Like moths to a porch light (or trial lawyers to ambulances), many lawyers are finding the uncertain legal and regulatory terrain of cloud computing fertile ground for new legal analysis--and new legal business.
The effect of cloud computing on our legislative and regulatory world has long been a sub-interest of sorts for me. I have long been fascinated by the ways in which a truly dynamic, multiparty compute environment will challenge laws that assume that electronic assets behave the same as their paper or celluloid brethren--static, not easily duplicated and stored on the owner's premises.
The gap between the cloud and the current state of legislation is serious. Check out these examples from past posts:
The Stored Communications Act and Smith v. Maryland, and the effect these have on the rights of external cloud customers.
The latest update to the Cloud Computing Bill of Rights that I put together last year. Pay attention to the links in the comments at the beginning of the post, especially the huge liability created by the user agreements of the time. (Have things changed?)
The admission by a Microsoft VP that they were putting off dealing with the geopolitical consequences of cloud computing as long as they could.
The serious questions raised when the FBI seized computers from a co-location facility in Texas owned by customers that had nothing to do with the case being investigated.
Now an increasing number of lawyers are sharing their opinions about cyber crime, privacy rights, and what the law allows and disallows in the cloud. Each and every post or article I've read so far has been enlightening--and not always in a good way.
For example, take CNET's recent coverage of a panel on the effects of cloud computing on cyber crime at Symantec's Norton Cyber Crime Day. Matthew Parrella, chief of the computer hacking and intellectual property unit at the U.S. Attorney's Office, noted that "hacking" PCs by inserting software into the system by various means is being replaced by a new threat:
"That model of importation of software is becoming obsolete because we're seeing on the horizon cloud computing where so many of these operations are pushed from a user's PC or a user's computer onto Google Docs or Salesforce.com," he said.
Looking ahead five years, "I'm thinking the attack is going to be on cloud computing centers," said Parrella.
Barry Reingold and Ryan Mrazik, members of the Privacy and Security practice group at law firm Perkins Coie, coauthored a very well written paper in Cyberspace Lawyer (a legal journal I hope I can afford). The paper, titled "Cloud Computing: The Intersection of Massive Scalability, Data Security and Privacy" (PDF), covers a wide swath of issues largely targeted at data and processing taking place in external clouds.
This is the first of three such papers from the pair, and as such seems mostly targeted at setting up the problem--and man are there some doosies. Take this list of cloud computing critiques:
Reliance on private agreement between users and cloud computing service providers as the primary means of legal enforcement
The ability of cloud computing service providers to change terms of service with little or no notice to users of the service
An alleged lack of enforceable remedies against providers who suffer a data breach
The "monopolization" and integration of Web 2.0 and cloud computing services
The possible centralization of user data with a few cloud computing firms
Exposure of data to seizure by foreign government and data subpoenas
The attraction to hackers of a "high value" target
Also of interest to me was a post by Daniel Schwartz of the Connecticut Employment Law Blog, titled "Cloud Computing and Employment Law: The Uncharted Sky". In this post, Schwartz asks some interesting questions regarding data stored in external clouds:
From an employment law perspective, I have not seen much, if anything on the subject. For example, Connecticut's wage and hour laws require employers to keep track of various records of the employee including hours worked, etc. The catch? Such records need to be kept at the employer's place of business for three years. Does storing the information in "the cloud" satisfy that?
And suppose an employee is fired for improper use of the Internet and you want to "image" (or copy) the computer that the employee has worked on to preserve the evidence. How do you do that when the computer you want to image may be in a server thousands of miles away?
Or consider the lawsuit filed by an employee and the call that needs to go out to your IT department to put a "litigation hold" on your data. How do you do that when it's based in the "cloud"?
These are just a few of the many examples that I have seen come across my path in the last few months. What does it all amount to? Some good advancement of the cloud legal discussion, in my humble opinion, which will hopefully lead to demands for new legislation that will make external clouds as safe a choice as leasing office space.
Of course, it could also lead to a whole new collection of cloud lawyer jokes...