When Max Schrems, an Austrian privacy activist, requested to see his personal data that Facebook stored on its servers, he was mailed a CD-ROM containing a 1,222-page document. That file, which would stretch nearly a quarter of a mile if printed and laid end-to-end, offered a glimpse into Facebook’s appetite for the private details of its 1.65 billion users.

The information included phone numbers and email addresses of Mr Schrems’ friends and family; a history of all the devices he used to log in to the service; all the events he had been invited to; everyone he had “friended” (and subsequently de-friended); and an archive of his private messages. It even included transcripts of messages he’d deleted.

But Mr Schrems, who says he only used Facebook occasionally over a three-year period, believes a sizeable chunk of information was withheld from him. He received data records for about 50 categories, but believes there are more than 100, he tells the BBC.

“They withheld my facial recognition data, which is a technology that can identify me through my pictures. They don’t disclose tracking information either, which is the even creepier stuff they do – things like whether you’ve read a webpage about a sports car and how long you read it for.”

Facebook can even track non-members’ internet usage through the use of cookies placed on their machines, as a recent legal decision in Belgium confirmed.

Mr Schrems’ experience vividly illustrates the challenges we face in a digital age full of messaging apps, social networks, tailored search engines, email clients, and banking apps, all collecting personal data about us and storing it, somewhere, in the cloud. But where is all this data exactly, how is it being used, and how secure is it?

The big four

More than half of the world’s rentable cloud storage is controlled by four major corporations. Amazon is by far the biggest, with about a third of the market share and more than 35 data centres throughout the world.
The next three biggest providers are Microsoft, IBM and Google, and each of them adopts a similar global pattern of server farms.

Several of these major public cloud providers habitually duplicate user data across their networks. It means that information uploaded to the cloud in, say, the UK or the US, is likely to be transferred at some point to servers in major cities around the world, from Sydney to Shanghai.

The problem with this, says Prof Dan Svantesson, an internet law specialist at Bond University, Australia, is that “there is always a risk that the country your data goes to doesn’t have the same level of protection [as your own].

“If your data ends up in another country, it can be unclear who has access to it, be it network providers or law enforcement,” he says.

Benjamin Caudill, a cybersecurity consultant at Rhino Security Labs in Seattle, also has concerns about how this data is distributed.

“No-one really quite knows how the sausage is made,” says Mr Caudill, whose work includes testing firms’ defences through “ethical hacking”.