Washington, D.C. – Consumers are increasingly entrusting family photos, documents, and personal information to cloud computing services such as Gmail, Flickr and Facebook. Businesses and government agencies are also using cloud computing services, which store users’ data on remote servers and make it available to them through the Internet or other connections, to reduce costs and improve efficiency. According to the Consumer Federation of America, while cloud computing services can offer many benefits such as providing access to one’s data from any computer, making data sharing easier, and keeping data more secure than it would be on one’s own computer, the growing use of the cloud also creates challenges for consumer protection and privacy. For instance, consumers could lose their data if the cloud service provider has inadequate procedures or shuts down on short notice, or they may find that contract terms or lack of interoperability make it difficult to move their data from one cloud service to another. Consumers may also be unaware that a cloud computing service intends to use their data for marketing purposes or that law enforcement might have access to it without notice to them.
Today, CFA is addressing these challenges in a new report, Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America Retreat on Cloud Computing. The best practices emerged from a two-day retreat that CFA held in June 2010 which brought together representatives from consumer and privacy organizations, academia, government and business from the United States and Europe. “In the cloud, people’s expectations, companies’ practices, and even the law are unclear,” said Susan Grant, Director of Consumer Protection at CFA. “Our goal in holding this meeting and releasing the report is to encourage cloud service providers to be transparent, fair and responsible in their dealings with consumers.” The best practices specifically focus on business-to-consumer cloud computing services, but CFA hopes that companies that outsource customer data to the cloud will also consider them in their decision making and contractual agreements with cloud service providers. Chris Hoofnagle, reporter to the group and author of the report, added, “The best practices articulated in the report will focus consumers’ attention on the important factors in evaluating cloud service providers, and encourage providers to compete on the basis on these factors.”
Participants at the CFA retreat did not agree on every single issue related to cloud computing. There were differing views, for instance, about whether service providers should be able to use data that consumers place in the cloud for secondary purposes such as marketing. The recommended best practices, however, represent the consensus view of the participants on those issues:
- Law Enforcement Access to Data. Where not prohibited by law, users should receive notice of criminal and civil requests for information. Secondary Uses.
- Secondary use must be clearly disclosed and identified as “technical justifications” or “business justifications” for use of data.
- Portability and Interoperability. Portability is key for competition in cloud services; cloud service providers should not interfere with interoperability.
- Data Security. Cloud service providers must demonstrate operational safeguards and security mechanisms through expert audit and certification.
- “Free” Services. “Free” services should have the same consumer protection standards as forfee services.
- Deletion. Consumers should be able to delete information they upload to the cloud.
- Transparency. Basic information such as the level of service provided, the business model of the cloud service provider, what legal protections apply to data, and who to contact if questions arise should be provided.
The report includes a model disclosure for this information. The report is available at www.consumerfed.org/pdfs/Cloud-report-2010.pdf. CFA urges consumers who are considering using cloud computing services to read the terms of service carefully and contact the service provider if they have any questions or concerns. Consumers should look for cloud computing services that follow these recommended best practices.
Contact: Susan Grant, CFA, 202-387-6121; Chris Hoofnagle, Berkeley Center for Law & Technology, 510-643-0213
The Consumer Federation of America is an association of nearly 300 nonprofit consumer organizations that was established in 1968 to advance the consumer in