Cloud-based storage privacy concerns

By Nicholas Merker

Companies using cloud-based storage providers should understand how stored content is secured or may be used for purposes outside of the product’s core functionality.

Google released its new cloud-based backup service named Google Drive on April 24, 2012. Google Drive marks the company’s entrance into a growing cloud-based storage market with players such as Dropbox, iCloud, SkyDrive, and Ubuntu One. Nevertheless, Google’s entrance into the arena has prompted privacy concerns from users due to Google’s over-arching Terms of Use and Privacy Policy for its products. Namely, consumers are concerned that documents and files uploaded to Google Drive may be misappropriated by Google for other purposes.

The section from Google’s Terms of Use that is drawing concern is as follows:

“When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”

At first blush, this section of Google’s Terms of Use states that Google may take files uploaded to Google Drive and release them to the public, create derivative works from such files, and otherwise communicate the files publicly regardless of any privacy settings a user may have set. Nevertheless, Google’s Privacy Policy curbs this issue by stating that Google only shares information and content provided for a set of limited purposes and that Google will “ask for consent before using information for a purpose other than those that are set out in [Google’s] Privacy Policy.”

This language effectively mimics language from other providers in the same market. For example, Dropbox’s Terms of Use state the following:

“To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others…for any purpose unless you direct us to.”

In another example, Apple’s iCloud Terms of Use state the following:

“[B]y submitting or posting such Content on areas of the Service that are accessible by the public or other users with whom you consent to share such Content, you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available, without any compensation or obligation to you.”

Cloud-based storage providers appear to want to provide a product that consumers can trust. In addition to the forgoing language surrounding sharing content and files uploaded, almost every cloud-based storage provider mentions that the provider takes steps to secure uploaded content. Nevertheless, the security of information and files uploaded to these products may not be the only privacy concern for its users.

Google Drive presents a unique privacy concern through its potential for targeted advertisements based on content uploaded to the service. In addition to the section quoted above from Google’s Privacy Policy, the following language is included:

“We also use [information we collect] to offer you tailored content – like giving you more relevant search results and ads.”

Although Google’s Privacy Policy notes that Google may not share content uploaded to Google Drive publicly without consent, the Privacy Policy seems to provide for a practice in which Google could scan uploaded content in order to provide targeted advertisements. For example, if a user uploads a presentation to Google Drive that includes a market analysis of potential vendors to choose in a project, it appears that Google’s Privacy Policy would allow Google to scan such content and offer ads that direct the user to a vendor who paid for advertisement placement.

However, users should understand that this practice by Google is not new. Gmail users may remember targeted ads within emails directing the user to websites based in part on the body of the email. Google search users may recall the use of AdWords and Sponsored Links directing the user to websites based on search terms. Google’s business model for its free products appears to revolve around providing users with the most relevant advertisements to the user possible, and this is achieved through targeted advertisements based on the specific user’s use of Google’s products.

In sum, companies using Google Drive, iCloud, Dropbox, and other cloud-based storage providers may wish to understand how content stored within such providers is secured from the public and what, if any, ways each cloud provider may use stored content for purposes outside of the product’s core functionality. For example, would Google’s potential practice of scanning content uploaded to Google Drive impact standing confidentiality obligations through contract between businesses?

About the author

Nicholas Merker
Nick is an attorney in Ice Miller’s Litigation and Intellectual Property Group where he leads their data security and privacy practice. He advises clients on complex privacy and data security issues arising from emerging technologies, including, most notably, Internet-based applications. Nick also focuses his practice on general legal issues found in Internet technologies, namely, new uses of social media and cloud services. He provides counsel to clients in developing, modifying, and implementing processes, architecture, and policies that fit regulatory compliance regimes. He may be reached at nicholas.merker[at]