PACE: Privacy-aware Cloud Ecosystems

Lead Research Organisation: Cardiff University
Department Name: Computer Science


With increasing take up of externally provisioned and managed services (from government, finance, entertainment), often hosted over Cloud computing infrastructure, there is a realisation that on-line electronic services can involve an interlinked range of providers. Gartner forecasts that cloud computing market will grow at a compound annual growth rate of 32% (2016-2019), with the potential for additional providers to emerge in the market place. Ofcom's "Communication Market Report" indicates total UK telecoms business revenue were 37.5bn in 2015, indicating significant contribution of mobile services to the UK economy. With the availability of additional mobile services and infrastructure, there is interest in new business models that can facilitate additional subscribers to make use of these services. However, from a user's perspective, trust in the use of these services remains limited, as highlighted in the Pew Research Centre report ("The Fate of Online Trust in the Next Decade", August 2017), which surveyed 1,233 respondents - 24% of these respondents predicted that trust in on-line services is likely to diminish over time. The report revealed that although billions of people use "cellphones" and the internet now, many still do not use that connectivity for shopping, banking, and other important transactions due to limited trust in on-line providers. Some of the respondents surveyed indicated that the use of new technology (such as Blockchains) and regulatory compliance (and industry changes) will help increase trust in on-line services.

As more people move online globally over the next decade, both opportunities and threats grow. It is now likely that due to the wide adoption of Cloud based provisioning, some of these mobile services will exist at the network edge. Consider, for instance, a coffee chain that initially provided Wifi services to customers, now working in collaboration with data centre providers to offer additional services to users (e.g. edge data storage, multimedia caching, etc). Such scenarios have been proposed by a number of organisations involved in Mobile Edge Computing (e.g. the European ETSI and the NIST "Big Data" Working Group). This project addresses security and privacy requirements of such environments, where multiple Cloud computing providers need to work collaboratively to offer services to a user. Users of these services only interact with a Web interface rather than the larger, distributed service ecosystem, and are often unfamiliar with the "ecosystem" of providers that are involved in offering them a particular capability. Their visibility beyond the first service provider is often missing, requiring them to "trust" the provider in handling and managing their data. This is a significant challenge, and according to a recent report from the Pew Research Centre, often deters the use of on-line services (especially for data providers which are new in the market place).

They often entrust their data and identity without realising that the service provider may share their data with several back-end services (Cloud hosted analytics, advertisers). While this has been a problem in the past, it will be greatly exacerbated by the expansion of internet connected devices. In order to address this, the General Data Protection Regulation (GDPR) will be implemented to ensure that non-expert users can make informed decisions about their privacy and thereby give 'informed consent' to the use, sharing and re-purposing of their personal data. There are a number of challenges to facilitating this, both for individuals who need to provide consent and for data controllers who need to obtain it. As a means of addressing this, we propose a technological solution in the form of a mobile software "container" that will ensure that all access instances are securely logged. This will improve transparency, enable an audit trail of providers and facilitate greater trust between users and service providers.

Planned Impact

The proposed project addresses cutting edge research problems with immediate economic benefits. We seek transformational impact on the target scientific community, while benefiting users in multiple sectors (core ICT, industry process management, and law) who deal with cloud services. We adopt a multi-faceted impact strategy, which will involve the following strands:

1. We will demonstrate the societal and industrial impact of the research by showcasing the development and implementation of real-world use cases made available by industry partner such as the Airbus Group.

2. We will establish an International Advisory Board involving industrial and academic leaders, to support and foster end user engagement, feedback, dissemination and exploitation.

3. We will jointly develop an industrial technology transfer strategy through our industry partners including Flexiops, T-Systems, and Simudyne.

4. We will jointly showcase the outcomes of the project to developers and practitioners in industry with the Data Innovation Research Institute, Cardiff, National Innovation Centre for Data, Newcastle, and PETRAS IoT Hub via Cardiff/UCL.

5. We will enhance academic impact by disseminating research results through papers in high quality conferences and journals, such as IEEE Trans. on Cloud Computing, IEEE Trans. on Services Computing, IEEE Trans. on Parallel and Distributed Systems, ACM CCS, IEEE/ACM CCGRID, etc.

6. We will build a community of practice around the techniques (e.g. Blockchain based immutable recording and container-based event management) developed in this project by making the resultant software framework accessible in Open Source form.

7. We will maximise national economic benefits from public investment in research through liaison with research commercialisation offices at Cardiff, Newcastle, and UCL.

8. We will enrich existing teaching and research programs at Cardiff, Newcastle, and UCL in the cross-disciplinary field of research targeted by this proposal.

9. We will bridge the gap between technology, law and public policy to fully explore the challenges of consent in data flows for the promotion of a resilient society and economy in the UK.

The research is supported by strategic industry partners:
(a) Airbus Group Limited: multinational corporation that designs, manufactures, and sells aeronautical, access to multi-cloud hosted application service for fleet maintenance, logistics, and supply chain; supporting strands 1, 2; (b) Flexiops: pioneers in developing cloud and IoT software platform, feedback on research directions and milestones; supporting strands 2, 3, 4; (c) T-Systems: expertise in production-scale cloud and experience in investigating migration of organisations to cloud computing, feedback on research directions and milestones; supporting strands 2, 3, 4; (d) Simudyne: expertise in developing cloud-based computational simulation models targeting diverse sectors, feedback on research directions and milestones, supporting strands 2, 3, 4. (e) Muckle LLP: UK's leading solicitor firm, feedback on research directions and milestones, supporting strands 2, 3, 4.

The project will also maintain a web and social media presence, and disseminate the outcome of the work through interaction with local organisations at both Newcastle, Cardiff and UCL through our existing collaborations (such as Newcastle University's Digital Institute (, Cardiff University's Data Innovation Institute/Innovation Network (
Description As most electronic services that we use today are hosted on cloud-based platforms (from e-commerce, to banking/finance, education), especially during Covid19, this project has focused on understanding GDPR (General Data Protection Regulation) compliance within an interlinked collection of cloud providers. The key objective has been to understand whether a user is fully aware of how their data is accessed, processed and moved by cloud service providers, especially when multiple providers are part of a bigger service deliver "chain". Usually the user only sees the first cloud provider they interact with. The outcomes achieved so far include:

i. Creating and understanding GDPR compliance for data hosted on cloud providers. This has been an increasingly challenging area, as often cloud providers do not provide transparency on how user data is handled. In this work, this is achieved through the use of submission of operations carried out on user data to a blockchain network that can subsequently be analysed to investigate compliance.
ii. A survey has been developed to better understand how users respond to "data privacy" concerns -- especially when balancing this against the convenience of accessing electronic services. The outcome of this survey will help us understand the economics behind supporting GDPR compliance.
iii. As cloud services and internet of things (IoT) devices increasingly merge, especially through the use of edge computing platforms that are often in proximity to users (e.g. directly connected to an IoT devices or on connected to the same local network), we have also investigate the implication of GDPR compliance when edge devices are used to host (partially) services closer to a user.
iv. GDPR legislation around data read, writes and migration have been encoded into rules (logic) that can then be automatically verified using data collected from specialist cloud-hosted containers.

Additional aspects considered -- not initially envisioned in the original proposal:
v. Comparison of GDPR legislation with similar data protection legislation used globally. We carried out a comparison between GDPR and other legislation to identify how our work could be applied and made use of more widely. This work was initially published as a technical report at Cardiff University ( -- but has now (Feb 2021) been accepted as a paper in ACM Computing Surveys (to appear later in 2021).

vi. We noticed significant change in user perception of data privacy due to Covid19 -- when many people were forced to work from home. Access to electronic (online) services is now a necessity to ensure that a distributed workforce is able to carry out their activities. We investigated the changing aspects of informed "consent" during Covid19 and the impact this has on data privacy for cloud-hosted services.
Exploitation Route The outcome of this work will help us develop a better understanding of data privacy concerns for mobile and edge computing services. This is a significant growth area in the distributed systems/cloud computing community. The outcomes of this work will also be relevant to develop a data driven approach which utilises performance metrics to understand how to partition applications across edge devices and data centre hosted cloud platforms. We have already started to publish in this area with our international collaborators, and plan to submit a proposal in this area for funding as a follow up to the existing work.
Sectors Digital/Communication/Information Technologies (including Software),Education,Energy,Government, Democracy and Justice,Security and Diplomacy

Description Investigating GDPR compliance for built environments -- especially which make use of specialist sensors to support individuals. As built environments can contain a variety of different types of sensors -- e.g. home appliances connected to smart plugs, energy system hubs (e.g. Google Nest or British Gas Hive), and video cameras -- there is increasing potential for individuals users to be tracked. This impact focuses on the GDPR implications on such IoT environments -- i.e. to what extent does the concept of user consent apply within such a context, and whether data feed aggregation can lead to user privacy violations. Since 2020: With many people working on-line (and from home) due to social distancing due to Covid-19, there has been a significant increase in the use of electronically provisioned services. This has meant that on-line users now have a very different perspective on data privacy. Increasingly, these electronic services are also provided via cloud environments hosted across a number of different data centers (an aspect closely investigated in this project). We presented our findings at a Science and Innovation Network (SIN) event focused specifically on this issue. This aspect was not something envisioned when this project started.
First Year Of Impact 2020
Sector Digital/Communication/Information Technologies (including Software),Education
Impact Types Societal