Emerging legal issues in Cloud Computing: Clouds on the horizon?

Academic year: 2021


id law partners / BGMA

Malcolm Bain

English Solicitor, Spanish lawyer

Founding partner, id law partners, boutique IP/IT law firm in Barcelona (part of Brugueras García-Bragado Molinero & Associados)

99% my work: ICT legal advice

Lecturer UOC, UDL, UPC (Catalonia universities)

Member of Free Software Foundation Europe


CLOUD COMPUTING?


Cloud concepts

Software as a Service (SaaS)

Platform as a Service (PaaS)


Each use case needs analysing…

Cloud Computing Use Case Discussion


Areas of concern…

1. Privacy and confidentiality

2. Data ownership

3. Service levels

4. Employment (employee!) issues

5. Abusive contract terms

6. Subcontracting

7. Security and cybercrime

8. Exit strategy

9. Conflict resolution

10. …


Privacy and Confidentiality

• Where are my data?

• Who controls my data?

• Who has access to my data?

  ▪ Me, my company/entity, my “authorised users”

  ▪ SaaS/IaaS/PaaS provider

  ▪ Third parties – other governments?

• Are my data secure?

  ▪ Access controls

  ▪ Encryption/loss of encryption (when processed)

• What other uses are being made of my data?

  ▪ Services for me…

  ▪ Services for the SaaS/IaaS/PaaS provider or its “trusted business partners”


Privacy and Confidentiality

• Am I complying with local applicable privacy laws? (as service provider or user…)

  ▪ Access control and data use

  ▪ International transfers of data

  ▪ Contract terms with SaaS provider/client

  ▪ Security measures and levels

  ▪ Diligence and control – audits?

  ▪ Subcontracting?

  ▪ Data subject rights

  ▪ Obligations to remove, block data …

• Complications

  ▪ Multiple suppliers (layers)

  ▪ Multiple data centres


Data ownership

• My data are … mine (I think)?

• Types of data in the cloud

  ▪ “My” data: corporate data, etc.

  ▪ Client / patients / users’ data

  ▪ Transaction data

  ▪ Online activity data

• Use of data by SaaS/PaaS/IaaS suppliers

  ▪ No regulation (and not covered by SaaS contracts)

  ▪ Allegedly anonymised processing… or not


Abusive user terms

• Data / content ownership

  ▪ IP – ownership, license to service provider

• Access restrictions / service suspension?

• Audits (possibility to carry these out)?

• No service levels

  ▪ Or service levels with no “teeth”

• No warranties of quality, security, availability

• No warranties regarding privacy


Warranties and Reps

• Google Apps

“Google and partners shall not be liable to you for any direct, indirect, incidental, special, consequential or exemplary damages resulting from any matter relating to Google Services”

• Amazon Web Services

“We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of Your Content or Applications”

• Salesforce.com

“We warrant that (i) the Services shall perform materially in accordance with the User Guide, and (ii) subject to Section 5.3 (third party Services), the functionality of the Services will not be materially decreased during a subscription term. For any breach of either such warranty, Your exclusive remedy shall be as provided in Section 12.3 (Termination for Cause) and Section 12.4 (Refund or Payment upon Termination) below.”


Service Levels

• Availability / downtime (access and use)

• Response times

• Backups (frequency, type)

• Security levels (infrastructure, platform, software)

• Support terms (response times, correction times)

• Reporting


Service Levels

Amazon:

• Availability: 99.9% availability measured over a month for S3 and 99.95% availability over a year for EC2 (excluding force majeure downtime)

• Penalties: refund of 10%-25% of a customer’s payment for the last billing period, paid in service credits.


Subcontracting

• Control/auditing/tracing of data and its processing

  ▪ Where are my data, who controls/accesses them?

  ▪ Chain of audit rights

• Identification? Jurisdiction?

• Quality of Service (QoS) of subcontractor

• Economic/financial solvency …

• Diffuse chain of responsibilities

  ▪ Always the other person’s fault


Termination

• Causes – by the supplier/by the client

  ▪ End of term (OK)

  ▪ For breach (OK)

  ▪ For convenience (without cause)

  ▪ On notice… (30 days to migrate..!)


Security

• Negligent service design

  ▪ Weak security measures

  ▪ Opportunities for industrial spying, data theft, attacks (DoS)

• Variations between jurisdictions

  ▪ Lower consumer or privacy protection

  ▪ Tax evasion?

  ▪ Ability to hide source of attacks

• Crimes committed by employees (of service providers)

  ▪ Data theft, sabotage, attacks

• Sharing resources among clients (shared servers)

  ▪ Data leaks / “involuntary accesses” (ooops!)

• Large clouds, standard configuration, replicated


Labour/employee issues

• Use of cloud services by employees

  ▪ Security (access, identification/authentication)

  ▪ Private use, etc.

• Employee supervision / monitoring?

  ▪ Privacy issues

• Acceptable use policy (of equipment and services)


Conflict resolution

• Identification of the cause of any damage

• Identification of the person responsible for the cause …

• Where to issue any proceedings?

  ▪ Place most connected to the event, place of damage, domicile of client/supplier…

• Applicable law?

  ▪ Contract, tort, administrative law?

• Application of consumer protection?

  ▪ Applicability? Limits?

• Collecting evidence …

  ▪ Who has the evidence, how to access it (registers/logs), how to document this as legally admissible proof…


Exit Strategy!!!!

• Lock-in

  ▪ Application dependency (non-standard technology)

  ▪ Data dependency (access to data in the cloud? non-standard formats?)

  ▪ Economic dependency (pre-payment)

  ▪ Collaboration / integration (business partners use the same platform)

• Strategies

  ▪ Regular offline backups

  ▪ Standard API/formats

  ▪ Use FOSS!!!! (naturally open and standard)


Solutions…

• Cloud provider and model appropriate for each type of data/data processing: private, hybrid, etc.

• Trusted suppliers (contractually bound)

• E.g. private cloud (your own cloud), built on free software (control, auditing, standards compliance)

  ▪ OpenStack, Apache CloudStack, Ubuntu / Red Hat Cloud, Eucalyptus, Cloudera, Reservoir, OpenNebula, Abiquo


Regulation?

• Not as such… technology change is probably too great – and service providers move jurisdiction

• “Horizontal” areas of regulation: protecting the weaker party:

  ▪ Privacy

  ▪ Security

  ▪ Consumer protection

  ▪ Cybercrime


What happened to IP and Software?

• Lost in the cloud…?

• Cloud computing means:

  ▪ For clients/end users: no software licensing, but service subscription agreements – data and SLAs

  ▪ For cloud service providers: software licensing and IP issues for the infrastructure and platform/applications… like any ICT service provider

  ▪ No or few copyright protection issues (except as to content processed in the cloud service)

• However… some important relevant IP issues

  ▪ Patents over cloud computing methods and processes (online/offline backups, secure transmission, content streaming, database access, disaster recovery procedures, virtualisation)

  ▪ Trademark protection in multi-territories (for cloud provider)

  ▪ Territorial and jurisdictional issues for conflict resolution – forum shopping?


CLOUD COMPUTING FREEDOM…

Freedom box

http://freedomboxfoundation.org/

• Personal server running a free software operating system, with free applications designed to create and preserve personal privacy (distributed social networking, email and audio/video communications) in the cloud

“We're building software for smart devices whose engineered purpose is to work together to facilitate free communication among people, safely and securely, beyond the ambition of the strongest power to penetrate. They can make freedom of thought and information a permanent, ineradicable feature of the net that holds our souls.” (Eben Moglen)


Thank you

malcolm.bain@id-lawpartners.com
