Privacy in the Cloud: Going Beyond the Contractarian Paradigm Masooda N. Bashir University of Illinois at Urbana-Champaign 1308 W. Main St. Urbana, IL 61801, USA +1-217-244-1139 mnb@illinois.edu Carol M Hayes University of Illinois at Urbana-Champaign 504 E. Pennsylvania Ave. Champaign, IL 61820, USA +1-217-333-0931 carol.mullins@gmail.com Jay P. Kesan University of Illinois at Urbana-Champaign 504 E. Pennsylvania Ave. Champaign, IL 61820, USA +1-217-333-0931 kesan@illinois.edu Robert Zielinski University of Illinois at Urbana-Champaign 1308 W. Main St. Urbana, IL 61801, USA +1-217-244-1139 zielins2@illinois.edu ABSTRACT Human life today has become entangled in the Internet. We access e-mail, store content, and use services online without a thought as to where data reside or how data are protected. The “cloud,” a conceptualization of how data reside on the Internet rather than locally, is the latest technological innovation or computing trend du jour. However, many concerns surrounding cloud computing remain unaddressed. How are the data we store online kept confidential? Who else has the right to access our private information? What kind of laws and policies offer us protection? We begin by evaluating the current situation by examining the Terms of Service (ToS) agreements and privacy policies from well-known cloud providers, and we describe the types of privacy protections (or lack thereof) that they offer. We conclude that a contractarian approach to privacy protection is likely to lead to a situation in which consumers end up trading their privacy without being well-informed about the implications and consequences of their choices. Next, we examine whether the applicable laws are adequate to protect the privacy of consumers in the cloud. We discuss privacy protections in the cloud by considering the Fourth Amendment, the Stored Communications Act, the Federal Information Security Management Act, and the USA PATRIOT Act, and we conclude that they are inadequate in according a minimum level of privacy to consumers in the cloud, setting the stage for a vigorous study of the form and substance of cloud computing-centric privacy legislation. Categories and Subject Descriptors General Terms Security, Standardization, Legal Aspects, Cloud Computing Keywords Cloud Computing contracts, Privacy, Legal Aspects 1. WHAT IS “CLOUD COMPUTING”? Cloud computing as a concept is not new, but it was not until fairly recently that the term arose to describe decentralized computing. The term is used quite often but lacks a commonly agreed-upon definition. Generally, cloud computing refers to the use of hardware, storage, and systems software located in large datacenters worldwide (Armbrust 2009, p. 4). Applications are hosted through and accessed over the Internet instead of residing on one’s own personal computer. The U.S. National Institute of Standards and Technology (NIST) describe cloud computing and its five main characteristics as follows: (1) on-demand self- service; (2) broad network access; (3) resource pooling; (4) rapid elasticity; and (5) measured service (Kerr, 2010, p. 4). Cloud computing exists in a variety of forms. For example, when a cloud is made available in a pay-as-you-go manner to the public, it is known as a public cloud. Current examples of public clouds include Amazon’s Elastic Compute Cloud (EC2), IBM’s Blue Cloud, Sun’s Cloud, Google’s AppEngine, and Microsoft’s Windows Azure. Private clouds, however, are the internal datacenters of individual businesses or organizations and are not made available to the public. NIST describes three cloud computing service models (Kerr, 2010, pp. 4-5):  Software as a Service (SaaS): the consumer-facing level, with which most users are familiar. SaaS refers to the applications delivered to the user over the Internet for purposes such as e-mail, file storage, word processing, social networking, and other software programs.  Platform as a Service (PaaS): a platform in the cloud, upon which applications can be developed and executed. PaaS allows developers to deploy applications Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ACSAC ‚Äô11 Dec. 5-9, 2011, Orlando, Florida USA Copyright 2011 ACM 978-1-4503-0672-0/11/12 ...$10.00. 