Emerging legal issues in Cloud Computing: Clouds on the horizon?
id law partners / BGMA
Malcolm Bain
WHO AM I?
Malcolm Bain, English solicitor and Spanish lawyer
- Founding partner, id law partners, boutique IP/IT law firm in Barcelona (part of Brugueras García-Bragado Molinero & Associados)
- 99% of my work: ICT legal advice
- Lecturer at UOC, UDL, UPC (Catalonia universities)
- Member of Free Software Foundation Europe
CLOUD COMPUTING?
(Image: "Cloud Computing III", Unknown lawyer, 2010)
Cloud concepts Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS)
Cloud computing models
Each use case needs analysing (source: Cloud Computing Use Case Discussion Group)
Cloud pros-cons
Cloud computing legal issues
Areas of concern
1. Privacy and confidentiality
2. Data ownership
3. Service levels
4. Employment (employee!) issues
5. Abusive contract terms
6. Subcontracting
7. Security and cybercrime
8. Exit strategy
9. Conflict resolution
10..
Privacy and confidentiality
- Where are my data?
- Who controls my data?
- Who has access to my data? Me, my company/entity, my authorised users, the SaaS/IaaS/PaaS provider, third parties, other governments?
- Are my data secure? Access controls; encryption, and loss of encryption when the data are processed (the provider must hold them in clear to operate on them)
- What other uses are being made of my data? Services for me; services for the SaaS/IaaS/PaaS provider or its trusted business partners
Privacy and confidentiality
- Am I complying with the locally applicable privacy laws (as service provider or as user)?
  - Access control and data use
  - International transfers of data
  - Contract terms with the SaaS provider/client
  - Security measures and levels
  - Diligence and control: audits? Subcontracting?
  - Data subject rights
  - Obligations to remove or block data
- Complications: multiple suppliers (layers), multiple data centres, international transfers
Data ownership
- My data are mine (I think)?
- Types of data in the cloud: my data (corporate data, etc.); client/patient/user data; transaction data; online activity data
- Use of data by SaaS/PaaS/IaaS suppliers: no regulation (and not covered by SaaS contracts); allegedly anonymised processing, or not; significant data sales/sharing (anonymised or not)
Abusive user terms
- Data/content ownership: IP ownership, licence to the service provider
- Access restrictions / service suspension?
- Audits (is it possible to carry them out)?
- No service levels, or service levels with no teeth
- No warranties of quality, security or availability; no warranties regarding privacy
- Differentiation: free service vs paid-up service
Warranties and reps
Google Apps: "Google and partners shall not be liable to you for any direct, indirect, incidental, special, consequential or exemplary damages resulting from any matter relating to Google Services"
Amazon Web Services: "We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of Your Content or Applications"
Salesforce.com: "We warrant that (i) the Services shall perform materially in accordance with the User Guide, and (ii) subject to Section 5.3 (third party Services), the functionality of the Services will not be materially decreased during a subscription term. For any breach of either such warranty, Your exclusive remedy shall be as provided in Section 12.3 (Termination for Cause) and Section 12.4 (Refund or Payment upon Termination) below."
Service levels
- Availability / downtime (access and use)
- Response times
- Backups (frequency, type)
- Security levels (infrastructure, platform, software)
- Support terms (response times, correction times)
- Reporting
- Penalties?
Service levels: Amazon
- Availability: 99.9% measured over a month for S3 and 99.95% over a year for EC2 (excluding force majeure downtime)
- Penalties: refund of 10%-25% of the customer's payment for the last billing period, paid in service credits
- The customer needs to document and prove the downtime
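As an added example (not part of the original slides and not Amazon's own tooling), the following Python computes a monthly availability figure and the resulting credit tier from a customer-side outage register, the kind of record a client needs in order to document and prove downtime rather than rely on the provider's own dashboard. The register contents and the credit thresholds (no credit at or above 99.9%, 10% at or above 99.0%, otherwise 25%) are constructed assumptions for illustration, not Amazon's terms. It handles the cases that trip up a naive sum: overlapping outage records, an outage that straddles the end of the billing period, and maintenance windows the contract excludes.

```python
from datetime import datetime, timedelta

# Constructed outage register (illustrative, not real AWS data). Each line:
# <start> <end> <kind> <evidence-ref> [free text]. Timestamps are UTC.
OUTAGE_LOG = """\
# start                end                  kind         evidence
2010-06-03T10:05:00Z   2010-06-03T11:15:00Z outage       ticket-1001 S3 PUT returned 503
2010-06-03T11:00:00Z   2010-06-03T11:30:00Z outage       ticket-1002 overlaps ticket-1001
2010-06-14T02:00:00Z   2010-06-14T02:30:00Z maintenance  notice-17 announced window, excluded
2010-06-30T23:40:00Z   2010-07-01T00:20:00Z outage       ticket-1003 straddles month end
"""

# Assumed credit tiers (the slide only says 10%-25%): (minimum availability %, credit %).
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (0.0, 25)]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_outages(text):
    """Return a list of (start, end, kind, evidence_ref) from the register."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, kind, ref = line.split(None, 4)[:4]
        rows.append((parse_ts(start), parse_ts(end), kind, ref))
    return rows


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) pairs so overlap is not double counted."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(outages, period_start, period_end, excluded_kinds=("maintenance",)):
    """Minutes of non-excused downtime that fall inside the billing period."""
    windows = []
    for start, end, kind, _ref in outages:
        if kind in excluded_kinds:
            continue
        start, end = max(start, period_start), min(end, period_end)  # clip to period
        if start < end:
            windows.append((start, end))
    total = sum((e - s for s, e in merge_intervals(windows)), timedelta())
    return total.total_seconds() / 60


def availability_pct(downtime_min, period_start, period_end):
    period_min = (period_end - period_start).total_seconds() / 60
    return 100.0 * (period_min - downtime_min) / period_min


def credit_pct(availability, tiers=CREDIT_TIERS):
    """Map an availability percentage to the (assumed) credit tier."""
    for floor, credit in tiers:
        if availability >= floor:
            return credit
    return tiers[-1][1]


def monthly_report(text=OUTAGE_LOG, year=2010, month=6):
    """Availability and credit for one calendar month of the register."""
    period_start = datetime(year, month, 1)
    period_end = datetime(year + (month == 12), month % 12 + 1, 1)
    down = downtime_minutes(parse_outages(text), period_start, period_end)
    avail = availability_pct(down, period_start, period_end)
    return {"downtime_min": down, "availability": avail, "credit_pct": credit_pct(avail)}


if __name__ == "__main__":
    print(monthly_report())
```

For the constructed register the two overlapping June 3 tickets merge into one 85-minute window, the maintenance notice is excluded, and only the 20 minutes of ticket-1003 that fall before midnight on June 30 count, giving 105 minutes of downtime, about 99.757% availability, and a 10% credit under the assumed tiers. Keeping the evidence reference on every line is the point: a credit claim stands or falls on records the customer can produce.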
Subcontracting
- Control, auditing and tracing of data and its processing: where are my data, who controls/accesses them?
- Chain of audit rights
- Identification? Jurisdiction?
- Quality of service (QoS) of the subcontractor
- Economic/financial solvency
- Diffuse chain of responsibilities: always the other person's fault
- Remedies against subcontractors? Not normally
Termination
- Causes: by the supplier / by the client
- End of term (OK)
- For breach (OK)
- For convenience (without cause), on notice (30 days to migrate..!)
- No refunds?
Security
- Negligent service design; weak security measures
- Opportunities for industrial spying, data theft, attacks (DoS)
- Variations between jurisdictions: lower consumer or privacy protection; tax evasion?; ability to hide the source of attacks
- Crimes committed by employees (of service providers): data theft, sabotage, attacks
- Sharing resources among clients (shared servers): data leaks / involuntary access (oops!)
- Large clouds, standard configuration, replicated: easier to attack (one flaw in the standard configuration is reproduced across every tenant) and juicy targets
Labour/employee issues
- Use of cloud services by employees: security (access, identification/authentication); private use, etc.
- Employee supervision/monitoring? Privacy issues
- Acceptable use policy (for equipment and services): security, monitoring, backups, etc.
Conflict resolution
- Identification of the cause of any damage
- Identification of the person responsible for the cause
- Where to issue any proceedings? Place most connected to the event, place of damage, domicile of client/supplier
- Applicable law? Contract, tort, administrative law? Application of consumer protection: applicability? limits?
- Collecting evidence: who has the evidence, how to access it (registers/logs), how to document it as legally admissible proof
Exit strategy!!!!
- Lock-in: application dependency (non-standard technology); data dependency (access to data in the cloud? non-standard formats?); economic dependency (pre-payment); collaboration/integration (business partners use the same platform)
- Strategies: regular offline backups; standard APIs/formats; use FOSS!!!! (naturally open and standard); contract terms
Cloudy Issues
Solutions
- Cloud provider and model appropriate for each type of data / data processing: private, hybrid, etc.
- Trusted suppliers (contractually bound)
- E.g. a private cloud (your own cloud) built on free software (control, auditing, standards compliance): OpenStack, Apache CloudStack, Ubuntu / Red Hat Cloud, Eucalyptus, Cloudera, Reservoir, OpenNebula, Abiquo
Regulation?
- Not as such: technological change is probably too fast, and service providers move jurisdiction
- Horizontal areas of regulation, protecting the weaker party: privacy, security, consumer protection, cybercrime
- Specific sectors: banking, health, security,
What happened to IP and software? Lost in the cloud?
- Cloud computing means: for clients/end users, no software licensing but service subscription agreements, data and SLAs; for cloud service providers, software licensing and IP issues for the infrastructure and platform/applications, like any ICT service provider
- No or few copyright protection issues (except as to content processed in the cloud service)
- However, some important relevant IP issues: patents over cloud computing methods and processes (online/offline backups, secure transmission, content streaming, database access, disaster recovery procedures, virtualisation); trademark protection in multiple territories (for the cloud provider); territorial and jurisdictional issues for conflict resolution (forum shopping?)
CLOUD COMPUTING FREEDOM
Freedom box, http://freedomboxfoundation.org/
Personal server running a free software operating system, with free applications designed to create and preserve personal privacy (distributed social networking, email and audio/video communications) in the cloud.
"We're building software for smart devices whose engineered purpose is to work together to facilitate free communication among people, safely and securely, beyond the ambition of the strongest power to penetrate. They can make freedom of thought and information a permanent, ineradicable feature of the net that holds our souls." (Eben Moglen)
Thank you
malcolm.bain@id-lawpartners.com
mbain@brugeras.com