Home is Safer than the Cloud! Privacy Concerns for Consumer Cloud Storage

Iulia Ion, Niharika Sachdeva, Ponnurangam Kumaraguru, Srdjan Capkun

Cloud Storage

Wednesday 4 December 13 2 SOUPS 2011

Cloud Storage

Wednesday 4 December 13 3 SOUPS 2011

(Foreign) Governments

Hacker

Data Owner

Friend

Internet Service

Provider

Legal Courts

Law Enforcement

Third-Party

Storage Provider

“GOOGLE […] SHALL NOT BE LIABLE TO YOU FOR […] ANY LOSS OR DAMAGE”

“Dropbox may sell […] your Personal Information, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy.”

“Google reserves the right […] to pre-screen, review, flag, filter, modify, […] any Content”

Cloud Storage

Wednesday 4 December 13 4 SOUPS 2011

(Foreign) Governments

Hacker

Data Owner

Friend

Internet Service

Provider

Legal Courts

Law Enforcement

Third-Party

Storage Provider

Related Work

§  Enterprise studies: security and privacy are top concerns in cloud adoption [1]

§  No study looked into end-users’ practices and concerns §  Most previous privacy studies focused on US §  Known issue: users don’t read the privacy policies

Wednesday 4 December 13 5 SOUPS 2011

[1] E. Schindler. Cloud development survey. Evans Data Corporation, Strategic Reports, July 2010. http://www.evansdata.com/reports/viewRelease.php?reportID=27.

Our Contributions

§  Conducted interviews in India and Switzerland and an online survey

§  Showed that: § Users trust local storage more than the cloud § Users assume higher protection than actual § Cultural differences influence cloud privacy attitudes

Wednesday 4 December 13 6 SOUPS 2011

Cultural Differences

Wednesday 4 December 13 7 SOUPS 2011

Switzerland India

§  Individualistic vs. collectivist society §  Right to privacy guaranteed/not guaranteed by

constitution §  People accept that power is distributed equally/unequally

Agenda

§  Study setup/ Methodology §  Interview studies § Online questionnaires

§  Results § Current practices §  Perceived privacy §  Terms of service

§  Conclusions

Wednesday 4 December 13 8 SOUPS 2011

Online Survey

Swiss Indians All 132 190 402

Interviews

Delhi 20

Interviews

Zurich 16

Methodology

Wednesday 4 December 13 9 SOUPS 2011

Multiple choice

Likert scale

II. ONLINE SURVEY

1. Current practices

2. Privacy perceptions

3. Rights & guarantees

I. INTERVIEWS

Mann-Whittney test

Fisher’s exact test

Results

§  Current practices §  Perceived privacy §  Awareness of terms and conditions

Wednesday 4 December 13 10 SOUPS 2011

§  The cloud is my folder §  Email accounts are subfolders: private, official, spam

§  With further folders…

Current Practices

Wednesday 4 December 13 11 SOUPS 2011

Survey: Data Storage and Internet Attitudes

!"#

$!"#

%!"#

&!"#

'!"#

(!"#

)!"#

*#+,,-#./01.#

210+3-#

4/#5,65789,#

/6.76,#

:;6#<13.=#7<#

>10+,?#

4/#0/653@,A#

-A/=,08/6#

B=A/6C.D#ECA,,# B/@,;>1=#ECA,,# B/@,;>1=#F751CA,,# B=A/6C.D#F751CA,,#

G,A0,6

=1C,#/<#G1A807-16=5# !"#$%&'()*+*(!+,#*-%(*./(0.+%#.%+(12+"/%3(

Wednesday 4 December 13 12 SOUPS 2011

I try to keep local backups of every important document I store on the Internet. I try not to store important, sensitive documents on the Internet, and instead keep them offline, on my personal computers. If people put their private data on the Internet and it gets hacked, it is their own fault. They should know that nothing is really safe on the Internet. There is no such thing as consumer protection service or police on the Internet whom I could turn to, if I felt that my rights were violated.

Perceived Privacy

§  “Nothing on the Internet is safe” §  Anybody can see my data if they want to:

§ Hackers §  Employees § Governments

§  But I am not interesting to them §  “I am not criminal” §  “I am not Obama”

Wednesday 4 December 13 13 SOUPS 2011

Survey: My data is safer…

§  On my computer: §  I look after my

computer myself

§  I can go offline

§  In the cloud: § My computer

might crash

Wednesday 4 December 13 14 SOUPS 2011

0%

20%

40%

60%

80%

On my computer In the cloud Swiss Indians

Per

cent

age

of p

artic

ipan

ts

Users would pay for better privacy in the cloud

Wednesday 4 December 13 15 SOUPS 2011

“Dropbox may sell, transfer or otherwise share some or all of its assets, including your Personal Information, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy.”

Results

§  Current practices §  Perceived privacy §  Terms and conditions

Wednesday 4 December 13 16 SOUPS 2011

Results

§  Privacy concerns for users differ from those of companies §  Users are less concerned with:

§ Country of storage §  Storage outsourcing § Guaranteed deletion of data

§  Users have misconceptions about the cloud architecture §  The cloud/Internet is everywhere §  “Why would they keep a backup?”

Wednesday 4 December 13 17 SOUPS 2011

Survey: Does your webmail provider have the right to disable your account?

0%

10%

20%

30%

40%

50%

Yes Only with advanced notice & reason

Only if used for criminal purposes

No I don't know

Swiss Indians

Wednesday 4 December 13 18 SOUPS 2011

Yes, at any time, without advanced notice and without explanation. Yes, but only with advanced notice and a valid reason. Only if I am using it for criminal purposes. No.

Per

cent

age

of p

artic

ipan

ts

Survey: Does your webmail provider have the right to see or modify your email attachments?

0%

10%

20%

30%

40%

50%

No Can see, but not modify

Only in criminal cases

Yes I don't know

Swiss Indians

Wednesday 4 December 13 19 SOUPS 2011

They don't have the right to look at nor modify any of my documents. They can see them, but not modify them, because these are my documents and they belong to me, even if I store them there. They have the right to see and modify my documents only in criminal or terrorists cases.

They have the right to see and modify any of the documents I store.

Per

cent

age

of p

artic

ipan

ts

Survey: If your webmail provider lost some of your data, what would your rights be?

0%

10%

20%

30%

40%

50%

Pay me for damages

Pay me if not a free service

I have no rights

Don't care I don't know

Swiss Indians

Wednesday 4 December 13 20 SOUPS 2011

They should pay me for the damages, regardless whether it was a paid for or free service. We had a contract. If it is a free service, I have no rights, but if I paid for it, they would have to pay me for the damages. I have no rights even if it is a paid-for service. There are no guarantees. My data is lost anyway. I wouldn't care about money. An apology would be enough.

Per

cent

age

of p

artic

ipan

ts

Survey: Internet Surveillance Attitudes

!"#

$!"#

%!"#

&!"#

'!"#

(!"#

)!"#

*!"#

+,-..# /01-20.# +,-..# /01-20.#

+3450678#964::# +5;:,<23#964::# +5;:,<23#=-.264::# +3450678#=-.264::#

>:4?:0326:#5@#>24A?-B203.#

!"#$%&'$&()*+%#$,--.&/$)01(+2$34)*5,33)#36)7&2,.&3)

C5DE#2??:..#35#B4-D23:#15?.#-.#F21E# /03:40:3#;50-354-06#-.#6551E#

Wednesday 4 December 13 21 SOUPS 2011

If the government had access to every document users store on the Internet, that would be a major violation of individual privacy. It is good if the government monitors every Internet communication and all user accounts. National security comes first.

Conclusions

§  Users trust local storage more than the cloud §  Users assume to have more rights than stated in the

agreement §  Cultural differences influence privacy and attitudes and

behavior

Wednesday 4 December 13 22 SOUPS 2011

Recommendations

§  Provide stronger security mechanisms in the cloud §  Improve presentation of privacy policies §  Create consumer protection agencies for the cloud §  Investigate awareness of international laws

Wednesday 4 December 13 23 SOUPS 2011

Thank you!

Wednesday 4 December 13 24 SOUPS 2011

For any further information, please write to pk@iiitd.ac.in precog.iiitd.edu.in

Wednesday 4 December 13 25 SOUPS 2011