Cloud privacy and security issues beyond technology: championing the cause of accountability

Cloud computing provides IT service providers increased efficiency of resource utilization while enabling consumers to benefit from innovative advantages like access to up-to-date IT resources and low upfront investment. A significant hindrance to adoption of cloud computing is the lack of trust arising from worries over privacy and security when data resources of cloud service consumers are handled by third parties. A key factor in fostering cloud privacy and security is accountability, which increases trust by obligating an entity to be answerable for its actions. This paper uses a hermeneutic literature review to investigate (i) the prevailing methods and strategies of fostering privacy and security through accountability, (ii) the key actors in championing cloud accountability and (iii) the key barriers to cloud accountability. This literature review provides insight into current practices associated with championing cloud accountability and contributes to cloud service provider awareness of ways to improve cloud computing trustworthiness

European Privacy by Design [védés előtt]

Three competing forces are shaping the concept of European Privacy by Design (PbD): laws and regulations, business goals and architecture designs. These forces carry their own influence in terms of ethics, economics, and technology. In this research we undertook the journey to understand the concept of European PbD. We examined its nature, application, and enforcement. We concluded that the European PbD is under-researched in two aspects: at organizational level (compared to the individual level); and mainly in the way it is enforced by authorities. We had high hopes especially with regards to the latter, and eager to bring significant scientific contribution on this field. We were interested to learn if data protection authorities are having such impacts looking at European PbD, that can pioneer new approaches to privacy preservation. This is why we elaborated on possible ways to measure their activity, in a manner that both legal and non-legal experts can understand our work. We promised a response to the research question can the enforcement of European PbD be measured and if yes, what are possible ways to do so? We conducted data analytics on quantitative and qualitative data to answer this question the best way possible. Our response is a moderate yes, the enforcement of PbD can be measured. Although, at this point, we need to settle with only good-enough ways of measure and not dwell into choosing the most optimal or best ways. One reason for this is that enforcement of PbD cases are highly customized and specific to their own circumstances. We have shown this while creating models to predict the amount of administrative fines for infringement of GDPR. Clustering these cases was a daunting task. Second reason for not delivering what could be the best way of measure is lack of data availability in Europe. This problem has its roots in the philosophical stance that the European legislator is taking on the topic of data collection within the EU. Lawmakers in Europe certainly dislike programs that collect gigantic amounts of personal data from EU citizens. Third reason is a causal link between the inconsistent approach between the data protection authorities’ practices. This is due to the different levels of competencies, reporting structures, personnel numbers, and experience in the work of data protection authorities. Looking beyond the above limitations, there are certainly ways to measure the enforcement of European PbD. Our measurements helped us formulate the following statements: a. The European PbD operates in ‘data saver’ mode: we argue that analogous to the data saving mode on mobile phones, where most applications and services get background data only via Wi-Fi connection, in Europe data collection and data processing is kept to minimal. Therefore, we argue that European PbD is in essence about data minimization. Our conviction that this concept is more oriented towards data security have been partially refuted. b. The European PbD is platform independent: we elaborated in the thesis on various infrastructures and convergent technologies that found compatibility with the PbD principles. We consider that the indeed the concept is evolutionary and technology –neutral. c. The European PbD is a tool obligation: we argue that the authorities are looking at PbD as a tool utilization obligation. In a simple language, companies should first perform a privacy impact assessment in order to find out which tools are supporting their data processing activities and then implement these, as mandated PbD. d. The European PbD is highly territorial: we reached the conclusion that enforcement of PbD is highly dependent on geographical indicators (i.e. countries and counties). The different level of privacy protection cultures are still present in Europe. On a particular level, what is commonly true across all countries is that European PbD mandates strong EU data sovereignty