We all think we know what Cloud computing is. We all use it in our private lives, in our business, or both. One question that we forget to ask ourselves in the rush to jump on the latest and greatest thing is: who actually owns all that data? As we are beginning to learn, in most cases it is not you. Although it may not be popular, nor may it be the most politically correct answer, we are all starting to see what little control we have over the information about our business and us. The other big revelation is how little responsibility or accountability those who host or house this data have in securing it.
Data ownership - in most cases it comes down to how it was created and who created it. This can be a very complicated process to understand, but in some cases, the platform can be as important as who created the data. Cisco predicted that 60% of data would be created in software as a service programs in 2018. This means that you are using the tools, templates and software of a hosted application in order to create data either within your personal life or within your business. This is where it gets muddy: since you are using the tools owned by a platform provider, are they entitled to ownership of the work process used to create that data? The answer is maybe.
There are some clear-cut answers to parts of this, one being if you take a picture, then you are clearly the owner of that picture and therefore protected by copyright laws. Data created before uploading into the cloud has clear ownership and intellectual property claims by the creator or someone working on a paid basis for a business or organization. Data that has been created within the cloud could come with some strings attached. Making sure that you properly claim and protect your data and intellectual property is becoming more difficult as the legal processes have not really caught up with the pace of technology.
Now that cloud-based computing has become part of our lives, we have all started to become somewhat numb to the fact that we are being tracked and our activity monitored. Only when we find out our data has been mined and sold or used for something we do not agree with do we notice. Marketing and web-based systems have been tracking our activity for years; this is why the advertisements we get when we are on the internet or social media always seem to be related to our recent online activity. The problem may be bigger in the business world. What really happens to all those backups to the cloud? If you are using a service to back up your data, what kind of protections do you have? How is that data being protected? What about transferability from one location to another or one vendor to another? Do my intellectual rights and data ownership claims follow the data? These are all very good questions and they all reside in the grey area of the legal system.
Social media, the number of social media sites, and the data we are putting on them are contributing to the greatest data collection process ever. This is not limited to just personal data put there by us, our kids, our friends and relatives, but now add in some business data. That business data could include marketing, promotions, public relations, new or former employees. The bottom line is we have created a data collection process that we simply don’t understand and the exposure of data we have yet to fully grasp.
In researching this topic on several popular systems, I found a common phrase within the service or social media licensing agreements - you know that legal stuff that you just scroll down to the bottom and click, “I Agree”. As I was reading through them I found myself thinking they do have very specific language around the client having ownership of the data. I was actually impressed, but then I found this common language “ah ha” moment. The language does vary from site to site but the meaning is pretty consistent…“To the extent necessary to provide the Services to you and others, to protect you and the Services, and to improve products and services, you grant a worldwide and royalty-free intellectual property license to use Your Content, for example, to make copies of, retain, transmit, reformat, display, and distribute via communication tools Your Content on the Services. If you publish Your Content in areas of the Service where it is available broadly online without restrictions, Your Content may appear in demonstrations or materials that promote the Service. Some of the Services are supported by advertising.”
Congress has taken steps to protect the intellectual rights and data ownership of data stored in the cloud with the Stored Communications Act, or SCA. As with any legislation, there are several parts to this; one section specifically states that when data resides on a cloud provider’s infrastructure, the user’s ownership rights cannot be guaranteed. This goes back to the point that just because you created the data, its privacy cannot be assured. The SCA also permits the government to seize data of American companies even if it is stored overseas. This section of the SCA is what led Microsoft to take the U.S. Government to court to challenge whether the government could use the SCA to pursue and seize data that is stored beyond the boundaries of the United States.
Microsoft’s challenge of the SCA could have far-reaching impacts on the cloud-based industries and the manner in which data is stored. In 2013, the government used the SCA to issue a warrant in New York to search email accounts held by Microsoft. The server that the government obtained a warrant to search was housed inside a data center in Ireland. Microsoft challenged the warrant based on their feeling that the government could not search a server that was housed in another country. Ultimately, Microsoft’s challenge was denied based on what is called a hybrid warrant, which is similar to a subpoena, and the courts ruled that, since government agents don’t actually have to enter the premises of the provider housing the server, they saw no reason to invalidate the warrant. However, in July of 2016 a panel of three judges did in fact rule in favor of Microsoft. This has since been appealed to the United States Supreme Court, which is expected to make a decision sometime in 2018.
There are many critics of the SCA. As with a lot of legislation, many feel that the SCA has not kept up with the advances in technology, making it difficult to apply to today’s standards. Another concern is the ambiguity in the law, which has put an undue burden on Internet Service Providers and hosting companies to remain in legal compliance and appease both international and domestic governments while meeting the needs of their customers. Further criticism is based on the feeling that, since the SCA has not kept up with current standards, the courts have been forced to stretch the legislative intent in order to meet evolving standards - making it less applicable.
In March of 2018, the Cloud Act took effect. This was intended to be a legislative fix to the SCA and to help further define data ownership and the responsibilities of Internet Service Providers. However, I am not sure if it actually achieved what they thought it would or if it just makes things more confusing. The Cloud Act actually stands for Clarifying Lawful Overseas Use of Data Act, and it is a response to the current Microsoft versus United States court case. The Cloud Act is actually an amendment to the SCA whose intent was to clarify the concerns of Microsoft and other ISPs and to try to bring those more in line with foreign privacy acts. Keep in mind this is based on the FBI’s attempt to gain access to data stored on a server in Ireland through the use of an SCA-based warrant. The Cloud Act has many provisions that organizations oppose, like the Electronic Frontier Organization, The American Civil Liberties Union, Amnesty International and the Human Rights Watch. Much of the criticism is based around giving the Executive branch the ability to enter into bilateral agreements with foreign governments to provide data requested as it relates to its citizens. Opponents of the Cloud Act say that it strips away protections under the Fourth Amendment against illegal searches and seizures.
The Patriot Act also gave the government a lot of latitude when it came to the collection and seizure of electronic data. Although the Patriot Act expired in June of 2015 due to the lack of approval to renew by Congress, the government did find a way to renew key elements through the USA Freedom Act. These two acts of legislation do appear to show that data created in the cloud or on a cloud-based platform is owned by the cloud provider or platform owner. When data breaches happen that we feel that we should be protected against, these government requests for data are directed to the provider of the service and not to the end user.
What are some of the things we have learned that can protect our data and intellectual property? Start with making sure that you fully understand what kind of service you are signing up for. It is like buying a car: there are many manufacturers, makes, and models to choose from, so make sure that you understand the options and choices. Also, you must understand the difference between software as a service and private services such as infrastructure hosting. It is very important that you and your team understand that when it comes to using a software platform, which could include using the tools, templates, and processes of a platform provider, you may be giving up some of your rights to the intellectual properties you are creating. There are many options when it comes to software, cloud-based applications, hosting and app development, and they all have value and great intentions; however, make sure that you are claiming your work product and the data created by it.
Some other basic guidelines to follow are:
• Always read the Terms of Service and ask questions - don’t assume you understand them
• If you are considering using a platform for development or work process management it might be a good idea to engage legal counsel to ensure your data intellectual rights and data ownership rights are protected.
• Never stop backing up locally - this goes to claiming your data. If you are concerned about the backup and having control, this could give you legal grounds to show you did not give up your claim.
• Check that your data is encrypted and that, when it is passed back and forth, this is done in a secure manner.
• Know where your data is stored - laws vary from place to place, nation to nation, so make sure that you are protected.
• Verify that your agreements clearly state you own the data, and that you are not giving anyone (for any reason) the right to use, transmit, or mine your data without your permission.
Data rights are confusing and complicated, and it is only going to get worse as technology moves forward and we continue to expand the use of cloud-based applications and platforms. Like many things in life, you have to claim what is yours. Put processes in place to make sure you are not giving up your rights to that data by instituting work processes that continuously reinforce your claims.
Some of the basic common sense things you can do that sometimes we take for granted are:
• Have written corporate policies, acknowledged by employees and vendors, stating that you are not, by implication or otherwise, giving up your rights to the data or intellectual property.
• Use software that helps you manage and monitor your data and limits users’ ability to move, copy, or delete files without your permission.
• Do not allow the use of personal file sharing applications or programs that are not controlled and owned by the company.
• Do not allow the use of external storage devices that can be removed from company control.
• Limit access to data archives and data retention systems only to those who need access to perform their daily functions.
So let’s ask the question again… Who owns your data? This is a grey area, with legislation not keeping up with modern technology or the use of that technology. The real protection comes with your willingness to claim and protect what is yours by having good agreements in place and showing through work process and policy that you are claiming your rights to that data. Someday Congress and the courts will catch up and most likely clarify or at least set some legal precedent to guide us. Until that happens it is up to you to protect and own your data or someone else will.
By Scott M. Lewis, President / CEO Winning Technologies, Inc.
About the Author: Scott Lewis is the President and CEO of Winning Technologies Group of Companies. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium and small companies, and Winning Technologies’ goal is to work with companies on the selection, implementation, management and support of technology resources. Learn more about Winning Technologies by calling 877-379-8279.