Sunday, 15 May 2011

The cloud: who's fault is it when errors occur, and what is the way forward?

When considering a situation in which data is stored with a third party data service (in a ‘cloud’), if the data becomes lost or corrupted it can be difficult to determine who is at fault. Hence, when determining which party caused the problem it is necessary to examine each case independently.

To assess how the culprit of a data problem is determined, it is necessary to examine different potential data problem scenarios. For instance, if data was to become lost or corrupted because of an operational error such as failing to back up the data, or a hardware failure such as a server crash, it is clear that blame should primarily reside with the service provider, since such issues are out of the user’s control. However, it is also possible that the user could be partly responsible; if an inappropriate technical system design was in place. For instance, critical data which cannot tolerate down time should be part of an architecture which prevents down time. Thus it is possible that both the user and the provider are to blame. This was the case when the Amazon network, in particular the Elastic Compute Cloud, failed. Only users with inappropriate system architectures suffered significant data problems as a result of the downtime (K. Maurer, 2011). Hence, both Amazon and user’s with inappropriate IT structures were at fault (K. Maurer, 2011). In addition, there are cases where data loss/corruption can be entirely the fault of the user. For instance, the user could directly cause data problems through the use of a problematic system architecture, or the inappropriate use of the provided services. Furthermore, it is possible that neither party are responsible for the loss or corruption of data. Consider the situation of a external phishing attack which breaks through reasonable security measures, whilst the fault lies at the providers end, it is largely not the providers fault; both the service provider and user are victims. Such was the case when the Playstation Network was hacked in April, earlier this year (BBC News, 2011). Therefore, it is clear that the blame regarding the genesis of the problem could lie with either the user or the service provider, or possibly both. This therefore further emphasises the need to play the blame game on a case by case basis.

Whilst it is not possible to draw blanket conclusions regarding who is to blame for data loss/corruption problems, it is possible to deduce where liability lies. In the majority of cases, regardless of who is to blame, the user is likely to be held responsible (M. Mowbray, 2009). This is largely due to the heavily one sided user agreements, which typically demonstrate judicious application of disclaimers to ensure minimal responsibility is accepted (M. Mowbray, 2009). Consequently, the user will have to bear responsibility for the majority of failures, without compensation, even if they are void of blame. This issue is demonstrated by the recent news headlines involving Sony and the hacking of the Playstation Network (BBC News, 2011). Although both parties were victims in this instance, since Sony cannot be held liable for the security failure (Sony is only required to take “appropriate measures” (Sony Playstation, 03.05.2011)) it is the Sony user’s who must bear responsibility of the failure. Further examples of responsibility falling on to users include the collapse of Linkup in 2008 (Richard Chow et al., 2009) as well as the loss of personal information by Danger in 2009 which affected millions of T-Mobile customers (J. Kincaid, 2009). In both cases, the users were held responsible despite being completely void of blame. Hence whilst it is possible in some cases to determine that the provider is to blame, it is very unlikely that they will be held responsible.

In summary it is clear that there is a great deal of asymmetry with respect to where responsibility lies. Clearly for significant progress to be made, a shift to a more balanced system must take place. Such a shift would make it easier to determine whether the provider is at fault through more transparent guarantees, and may also reduce the occurrence of data errors in the long run by encouraging a greater quality of service (Richard Chow et al., 2009). The way forward therefore involves greater legal obligations regarding data security and service provision, such as a promise to utilise cryptography. In addition, mechanisms, such as business insurance, may be needed to mitigate the risk associated with greater contractual obligations.





References:


M. Mowbray, 2009, "The Fog over the Grimpen Mire: Cloud Computing and the Law", 6:1 SCRIPTed 129, http://www.law.ed.ac.uk/ahrc/script-ed/vol6-1/mowbray.asp

Richard Chow et al., 2009, Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control, Proceedings of ACM CCSW’09, November 13, www.parc.com/publication/2335/controlling-data-in-the-cloud.html

K. Maurer, 2011, Amazon’s Cloud Collapse: The Blame Game and the Future of Cloud Computing, April, http://blog.contentmanagementconnection.com/Home/32236

J. Kincaid, 2009, T-Mobile Sidekick Disaster: Danger’s Servers Crashed, And They Don’t Have a Backup, October, http://techcrunch.com/2009/10/10/t-mobile-sidekick-disaster-microsofts-servers-crashed-and-they-dont-have-a-backup/

L. H. Mills, 2009, Legal Issues Associated with Cloud Computing, Nixon Peabody attorneys at law LLP, May, http://www.secureit.com/resources/Cloud%20Computing%20Mills%20Nixon%20Peabody%205-09.pdf

BBC News Technology, 2011, Playstation outage caused by hacking attack, 25 April, http://www.bbc.co.uk/news/technology-13169518

Sony Playstation, accessed at 15:46 03.05.2011, http://legaldoc.dl.playstation.net/ps3-eula/psn/e/e_privacy_en.html

No comments:

Post a Comment