An article from University of Oslo
Hazy legal regulation of cloud computing
Legal ambiguity about the use of cloud computing is problematic. Experts want to clear the ground and use research to establish a new cloud.
University of Oslo
Norway is in the global forefront in applying digital solutions. Today, we expect to have access to data and to share data and information wherever we may be.
Cloud computing has therefore become exceedingly popular, and Dropbox and similar services are frequently and widely used.
However, not only you and I have seen the value of using cloud computing to share images and documents. Business, the health services and public authorities are also taking an interest in the opportunities that the cloud offers.
The cloud is hazy and opaque
But what happens to private data or information that organizations and businesses upload to the cloud? Is this a safe place for personal data, sensitive business information, health information and the like? Can we restassured that unauthorized parties will have no access to the information that we have uploaded?“
This is an issue we need to assess,” says Tobias Mahler, Associate Professor at the Faculty of Law, University of Oslo. He studies legal issues pertaining to cloud services.
“The cloud is still hazy and opaque with regard to safety and transparency. In addition, users tend to have little awareness of what happens to information that they upload to cloud services. The majority have no clue as to where the data are being stored and in what countries."
The use of Dropbox is one example. Amazon is a sub-contractor to Dropbox, renting out server space to them. The files you put in the Dropbox folder are most likely being stored on Amazon’s server, whose whereabouts you are unlikely to know. The server may be located in the USA, but most users have no insight into this or what legal implications follow from it.
When you upload content from Norway to a server in another country, regulations from both countries may apply regarding authorization of access to the information and what can be done with it.
European privacy legislation may say one thing, American law may say something completely different — for example that data can be submitted to the National Security Agency (NSA).
For example, in connection with the Snowdon case it has come to light that American intelligence services have access to information in the cloud.
Solutions for the next generation of cloud services
Protecting information and personal data is crucial for private individuals, authorities and businesses in all sectors.
The problems that Mahler and his team of legal researchers seek to solve are primarily related to confidentiality and the extent to which cloud services comply with relevant laws and regulations.
“Finding solutions that safeguard enterprise information, health data and other types of sensitive information while in the cloud will be extremely important in the time ahead,” Mahler states.
Technology and law hand in hand
In the project Coco-cloud, legal researchers and informatics experts have joined forces to find solutions for the next generation of cloud services through research and development.
Their assignment is to undertake research on how technical solutions and legal regulations in tandem can ensure that the cloud services of the future offer adequate data protection and safe sharing of sensitive information with others via the cloud.
The plan is to help develop cloud services whose design and function integrate these needs.
“We would like to see IT systems that ensure automatic compliance with legal regulations, by having IT systems that do not accept anything else. The legal regulations should be integrated into the system,” the researcher explains.
“Legal principles must thus be taken into account at an early stage of IT systems development, and that’s where we come in.”
“My lawyer colleagues and I will mainly investigate the legal aspects associated with the use of cloud services, as well as various legislative regimes for cloud services and sharing of sensitive data in different countries,” Mahler says.
Legislation pertaining to personal data is a key element of these efforts.
Safe exchange of health information
The project focuses on typical situations in which cloud services should be safely used.
One of the cases says that the health services should be able to upload x-ray images and other graphics to a cloud, so that the doctor and the patient can have access to them. The patient should be the one to decide who will have access to the information.
If you as a patient need to travel to another country for treatment, you should be able to safely share information in the cloud with doctors in that country.
You as a patient will be the one to decide for how long the doctor should be granted access, and the images and the information should not be communicated to others without your consent.
The objective is to improve information exchange in the health services, resulting in better treatment options.
“We collaborate with a Spanish supplier of health-related IT services. Here, the focus is on the needs for and use of cloud services by Spanish patients, but it is equally relevant for us here in the Nordic countries,” Mahler explains.
“Our wish is that the patient should grant access to the images for a specific purpose and define various limitations to this access, for example a time limit, and that others should be barred from copying the data or forwarding them to others.
This is an example of how we envisage patterns of use,” Mahler says.
User management is the key
The project also investigates two further cases. Both share the same principle: user management will be an essential element of future cloud services.
“You as a user should have a say in deciding who will have access to your information. You should have the key to this,” Mahler states.
He emphasizes that in their role as legal researchers, he and his colleagues will not develop any actual products.
“Our primary task is to do the research, and enterprises should take care of the systems. In a few years’ time we may initiate a critical review of these systems.”
“The project provides us with a magnificent opportunity to work with a group of developers, but we keep a certain distance. To be precise, our job is to do the research, while theirs is to develop a solution,” Mahler sums up.