What we think.

Using cloud-based services to manage your business has numerous benefits that make it a default choice for many companies from startup to mid-size. Not surprisingly though, not all clouds have a silver lining. There are some free-cloud risks.

The cost of free

Moving your business services to the cloud enables you to focus your talent on your core business rather than on developing and maintaining IT infrastructure. Depending on the services your business needs and cloud deployment model you choose, you can get cloud services with little or no initial capital outlay and no monthly fees. (This can be especially attractive if you’re bootstrapping a “fail fast” startup.)

But critically, what are you giving away when you offload your computing and hand over your data to the cloud? Because in business, nothing is ever really free.  

Cloud deployment models

Your “payment” depends on the cloud deployment model you sign up for. The most common cloud deployment models are private cloud and public cloud. A private cloud is a self-hosted server that’s controlled by your organization. Because it requires hardware (servers either on premise or rented) as well as staff to maintain them, this option carries a definite cost.

Google’s stock-market success underlines the value of the information you’ve traded away for access to the company’s cloud services.

Public clouds on the other hand are where another company or institution provides the cloud service – seemingly for free. Google Docs and Microsoft Office 365 are good examples.

Who’s paying?

Like most things that have become ubiquitous, public cloud services can appear to simply exist, like roads and bridges – or the internet. But we all know these services are run by businesses. So, how do they get funded if you’re paying nothing? It depends on what type of service you opt for.

Freemium: Some subscription-based service providers offer services for small users without asking for a dime. For example, WeTransfer offers a $0 subscription that allows you to transfer up to 2GB. These services operate as a loss-leader on the bet that some customers will come to rely on the service and eventually hit the limits of their zero-dollar subscriptions. The company profits as long as a sufficient percentage of customers eventually signs on to become paying customers.

Subscription: Some service providers offer services where a customer pays a monthly or yearly subscription fee. These services range from simple subscription-based streaming such as Netflix, or cloud backup services like Dropbox, to complete portfolios that include Infrastructure as a Service (IaaS) offerings such as Oracle Cloud.

In-kind: Public cloud companies – Google immediately comes to mind – offer zero-dollar access to a wide range of services in exchange for content and information. This is an “in-kind” payment to the company offering the service; you’re providing your data in exchange for their services.

All that data

When you pay for cloud services in-kind, the cloud service provider collects data about you and your company and sells it. In the case of Google, this isn’t limited to search data, but also includes their free services like Google Drive, Google Docs, and Gmail.

Google’s stock-market success is a testimony to the brilliance of this model. It also underlines the value of the information you’ve traded away for access to the company’s cloud services.

According to Google’s Privacy Policy the information it collects when you use its services includes:

• unique identifiers for your device, browser, and application, including their settings
• your OS, your phone number, and the network you’re using
• your search terms, the videos you watch, the ads you respond to and how, what you buy, your access to third-party sites, people you communicate with, and your browsing history
• your location, including your GPS coordinates, IP address, sensor data from your device, and information about nearby infrastructure, such as cell towers and Wi-Fi access points, as well as about other nearby devices with Bluetooth enabled

The same Privacy Policy states that Google uses this data to improve its services. Your immediate reaction may be: “Great! Google has great products, and they’ll get even better.” More soberly, we might ask: “Improve which services and how?”

Monetizing your information

If we remember that Google’s success comes primarily from the services it offers as an ad enabler, it becomes clear what Google is doing with all that data. Google abstracts high-value keywords and keyword relationships. Then, along with other data you have handed over to it in exchange for its cloud services, Google sells the information to advertisers.

Do you really trust cloud providers to always make the right decision when a bit of inside knowledge might impact their huge portfolio or otherwise unduly influence their behavior?

A 2020 Electronic Frontier Foundation article describes some of the ways in which Google makes money from the data you exchange.

Real-time bidding: Google uses the data it collects to build profiles. These profiles help advertisers target specific groups of people based on their profiles. The more accurately it can target an ad, the more valuable the data, so information about location, browser history, and cookies are valuable to both Google and advertisers.

Google then auctions off the data to advertisers, using an automated process called real-time bidding. Advertisers who win a bid get their ads up in front of their preferred audiences in milliseconds from searches. Ads may be hosted within other web pages or within mobile apps. Notably, the data feeding Google’s targeting algorithms aren’t just from web searches but from any of the Google properties you might be using.

Customer matching: Advertisers provide Google with lists of targeted customers and the information they need to reach them. These lists maintain potential customers’ anonymity, but a device ID or a phone number is sufficient for Google to serve up ads to them.

This means that an advertiser can choose a list of specific people, upload their email addresses, and then ensure that ads seen during browsing go directly to the advertiser’s website. The advertiser can then collect cookie IDs, IP addresses, locations, etc – all useful for knowing exactly who they’re targeting and then tailoring their ads to match.

Free cloud risks

We may shrug and say: “We can get these services for free; who cares if Google – or anyone else for that matter – knows what I’m googling or even what I’m uploading to my cloud storage? Ads that target me are often useful!”

But if you’re running a business, all the information you’re offering up is potentially sensitive information.

Imagine that you’re a designing a new product, say a low-cost lidar, to launch a new line of business. It’s a risky proposition, but if it’s successful it will catapult your company into the stratosphere. It’s therefore all hush-hush.

Your engineers are googling suppliers of lasers, microelectromechanical mirrors (MEMs), photodiodes and the like. They’re writing proposals with Google Docs, creating bill-of-materials estimates with Google Sheets, and uploading design documents to Google Drive. What are the free cloud risks?

• Advertiser access: Google (for example) sells an abstraction of the information you’ve offered up – high-value keywords and keyword relationships – to advertisers. Once your keyword data is incorporated into Google’s search algorithms, this allows ads to be directly targeted to you and your company. Keyword-frequency changes might also provide a sidelong glimpse into what’s happening within your company, even if it can’t be traced back to you directly.
• Internal use: With Google or the like hosting all of your data, they get to look over it. Google’s motto used to be “do no evil”. But do you really trust them to always make the right decision when a bit of inside knowledge might impact their huge portfolio or otherwise unduly influence their behaviour? It pays to be a bit cautious about the absolute purity of any company’s ethics when billions of dollars and hundreds of thousands of employees are under its care.
• Disgruntled employees: Let’s say there’s someone with a grudge against your company who works at Google. It might be a jilted love interest, an angry neighbour, or an annoyed acquaintance. What would prevent them from doxing your confidential company or personal information? While there may be safeguards in place, it’s clear it can still be done and goes on today.
• Corporate espionage: A competitor or a data pirate doesn’t have to breach Google’s servers to access your data. They could specifically target select people within your company with customer-matching ads. That could force their browsers to show individually tuned ads with virally malicious content, allowing the spying company to collect more than just IP addresses, sites visited, and cookies, but also steal files and install spyware.

The risk in all of these may in fact be low. However, using advertiser-paid cloud services is a risk that most people never think twice about before clicking through those long licensing terms.

Are there alternatives?

Of course, there are options. If you don’t want to trade free services for information monetization, there are a spectrum of other arrangements. One example that specifically avoids the dangers we’ve discussed are zero-knowledge cloud services. These zero-knowledge services (which may not be zero dollar) encrypt your data and only you have the keys, not the hosting company.

There is no obvious, one-size-fits-all solution. You need to look at your needs and your resources. You need to decide if the cloud services you are getting are worth the potential risk of exposing your information. It may not matter, say, if you’re running a local pizza delivery service. If you’re developing an AI-driven pizza delivery robot, it may matter a great deal.

Just remember, zero dollar doesn’t mean free. There are free-cloud risks, so read, understand, and be comfortable with your cloud service provider’s terms of use and privacy policies. Because you have the power of choice.