Who owns your data when it is moved to the cloud?

Engelsk ikke lige din kop te? det klare vi nemt – Klik på dette link for at finde en dansk version .

There is no escaping the reality that more and more personal information have made the moved to the Web. Everything from the public services to our bank information, from the clothing stores to dating services – the Web is the place where citizens interact and where businesses ply their trade. Unfortunately with this move, has come the uncomfortable realisation that the security and privacy of these services are not keeping pace. Laws are in place, primarily through the European Data Protection Directive, which establishes a framework for how data on European citizens are to be handled, however, our data is often moved beyond the European Economic Area, which limits text extent these provisions are able to secure the data. A good example of everyday applications where we lose control of our personal data is cloud storage applications like Dropbox, OneDrive and Google Drive. These applications have allowed us to access our data from anywhere with an internet connection at any time through the multitude of devices. But are you aware of what you forfit for this convenience?

Looking into the ownership issue, it seems apparent Google does not claim ownership of the data which is uploaded to its services. This is formulated in Google Terms of

For Google Drive er data ejerskab skrevet som:

…Some of our Services allow you to upload, submit, store, send or receive content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours. …

Section Your Content in our Services
From Google Terms of Service, In effect April 14, 2014.

So far so good, but the very next sections seems inconsistent with this:

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored. …

Section Your Content in our Services
From Google Terms of Service, In effect April 14, 2014.

This means that while Google does not claim ownership of the files uploaded they retain the rights to do anything with the data in any purpose they deem it necessary for. Formulations such as creative derivative works seems extraordinarily vague and the rights to communicate, publish, publicly perform, publicly display and distribute such content are some of the most extensive you can come across. It does state that these rights are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones, but what does that really say. The formulation is again vague and rights to use user owned data to any Google service, present and future, is quite similar to all rights as Google is one of the largest and most wide spread corporations of our time. This is clearly an issue of a one-size-fits-all policy, which grants unreasonable amount of control over users data. The reasons for making such an policy seems fairly straightforward, as quite broad rights are needed to and could work as a top level policy, if more narrower and more specific policies existed for their individual products. From a data-controllers viewpoint, it is no way justifiable to grant Google these rights over personal data and as such this makes their Terms of Service incompatible with the Act.

So what are our options. Broadly speaking, we are left with three; 1) make sure we keep our private data away from the vulnerable places in the cloud – an approach that requires quite a bit of research, 2) Assume that the services we hand our data to would never think of doing anything inappropriate with it – the so-called ostrich approach 3) or you can try to ensure your data – a topic which I will discuss in future blog posts

Share Button
The following two tabs change content below.
Profile photo of Milo


CEO af Bootstrapper
Den akademiske hacker - kandidatgrader i Ethical Hacking & Computer Security fra Abertay University(Skotland) og i Datalogi fra Århus Universitet med fokus på kryptografi og hvordan skyen kan bruges i overensstemmelse med lov og etik. Think evil - do good.

Leave a Reply

Your email address will not be published. Required fields are marked *