Tag Archives: cloud computing

What’s new in research: full-access papers on machine learning with personal data, the ethics of Big Data as a public good

Today pdpecho inaugurates a weekly post curating research articles/papers/studies or dissertations in the field of data protection and privacy, that are available under an open access regime and that were recently published.

This week there are three recommended pieces for your weekend read. The first article, published by researchers from Queen Mary University of London and Cambridge University, provides an analysis of the impact of using machine learning to conduct profiling of individuals in the context of the EU General Data Protection Regulation.

The second article is the view of a researcher specialised in International Development, from the University of Amsterdam, on the new trend in humanitarian work to consider data as a public good, regardless of whether it is personal or not.

The last paper is a draft authored by a law student at Yale (published on SSRN), which explores an interesting phenomenon: how data brokers have begun to sell data products to individual consumers interested in tracking the activities of love interests, professional contacts, and other people of interest. The paper underlines that the US privacy law system lacks protection for individuals whose data are sold in this scenario and proposes a solution.

1) Machine Learning with Personal Data (by Dimitra Kamarinou, Christopher Millard, Jatinder Singh)

“This paper provides an analysis of the impact of using machine learning to conduct profiling of individuals in the context of the EU General Data Protection Regulation.

We look at what profiling means and at the right that data subjects have not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning them or significantly affect them. We also look at data subjects’ right to be informed about the existence of automated decision-making, including profiling, and their right to receive meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.

The purpose of this paper is to explore the application of relevant data protection rights and obligations to machine learning, including implications for the development and deployment of machine learning systems and the ways in which personal data are collected and used. In particular, we consider what compliance with the first data protection principle of lawful, fair, and transparent processing means in the context of using machine learning for profiling purposes. We ask whether automated processing utilising machine learning, including for profiling purposes, might in fact offer benefits and not merely present challenges in relation to fair and lawful processing.”

The paper was published as “Queen Mary School of Law Legal Studies Research Paper No. 247/2016″.

“International development and humanitarian organizations are increasingly calling for digital data to be treated as a public good because of its value in supplementing scarce national statistics and informing interventions, including in emergencies. In response to this claim, a ‘responsible data’ movement has evolved to discuss guidelines and frameworks that will establish ethical principles for data sharing. However, this movement is not gaining traction with those who hold the highest-value data, particularly mobile network operators who are proving reluctant to make data collected in low- and middle-income countries accessible through intermediaries.

This paper evaluates how the argument for ‘data as a public good’ fits with the corporate reality of big data, exploring existing models for data sharing. I draw on the idea of corporate data as an ecosystem involving often conflicting rights, duties and claims, in comparison to the utilitarian claim that data’s humanitarian value makes it imperative to share them. I assess the power dynamics implied by the idea of data as a public good, and how differing incentives lead actors to adopt particular ethical positions with regard to the use of data.”

This article is part of the themed issue ‘The ethical impact of data science’ in “Philosophical transactions of the Royal Society A”.

3) What Happens When an Acquaintance Buys Your Data?: A New Privacy Harm in the Age of Data Brokers (by Theodore Rostow)

Privacy scholarship to date has failed to consider a new development in the commercial privacy landscape. Data brokers have begun to sell data products to individual consumers interested in tracking the activities of love interests, professional contacts, and other people of interest. This practice creates an avenue for a new type of privacy harm — “insider control” — which privacy scholarship has yet to recognize.

U.S. privacy laws fail to protect consumers from the possibility of insider control. Apart from two noteworthy frameworks that might offer paths forward, none of the viable reforms offered by privacy scholars would meaningfully limit consumers’ vulnerability. This Note proposes changes to existing privacy doctrines in order to reduce consumers’ exposure to this new harm.”

This paper was published as a draft on SSRN. According to SSRN, the final version will be published in the 34th volume of the Yale Journal on Regulation.

***

Find what you’re reading useful? Please consider supporting pdpecho.

Advertisements

Academic Paper: Personal Jurisdiction and Choice of Law in the Cloud

Authors: Damon C. Andrews, John M. Newman

Abstract:

Cloud computing has revolutionized how society interacts with, and via, technology. Though some early detractors criticized the “cloud” as being nothing more than an empty industry buzzword, we contend that by dovetailing communications and calculating processes for the first time in recorded history, cloud computing is — both practically and legally — a shift in prevailing paradigms. As a practical matter, the cloud brings with it a previously undreamt-of sense of location independence for both suppliers and consumers. And legally, the shift toward deploying computing ability as a service, rather than a product, represents an evolution to a contractual foundation for all relevant interactions.

Already, substantive cloud-related disputes have erupted in a variety of legal fields, including personal privacy, intellectual property, and antitrust, to name a few. Yet before courts can confront such issues, they must first address the two fundamental procedural questions of a lawsuit that form the bases of this Article — first, whether any law applies in the cloud, and, if so, which law ought to apply. Drawing upon novel analyses of analogous Internet jurisprudence, as well as concepts borrowed from disciplines ranging from economics to anthropology, this Article seeks to supply answers to these questions. To do so, we first identify a set ofnormative goals that jurisdictional and choice-of-law methodologies ought to seek to achieve in the unique context of cloud computing. With these goals in mind, we then supply structured analytical guidelines and suggested policy reforms to guide the continued development of jurisdiction and choice of law in the cloud.

Full text: Digital Commons Network

 

Forrester: Most “private clouds” aren’t really clouds at all

Computerworlduk.com wrote about private clouds and how they are not exactly … clouds.

If an enterprise data centre has a highly virtualised environment, a web portal for business users to request and access virtual machines and a method for tracking how many of those resources are being used… that’s not quite a private cloud.

If there is enough capacity to supply employees with almost any amount of compute resources they need, and scale that capacity up and down dynamically, but it requires IT workers to provision the systems, then sorry that’s not a private cloud either.

The line between virtualisation and a private cloud can be a fuzzy one, and according to a new report by Forrester Research, up to 70% of what IT administrators claim are private clouds are not. “It’s a huge problem,” says Forrester cloud expert James Staten. “It’s cloud-washing.”

Why’s it such a big deal? Staten says if you call a highly virtualised environment a cloud, but it doesn’t have one or more of the key characteristics of a private cloud, then the IT department is setting an unrealistic expectation for users. If users are disappointed when they find out the environment doesn’t have self-provisioning, or an elastic resources pool, they can get discouraged. The next time they need a VM on the fly, where will they turn? The pseudo-private cloud IT has set up, or Amazon Web Services, which IT could have no control over.

Read the whole analysis HERE.

 

GigaOm: Fear of lock-in dampens cloud adoption

Data portability — the ability to move your information between clouds (or in and out of clouds) with relative ease — is a key concern of companies considering a cloud move.

It’s become a truism to say that data is the new gold –but that doesn’t mean there are easy answers about where to store this gold. For now, many corporate customers will hold back on full cloud computing adoption until they’re convinced that they can move their data off a given cloud as easily as they put it there in the first place. Face it: fear of vendor lock-in is not limited to the on-premises IT world and it’s time enlightened vendors get this problem in hand.

The advent of cloud computing should make it easy to mix and match services from multiple vendors within a cloud and to let data flow in and out of parts of the clouds as needed. But that’s not necessarily the reality now.

“When you move to cloud, you should be increasing your choices, not decreasing them. You don’t buy three on-premises apps but you can use three services from three vendors in the cloud,” said Robert Jenkins, co-founder and CTO of Cloud Sigma, the Zurich-based cloud provider.

Bill Gerhardt, director of Cisco Systems’ internet solutions group’s service provider practice, agreed. “We need to sort out data portability. Customers ask: ‘If I give you all this data, how do I retrieve that data if I want to go somewhere else? Many cloud companies don’t have a clear exit route.”

Read the whole story HERE.

For the opinion that the right to data portability, in reality, hampers competition, see Peter P. Swire and Yanni Lagos, Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique, available HERE.

For the opinion that the right to data portability adds value both to privacy and competition, see G. Zanfir, The right to data portability in the context of the EU data protection reform, abstract available HERE, full text upon access, HERE.

US Department of Health and Human Services, asked to get involved in guidance for handling patient data

Healthcareitnews.com writes that Texas-based advocacy group called Patient Privacy Rights asked DHH to create cloud-computing guidelines around the issues of secure infrastructure, security standards and business associate agreements with regard to the protection of patients’ personal data.

♣ In April, the Department of Health and Human Services reached a $100,000 HIPAA settlement with Phoenix Cardiac Surgery, after the small physician practice had managed clinical and surgical appointments, between 2007 and 2009, using an Internet-based calendar that also happened to be publicly-available.

♥ The Internet being the most ubiquitous form of cloud computing, an Austin, Texas-based advocacy group called Patient Privacy Rights is pointing to the Phoenix Cardiac Surgery HIPAA violation as an example of why HHS should regulate, or at least guide, cloud use in healthcare.

♠ In a letter to the HHS Office for Civil Rights, Patient Privacy Rights founder and chair Deborah Peel, MD, wrote that “Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients (that) sensitive health data they share with their physicians and other health care professionals will be protected”.

♦ Cloud-computing is proving to be valuable, Peel said, but the nation’s transition to electronic health records will be slowed “if patients do not have assurances that their personal medical information will always have comprehensive and meaningful security and privacy protections.”

Read the whole story HERE.

Financial Supervisory Authority issues circular for Hungarian financial institutions on the use of cloud computing technologies

Márton Domokos writes for “The Privacy Advisor” that On 18 July, the Hungarian Financial Supervisory Authority-PSZÁF (HFSA) issued a circular for Hungarian financial institutions on the use of cloud computing technologies. It is the first time in Hungary that a regulatory authority issued such an opinion. The document outlines detailed proposals for financial institutions on data classification, pre-contracting tasks and the contents of the service agreement with the cloud provider.

Regulatory considerations

The HFSA expressly reminds the management, IT internal audit, compliance and legal departments of financial institutions that if the company is willing to use cloud computing services, they shall pay particular attention to the following.

Obtaining cloud services is considered as “outsourcing” under the Hungarian sector-specific regulations which results in the application of certain additional rules; e.g., notification to the HFSA, specific data processing obligations.
It is important to continuously monitor the changes in the regulations of the EU affecting cloud computing services, practices and best practice recommendations.
It is also essential to keep an eye on the Hungarian and EU data privacy provisions and practices—in particular to practices and resolutions concerning cross-border data transfers or data transfers to third countries.
The relationship between the master services agreement to be concluded and the related SLAs shall be harmonised.
Data classification

According to the HFSA, it is important to classify the data processed by the financial institution before determining which data can be transferred to the cloud at all. The circular states that it is not recommended to process bank secrets, personal data or other sensitive data in the public cloud and reminds that the physical storage or place of procession of data in the public cloud in particular, e.g., outside of the European Economic Area or the Safe Harbor, substantially influence the possibility of compliance with the EU data protection regulations.

Read the whole text HERE.

Is Privacy in the Cloud only an illusion?

Is Privacy in the Cloud only an illusion? Technewsworld.com thinks so. They published a large article today arguing that “Laws around the world allow governments free access to data in the cloud. What may come as a surprise is that Mutual Legal Assistance Treaties facilitate cooperation across international boundaries. Under these MLATs, the U.S. and EU member states allow law enforcement authorities to request data on servers of cloud providers located in any countries that are part of the MLATs.”

If you ask me, the article brings nothing new under the sun, as it is built on the conclusions of Hogan & Lovell’s White Paper published in May this year (you can also find it on this blog).

Regarding the main topic, my comment would be that your personal data in the Cloud is as secure as your personal data deposited in any other way, from a governmental access point of view. The laws that allow governments to have access to personal data on account of fighting terrorism are not especially made for the Cloud, but for all sorts of information, personal data, mere anonymized data or whatever data you could think of, stored anywhere and by whoever.

However, what complicates a bit privacy things with the Cloud is that the effort made by governments to have access to data stored there is perhaps smaller than it would be to travel to a certain address and grab a certain device which contains data.

It is also possible I am terribly wrong by not taking into account information I do not know. If you have thoughts about this, or more information, please leave a comment 🙂

New research shows that most Western governments have access in the cloud, not only the US government

In a White Paper (“A Global Reality: Governmental Access to Data in the Cloud”) published by Hogan Lowells, which you can find HERE, a not so surprising conclusion arises:

The White Paper reveals that every jurisdiction examined vests authority in the government to require a Cloud service provider to disclose customer data. It explains why the access provisions of the USA Patriot Act are narrower than commonly thought.

The White Paper also reveals that, unlike in the United States where the law specifically protects cloud data from access by the government without legal process, data stored in the Cloud may be disclosed to governmental authorities voluntarily in some jurisdictions, without legal process and protections.

You can find the original news HERE.

I have no idea if the US government had anything to do with this study, but it’s definitely worth to have a look into the White Paper. It is indeed the US government that most of the privacy aware individuals accuse of being over-intrusive, especially after the enactment of the Patriot Act. However, it comes with no surprise that other governments have wide access to data stored in Clouds.

On the other hand, it remains a fact that the US has no unitary legal mechanism for protection of personal data, unlike the European countries analyzed in this report, which are bound by several European Union directives and by Art. 8 of the Charter of Fundamental Rights of the European Union to protect the right to the protection of personal data. This right of course has its limitations, and public interest in various forms is the most important one. There are also exceptions regarding journalistic purposes or research purposes.

It should also be noted that the Obama administration has made some efforts into this direction, by publishing this year the Consumers Privacy Bill of Rights, even though its provisions are not directly applied in disputes but are meant to guide the enactment of further legislation in this field and self-regulatory statues of companies.

Personal data, the new online currency?

The New York Times writes today about how could personal data become the new online currency.

The main idea is that personal data have become so valuable for marketing companies – to say the least, that its potential value is already exploited by a few start-ups. “A number of start-ups allow people to take control — and perhaps profit from — the digital trails that they leave on the Internet”, writes NYT.

I think that handled carefully, with prudence, this idea could be the new big thing in online marketing.

Also have in mind that such innovations would impact cloud computing and data portability. The EU data protection reform presupposes the existence of a right to data portability in favor of the data subject (See Article 18 of the proposed Regulation).

First of all, this would mean that a right to data portability will propagate soon in other jurisdictions. Second of all, it means that the data subject gains more control on the set of data directly connected to he or she, being able to keep all of it in one place, as long as he or she knows he or she will be able to move the set of data whenever he or she finds a better service provider, or a better suited one for his or her needs. All of these indicates that value could be added to the set of one’s available personal data. So this is a trend to be observed in the future.

Note: Photo source – http://www.moneymakingsuccesssite.com