Jay P. Kesan, Carol M. Hayes, all of Illinois, have written Consumer Privacy Choices, Informed Consent, and Baseline Protections to Facilitate Market Transactions in the Cloud. Here's the abstract:
As part of this work, we analyzed and categorized the terms of TOS agreements and privacy policies of several major cloud services to aid in our assessment of the state of user privacy in the cloud. Our empirical analysis showed that providers take similar approaches to user privacy, and were consistently more detailed when describing the user’s obligations to the provider than when describing the provider’s obligations to the user. This asymmetry, combined with these terms’ nonnegotiable nature, led us to conclude that the current approach to user privacy in the cloud is in need of serious revision.
Privacy and autonomy, values necessary for a free society, are threatened by the asymmetric terms and unawareness of parties agreeing to such terms. Based on analysis of the law, theories of privacy developed by scholars, findings of research into human-computer interaction, and an analogy to the ethical guidelines of informed consent followed by social science researchers, we propose the following modest but realistically achievable goals to advance user privacy in the cloud.
First, we suggest adopting a legal regime that requires companies to provide baseline protections for personal information and also take steps to enhance the parties’ control over their own data. We view data control as consisting of two parts: 1) data mobility, where consumers are assured the ability to move course-of-business data from one provider to a competing provider at will, without encountering lock-in problems due to formatting issues; and 2) data withdrawal, where consumers have the right to serve notice and takedown orders on entities that possess and use the consumer’s personal information against the consumer’s wishes.
Second, we argue that collectors and users of personal information in the cloud should be held to ethical guidelines mandating informed consent to facilitate informed contracting. Adopting an approach that is consistent with the informed consent standards required of social science researchers, we view informed consent as consisting of five elements: 1) disclosure, 2) competence, 3) comprehension, 4) voluntariness, and 5) agreement.
Third and finally, we propose that a multi-tiered approach to privacy be mandated by regulations, requiring companies to make heightened privacy protections available to consumers. By mandating choice, we are creating a market where consumers have meaningful choices regarding the level of privacy being afforded, and the existence of these privacy choices will facilitate market transactions. Ultimately, our goal with this piece is to apply established law and privacy theories to services in the cloud, and set forth a model for the protection of information privacy that recognizes the importance of informed users.