 1, pp. V1-14 - V1-19, 2010. DOI: 10.1109/ICEIE.2010.5559829) 10 See Nielsen, June 2010: Top Online Sites and Brands in the U.S., Nielsen Wire (July 16, 2010), http://blog.nielsen.com/nielsenwire/online_ mobile/june-2010-top-online-sites-and-brands-in-the-u-s/ accessed 3 January, 2012 11 See Nielsen, What Americans Do Online: Social Media And Games Dominate Activity, Nielsen Wire (Aug. 2, 2010), http:// blog.nielsen.com/nielsenwire/online_mobile/what-americans-do-online-social-media-and-gamesdominate-activity/
12

13

Stephen Wildstrom, Cloud Computing: Understand the Risks, Bloomberg Business Week http:// www.businessweek.com/magazine/content/09_14/b4125000676483.htm accessed 4 January, 2012 14 Ibid. 15 Janna Q. Anderson & Lee Rainie, The Future of Cloud Computing, Pew Internet & American Life Project http://pewresearch.org/pubs/1623/future-cloud-computing-technology-experts accessed 4 January 2012

4|Page

surrounding Facebook's privacy settings16, Google's accidental capturing of some Internet users' unencrypted Wi-Fi traffic17, and even the hacking attacks on Twitter18 or Google's Gmail service19. Due to the lack of U.S. federal legislation in the field of privacy, some American Internet users have taken the issue to the courts. For instance, the U.S. District Court for the Northern District of California approved in March 2010 a $9.5 million settlement to a class action lawsuit challenging Facebook's Beacon program, an online advertisement system launched in late 2007 that monitored and published what users of the social networking site were buying on thirdparty sites such as Blockbuster.20 The class action lawsuit claimed that users were not given adequate information about Beacon and that the collection of personal information was done without their authorization or knowledge. Facebook has since shut down Beacon as part of the settlement. In addition, under the terms of the settlement, Facebook will contribute $9.5 million to set up a non-profit privacy foundation that will award grants to projects and initiatives that promote the cause of online privacy, safety and security.21 Legal uncertainties make it difficult to assess the status of information in the cloud as well as the privacy and confidentiality protections available to users. The law badly trails technology,
16

See Jon Swartz, Facebook Draws Protests on Privacy Issue, USA Today http://www.usatoday.com/money/media/2010-05-14-facebook14_ST_N.htm accessed 4 January 2012;. 17 See Cecilia Kang, Lawmakers Press FTC on Google Street View Privacy Lapse, Wash. Post http:// voices.washingtonpost.com/posttech/2010/05/us_lawmakers_press_ftc_on_inve.html accessed 3 January 2012 18 See Press Release, Fed. Trade Comm'n Office of Public Affairs, Twitter Settles Charges that it Failed to Protect Consumers' Personal Information; Company Will Establish Independently Audited Information Security Program http://www.ftc.gov/opa/2010/06/twitter.shtm accessed 3 January, 2012 19 See Google May Pull Out of China After Gmail Cyber Attack, BBC News http:// news.bbc.co.uk/2/hi/business/8455712.stm accessed 2 January, 2012
20

Findings of Fact, Conclusions of Law, and Order Approving Settlement, Lane v. Facebook, Inc., No. C 083845 RS, 2010 U.S. Dist. LEXIS 24762 (N.D. Cal. Mar. 17, 2010); see also David Kravets, Judge Approves $9.5 Million Facebook Beacon Accord, Wired (March 17, 2010), http:// www.wired.com/threatlevel/2010/03/facebook-beacon-2/ accessed % January, 2012; Edward Valdez v. Quancast Corp., No. CV10-5484 (C.D. Cal. July 23, 2010), http:// online.wsj.com/public/resources/documents/cookielawsuit073010.pdf accessed 4 January, 2012 ; see also Jennifer Valentino-DeVries, Lawsuit Tackles Files That Re-Spawn Tracking Cookies, Wall St. J. http:// blogs.wsj.com/digits/2010/07/30/lawsuit-tackles-files-that-re-spawn-tracking-cookies accessed 5 January, 2012; Ryan Singel, Privacy Lawsuit Targets Net Giants Over Zombie Cookies, Wired http:// www.wired.com/threatlevel/2010/07/zombie-cookies-lawsuit/ accessed 4 January, 2012; Compl., White v. Clearspring Techs. Inc., No. CV10-5948 (C.D. Cal. Aug.10, 2010), http:// www.archive.org/download/gov.uscourts.cacd.479876/gov.uscourts.cacd.479876.1.1.pdf accessed 7 January, 2012 21 The Ctr. for Democracy and Tech., Letter to Judge Seeborg http://www.wired.com/images_ blogs/threatlevel/2010/02/cdtfacebook.pdf accessed 4 January, 2012 (citing Settlement Agreement 4.19, Lane v. Facebook, Inc., No. C 08-3845 RS, 2010 U.S. Dist. LEXIS 24762 (N.D. Cal. Mar. 17, 2010));

5|Page

and the application of old law to new technology can be unpredictable. For example, current laws22 that protect electronic communications may or may not apply to cloud computing communications or they may apply differently to different aspects of cloud computing.23 Because of this legal uncertainty, a broad array of technology companies, civil rights organizations, think tanks, advocates from across the political spectrum, lawyers, and academics have banded together to launch the Digital Due Process (DDP).24 The DDP is a coalition focused on helping modernize current legislation governing how law enforcement agencies may gain access to electronic data25. In particular, the coalition is seeking a reform of the U.S. Electronic Communications Privacy Act of 1986 [FN108] (ECPA), calling for it to be updated to account for recent and emerging technologies, including email, social networking, and cloud computing.26

CLOUD COMPUTING AND PRIVACY IN INDIA

Existing Legal Framework Every country in the world individualizes privacy concepts to match history and culture. India has taken a sophisticated view toward privacy and has adopted regulations that are meant to protect a set of resources and to prevent its misuse. The regulations are primarily aimed at discouraging people from being involved in such behavior. A majority of Indians believe that the concept of privacy is about their own personal space rather than information privacy or identity theft. 27
22

The Privacy Act of 1974, 5 U.S.C. 552a.; The Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. 2510-2522, 2701-2712.; The Stored Communications Act of 1986 (SCA), 18 U.S.C. 2701-2712; The Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. 1681b; The Gramm-Leach-Bliley Act of 1999 (GLBA), 15 U.S.C. 6802; The Federal Information Security Management Act of 2002 (FISMA), Pub.L. 107 347; 23 See Robert Gellman, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, World Privacy Forum http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf accessed 24 December, 2011
24

See Press Release, Digital Due Process, Advocacy Groups, Companies Call for an Update of the Privacy Framework for Law Enforcement Access to Digital Information Broad Coalition Seeks to Balance Law Enforcement Needs, Privacy, and Innovation, http:// www.digitaldueprocess.org/index.cfm?objectid=3EFF6654383D-11DF-84C7000C296BA163 accessed 4 January, 2012 25 Ibid. 26 Electronic Communications Privacy Act of 1986 (ECPA), Pub. L. No. 99-508, Oct. 21, 1986, 100 Stat. 1848, (codified at 18 U.S.C. 2510 (2006)). 27 Aman Bakshi, Yogesh B. Dujodwala, Securing cloud from DDoS Attacks using Intrusion Detection System in Virtual Machine, (ICCSN 10 Proceeding of the 2010 Second International Conference on Communication Software and networks, pp. 260-264, 2010, IEEE Computer Society, USA, 2010. ISBN: 978-0-7695-3961-4)

6|Page

Although there is no right specifically focused on personal data protection in India, there are several primary sources of Indian legislation that refer to this right for Indian citizens. The sources are:
a. Article 21 of the Indian Constitution is about the general Right to Privacy.28 This right

covers the first generation of rights for Indian Citizens. The Information Technology Act of 2000 is based on a resolution that was adopted by the United Nations on January 30, 1997. This act is focused on e-commerce and cybercrime in general.
b. The Indian Contract Act basically deals with requiring Indian importers to pay a duty if

they are unable to protect data coming in from other countries. The Credit Information Act of 2005, on the other hand, imposes duties on credit information companies and credit institutions for any unauthorized sharing of an individuals credit information with external sources.29 c. The Information Technology Act of 2000 has explicitly stated penalties for the breach of data and privacy, at least in the domain of computers and cybercrime. For instance, a person gaining access to or downloading/changing information from a computer system without prior permission from the owner is subject to civil liability. Intentional tampering with a computer systems source code is punishable by up to three years imprisonment or a fine of up to two lakh rupees. The same penalty is applicable to anyone who is involved with hacking a computer system to cause wrongful loss of property. Four sections of the Information Technology Act specifically deal with penalties against breach and misuse of data in India. These are Sections 43, 65, 66, and 72. Specifically, these Sections offer protection to the consumer from damages to the computer or the computer system. They foresee civil liability for actions including but not limited to unauthorized copying, extraction, database theft, and digital profiling.30 These Sections also protect consumers against the tampering of computer source documents. They are applicable to intentional actions such as concealing, destroying, or altering of computer

28

First Analysis of the Data Protection Law in India, CRID, University of Namur, http://goo.gl/VO2wR accessed 5 January, 2012. 29 B. R. Kandukuri, R. V. Paturi and A. Rakshit, Cloud Security Issues, (2009 IEEE International Conference on Services Computing, Bangalore, India, September 21-25, 2009. In Proceedings of IEEE SCC'2009. pp. 517-520, 2009. ISBN: 978-0-7695-3811-2.) 30 Section 43, Information Technology Act, 2000

7|Page

source code and is punishable by either or combination of a fine of up to two lakh rupees and imprisonment of up to three years.31 Section 66, quoted in India as a data protection provision, deals with computer hacking and protects data users from intentional alteration/misuse of data on their computers diminishing the value of the data in the process. The penalty is the same as that for Section 65. Section 72 imposes a fine of one lakh rupees and an imprisonment term of up to two years for any breach of confidentiality and privacy of a persons material. To be clear, the existing regulatory framework does not offer complete protection from data breaches; however it is comprehensive enough to resolve a majority of the concerns in the Indian market. The introduction of new regulations does not show any distinct benefits. On the other hand, new regulations could pose definite and serious challenges for cloud computing and the functioning of the Internet itself. It will not only slow down the adoption rate for cloud computing and prolong the time to gain its benefits but also give rise to a feeling of confusion and panic in the Indian economy. New Indian Privacy Laws The most recent development by the Indian Government with respect to data privacy came in June, 2011, when it passed the 2011 Information Technology Rules (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information). A key component of these rules was that any organization processing personal information in India requires written consent before undertaking certain activities and must implement reasonable security policies and procedures.32 These rules apply to organizations operating in India and are independent of whether the data originates in India or if it pertains to Indian citizens. It also enforces a disclosure obligation for privacy policies wherein an organization must clearly explain the purposes of processing the involved personal information. These laws make Internet Intermediaries responsible for harmful content on the Internet. 33 The intention of the Indian Government is to enhance the data security and privacy in the country and it feels that this is a crucial step to promote off-shoring in India. 34 However, the
31

Section 65, Information Technology Act, 2000 First Analysis of the Data Protection Law in India, CRID, University of Namur, http://goo.gl/VO2wR accessed 2 January, 2012 33 Russell Smith, Indias New Data Privacy Rules: Will They Help or Hurt Legal Outsourcing?, Law Without Borders , May 23 2011http://goo.gl/gUcfA accessed 3 January, 2012 34 In 1995, the European Parliament and Council adopted Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Directive applies to all 27 member states of the European Economic Area (EEA). Several sources have noted that the Directive has significant weaknesses and that many aspects of it are ineffective. See Neil Robinson, Hans Graux, et. al. , Review of the European Data Protection Directive, RAND Europe Technical Report (2009),
32

8|Page

actual nature of these rules does not completely solve the original purpose.35 The extensive requirements of the new rules are likely to increase the overhead of time, energy, and money to be spent by companies when off-shoring to India. The new privacy law is very new, and ultimately, it will be important for its interpretation and enforcement to be measured so as to allay the fears that have already been expressed by many multinational businesses.36

CONCLUSION
The analytical framework for resolving state tax issues related to Cloud Computing is simple, but applying antiquated laws to the analysis creates difficulty and uncertainty. For example, if tax is based on the location of the registered office of a cloud computing company, then they will move their virtual offices to the lowest tax area. Basically, the idea to tax at the point of usage, falls apart for those services that are free at the point of use. Business use of cloud computing is on the rise. Vendors continue to parry for market share as new services emerge and threaten the basic model of the in-sourced IT department by providing rapid scalability and distribution of services. In the civil litigation context, the use of cloud computing to store data that are critical to the business invites new complexity and new challenges. Although cloud computing is not a new idea, it has taken a while for standards, infrastructure and interest to meet, creating the perfect storm to make the idea technically and commercially viable. It has arrived, and the amount of interest from both vendors and users is considerable.

http://goo.gl/d9OUM accessed 5 January, 2012 35 Mani Malarvannan, New Privacy Laws To Impact Outsourcing to India, Outsource Portfolio , June 10 2011, http://googl/zGY5l accessed 5 January, 2012. 36 See Rama Lakshmi, India data privacy rules may be too strict for some U.S. companies, Washington Post , May 21, 2011, http://goo.gl/YFft2 accessed 4 January, 2012

9|Page