Is cloud computing inherently evil?

Electronic Frontier Foundation chairman Brad Templeton weighs in on the dark side of cloud computing

Sometimes data in the cloud is protected by statutes. E-mails and medical records have their own statutory protections, which is good, but not enough. We need a push to insure that my data (such as a spreadsheet I make in Google docs) is counted as "my papers" and fully protected by the 4th amendment even though it sits on a Google owned server. I'm not saying your cloud files are totally unprotected today, but the standard is much less than the protection given the files on your own computer -- we would like it raised.

It's also important to understand that even when they do need a warrant to get at your data, the warrant will be served on the hosting company, not you. Many hosting companies will fight for your rights, but nobody is as interested in challenging the warrant as you are. When data is outside your hands, you can lose that opportunity.

If we can't get a general expansion of the expectation of privacy, we may be able to see if the courts will accept contractual nuances. Perhaps we can define it so that Google is renting me, or even selling me, a strip of disk, making it mine the way a rented appartment is mine. But this is tough. The law has to change -- or people designing cloud applications need to worry about this.

Strictly I am talking about applications and data hosted in a cloud. The more basic definition of cloud computing, where one company rents computing resources by the hour from a big hosting company, that doesn't have quite as many negative consequences. It's more like outsourcing.

Several people have proposed a "partly cloudy" solution to cloud privacy, where user data is stored locally but processing occurs in a cloud. What's the Electronic Frontier Foundation's opinion of this approach? Is it a solution or just a Band-Aid?

This improves things, in that your data is only out there in 3rd party hands temporarily. It needs a strong warrant (a wiretap) to get at it. But your data is still out there where others can get it, without having to go through you; without giving you the right to legally oppose their seizure of it.

My personal view is we might want to go a step further. Do your storage locally and your processing locally, but take in the software code and other needed data from the cloud. I call this approach "data hosting." If you owned the server on which it took place, that would give you Fourth Amendment protection. If you just bought services on that machine, it might not, but it seems like that's an easier fight to win, where rental facilities count as yours. (After all, a rented home is your home as far as the Fourth Amendment is concerned.)

There is another advantage to data hosting, as it turns out: Any new application can scale without effort if the users are providing the CPU and bandwidth resources for it, one by one. And in addition, a user who wants better performance can pay for it. The hard part is security.