How is user trust in cloud computing affected by legal problems relating to data protection in cloud computing? and how can user trust in cloud computing be built?

  • Auntika Na Pibul

Student thesis: Doctoral Thesis


Over the past few years, cloud computing has become an increasingly popular service, providing Information Technology (IT) resources over the Internet. The many types of cloud services, ranging from simple outsourced storage to full external provision of hardware infrastructure, are the main factor attracting people to adopt cloud computing. Nevertheless, the distinctive features of cloud computing pose some privacy and data protection (DP) risks to cloud users, and these risks have become their major concerns. Especially after the revelations about the United States (US) government's mass surveillance programme in 2013, many surveys have shown that individuals and small and medium-sized enterprises (SMEs) have been hesitant to entrust their data to cloud service providers (CSPs), especially to CSPs controlled from the US or which have servers located within the US, because their trust is affected by those risks. Accordingly, a range of CSPs, e.g. Google and Microsoft, have tried to build user trust in cloud computing by offering a variety of DP and privacy assurances. This situation may yet prove to be a tipping point in terms of showing how willing users are to place trust in cloud computing. As cloud computing has great potential to improve productivity and innovation, this lack of trust could affect the economic development not only of EU societies but also of global societies as a whole, so user trust in cloud computing needs to be built in order to increase the use of cloud computing.

As legal problems relating to DP in cloud computing do pose risks and uncertainties for the privacy of EU cloud users, this thesis aims to explore how user trust in cloud computing is affected by these problems. However, this thesis focuses on just two main legal problems relating to DP: (1) legal problems regarding the application of the EU DP law to the processing of personal data in the cloud; and (2) legal problems regarding the EU and US legal frameworks governing access to personal data held in the cloud by law enforcement and national intelligence agencies. With regard to the theory of trust and a number of surveys showing the reasons why individuals and SMEs feel reluctant to place their trust in cloud computing, whether or not individuals and SMEs trust cloud computing seems to depend on three main factors: (1) transparency and control; (2) accountability; and (3) security. This research shows that the two legal problems identified do have an adverse impact on these three factors, as they (1) raise a number of uncertain issues, which then make it difficult for cloud users to exercise control over their data; (2) make it unclear whether CSPs will be held responsible and accountable for the personal data processing; and (3) pose security threats to personal data residing in the cloud. Finally, this thesis concludes that the two legal problems affect user trust in cloud computing, at least to some extent, and that this situation could potentially impede the use of cloud computing.

As a result, this thesis proposes both legal and non-legal approaches for building user trust in cloud computing. The legal solutions are mainly drawn from the new EU DP law (General Data Protection Regulation (GDPR)). Because trust is a very subjective matter and takes time to build, legal approaches alone may not be powerful enough to build and/or rebuild trust in cloud computing. This thesis also proposes non-legal solutions (1) for enhancing transparency and the ability to control the data, i.e. icons and labels and transparency reports; (2) for improving accountability of CSPs, i.e. certification, trust marks and trust seals, internal codes of conduct or ethics; (3) for increasing security of data, i.e. technical approaches and localised cloud computing, as they are likely to help boost the possibility of individuals and SMEs placing their trust in cloud computing. All these approaches aim to fulfil the three criteria for creating trust in cloud computing, as listed above, in order to enable users to be less concerned about their data residing in the cloud and let them be sufficiently confident to ignore any risks that might stem from those two legal problems and thus to be willing to place their trust in cloud computing for the sake of benefiting from its advantages.
Date of Award: 28 Feb 2019
Original language: English
Awarding Institution
  • University Of Strathclyde
Supervisor: Lorna Gillies (Supervisor) & Mel Kenny (Supervisor)
