4.1 Introduction

The cloud offers many advantages to organisations including greater efficiency and reduced data storage costs. The market for cloud computing is forecast to continue growth in 2020 with Gartner predicting a 17% increase to US$266.4 billion including an increase in the value of cloud management and security services from US$12 billion to US$13.8 billion (Gartner 2019). Today, we see cloud applications in all industries, at the consumer application level to city-wide infrastructures. However, the increasing ubiquity of cloud computing also represents new risks, not least information security and privacy vulnerabilities. Indeed, we have seen an alarming number of high-profile cloud data breaches including the largest cloud service providers. Most recently, the open Google database exposed the personal details of 200 million people (Forbes 2020). While the cloud itself is arguably more secure than physical infrastructures, human error is often the cause of these incidents. For instance, misconfiguration of cloud databases has resulted in an estimated 196 breaches from 2018–2019, leaving 33 billion records at risk, and costing organisations an estimated US$5 trillion over the two year period (DivvyCloud 2020). A single breach incident can be hugely costly to organisations. For example, Marriott could potentially be fined up to US$123 million in Europe alone for its recent cloud breach, which left the details of 5.2 million people at risk (Whittaker 2020). In addition to monetary costs, it is important to consider other implications for organisations involved in such breaches such as consumer perceptions of privacy and trust in the organisation itself.

This chapter focuses on exploring how organisations can avail of the advantages offered by the cloud, while preserving consumer privacy and addressing any privacy concerns consumers may have. The chapter proceeds with an outline of the importance of privacy and security in the cloud computing context. Next, the extant literature related to privacy in this domain and the broader Information Systems (IS) field are discussed. Potential solutions for enhancing privacy perceptions in the cloud and directions to empirically explore these solutions are outlined in the final sections of the chapter.

4.2 Cloud Computing: Privacy and Security Issues

Continual advances in information technology are furthering the proliferation of cloud computing in many new domains. The emergence of big data, and recent advances in areas such as IoT (Internet of Things) has massively increased the volumes of data generated by most organisations leading to an increasing need to outsource data storage to cloud service providers (Lowry et al. 2017). On the consumer level, the popularity and number of mobile applications downloaded by users has also resulted in a dependence on cloud computing to relieve storage issues; this is commonly referred to as mobile-cloud computing (Shropshire et al. 2015). This greater reliance on the cloud significantly exacerbates the risk of privacy and security incidents while also heightening the risks associated with more traditional security vulnerabilities (Lowry et al. 2017).

Privacy and security represent important challenges and potential barriers, both for organisations considering adopting and those currently relying on cloud services and cloud service providers (Alashoor 2014; Fauzi et al. 2012). A host of researchers have stressed the importance of addressing privacy in the cloud computing context (e.g. Pearson 2012; Wood 2012; Nikkhah et al. 2018). Indeed, the security and privacy issues within the cloud computing domain are far greater than those present when data is stored in a single location (Ramireddy et al. 2010). This is partly attributed to the fact that data stored in the cloud is often in unencrypted form and thus open to many vulnerabilities (Senarathna et al. 2016). Furthermore, the use of cloud computing often involves the movement of data beyond international borders requiring consideration of legal requirements in different jurisdictions while also complicating the organisation’s ability to observe and manage data flows and preserve consumer privacy (Lowry et al. 2017). Privacy also represents an important consideration for cloud end users, with recent research illustrating that consumers are willing to pay to limit data collection and to ensure deletion from a cloud database (Shropshire et al. 2015).

While Chap. 3 in this book outlines the legal requirements across different jurisdictions, this chapter focuses on the consumer aspect of privacy in the cloud computing context. In addition to the undeniable importance of privacy in this context, it is important to note the intertwined nature of privacy and security within existing academic discussions. While, the focus here is on privacy, it is worthwhile to differentiate and highlight important parallels between these concepts. Both security and privacy have been described as human constructed abstract notions which vary according to context and other factors (Lowry et al. 2017). For the purpose of the chapter, both concepts are defined and discussed in terms of their pertinence to cloud.

4.2.1 Information Security

Information security refers to the preservation of the three tenets of security; the confidentiality of information, the integrity information, and the availability of information, while also considering other risks such as reliability, authenticity, and accountability (Pearson 2012; ISO 2005). In the cloud computing context, the key security vulnerabilities warranting consideration include trust, encryption, multi-tenancy, and reliability (Ramireddy et al. 2010). In addition, these vulnerabilities result in serious security risks related to data integrity, confidentiality, data loss, and data authentication (Subashini and Kavitha 2011). Research has provided some initial support for the relevance of these risks. For example, in their study of the factors impacting public sector cloud adoption in South Africa, Scholtz et al. (2016) found that data accessibility was a concern for 90% of participants and cyberattacks represented a concern for 76% for participants. Security and privacy are inextricably linked, as any security incident puts the privacy of the individual’s data at risk (Sonehara et al. 2011). In addition, these security issues may lead to intangible risks or concerns such as loss in confidence of the reliability of the cloud and fears around access to personal data (Paquette et al. 2010).

4.2.2 Information Privacy

Privacy has been the subject of academic discourse for over two centuries in disciplines such as law, sociology and IS. Indeed, the first academic discussions of privacy are often credited to the 1890 Harvard Law Review article by Warren and Brandeis, in which they discuss privacy in terms of the need to balance individuals’ rights to be free from intrusion with the information needs of society (Warren and Brandeis 1890). From a sociological perspective, the seminal definition of privacy was developed by Alan Westin (1967, p. 7), who described privacy as “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” These seminal works are the building blocks of conceptualisations across multiple disciplines, many of which place control at the centre (Kesan et al. 2013). However, advances in technology have shifted the focus from a predominantly physical construct to a digital one, and from organisational control to an individual’s control of their personal information. While discussions regarding the potential security and privacy issues within cloud computing are largely centered around adoption at an organisational level, there are many consumer issues which warrant consideration (Alashoor 2014). This chapter focuses on privacy from the IS perspective where privacy is defined as an individual’s ability to personally control information about themselves and how it is disseminated (Smith et al. 1996; Bélanger and Crossler 2011).

In the cloud computing context, there are many privacy issues that organisations should consider and seek to address including issues surrounding control, unauthorised secondary use of data, and improper access (Senarathna et al. 2014; Pearson and Benameur 2010). However, the majority of extant privacy research in the cloud computing domain focuses on the technical solutions to secure data in the cloud from both design and architectural perspectives (Nikkhah et al. 2018). It is important to move beyond this and understand the role of the privacy perceptions of consumers on their adoption anduse of cloud computing.

4.3 Examining Privacy Perceptions in the Cloud

The broader privacy literature within IS is well developed with a large number of studies conducted across multiple contexts over the past three decades. As privacy cannot be objectively measured or quantified, proxies are utilised to examine the role of privacy, with privacy concern representing the dominant approach in existing literature (Bélanger and Crossler 2011). Conceptualisations of privacy concern also differ across the myriad of existing studies with the emphasis often placed on fears around loss of privacy (Xu et al. 2011), or possible improper uses such as one’s personal data being disclosed online (Son and Kim 2008). As summarized in Table 4.1 below, four scales are predominantly used to measure information privacy concerns in the IS literature (Alashoor et al. 2017). While there is an absence of agreement on the most appropriate scale, each of these scales have been rigorously tested, validated and adapted to other contexts. Furthermore, across these scales six dimensions of concern are consistently included.

Table 4.1 Dominant privacy concern scales

While these privacy measures are commonly deployed in other contexts, the majority of extant cloud computing privacy studies do not use validated measures of privacy concern but instead explore privacy and security issues together using open-ended questions or single-item ranking questions. For example, in a study conducted by Scholtz et al. (2016), 90% of participants rated the privacy of data as important or very important. However, two related studies adapted Dinev and Hart’s (2006) PC measure (Nikkhah et al. 2018; Nikkhah and Sabherwal 2017). Validated measures of information privacy concern warrant consideration in future cloud computing privacy studies to provide a more nuanced view of privacy in the cloud and to allow comparisons to be drawn with privacy concerns in other contexts. Indeed, many of these dimensions represent core privacy issues highlighted by cloud researchers (e.g. Pearson and Benameur 2010). However, the extant empirical literature has not yet encompassed these dimensions. The relevance of these dimensions is briefly noted in terms of understanding consumers’ perceptions of privacy.

The collection dimension focuses on individuals’ concerns regarding an organisation’s collection and storage of a great deal of their personal information (Smith et al. 1996). Consumers often lack an awareness of how their data stored in the cloud is used and disseminated, and whether it is used for purposes other than those it was collected for (Nikkhah et al. 2018). For example, in some cases such as Google Drive or Dropbox, the storage of personal information in the cloud is the primary purpose of the service and therefore use is transparent. Other applications such as those in the Internet of Things (IoT) domain, are less clear. Data may be stored on the device, somewhere locally, or in the cloud, or a combination of one or more these. Consumers may not even be aware of where data is stored. It is important to explore whether cloud data storage generates consumer privacy concern and how this differs across applications and information types.

The Unauthorised Secondary Use dimension focuses on individuals’ concerns that information collected for one purpose is subsequently used for a secondary purpose without obtaining the individual’s permission (Smith et al. 1996). Consumer perceptions of unauthorised secondary use in the cloud context are highlighted in extant research (Pearson and Benameur 2010). The Improper Access dimension covers individuals’ concerns that an organisation does not have the measures in place to prevent unauthorised individuals from accessing their information (Smith et al. 1996). The recent media coverage around large cloud data breaches may heighten consumer awareness of potential improper access to their data stored in the cloud, and consequently, increase their concerns around such access. The Errors measure of concern focuses on individuals’ concerns that the organisation storing their personal information does not have the measures in place to prevent and correct errors in the data (Smith et al. 1996). This dimension may not be relevant in all consumer cloud contexts, but issues around controlling data flows which are inherent in the cloud may cause concern around organisations’ ability to track information, and as a result their capabilities to identify and remedy errors.

The Control dimension focuses on individuals’ concerns regarding the lack of control they have over their personal information (Malhotra et al. 2004). Issues around control over data has been highlighted as an important cloud privacy issue that warrants exploration (Sun et al. 2011; Pearson and Benameur 2010). The Awareness dimension centres around individuals’ concerns regarding their lack of awareness of how an organisation uses and protects their personal information (Malhotra et al. 2004). Awareness represents another core concern in the cloud context, with lack of transparency around where data is stored and the protection mechanisms in place (e.g. Singh et al. 2015). It is important to therefore examine (1) if consumers lack awareness of privacy practices in the cloud and (2) if a lack of awareness heightens concerns for the privacy of one’s personal information.

The broader privacy literature offers a rich theoretical base from which the role of privacy in cloud computing can be advanced. Privacy theories are typically discussed from five perspectives—(1) drivers of privacy concern, (2) behavioural consequences, (3) trade-offs, (4) institutional drivers and (5) individual factors (Li 2012). In contrast to the broader literature, the privacy research in the cloud context is relatively nascent. A review of the literature did not identify any studies leveraging theories in four of these five categories. However, two related studies drew on privacy calculus theory (PCT), a theory commonly utilised to understand the trade-offs between the benefits and the risks associated with the behaviour in question such as information disclosure or using a new technology (Culnan and Armstrong 1999). PCT posits that individuals engage in a cognitive comparison of the benefits and potential negative outcomes which may result from using a certain technology (Culnan and Armstrong 1999). According to this theory, individuals will utilise the technology as long as their perceptions of the benefits outweigh their risk perceptions (Culnan 1993). The first study focused on consumers’ willingness to disclose information in cloud-based mobile applications and found that privacy concerns reduced willingness to disclose information, whereas perceived usefulness of the apps and perceived trustworthiness both positively influenced willingness to disclose (Nikkhah and Sabherwal 2017), thereby supporting the use of PCT in this context. The second study focused on consumers’ intentions to continue use of cloud-based mobile applications and found that security and privacy interventions reduce privacy concerns and increase trust, and privacy and security concerns both indirectly influence willingness to continue to use apps through trust (Nikkhah et al. 2018), furthering support for PCT. These studies support the potential of privacy theories to advance our understanding of the role of privacy in this context and point to the need to further leverage this rich theoretical base.

4.4 Enhancing Privacy Perceptions in the Cloud

The focus of much of the privacy literature in the cloud domain has been on technical measures to secure data to enhance security in the hope of negating privacy issues. These are discussed further in Chap. 7 of this book. These studies focus on reviewing the efficacy of measures such as different approaches and anonymisation mechanisms (Sonehara et al. 2011). Recent works have also highlighted important security considerations in emerging cloud contexts such as IoT, stressing the need to consider secure communications, data identification measures, and certification approaches for example (Singh et al. 2015).

Drawing from the existing research in the cloud context and the broader privacy literature, it can be argued that organisations need to address three related consumer perceptions; (1) control (2) awareness and (3) trust. The first two perceptions relate specifically to privacy concern while the third represents a broader perception of the technology (as discussed in detail in Chap. 1). All three consumer perceptions can negatively influence individuals’ willingness to adopt new technologies (Li 2012) and as such, represent an important barrier to the continued success of cloud computing.

Perceived control is a primary concept within the information privacy literature. However, it is important to note that privacy and control are conceptually distinct (Laufer and Wolfe 1977) and negatively correlated. Control is a perception based variable and has been defined as an individual’s beliefs in their ability to manage the collection and use of their personal data (Xu et al. 2011). In the cloud context, it has been noted that consumers are afforded little or no control over their information (Alashoor 2014). In other contexts, a lack of perceived control can heighten privacy concerns (Dinev and Hart 2004), whereas if perceived control is high, individuals may be empowered to adopt technologies and disclose more personal information (Palmatier and Martin 2019). Closely related to control is consumers’ awareness of how their information is protected and used in the cloud. A lack of transparency is a commonly cited issue in the cloud context with many noting that cloud providers should engage in transparent communications to increase consumer awareness of how their personal data is used (Kesan et al. 2013). Awareness not only encompasses understanding of how data is protected, but where data is stored and how it is used.

Trust is often incorporated into privacy studies including those in the cloud context (e.g. Nikkhah et al. 2018). Consumers’ beliefs regarding the trustworthiness of an organisation relate to perceptions of the organisation’s benevolence, integrity and competence (van der Werff et al. 2019; Bélanger et al. 2002). In privacy contexts, trust often focuses on an individual’s willingness to be vulnerable when transacting or sharing personal information with an organisation (McKnight et al. 2002). In the cloud context, research supports the importance of trust in influencing consumers’ willingness to use cloud-based mobile applications and the relationship between privacy concern and trust (Nikkhah et al. 2018).

Central to addressing these consumer perceptions is improving organisational communications with consumers and building knowledge. Organisation’s current communication efforts largely involve privacy policies. Currently, privacy policies tend to be quite lengthy and difficult to read (Kelley et al. 2010). Indeed, the time to read the privacy policies of all websites visited by an average American Internet user was estimated as 201 hours annually (McDonald and Cranor 2008). Furthermore, when consumers read privacy policies, they often do not understand the contents (Martin 2015). These issues with readability and understandability, as well as lack of user engagement with privacy policies, has led to calls to develop new communication methods which better inform consumers how their information is used (Park et al. 2012). In addition to how organisations communicate, it is important to ensure consumers are equipped with the privacy knowledge needed to interpret these communications. Indeed, gaps in consumers’ privacy knowledge and self-efficacy has recently been highlighted as an important area to address in order to empower informed decision making (Crossler and Bélanger 2017). Thus, we present three approaches organisations can use to influence consumer perceptions related to privacy in the cloud namely institutional assurances, just-in-time interventions, and building privacy knowledge. The first two approaches directly relate to communication methods and the third approach focuses on building consumers’ privacy literacy and as a result their capacity to engage with organisation consumers regarding their privacy practices.

4.4.1 Institutional Assurances

Institutional assurances or privacy disclosures are communication efforts from organisations to consumers, regarding the organisation’s data privacy practices. Institutional assurances are often heralded as a solution to addressing privacy concerns, improving perceptions of control and enhancing trust beliefs in many contexts (Culnan and Armstrong 1999; Wu et al. 2012). Institutional assurances include privacy policies and visual approaches which combine text and icons such as privacy labels and trust labels. The privacy literature has found effective privacy policies address awareness issues by increasing perceptions of control (Xu et al. 2011) and improving understanding of privacy practices (Kelley et al. 2010). However, the weaknesses inherent in existing privacy policies led to the emergence of the nutritional privacy label (Kelley et al. 2010). In the cloud context, a cloud trust label providing relevant institutional assurances and privacy information has been found to impact decision makers’ perceptions of the trustworthiness of cloud service providers (van der Werff et al. 2019). The nutritional label is one possible approach to institutional assurances which could serve as a fruitful avenue for both cloud service providers and organisations leveraging the cloud. This approach should include all information required in GDPR compliant privacy notices and inform consumers of how their data is used, stored, protected, and the controls they can exercise over their data. In addition, the label should address the three dimensions of trust (benevolence, integrity and competence), and the core security considerations in the cloud context. The label approach combines many recommendations for effective communication from the UK Information Commissioner’s Office (ICO) including the use of recognisable icons and layering formats (ICO 2017). The content of the label should differ depending on the organisation and whether the label is consumer facing or used to influence perceptions of key decision makers in organisations. Based on findings in the cloud and other contexts, these labels may build awareness and strengthen perceptions of control and trustworthiness. Privacy labels are likely to be useful as a communication tool for prospective customers, and should be accessible to existing customers within the application or website settings.

4.4.2 Just-in-Time Interventions

In addition to detailed communication approaches such as privacy labels and notices, there is also a need for additional transparent communications with consumers as the need arises. The ICO advocates the use of just-in-time notices to inform consumers of changes in an organisation’s privacy practices (ICO 2017). For example, if an organisation plans to migrate to the cloud, they should inform their consumers of this change in a transparent manner. Additional reasons for just-in-time interventions include cases when an additional use arises for personal data and consumer consent is sought, as well as requests for updates to personal information, or requests for more information. In these interventions, organisations should be transparent and focus on explaining why the data is needed. The format of these interventions will vary depending on the level of the change and the technology in question. For mobile applications, a pop-up notification could be utilised to request consumer consent or additional data disclosure. For websites, individuals could be prompted to provide the requested information at log-in. The purpose of just-in-time interventions is similar to the privacy label approach in that they seek to overcome issues with awareness, while reminding consumers of the controls they have and seeking to enhance trust beliefs through transparency.

4.4.3 Building Privacy Knowledge

As repeatedly noted throughout this chapter, cloud consumers often lack awareness of how their data is stored and used. In the broader privacy literature, Crossler and Bélanger (2019) advocate the importance of understanding and addressing consumers’ privacy knowledge-belief gaps and the need to develop contextualised privacy self-efficacy i.e. individuals’ perceptions that they have the knowledge and skills needed to protect the privacy of their data as required. This work builds on findings around the privacy paradox, wherein consumers express high privacy concerns but do not engage in behaviours to protect their information privacy (Bélanger and Crossler 2011). In their recent study, Crossler and Bélanger (2019) found that context-specific privacy knowledge and privacy self-efficacy influence individuals’ privacy-protective behaviours. There is a need for organisations to consider consumers’ privacy knowledge and self-efficacy both for potential and existing customers. Any communication, be it a privacy label or app notification regarding privacy should consider the consumers’ knowledge, and be framed in ways which enhance their knowledge as opposed to obfuscate improper practices. In addition, organisations should provide supplementary information and resources which empower consumers to develop their privacy knowledge and self-efficacy. It is argued that this level of transparency will heighten perceptions of control and trustworthiness while building consumers’ privacy self-efficacy and thereby facilitating informed decision making.

4.5 Future Research Directions

As discussed earlier, consumer perceptions of privacy are influenced by past experience and the context in question (Li 2011). As such, pertinent privacy issues are likely to vary across different cloud contexts (Pearson 2012). At a high level, more privacy research is required that focuses on consumer perceptions of privacy in the cloud in general, among different cloud service provision models, in public/private cloud settings, and in different domains such as IoT. Table 4.2 below outlines a number of potentially fruitful directions for research that may enrich our understanding of privacy in the cloud. As per Li (2012), relevant theories popularised in other privacy contexts are listed alongside each area. These research directions represent an initial step in unravelling the role of the complex privacy construct in this multifaceted and evolving context.

Table 4.2 Future research directions

4.6 Concluding Remarks

The need to address privacy concerns in order to ensure the success of new information technologies has been argued in the broader privacy literature (Hong and Thong 2013). The importance of addressing privacy and security in the cloud is also well established (Wood 2012). However, literature focused on understanding consumer perceptions regarding privacy in the cloud is still emerging. This chapter argues for the need to move beyond technical solutions which address security first and privacy second, towards a focus on understanding and addressing the privacy perceptions of consumers. Given the proliferation of cloud computing, the potential privacy implications span multiple industries, and privacy may pose different challenges for each industry or application. Proactive approaches to communicate with consumers such as privacy labels can be useful in addressing privacy concerns, enhancing perceptions of control and building trust beliefs. In addition, efforts are needed to build the privacy literacy and self-efficacy of consumers in this context. The recommendations presented in this chapter emphasises the importance of organisations proactively understanding and positively influencing consumer privacy perceptions, over and above the compliance with legal requirements such as the GDPR. It is hoped that this chapter provides some useful recommendations for practice and presents some interesting avenues for research in this domain.