Making Modest Moves: Individual Users and Privacy in the Cloud

2 Pages Posted: 3 Apr 2012

See all articles by Carol Mullins Hayes

Carol Mullins Hayes


Jay P. Kesan

University of Illinois College of Law

Date Written: April 1, 2012


So many of our daily activities now take place “in the cloud,” where we use our devices to tap into massive networks that span the globe. Virtually every time that we plug in to a new service, the service requires us to click the seemingly ubiquitous box indicating that the user has read and agrees to the provider’s Terms of Service and Privacy Policy. If a user does not click on this box, he is denied access to the service.

It is generally accepted that no one reads these agreements. They click accept, because otherwise they could not use the service of their choice, and these terms are typically almost entirely disregarded as a factor when services are chosen. If a user is asked why he does not read these terms, he might offer reasons like the dense legalese, or the length of these agreements.

However, not reading these agreements can have negative effects. Some agreements contain binding arbitration provisions, limiting the agreeing party’s avenues for redress if the provider wrongs him. When a user is not informed about the terms of a privacy policy, she may be unknowingly consenting to the disclosure of her information to third parties with whom she would not want to share her information. These agreements can also affect the agreeing party’s legal rights. The Department of Justice has argued that violating a website’s Terms of Service amounts to a violation of the Computer Fraud and Abuse Act. Additionally, agreeing to overbroad privacy policy terms could reduce a party’s protections under the Stored Communications Act and the Fourth Amendment.

As part of this work, we analyzed and categorized the terms of TOS agreements and privacy policies of several cloud services to aid in our assessment of the state of user privacy in the cloud. Our empirical analysis showed that providers take similar approaches to user privacy, and were consistently more detailed when describing the user’s obligations to the provider than when describing the provider’s obligations to the user. This asymmetry, combined with these terms’ nonnegotiable nature, led us to conclude that the current approach to user privacy in the cloud is in need of serious revision.

Privacy and autonomy are often discussed as values necessary for a free society, and these values are threatened by the asymmetric terms and unawareness of parties agreeing to such terms. Based on analysis of the law, theories of privacy developed by scholars, and findings of research into human-computer interaction, and analogizing to the ethical guidelines of informed consent followed by social science researchers, we propose the following modest but realistically achievable goals to advance user privacy in the cloud. First, we suggest adopting a legal regime that requires companies to provide baseline protections for personal information, provide privacy enhanced services to customers that demand it, and also take steps to enhance the parties’ control over their own data. We further suggest applying laws governing fiduciary relationships in some circumstances. Second, we argue that collectors and users of personal information in the cloud should be held to ethical guidelines mandating informed consent. We argue that to remove the informational asymmetry, it is also essential that consumers become more informed about the contents of these agreements, and provide suggestions for how that can be accomplished. Ultimately, our goal with this piece is to apply established law and privacy theories to services in the cloud, and set forth a model for the protection of information privacy that recognizes the importance of informed users.

Keywords: privacy, privacy law, human computer interaction

Suggested Citation

Hayes, Carol Mullins and Kesan, Jay P., Making Modest Moves: Individual Users and Privacy in the Cloud (April 1, 2012). Available at SSRN: or

Jay P. Kesan

University of Illinois College of Law ( email )

504 E. Pennsylvania Avenue
Champaign, IL 61820
United States
217-333-7887 (Phone)
217-244-1478 (Fax)


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics