In Technology We Trust: Cloud Computing, Technical Breakdowns and the Protection of Privacy by Brian Clarke A thesis submitted to the Faculty of Graduate and Postdoctoral Affairs in partial fulfillment of the requirements for the degree of Master in Sociology Carleton University Ottawa, Ontario © 2014 Brian Clarke i Abstract This thesis looks at the ‘trade-off’ that users of cloud computing services must make: convenience of use in exchange for outsourcing the protection of private data. In particular, it looks at the relationship of trust that must exist in this exchange. Using concepts from actor-network theory, I explore how this trust in a technological entity is formed, maintained and broken. Using Dropbox as a case study, I analyze the relationship between a cloud computing service and its users by performing a textual analysis of privacy policies and other official communications, as well as threads on user help forums.
I find that the cloud computing provider (Dropbox) works to establish its reliability and trustworthiness and it is only in instances of breakdown – when this reliability is questioned – that the privacy ‘trade-off’ and issues of protecting personal data become contested. ii Acknowledgements First and foremost, I would like to thank Dr. Carlos Novas for his continued guidance, and patience, as well as his immense knowledge provided while supervising this thesis. I would also like to express gratitude to my other committee members, Dr.
Michael Mopas and Dawn Moore. I would also like to express thanks to my many peers and colleagues, particularly Derek Silva, Justin Tetrault, Alex Castleton, Rhys Williams and Ben Todd, who through many discussions and debates have helped my thinking abilities to grow over the past two years. And last but not least, I’d like to thank my wife, Simona Maliszewska, for her ongoing patience and encouragement, and for not allowing the stresses of graduate work to overwhelm me. iii iv Table of Contents 1 Introduction 1 2 Approaches to Understanding Cloud Computing and Data Privacy 15 3 Deconstructing Privacy: Theory and Methods from Actor-Network Theory 42 4 Dropbox’s User Scripts 59 5 When Trust Fails: De-Scription, Margins and Breakdown 80 6 Discussion 100 References 107 v List of Appendices Appendix A: Dropbox Community Forum Threads 116 vi 1 Introduction In 2010, the Office of the Privacy Commissioner (OPC) of Canada (2011) held consultations and published a report regarding the risks, benefits and governance of cloud computing.
The OPC concluded that while there are certainly benefits to using cloud computing, particularly for organizations; however they also present a number of privacy risks that are often misunderstood and underestimated. In particular, privacy protection and the handling of personal data are outsourced to a third party, often in another jurisdiction. The OPC summarizes these issues: “When it comes to cloud computing, the security and privacy of personal information is extremely important. Given that personal information is being turned over to another organization, often in another country, it is vital to ensure that the information is safe and that only the people who need to access it are able to do so.
There is the risk that personal information sent to a cloud provider might be kept indefinitely or used for other purposes. Such information could also be accessed by government agencies, domestic or foreign (if the cloud provider retains the information outside of Canada)” (Office of the Privacy Commissioner of Canada 2011). In other words, if data availability or data confidentiality are compromised “customers could incur substantial losses” to their privacy and personal information, which could include financial information, intellectual privacy, or personal or organizational secrets (Das, Classen, and Davé 2013: 21). These consultations led to increased research and reporting from the OPC on cloud computing and the changing landscape of data privacy, and likely influenced the recommended changes to Personal Information Protection and Electronic Documents Act (PIPEDA) brought before Parliament in 2013.
If we follow the simple assumptions of Bijker and Law (1992: 3) that all technologies involve social relations and that “always 1 embody compromise” then in the case of cloud computing, this compromise involves a ‘trade-off’ of the use of cloud computing services in exchange for personal data and privacy risks. This trade-off is often explicitly laid out in two important documents that most cloud computing services provide to their users: the terms of agreement and privacy policy (Bodle 2011). These documents represent the contract between the service provider and users, who agree to give up some rights to their personal data in order to use the service. However, as I will discuss in Chapter Two, several scholars have highlighted issues with these contracts, arguing that they do not function well as a contract between two equal parties.
Using Dropbox as a case study of a cloud computing service, the thesis seeks to understand the nature of this trade-off of use for privacy risks. I propose to incorporate actor-network theory to look at how this trade-off can be understood as a negotiation between a technology and its users. In doing so, I look at trust as a particularly important mechanism in this trade-off. In other words, rather than understanding this trade-off as an exchange in which privacy is the currency, I seek to explore the role trust plays and how privacy itself is fragmented, contextual and negotiable in this interaction between technology and users.
I ask how Dropbox prescribes a particular set of privacy values to users and how these users might interpret, accept, negotiate or resist these scripts. What is cloud computing? First, I will provide a brief review of what cloud computing is and further explain why privacy is an issue. Cloud computing is defined by the United States National Institute of Standards and Technology (NIST) as: “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e., networks, servers, storage, 2 applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” (National Institute of Standards and Technology 2011) In a similar vein, Mather, Kumaraswamy and Latif (2009) add that there are five common attributes of all cloud computing services: shared resources, massive scalability, elasticity, pay as you go and the self-provisioning of resources. While these definitions are technical and bureaucratic, they do provide some starting points to discuss what cloud computing is and how it can be analyzed sociologically.
In simpler terms, cloud computing broadly refers to computing services, software and platforms that are not owned individually by users and installed locally on their personal computer, but rather accessed via an Internet connection. For example, common cloud-based applications include cloud storage services, such as this project’s case study: Dropbox. These services allow users to store files on an external, shared server rather than on their own hard drives. These types of services highlight the benefits and risks of cloud computing: they give users access to online storage space that can be accessed conveniently from any computing device, but also delegates the responsibility of protecting one’s privacy and securing one’s data to an unknown third party.
An important idea regarding cloud computing is that it is not a static entity, but rather a fluid, broad and overarching concept. Cloud computing is not necessarily a new technology, but rather a new idea. It is not one technological artefact but is rather the result of several technological improvements (Mather, Kumaraswamy, and Latif 2009). It is not a homogenous technology but rather a heterogeneous network of technologies, corporations, users and governments that has allowed this new thing – cloud computing – to emerge.
Additionally, there are many different uses for cloud computing services, 3 ranging from simple web email clients and online file storage services to whole operating systems offered through an Internet connection. For these reasons, once again following the actor-network approach outlined by Bruno Latour, John Law and others (Latour 1992; Law 1991), I want to avoid thinking about cloud computing as a technology or as a single artefact, but rather think of it as an assemblage that is composed of many heterogeneous elements: computing hardware and software, social and political actors, and discourses and ideas. These heterogeneous actors and associations that comprise ‘cloud computing’ may be more or less stabilized. One goal of this project is to explore the relative stability of this assemblage.
Instead of seeing privacy as an inherent social value that is being exchanged for use of the cloud computing service, this project works from the assumption that privacy values are multiple and contextual. Can we understand cloud computing as a stable network in which users must adhere to standard practices and understandings of privacy? Or is this cloud computing network one in which user subjectivities are multiple, contested and negotiated? From these characteristics of cloud computing, two ideas are of sociological significance. First, the idea of “convenient, on-demand” (National Institute of Standards and Technology 2011) services fits into the idea of what some authors have called a ‘convenience culture.’ For example, Tierney (1993) argues that one of the defining features of modernity is the consumption of ‘conveniences.’ He defines convenience as an “ability to mitigate the effects of bodily limits”; for something to be convenient it must make easy and simple an action that was previously difficult, impossible or troublesome (Tierney 1993: 38-39). Modern subjects, argues Tierney (1993: 6), consume new 4 technologies in a way that satisfies a desire for ease which leads to the development of a technological culture or what he calls “technological fetishism.” The advances and development of cloud computing are certainly compatible with this argument; the benefits of consumption or use of cloud computing relate to this value of convenience.
Something that was previously limited – file and data storage and access across multiple platforms – now becomes easy and simple. Users are able to easily, quickly and conveniently access computing services across multiple times, locations and devices, rather than being limited to one personal computer. Tierney (1993) argues that for an object to be convenient it must be suitable with the self or the subject. It must be comfortable and readily usable for the user in his or her daily life.
The benefits and marketing of cloud computing services are often framed in similar language: modern individuals are meant to be always connected to the Internet, to their work and to their social networks across multiple computing devices and cloud computing suits this lifestyle by synchronizing these devices. In other words, cloud computing can be understood as a technological development within this culture of convenience. Second, the idea of “shared pool of… resources” (National Institute of Standards and Technology 2011) highlights the social aspect of cloud computing. While I am starting from the assumption of the actor-network school of thought that all technology is inherently social (Bijker and Law 1992; Latour 1991; Latour 1992), cloud computing services particularly highlight the importance of sociological analysis of a new technology.
As the above definition and characteristics of cloud computing show, cloud computing is never used in isolation. Since users are using the technology through an Internet connection, they are always using the technology in connection with other actors: 5 most notably the corporation running the service, but also indirectly other users. In other words, because cloud computing represents a ‘shared pool of resources,’ users are never completely isolated from important social relations. A final, important distinction to make is that between private and public clouds.
Public clouds (Mather, Kumaraswamy, and Latif 2009) are defined as cloud services available to anyone (e.: webmail), as compared to private clouds that are only available to users within the organization that owns the technology (ex: an internal corporate email system) (Office of the Privacy Commissioner of Canada 2011). As Mather and his colleagues show (2009), most small organizations do not have the resources to implement a private cloud and therefore use public cloud services, sacrificing some security benefits for affordable services.