
©2013 Vinson & Elkins LLP Confidential & Proprietary

Privacy and Data Security Issues in Cloud Computing

November 11, 2013

Roadmap

• What is Cloud Computing
• Privacy and Data Security Laws and Regulations
• Data Breaches
• How Can Cloud Consumers Manage Risks

What is Cloud Computing

• “complete gibberish”?
• In a nutshell, using a network of remote servers hosted on the Internet (i.e., the “cloud”) to store, manage, and process data.
• NIST definition: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Essential Characteristics

• On-demand self service

• Broad network access

• Resource pooling

• Rapid elasticity

• Measured service

Actors in Cloud Computing

• Cloud Provider
– Makes a service available to Cloud Consumers
• Cloud Consumer
– Uses services from Cloud Providers
• Cloud Auditor
– Conducts independent assessments of cloud services, including security audits and privacy impact audits
• Cloud Carrier
– Provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers

Service Models

• Software as a Service (SaaS)
– e.g., Google Gmail, Google Docs, Facebook
• Platform as a Service (PaaS)
– e.g., Salesforce (Force.com), Google App Engine
• Infrastructure as a Service (IaaS)
– e.g., Amazon Web Services, Rackspace, IBM Computing on Demand

Level of Control and Responsibility Across Different Service Models

[Figure: a stack of layers, from top to bottom Application, Platform Architecture, Virtualized Infrastructure, Hardware, and Facility. The Cloud Provider’s share of control and responsibility is greatest under SaaS, smaller under PaaS, and smallest under IaaS; the Cloud Consumer’s share runs the other way, greatest under IaaS and smallest under SaaS.]

Deployment Models

• Public (off premises)
• Private (on or off premises)
• Hybrid (a composition of public and private clouds)

Roadmap: Privacy and Data Security Laws and Regulations

Privacy and Data Security Laws

• The Fourth Amendment
• Electronic Communications Privacy Act (ECPA)
• Compliance with sector-specific laws
• Federal Trade Commission as the enforcer
• Borders within the cloud: transferring data outside the EU
• Understanding the NSA programs

The Fourth Amendment

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

• The two-prong Katz test
– Governmental action must contravene an individual’s actual, subjective expectation of privacy
– The expectation of privacy must be reasonable, in the sense that society in general would recognize it as such.
Katz v. United States, 389 U.S. 347 (1967)

ECPA

• Enacted in 1986
– Before the World Wide Web (1990) and the first widely used web browsers (1993–94)
• Amended the Wiretap Act of 1968 and extended its protections to electronic communications, including the disclosure of stored electronic data (the Stored Communications Act, SCA)
• Regulates conduct between
– provider and customer
– government and provider
– different users

Three Standards

• Warrant
– “probable cause”
• Court order under 18 U.S.C. § 2703(d)
– “specific and articulable facts”
• Subpoena
– reasonable relevance
– no judicial review required
• A higher-order process (e.g., a warrant) is always valid where a lesser one would suffice

The Contents of an Email Can Be Treated Differently at Various Times

Type of communication                                        | Process required for law-enforcement access | Statute
Email in transit                                             | Warrant                                     | 18 U.S.C. § 2516
Email in storage on home computer                            | Warrant                                     | Fourth Amendment, U.S. Constitution
Email in remote storage, opened                              | Subpoena                                    | 18 U.S.C. § 2703
Email in remote storage, unopened, stored 180 days or less   | Warrant                                     | 18 U.S.C. § 2703
Email in remote storage, unopened, stored more than 180 days | Subpoena                                    | 18 U.S.C. § 2703

Cloud Computing Makes the Need for ECPA Reform More Urgent

• The 180-day rule and the distinction between opened/unopened emails are outdated
– Based on the traditional email server, where mail was downloaded to the user’s machine and deleted from the server once read
– No longer as relevant today, when customers have access to nearly unlimited cloud storage and leave mail on the server indefinitely
• Constitutional challenges
– 6th Circuit: portions of the SCA are unconstitutional to the extent that the SCA enabled the government to obtain email content without a warrant. See United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).
– Google Transparency Report: Google “requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the U.S. Constitution”

Current ECPA Reform Proposals

• Electronic Communications Privacy Act Amendments Act of 2013
– Introduced by Senators Patrick Leahy and Mike Lee
– Content may be disclosed “only if the governmental entity obtains a warrant ... that is issued by a court of competent jurisdiction directing the disclosure”
– Eliminates the “180-day rule” and the distinction between opened/unopened emails
– Stricter notice requirements

ECPA Claims: In re Google Inc. Gmail Litigation

• Plaintiffs’ ECPA claim
– Gmail system intentionally intercepted the content of emails that were in transit to create user profiles and provide targeted advertising
• Google moves to dismiss
– “Ordinary course of business” exception
– Consent
• explicit consent from Gmail users under its terms of service
• implied consent from non-Gmail users who communicate with Gmail users

In re Google Inc. Gmail Litigation, No. 13-MD-02430-LHK (N.D. Cal. Sept. 26, 2013)

Court: “Ordinary Course of Business” Argument Rejected

• Plaintiffs have plausibly alleged that the interceptions fall outside Google’s ordinary course of business
– “the ordinary course of business exception is narrow”
– “Google’s alleged interception of email content is primarily used to create user profiles and to provide targeted advertising — neither of which is related to the transmission of emails”
– “The court further finds that plaintiffs’ allegations that Google violated Google’s own agreements and internal policies with regard to privacy also preclude application of the ordinary course of business exception.”

Court: Consent Argument Rejected

• No explicit consent from Gmail users
– “those policies did not explicitly notify the plaintiffs that Google would intercept users’ emails for the purposes of creating user profiles or providing targeted advertising.”
– Google’s Terms of Service
• “advertisements may be targeted to the content of information stored on the Services, queries made through the Services or other information”
• collects “user communications . . . to Google” for purposes of “the display of customized content and advertising” and “improve our services (including advertising services)” (emphasis added by the Court)
• “give Google . . . a world wide license to use . . . , create derivative works (such as those resulting from translations, adaptions or other changes we make so that your content works better with our Services)”
• No implied consent from non-Gmail users

Compliance with Sector-Specific Laws

• Financial institutions
– Gramm-Leach-Bliley Act (GLBA): regulates how financial institutions collect and share information about consumers
• Educational institutions
– Family Educational Rights and Privacy Act (FERPA): regulates schools’ disclosure of students’ education records
• Health care
– Health Insurance Portability and Accountability Act (HIPAA)
– Health Information Technology for Economic and Clinical Health (HITECH) Act

Federal Trade Commission as the Enforcer

• Federal Trade Commission Act Section 5
– “unfair or deceptive acts or practices in or affecting commerce”
• Most of the cases settle
– Voluntary compliance
– Administrative complaint. See In the Matter of Facebook, Inc., FTC File No. 0923184
– Seeking injunctive relief in court. See U.S. v. Google Inc., Case No. 5:12-cv-04177-HRL (N.D. Cal. 2012)
• Obtained orders against Google and Facebook
– Require the companies to obtain consumers’ affirmative express consent before materially changing certain of their data practices
– Require adoption of comprehensive privacy programs subject to independent third-party audits for 20 years

Borders in the Cloud: Transferring Data Outside the EU

• EU Data Protection Directive
– Personal data may only be transferred to third countries if that country provides an adequate level of protection.
• U.S.–EU Safe Harbor Framework
– Approved by the EU in 2000
– Organizations must comply with the seven Safe Harbor Privacy Principles
• Notice
• Choice: affirmative or explicit (opt-in) choice for sensitive information
• Onward Transfer (transfer to third parties)
• Access
• Security
• Data Integrity
• Enforcement: FTC

Understanding the NSA Programs

• Telephone metadata program
– Records of over 120 million Verizon subscribers
• PRISM
– Collects data directly from Cloud Providers
• MUSCULAR
– Tapping the Google and Yahoo private clouds outside the U.S.

Telephone Metadata Program: Section 215 of the USA PATRIOT Act

• Signed into law in 2001
• Added the business records provision to the Foreign Intelligence Surveillance Act (FISA)
• Allows access to certain business records with a court order
– “reasonable grounds to believe that the [records] are relevant to an authorized investigation . . . to protect against international terrorism”
– The court order must be reviewed and reapproved by the federal judges in the FISA court every 90 days.

PRISM

• A wide range of data is collected, including the contents of emails
• The details vary by provider.

PRISM: Section 702 of the FISA Amendments Act of 2008

• Authorizes a broad program of electronic surveillance
– “the targeting of [non-U.S.] persons reasonably believed to be located outside the United States”
• “reasonably believed” defined by the NSA to require only 51 percent confidence
• May compel an electronic communication service provider to
– “immediately provide the Government with all information, facilities, or assistance”
– “in a manner that will protect the secrecy of the acquisition”
• No individualized court orders required
– Only the FISA court’s approval of the required targeting procedures and minimization procedures is needed

MUSCULAR: Getting Around the Limitations Imposed by FISA?

• Relies on an unnamed telecommunications provider (a “Cloud Carrier”) to offer secret access to the traffic
• Takes place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner
• “It's an arms race” -- Eric Grosse, Google’s VP for security engineering

Roadmap: Data Breaches

The Dreaded Security Breach

• Cloud computing arrangements raise significant security breach concerns
– Lack of control over, and visibility into, abstracted resources
– Lack of ways to measure the security services of Cloud Providers
– Cloud Consumers’ legal obligations to take appropriate security measures to protect personal data
• Major 2012 security breaches
– Zappos: 24 million customer accounts compromised
– LinkedIn: 6.5 million password hashes breached

State Security Breach Notification Laws

• Following California’s data security breach notification law, all but four states have enacted similar laws
– Exceptions: Alabama, Kentucky, New Mexico, and South Dakota
• Usually require notification of consumers of a breach of personal information
– “as soon as possible, without unreasonable delay”
• The “owner” of the data, usually the Cloud Consumer, is ultimately responsible for the breach notification.
• Exceptions
– Encrypted data (in many states only if the encryption key was not also acquired); publicly available government data
– Some states: immaterial breach

Data Breaches Are Costly

• Cost of investigation, notification, and possibly credit monitoring for affected individuals
• Class action / private civil lawsuits
• Regulatory action by state Attorneys General or other regulators
• Damage to reputation
• Business partner costs / lawsuits / indemnification

Prepare for the Inevitable

• Assessment
– Understand the data and the legal obligations
• Prevention
– Negotiate contractual provisions with service providers to secure data and limit liability
– Adopt measures to maximize security of the data, e.g., encryption, password management
• Incident Response Plan
– Identify the scope of affected data and the source of the intrusion
– Disclosure
– Communication (internally and externally)

Roadmap: How Can Cloud Consumers Manage Risks

Use Contracts to Manage Risks

• Compliance with applicable federal, state, and international privacy and security laws
• Data security breach notification
• Data access by the government or Cloud Providers
• Termination

Data Security Breach Notification Provisions

• Clear definition of an actual or suspected “breach” or “security incident”
• Timeframe for notification of a breach upon discovery
• Notification duties
• Costs
– Legal; investigation; reputational
• Indemnification
– Typically covers only third-party claims, e.g., credit monitoring

Use of Data by the Government or the Cloud Provider: Provisions

• Add a notification obligation on the Cloud Provider before it makes a disclosure to the government
– Unless the Cloud Provider is prohibited by law from doing so
• Carefully review the uses contemplated by the Cloud Provider
– “as necessary to operate this service or any other Provider service;” “to protect Provider’s rights;” or “in order to improve Provider’s products”
– Consider whether to seek specific limitations on such uses

Termination Provisions

• Expressly state whether a data security breach incident is to be considered a material breach of the contract
• Secure destruction of customer data at termination
– Specify the secure disposal methods
– Compliance with state data disposal laws
• These require entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable when the records are no longer to be retained.
• Termination assistance provision
– Require the Cloud Provider to assist with the orderly transition either back to the customer or to a new vendor

Case Study: Los Angeles – CSC/Google Contract

• Fall 2009
– Los Angeles awarded a contract to move 30,000 users to Google Apps
• December 2011
– The LAPD bails on Google Apps over security and privacy concerns, as the service fails to meet federal security guidelines for criminal justice information
• October 2013
– Giving cloud computing another try!
– The city published a new Request for Proposal for a replacement solution, as Google’s contract expires in November 2013.

Case Study: Los Angeles – CSC/Google Contract (cont.)

• Private cloud for sensitive data
• Mandatory data encryption
• Data storage only in the U.S.
• Data access limited to U.S. citizens with high-level security clearances

In Summary

• Perform a comprehensive data protection risk assessment of cloud computing solutions before engaging them
• Use the contract to ensure that a cloud computing solution satisfies organizational security and privacy requirements
• Review the service and the contract periodically to identify whether anything has changed


Hong Shi [email protected]

Thank you for attending.

Questions?