“Emerging legal issues in Cloud Computing”
Clouds on the horizon?
id law partners / BGMA
Malcolm Bain
English Solicitor, Spanish lawyer
Founding partner
id law partners, boutique IP/IT law firm in Barcelona (part of Brugueras García-Bragado Molinero & Associados)
99% of my work: ICT legal advice
Lecturer UOC, UDL, UPC (Catalonia universities)
Member of Free Software Foundation Europe
CLOUD COMPUTING?
Cloud concepts
Software as a Service (SaaS)
Platform as a Service (PaaS)
Each use case needs analysing…
Cloud Computing Use Case Discussion
Areas of concern…
1. Privacy and confidentiality
2. Data ownership
3. Service Levels
4. Employment (employee!) issues
5. Abusive contract terms
6. Subcontracting
7. Security and Cybercrime
8. Exit-Strategy
9. Conflict Resolution
10. ….
Privacy and Confidentiality
Where are my data?
Who controls my data?
Who has access to my data?
Me, my company/entity, my “authorised users”, the SaaS/IaaS/PaaS provider
Third parties – other governments?
Are my data secure?
Access controls
Encryption / loss of encryption (data must be decrypted by the provider in order to be processed)
What other uses are being made of my data?
Services for me…
Services for the SaaS/IaaS/PaaS provider or its “trusted business partners”
Privacy and Confidentiality
Am I complying with the locally applicable privacy laws? (as service provider or as user…)
Access control and data use
International transfers of data
Contract terms with SaaS provider/client
Security measures and levels
Diligence and control - audits?
Subcontracting?
Data subject rights
Obligations to remove or block data …
Complications:
Multiple suppliers (layers)
Multiple data centres
Data ownership
My data are … mine (I think)?
Types of data in the cloud
“My” data: Corporate data, etc.
Client / patients / users’ data
Transaction data
Online activity data
Use of data by SaaS/PaaS/IaaS suppliers
No regulation (and not covered by SaaS contracts)
Allegedly anonymised processing… or not
Abusive user terms
Data / content ownership
IP - ownership, license to service provider
Access Restrictions / service suspension?
Audits (possibility to carry out this)?
No service levels
Or service levels with no “teeth”
No warranties of quality, security, availability
No warranties regarding privacy
Warranties and Reps
Google Apps
Google and partners shall not be liable to you for any direct, indirect, incidental, special, consequential or exemplary damages resulting from any matter relating to Google Services
Amazon Web Services
We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of Your Content or Applications
Salesforce.com
We warrant that (i) the Services shall perform materially in accordance with the User Guide, and (ii) subject to Section 5.3 (third party Services), the functionality of the Services will not be materially decreased during a subscription term.
For any breach of either such warranty, Your exclusive remedy shall be as provided in Section 12.3 (Termination for Cause) and Section 12.4 (Refund or Payment upon Termination) below.
Service Levels
Availability / down time (access and use)
Response times
Backups (frequency, type)
Security levels (infrastructure, platform, software)
Support terms (response times, correction times)
Reporting
Service Levels
Amazon:
Availability: 99.9% availability measured over a month for S3 and 99.95% availability measured over a year for EC2 (excluding force majeure downtime)
Penalties: refund of 10%-25% of the customer’s payment for the last billing period, paid in service credits.
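The measurement window in an SLA matters as much as the percentage: 99.9% over a month allows roughly 44 minutes of downtime in that month, while 99.95% over a year allows about 4.4 hours that may all fall on one day. The following script is an added example and is not part of the talk or of any provider's SLA; the outage intervals are invented, and the credit thresholds (below 99.9% earns a 10% credit, below 99% earns 25%) are an assumption, since the talk only gives the 10%-25% range.

```python
from datetime import datetime, timedelta

# Constructed outage intervals (start, end); invented for this example, not a real
# provider's incident history. March: two short outages; September: one 3.5 h outage.
OUTAGES = [
    (datetime(2012, 3, 4, 2, 0), datetime(2012, 3, 4, 2, 30)),
    (datetime(2012, 3, 18, 14, 0), datetime(2012, 3, 18, 14, 10)),
    (datetime(2012, 9, 1, 0, 0), datetime(2012, 9, 1, 3, 30)),
]

# Measurement windows: a calendar month (as the talk reports for S3) and a
# calendar year (as it reports for EC2).
MARCH_2012 = (datetime(2012, 3, 1), datetime(2012, 4, 1))
SEPT_2012 = (datetime(2012, 9, 1), datetime(2012, 10, 1))
YEAR_2012 = (datetime(2012, 1, 1), datetime(2013, 1, 1))

# Assumed credit schedule: below 99.9% -> 10% of the period's fees, below 99% -> 25%.
# The talk only gives the 10%-25% range; these thresholds are an assumption.
TIERS = [(0.999, 0.10), (0.99, 0.25)]


def window_minutes(start, end):
    return (end - start).total_seconds() / 60


def downtime_minutes(outages, start, end):
    """Sum the outage time that overlaps the window [start, end), in minutes."""
    total = timedelta()
    for s, e in outages:
        lo, hi = max(s, start), min(e, end)
        if hi > lo:
            total += hi - lo
    return total.total_seconds() / 60


def availability(outages, start, end):
    """Fraction of the window during which the service was up."""
    return 1 - downtime_minutes(outages, start, end) / window_minutes(start, end)


def allowed_downtime_minutes(target, start, end):
    """Downtime budget implied by a target such as 0.999 over the given window."""
    return (1 - target) * window_minutes(start, end)


def service_credit(measured, tiers=TIERS):
    """Largest credit fraction whose threshold the measured availability fell below."""
    return max((credit for threshold, credit in tiers if measured < threshold), default=0.0)


def report(outages, start, end, target, tiers=TIERS):
    """Evaluate one window against one target; returns the numbers a credit claim would cite."""
    avail = availability(outages, start, end)
    return {
        "downtime_min": downtime_minutes(outages, start, end),
        "budget_min": allowed_downtime_minutes(target, start, end),
        "availability": avail,
        "breached": avail < target,
        "credit": service_credit(avail, tiers),
    }


if __name__ == "__main__":
    for name, window, target in (("March (monthly, 99.9%)", MARCH_2012, 0.999),
                                 ("September (monthly, 99.9%)", SEPT_2012, 0.999),
                                 ("2012 (yearly, 99.95%)", YEAR_2012, 0.9995)):
        r = report(OUTAGES, *window, target)
        print(f"{name}: down {r['downtime_min']:.0f} min of {r['budget_min']:.1f} allowed, "
              f"availability {r['availability']:.5%}, breached={r['breached']}, "
              f"credit={r['credit']:.0%}")
```

With these constructed outages, the 3.5 hour September outage breaches a monthly 99.9% target (budget about 43 minutes) and earns the 10% tier, yet the same year as a whole still meets 99.95% (budget about 264 minutes). The same incident is a breach or not depending purely on how the contract says availability is measured, which is the point to check before signing.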
Subcontracting
Control/auditing/tracing of data and its processing
Where are my data, who controls/accesses them?
Chain of audit rights
Identification? Jurisdiction?
Quality of Service (QoS) of the subcontractor
Economic/financial solvency …
Diffuse chain of responsibilities
Always the other person’s fault
Termination
Causes
By the supplier/by the client
▪ End of term (OK)
▪ For Breach (OK)
▪ For convenience (without cause)
▪ On notice… (30 days to migrate..!)
Security
Negligent service design
Weak security measures
Opportunities for industrial spying, data theft, attacks (DoS)
Variations between jurisdictions
Lower consumer or privacy protection
Tax evasion?
Ability to hide source of attacks
Crimes committed by employees (of service providers)
Data theft, sabotage, attacks
Sharing resources among clients (shared servers)
Data leaks / “involuntary accesses” (oops!)
Large clouds, standard configuration, replicated (one flaw in the standard configuration is replicated everywhere)
Labour/employee issues
Use of cloud services by employees
Security (access, identification/authentication)
Private use, etc.
Employee supervision / monitoring?
Privacy issues
Acceptable use policy (of equipment and services)
Conflict resolution
Identification of the cause of any damage
Identification of the person responsible for the cause …
Where to issue any proceedings?
Place most connected to the event, place of damage, domicile of client/supplier…
Applicable law?
Contract, tort, administrative law?
Application of consumer protection?
Applicability? Limits?
Collecting evidence …
Who has the evidence, how to access it (registers/logs), how to document this as legally admissible proof…
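Logs handed over by a provider are only useful as proof if it can be shown that nobody edited, removed or added entries after collection. One common technique is to hash-chain the records at collection time and record the final hash in a signed custody note; any later change breaks the chain at the first altered entry. The script below is an added example, not code from the talk or from any provider; the sample events are invented, and the field names, the genesis value and the separator used in the hash are all choices made for this illustration.

```python
import hashlib
import json

# Constructed sample events, invented for this example (not real provider logs).
SAMPLE_EVENTS = [
    {"ts": "2012-03-04T02:00:11Z", "actor": "alice", "action": "login", "src": "203.0.113.7"},
    {"ts": "2012-03-04T02:03:45Z", "actor": "alice", "action": "download", "object": "contracts/2011.zip"},
    {"ts": "2012-03-04T02:09:02Z", "actor": "alice", "action": "logout", "src": "203.0.113.7"},
]

GENESIS = "0" * 64  # assumed previous-hash value for the first entry


def canonical(event):
    """Stable byte encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def link(prev_hash, event):
    """Hash of this entry, bound to the hash of the entry before it."""
    return hashlib.sha256(prev_hash.encode("ascii") + b"\n" + canonical(event)).hexdigest()


def build_chain(events, prev_hash=GENESIS):
    """Wrap each event with the hash it was collected under and the hash of its predecessor."""
    chain = []
    for event in events:
        h = link(prev_hash, event)
        chain.append({"prev": prev_hash, "hash": h, "event": event})
        prev_hash = h
    return chain


def verify_chain(chain, head=None, prev_hash=GENESIS):
    """Return (True, None) if intact, else (False, index of the first entry that fails).

    `head` is the final hash recorded at collection time (e.g. in a signed custody
    note); passing it also detects entries removed from or appended to the tail.
    """
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or link(prev_hash, entry["event"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    if head is not None and prev_hash != head:
        return False, len(chain)
    return True, None


def copy_chain(chain):
    """Copy entries and their (flat) event dicts so tampering does not touch the original."""
    return [dict(entry, event=dict(entry["event"])) for entry in chain]


def tamper_demo():
    """Build the chain, apply three kinds of tampering, and return what verification reports."""
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]
    results = {"intact": verify_chain(chain, head)}

    edited = copy_chain(chain)
    edited[1]["event"]["object"] = "public/readme.txt"  # rewrite what was downloaded
    results["edited"] = verify_chain(edited, head)

    deleted = copy_chain(chain)
    del deleted[1]                                      # drop the download entirely
    results["deleted"] = verify_chain(deleted, head)

    extra = {"ts": "2012-03-04T02:10:00Z", "actor": "alice", "action": "login", "src": "203.0.113.7"}
    appended = copy_chain(chain) + build_chain([extra], prev_hash=head)  # well-formed, but after collection
    results["appended"] = verify_chain(appended, head)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in tamper_demo().items():
        print(f"{name:9s} intact={ok} first_bad_index={idx}")
```

The chain proves integrity relative to the recorded head, not authorship or time: whoever collected the logs must still sign (or have a trusted third party timestamp) that head, and the verifier must obtain the head from that signed note rather than from the log file itself, otherwise a tamperer simply recomputes the whole chain.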
Exit Strategy!!!!
Lock-in
Application Dependency (non-standard technology)
Data dependency (access to data in the cloud? non-standard formats?)
Economic dependency (pre-payment)
Collaboration / integration (business partners use the same platform)
Strategies
Regular offline backups
Standard API/formats
Use FOSS!!!! (naturally open and standard)
Solutions…
Cloud provider and model appropriate for each type of data/data processing: private, hybrid, etc.
Trusted suppliers (contractually bound)
E.g. Private cloud (your own cloud)
Built on free software (control, auditing, standards compliance)
OpenStack, Apache CloudStack, Ubuntu / Red Hat Cloud, Eucalyptus, Cloudera, Reservoir, OpenNebula, Abiquo
Regulation?
Not as such… technology change is probably too great – and service providers move jurisdiction
“Horizontal” areas of regulation: protecting the weaker party:
Privacy
Security
Consumer Protection
Cybercrime
What happened to IP and Software?
Lost in the cloud…?
Cloud computing means:
For clients/end users: No software licensing, but service subscription agreements – data and SLAs
For cloud service providers: software licensing and IP issues for the infrastructure and platform/applications… like any ICT service provider
No or few copyright protection issues (except as to content processed in the cloud service)
However… some important relevant IP issues
Patents over cloud computing methods and processes (online/offline backups, secure transmission, content streaming, database access, disaster recovery procedures, virtualisation)
Trademark protection in multi-territories (for cloud provider)
Territorial and jurisdictional issues for conflict resolution – forum shopping?
CLOUD COMPUTING FREEDOM…
Freedom box
http://freedomboxfoundation.org/
Personal server running a free software operating system, with free applications designed to create and preserve personal privacy (distributed social networking, email and audio/video communications) … in the cloud
We're building software for smart devices whose engineered purpose is to work together to facilitate free communication among people, safely and securely, beyond the ambition of the strongest power to penetrate. They can make freedom of thought and information a permanent, ineradicable feature of the net that holds our souls. (Eben Moglen)