Cloud computing is growing at an unprecedented rate, and it is estimated that cloud services will reach a global market value of $411 billion annually by 2020 with annual growth exceeding 15 per cent (Columbus 2019; Gartner 2019). Cloud computing services allow businesses the flexibility of accessing data storage and software resources according to their needs without costly investments in technology hardware. However, users are concerned that providers will use their data in unwanted ways and that their data will be compromised through hacker attacks. Such concerns are not unfounded, as attacks on cloud data have been all too common in recent history. For example, Dropbox, a file sharing cloud service provider, experienced data breaches in 2012 that resulted in the exposure and posting for sale of millions of users’ login information on the dark web (Turner 2016). In 2014, hackers illegally accessed and exposed numerous celebrities’ private photos stored on Apple’s cloud service, iCloud (Lewis 2014). Recently, more than 200,000 CVs originating from two online recruiting firms were exposed after hacking attacks on their cloud storage service (Yahoo News 2019). Such data breaches highlight the importance of understanding the measures cloud providers have in place for data privacy and security before rushing into the cloud.
First, we examined what policies say about the information that is collected and its disclosure. Results indicate that cloud service providers commonly collect details about the users themselves (e.g., their names and addresses), server logs or cookies, details about the services being provided, and details about users’ mobile devices. Most of the policies we examined (81 per cent) state that they disclose information to third-party business partners. Information is also commonly disclosed to a third-party if there is a merger or acquisition or if there is a law enforcement request or court order.
Figure 1. Percentage of words in each content category
Policies may also address what happens to data after users terminate service, what information is provided about data transfer, and what procedures are in place for complaints. Slightly more than half of the policies examined included detailed data retention procedures describing what happens to data in the cloud if customers decide to terminate the service. In terms of data transfer, several frameworks exist that outline methods for companies to transfer personal data between countries in a manner that is consistent with relevant laws. Our results indicate that 68 per cent of the providers indicate that they follow U.S./EU and U.S./Swiss frameworks for transferring data, while only 4 per cent indicate that they follow the Asia Pacific Economic Cooperation (APEC) framework. Most cloud service providers list contact information for clients to use for reporting data concerns and complaints. However, very few providers explain what actions they will take or their process for investigating and responding to reported concerns.
We next examined the linguistic characteristics of privacy policies to understand whether cloud providers are effectively conveying the content in the policies. Figure 2 illustrates the observed readability across the five content areas based on the Flesch Reading Ease scale, where a higher score (out of 100) indicates greater readability. Overall, the readability analysis indicates that cloud service providers’ privacy policies are overly difficult to read, especially when describing data security and integrity measures and procedures for data retention and transfer.
In privacy policies, an abundance of words associated with uncertainty (e.g., indefinitely, maybe, occasionally, possibly, etc.) may give readers the impression, whether warranted or not, that the cloud service provider is not confident in its ability to protect users’ private information. We find the highest occurrence of uncertainty words in sections of policies describing the disclosure of users’ information, which may amplify users’ concerns about who will have access to their data and where their information will be disclosed.
Figure 2. Readability in each content category
- This blog post is based on the authors’ paper A Content Analysis of the Privacy Policies of Cloud Computing Services. Journal of Information Systems, in press.
- The post gives the views of its author(s), not the position of LSE Business Review or the London School of Economics.
- Featured image by Blue Coat Photos, under a CC-BY-SA-2.0 licence
- When you comment, you’re agreeing to our Comment Policy
Lei Gao is an assistant professor of accounting at the University of Akron where he has been a faculty member since 2017. Lei completed his Ph.D. at Virginia Commonwealth University and his master’s degree of accounting and information systems at Virginia Tech. His research interests lie in the area of judgment and decision-making in accounting, ethics and fraud, and the role of technology in accounting information disclosure.
Alisa G. Brink is the KPMG Teaching Excellence professor in the department of accounting at Virginia Commonwealth University. She teaches courses in financial accounting and experimental accounting research. Dr. Brink’s primary research interests include judgment and decision making in managerial and financial accounting. Her specific research topics of interest include creativity, incentive framing, participative budgeting, whistleblowing, and accounting education.