Digital Marketplaces Unleashed

by Claudia Linnhoff-Popien

  Despite the ruling in the Microsoft Ireland case and its possible consequences many German companies prefer a cloud solution hosted and registered in Germany. Some cloud services providers acknowledge the particular requirements for protecting personal data. Microsoft for example responded to this demands with the “Microsoft Cloud Deutschland”, as part of the Azure‐Cloud. As its data centers are situated in Germany (Frankfurt & Magdeburg), data will be stored and processed in Germany only according to German law. The data centers are not managed by Microsoft itself, instead T‐Systems acts as a data trustee, monitors all access on the customer data and ensures its legality while Microsoft has no access to the data or even the data centers. However, this impacts the achievable scalability/elasticity of cloud services and will certainly have an impact on pricing.

  Cloud providers headquartered in Germany are subject to the Federal Data Protection Act (Bundesdatenschutzgesetzt, BDSG) when processing personal data. The Data Protection Act states that the cloud provider only performs contracted data processing. Responsible for personal data and its protection is still the client/cloud user (§11 BDSG). And he has the right and obligation to ensure that the cloud provider complies with the German data protection rules. A certification of the data center according to e. g. ISO/IEC 27001 already covers a considerable part of the legal requirements.

  An EU‐wide regulation for data protection is the Data Protection Directive of the European Union1. It describes the minimum standards for data protection that have to be ensured in all EU member states. Personal data may be forwarded to third party states from EU member states only if they have a data protection standard comparable with the EU legislation. As the Data Protection Directive is in force since 1995 it is outdated today and will be replaced by the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) which was published on 4 May 2016 and shall apply from 25 May 2018. With the GDPR the Commission intends to strengthen and harmonize the data protection laws for individuals across the European Union (EU). The primary objectives of the GDPR are to give citizens more control over and easier access to their personal data and to unify the regulation within the EU to facilitate international business. The regulation applies if the data processor or the data subject is based in the EU but it also applies (unlike Directive 95/46/EC) to an organization based outside the EU that processes personal data of EU residents. That means that the future EU data protection laws will also apply to cloud providers like Amazon and Google. Also the GDPR strengthens the so called “right to be forgotten” which refers to the right to have one’s data deleted or not further disseminated after a fixed period of time [13].

  For international business and data transfers the Safe Harbor Privacy Principles were the most important agreements. They were signed between the European Union and the United States to enable the legal transatlantic movement to and storage of personal data in the United States. US companies storing personal data of EU citizens would self‐certify that they adhere to 7 principles and therefore comply with the data protection requirements of the EU. However, Safe Harbor came under much criticism because it could be bypassed by the US Patriot Act which allowed U.S. intelligence to gain access to the stored data of U.S. companies (via court order). So on October 24, 2015 the Safe Harbor Privacy Principles were overturned by the European Court of Justice. This resulted in new talks between the European Commission and the US authorities to develop “a renewed and sound framework for transatlantic data flows” [14] – the birth of the EU‐US Privacy Shield. The Privacy Shield is a framework for the transatlantic exchange of personal data for commercial purposes between the European Union and the United States. It aims to protect “the fundamental rights of individuals where their data is transferred to the United States and ensure legal certainty for businesses” [15]. This new arrangement imposes strong obligations on U.S. companies to monitor and enforce the protection of personal data of EU citizens. The Privacy Shield includes written commitments and assurance by the U.S. that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalized access [15].

  Apart from the Safe Harbor Privacy Principles the USA PATRIOT Act has also been suspended. The provisions expired on June 1, 2015 and since then have been replaced by the USA FREEDOM Act (H.R. 2048, Pub.L. 114–23) which restored in a modified form several provisions of the Patriot Act. Its supporters claim that the Freedom Act imposes new limits on the bulk collection of telecommunication data on U.S. citizens by American intelligence agencies like the National Security Agency (NSA). But critics argue that the Freedom Act actually has produced only very marginal gains for privacy and that the mass surveillance program continues (e. g. the collection of call records) just under slightly changed circumstances.

  When it comes to media law there are no regulations dealing with cloud computing directly. But of course existing media laws also apply to the usage of cloud (services). Copyright laws, personal rights, license agreements and film rights, which can come with strict requirements on security and access protection, must be observed in the cloud as well.

  64.5.2 Implications on Broadcasters and Media Companies

  The legal framework addresses personal data and data associated with the personality of individuals. The consequences may not be always immediately obvious. For instance, there is the notion that an IP‐address used by an individual to communicate with a server is regarded “personal data”. Also logging into a cloud service for maintenance and configuration creates “personal data”.

  The legal framework on personal data substantially affects the media domain as e. g. all on‐demand services and personalization include processing of personal data. For on‐demand services (e. g. VoD) cloud services are commonly used. Also (big) data analytics relevant for personalization maps well to cloud services. With the usage varying significantly over the day the load either for transcoding, data IO, data base access etc. varies sharply over the day as well. Thus the scalability of the cloud is a huge advantage.

  While in the former example personal data is stored and processed, personal data is being created as well when using cloud services in the context of media production. Think of a non‐linear editing tool in the cloud. Each time the cutter uses the tool, this usage and the information who is using it establishes personal data as well, which requires protection according to the legal framework.

  In media there is another source of “personal data”. The protection level of sensitive information about investigative research or data that may require identity protection of sources or informants must even be higher than for personal data. As a potential access of cloud systems by government authorities or criminals cannot be ruled out, it is advisable not to use in particular public cloud systems.

  For media prior to using a public cloud (service) it needs to be evaluated and precisely defined what personal data shall and is permitted to be stored there. Also a data classification by required level of protection should be conducted. But note that the legal framework for protecting personal data applies also to any in‐house processing, e. g. in a private cloud.

  The legal framework poses particular requirements on personal data. But the media file itself requires a high level of protection as well. For media companies and broadcasters theft or loss of their media assets is the main concern when thinking about cloud usage. There have been some incidents recently that made headlines e. g. the iCloud hack in 2014 where celebrity photos were stolen. But as the hack of Sony pictures in 2014 shows you can also suffer from a cyber‐attack in your own data center. The cloud does not have to be less secure than your own data center. In fact public clouds are highly secure. Most of th
em meet various different international and industry‐specific compliance standards (like ISO 27001, HIPAA or SOC 1 and 2) and are audited by third‐parties regularly. Most company data centers cannot by far compete with that. So sometimes it is more a question of perceived security and trust. But it may be true that the risk of secret access by governments or intelligence services to your data may be higher in the public cloud.

  Generally, for media data that is moved into the cloud encryption and keeping encryption and key management in one’s own hands should be the key principal. This is probably the only way to guarantee an end‐to‐end encryption and to safely store your data in the cloud.

  64.6 Conclusions

  The cloud has already arrived in broadcast operations and among viewers – as a private cloud in one’s own data center with virtualized servers, as a service of a central service provider for several production sites in a secure corporate network, or indeed in the form of services in a public cloud. Cloud is common for OTT linear and on‐demand media distribution. The functions range from IaaS to SaaS – with SaaS being especially relevant in the private area, but also for complete solutions addressing the professional media market. Deployments in media houses that build in IaaS or PaaS, or those who build on single services and orchestrate these modules as part of an own (cloud based) integration work, are much less frequent, since they require deep technical planning knowledge and maintenance efforts by the media house itself.

  Creative user focus on a comfortable availability of functionalities required for investigation, search, media acquisition, finishing and distribution of media, regardless whether this can be achieved by using clouds or by more traditional concepts. The comfort using services on smartphones and so on sets the expectation bar also for professional usage.

  Business models still need to prove their sustainability or even to be developed. However, the chance for quick deployments, a high degree of scalability and the potential of a very high utilization of resources in public clouds of major vendors strengthen confidence that clouds will have their established position in media houses. In particular for (public) broadcasters the shift from CAPEX to OPEX is important to note.

  The performance and wide availability of high bandwidth network connections to public clouds will play a key role for acceptance. However, bandwidth demands also highly depend on the genre of media production or the application, with decreasing requirements from live production, file based “near live” (news) or offline feature production, down to supporting functions like search and planning.

  In principle, clouds bear a certain risk for security and privacy, but some cloud vendors have already reacted on new European legislation initiatives and offer solutions fitting specific national legislation requirements. Moreover, the level of security reached in a cloud has always to be compared with the level of security that can in practice be achieved in private solutions.

  Clouds, however, do not necessarily replace traditional broadcast technology but expand it with new possibilities and thus will open new workflow opportunities. The flexibility of cloud based applications will certainly impact today’s workflows. Technologies for carrying live audio and video in “studio quality” across larger IP networks into the cloud further extend application ranges, but still need further development and validation. The task is to take the opportunity to also “think in clouds conceptually”, to perceive the associated new and very flexible solutions and to implement the appropriate applications based on the individual needs regarding security and privacy, process reliability, maintainability, effort to minimize the risk of cloud vendor lock‐in, personnel structure and training expenditure. Cloud‐based concepts definitely offer opportunities for broadcast – and good knowledge of all aspects helps to avoid risks and to implement tailor‐made solutions.

  References

  1.

  National Institute of Standards and Technology, “The NIST Definition of Cloud Computing,” NIST, Gaithersburg, 2011.

  2.

  Federal Office for Information Security (BSI), “Security Recommendations for Cloud Computing Providers,” BSI, Bonn, 2012.

  3.

  M. Verhovnik, “www.​irt.​de,” [Online]. Available: https://​www.​irt.​de/​fileadmin/​media/​downloads/​veranstaltungen/​2016/​Trimedialitaet-Praesentation1_​IRT-Kolloquium.​pdf. [Accessed 06 September 2016].

  4.

  R. Schäfer, “Medienfabrik 4.0”, IRT Jahresbericht 2015, pp. 8–10, [Online]. Available: http://​www.​irt.​de/​webarchiv/​showdoc.​php?​z=​ODExNCMxMDA2MDE3​I3BkZg=​=​. [Accessed 07 September 2016].

  5.

  C. Pfeifer, “IP-netzwerke für die Live-Produktion,” FKT, pp. 500–504, 2014.

  6.

  M. Schneider und P. Schut, “IEEE 802.1 AVB: Video über Ethernet in Produktionssystemen,” FKT, pp. 527–?, 2013.

  7.

  K. W. Rößel, “Vernetzte Produktionsabläufe – ‘Anywhere’ für Video,” FKT, pp. 631–635, 2014.

  8.

  “www.​make.​tv,” [Online]. Available: www.​make.​tv. [Accessed 29 08 2016].

  9.

  “YouTube Statistik,” [Online]. Available: https://​www.​youtube.​com/​yt/​press/​de/​statistics.​html. [Accessed 01 09 2016].

  10.

  S. Siepe, “www.​fktg.​org,” [Online]. Available: https://​www.​fktg.​org/​argos-datenschutzkonfo​rme-qualitaetsueberp​ruefung-von-streaming-angeboten. [Accessed 06 September 2016].

  11.

  C. Ziegler, “Second screen for HbbTV — Automatic application launch and app-to-app communication enabling novel TV programme related second-screen scenarios,” 2013 IEEE Third International Conference on Consumer Electronics Berlin (ICCE-Berlin), Berlin, pp. pp. 1–5, 2013.

  12.

  M. Stiller, “www.​irt.​de,” [Online]. Available: http://​www.​irt.​de/​webarchiv/​showdoc.​php?​z=​NjY2OCMxMDA1MjE3​I3BkZg=​=​. [Accessed 07 September 2016].

  13.

  European Commission, “European Commission – Fact Sheet, Questions and Answers – Data protection reform,” [Online]. Available: http://​europa.​eu/​rapid/​press-release_​MEMO-15-6385_​en.​htm. [Accessed 29 08 2016].

  14.

  European Commission, “European Commission – Speech – [Check Against Delivery], Commissioner Jourová’s remarks on Safe Harbour EU Court of Justice judgement before the Committee on Civil Liberties, Justice and Home Affairs (Libe),” [Online]. Available: http://​europa.​eu/​rapid/​press-release_​SPEECH-15-5916_​de.​htm. [Accessed 29 08 2016].

  15.

  European Commission, “European Commission – Fact Sheet, EU-U.S. Privacy Shield: Frequently Asked Questions,” [Online]. Available: http://​europa.​eu/​rapid/​press-release_​MEMO-16-2462_​en.​htm. [Accessed 29 08 2016].

  Footnotes

  1Officially called: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

  © Springer-Verlag GmbH Germany 2018

  Claudia Linnhoff-Popien, Ralf Schneider and Michael Zaddach (eds.)Digital Marketplaces Unleashedhttps://doi.org/10.1007/978-3-662-49275-8_65

  65. Data & IT Security, a Challenge for the Cloud Computing Trend

  Ralf Rieken1

  (1)Uniscon GmbH, Munich, Germany

  Ralf Rieken

  Email: ralf.rieken@uniscon.de

  65.1 Introduction

  Experian, the world’s leading information services group, has released a “Data Breach Industry Forecast 2016” report that substantiates the following: the most important and greatest global challenge in cloud computing is to be able to fulfill data privacy and compliance demands and ensure IT security. In order for businesses to be able to rise to this challenge, economies need clear data protection and compliance laws that keep up with technical developments,
as well as technology with which to actually be able to enforce those demands [1].