Sunday 15 May 2011

The legal implications of data and applications being held by a third party are not well understood. What are the issues?

The third party provision of computational and network resources for the purpose of storing data and applications comes under the umbrella term of cloud computing. Conceptually, cloud computing can be thought of as a remote computing utility; an underlying delivery mechanism to enable data and software to be accessed remotely via the internet (M. Mowbray, 2009). The theories underpinning cloud computing have become increasingly popular over recent years, supported by a larger, more general architectural shift within the computer industry towards increased flexibility, mobility, and cost efficiency (R. Buyya, C. S. Yeo, S. Venugopal, 2008). However, despite significant support for the theories behind cloud computing, it has been slow to develop in practice (Richard Chow et al., 2009). The main reason for the delayed progression stems from an air of fear and uncertainty surrounding the storage of sensitive data and applications outside of the user’s control (Richard Chow et al., 2009). These concerns discourage many companies from storing their data in the ‘cloud’, which impedes momentum and may ultimately compromise the concept of cloud computing (R. Buyya, C. S. Yeo, S. Venugopal, 2008).

A key driver of the concerns surrounding cloud computing is the issue of data privacy laws differing across country borders. An organisation utilising cloud computing services is likely to find its data is stored in a different country to its own. The data is therefore bound by the privacy laws and jurisdiction of the country within which it is stored (M. Mowbray, 2009). Hence, in cases where data does not completely conform to these foreign laws, jurisdictional and legal disputes are going to arise. This is clearly an unattractive factor for organisations considering whether or not to add data to the ‘cloud’.

Additionally, encompassed within this wider jurisdictional issue is the potential for foreign governments to access the data; the data is put at the mercy of the data privacy laws of the country within which it is stored (M. Mowbray, 2009). This issue is exacerbated by the fact that many cloud computing services are based in countries such as the US, where laws exist to enable government officials to access data without notification to the data owners; for example, the 2001 Patriot Act in the USA (M. Mowbray, 2009). This point is illustrated by the reluctance of the French government to allow officials to use BlackBerry email devices, since these devices use servers based in the US and the UK (M. Mowbray, 2009). Moreover, some regions such as the EU have stringent rules concerning the movement of data across borders (European Data Protection Act), which creates further problems (J. Kiss, 2011). Although this issue is unlikely to discourage organisations from accepting cloud computing, when considered as part of the wider jurisdictional issue, it is clear to see why many organisations are reluctant to participate.

A further reason for concerns about cloud computing stems from the highly one-sided nature of current user agreements. The current trend for the user agreements of companies offering cloud computing services is to offer very little in terms of assurance should data be lost, or become corrupted (M. Mowbray, 2009). The aforementioned user agreements also ensure minimal liability with respect to the security of data; most simply offer ‘appropriate measures’ (Microsoft Terms of use, 02.05.2011). This point is nicely demonstrated by the Amazon Web Services terms of use, which accept no liability “for any unauthorized access or use, corruption, deletion, destruction or loss of content or applications” (Amazon Web Services Terms of Use, 01.05.2011). This therefore serves to discourage those considering adding data to the ‘cloud’, since little responsibility is taken by cloud service providers to ensure the safety or security of the data they maintain. Essentially, users are losing control over all operational issues such as backing up data, and data recovery, without receiving any guarantees regarding data safety/security from service providers (L.H. Mills, 2009).

Similarly, very little guarantee is made regarding the continued and appropriate provision of ‘cloud’ services. For instance, the Google terms of service claims zero liability in the case of incomplete or unsatisfactory service provision; “Google, its subsidiaries and affiliates, and its licensors do not represent or warrant to you that: (A) your use of the service will meet your requirements, (B) your use of the services will be uninterrupted, timely, secure, or free from error. (C) Any information obtained by you as a result of your use of the service will be accurate or reliable, and (D) that defects in the operation of functionality of any software provided to you as part of the services will be corrected” (Google Terms of Service, 01.05.2011). This underlying reluctance to assume responsibility and guarantee a certain standard of service raises questions as to the benefits of storing data in the ‘cloud’. Users are again forced to relinquish control without being compensated with guarantees regarding the standard of service provision (L.H. Mills, 2009). This, therefore, encourages concerns and acts to discourage organisations and individuals from investing their data in the ‘cloud’.

A further issue which serves to hinder the progress of cloud computing relates to the use of subcontractors and the sharing of information. Most cloud service providers sub-contract much of their data storage for efficiency and cost-minimisation purposes (M. Mowbray, 2009). Beyond potential integration issues, this sharing of data may potentially raise additional judicial issues if subcontractors are located in different countries (M. Mowbray, 2009). This issue is amplified by the lack of user say with regards to the selection/use of subcontractors, since most cloud providers simply use stylised blanket statements, contained within the terms of use; the Google terms of service states “right for Google to make such content available to other companies, organisations or individuals with whom Google has relationships for the provision of syndicated services” (Google Terms of Service, 01.05.2011). More importantly, however, the sharing of data creates additional opportunities for the data to get lost, corrupted, or stolen (Richard Chow et al., 2009). These factors therefore serve to increase fears regarding the loss of control and further discourage organisations from accepting the ‘cloud’ as the future of data storage.

In summary, it is clear that the concerns surrounding cloud computing stem from a perceived loss of control. This loss of control is rooted in the jurisdictional issues arising from overseas data storage, coupled with heavily one-sided user agreements which fail to provide adequate reassurance as to the safety and security of the data being maintained. For third party data storage to fully mature, ‘cloud’ providers such as Amazon and Microsoft need to bear a greater burden of responsibility in terms of the safety and security of stored data (Richard Chow et al., 2009), as this would alleviate many of the fears associated with cloud computing. As competition in cloud markets increases, this is likely to be the case, with providers seeking to differentiate themselves on service quality by offering more attractive guarantees. Additionally, measures may need to be taken to regulate cloud computing, to adequately mitigate the risks users are exposed to (P. T. Jaeger, J. Lin, J. M. Grimes, 2008).


References:

Google Terms of Service, accessed at 13:47 01.05.2011, http://www.google.com/accounts/TOS

Michael Armbrust et al., 2005, A View of Cloud Computing, Communications of the ACM, April, Vol. 53, No. 4.

M. Armbrust et al., 2009, Above the clouds: A Berkeley View of Cloud Computing, February 10, University of California at Berkeley, Technical report no: UCB/EECS-2009-28, http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.html

Richard Chow et al., 2009, Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control, Proceedings of ACM CCSW’09, November 13, www.parc.com/publication/2335/controlling-data-in-the-cloud.html

R. Buyya, C. S. Yeo, S. Venugopal, 2008, Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities, hpcc, pp.5-13, 2008 10th IEEE International Conference on High Performance Computing and Communications

M. Mowbray, 2009, "The Fog over the Grimpen Mire: Cloud Computing and the Law", 6:1 SCRIPTed 129, http://www.law.ed.ac.uk/ahrc/script-ed/vol6-1/mowbray.asp

Microsoft Terms of Use, accessed at 17:49 02.05.2011, http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Copyright/default.aspx

Amazon Web Services Terms of Use, accessed at 15:33 01.05.2011, http://aws.amazon.com/terms/

J. Kiss, 2011, Keeping your legal head above the cloud, January, the Guardian, accessed at 18:19 02.05.2011, http://www.guardian.co.uk/media-tech-law/cloud-computing-legal-issues

L. H. Mills, 2009, Legal Issues Associated with Cloud Computing, Nixon Peabody attorneys at law LLP, May, http://www.secureit.com/resources/Cloud%20Computing%20Mills%20Nixon%20Peabody%205-09.pdf

P. T. Jaeger, J. Lin, J. M. Grimes, 2008, Cloud Computing and Information Policy: Computing in a Policy Cloud?, Journal of Information Technology & Politics, Vol. 5, http://pdfserve.informaworld.com/69309__906675947.pdf

1 comment:

  1. Great article! A really good insight into the legal aspect of cloud computing.

    Just out of curiosity, what mark did you get for this assignment?! Just want to get an idea of the mark scheme. Thanks a lot!!! xx
