28 October 2015

Cloud Conditions

The 71-page 'Privacy in the Clouds: An Empirical Study of the Terms of Service and Privacy Policies of 20 Cloud Service Providers' (Queen Mary School of Law Legal Studies Research Paper No. 209/2015) by Dimitra Kamarinou, Christopher Millard and W. Kuan Hon is an empirical study of the Terms of Service and Privacy Policies of 20 cloud providers.

The authors state:
Our study focuses on the ways these 20 cloud providers treat various key rights that individuals have under data protection law, either when they contract directly with a cloud provider or when they access cloud services through a business or institution, such as their employer, including the right to have their personal data processed fairly and lawfully, the right to be informed about the collection of data, the specific purposes of processing and the way their data may be shared with or disclosed to third parties, including law enforcement agencies. We also look at the right to access, correct or erase personal data, the right to object to processing, the right to object to direct marketing, and the right to have personal data processed securely and be protected from accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access to data. In addition, this paper discusses the providers’ approach to disputes arising out of the use of their cloud service and their approach to compensation and indemnification. This paper also uncovers common approaches adopted by providers and mismatches between their various legal documents, and highlights the advantages and disadvantages of various practices found in the study. Finally, we make some suggestions for more effective transparency and redress options for individuals, and conclude the paper with a number of practical findings arising from the review.

'The Challenge of Bitcoin Pseudo-Anonymity to Computer Forensics' by Edward J. Imwinkelried and Jason Luu in (2016) Criminal Law Bulletin (Forthcoming) argues:
Digital forensics must constantly adapt to new technological developments. The advent of Bitcoin is such a development. Bitcoin represents a new model for financial transactions. In many cash transactions between strangers, the underlying model is parties-unknown/transaction-unknown. There is no ledger record of the transaction. In contrast, PayPal illustrates the parties-known/transaction-known model. An intermediary will record both items of information. Bitcoin differs from both of these models; Bitcoin uses a parties-unknown/transaction-known model. The Bitcoin block chain records the transaction, but the user’s Bitcoin address is not expressly tied to an identity. Thus, Bitcoin users enjoy pseudo-anonymity.
As the recent experience with Silk Road demonstrates, there is a downside to this pseudo-anonymity. Precisely because of that feature, Silk Road served as a marketplace for vendors to sell illegal narcotics, forged identifications, and other illicit goods and services. Given that danger, law enforcement authorities have a felt need to develop techniques to penetrate the pseudo-anonymity. To do so, they have turned to digital forensics experts.
This article evaluates two techniques that have been proposed for this purpose. The first is traffic analysis. This technique relies on the entry nodes that users employ to access the Internet. The second is transaction graph analysis. This technique clusters transactions to identify natural chokepoints in the Bitcoin economy, that is, service islands where, for example, the user might convert Bitcoins to fiat currency. The chokepoints become a target for a law enforcement subpoena to learn the user’s IP address.
After describing each technique, the article assesses the research conducted to date. In particular, the article reviews Alex Biryukov’s research into traffic analysis and Sarah Meiklejohn’s work with transaction graph analysis. The article applies the standards announced in Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993) to determine whether, given the available data, expert testimony based on either technique would be admissible today. The article explains that it is doubtful whether testimony based on either technique would survive a Daubert admissibility challenge. The article concludes that further research is needed to enable law enforcement authorities to effectively penetrate the pseudo-anonymity of the new parties-unknown/transaction-known model.