Lawyers shine light on real cloud concerns

Like moths to a porch light (or trial lawyers to ambulances), many lawyers are finding the uncertain legal and regulatory terrain of cloud computing fertile ground for new legal analysis--and new legal business.

The effect of cloud computing on our legislative and regulatory world has long been a sub-interest of sorts for me. I have long been fascinated by the ways in which a truly dynamic, multiparty compute environment will challenge laws that assume that electronic assets behave the same as their paper or celluloid brethren--static, not easily duplicated and stored on the owner's premises.

The gap between the cloud and the current state of legislation is serious. Check out these examples from past posts:

• The Stored Communications Act and Smith v. Maryland, and the effect these have on the rights of external cloud customers.

• The latest update to the Cloud Computing Bill of Rights that I put together last year. Pay attention to the links in the comments at the beginning of the post, especially the huge liability created by the user agreements of the time. (Have things changed?)

• The admission by a Microsoft VP that they were putting off dealing with the geopolitical consequences of cloud computing as long as they could.

• The serious questions raised when the FBI seized computers from a co-location facility in Texas owned by customers that had nothing to do with the case being investigated.

Now an increasing number of lawyers are sharing their opinions about cyber crime, privacy rights, and what the law allows and disallows in the cloud. Each and every post or article I've read so far has been enlightening--and not always in a good way.

For example, take CNET's recent coverage of a panel on the effects of cloud computing on cyber crime at Symantec's Norton Cyber Crime Day. Matthew Parrella, chief of the computer hacking and intellectual property unit at the U.S. Attorney's Office, noted that "hacking" PCs by inserting software into the system by various means is being replaced by a new threat:

"That model of importation of software is becoming obsolete because we're seeing on the horizon cloud computing where so many of these operations are pushed from a user's PC or a user's computer onto Google Docs or Salesforce.com," he said.

Looking ahead five years, "I'm thinking the attack is going to be on cloud computing centers," said Parrella.

Barry Reingold and Ryan Mrazik, members of the Privacy and Security practice group at law firm Perkins Coie, coauthored a very well written paper in Cyberspace Lawyer (a legal journal I hope I can afford). The paper, titled "Cloud Computing: The Intersection of Massive Scalability, Data Security and Privacy" (PDF), covers a wide swath of issues largely targeted at data and processing taking place in external clouds.

This is the first of three such papers from the pair, and as such seems mostly targeted at setting up the problem--and man are there some doosies. Take this list of cloud computing critiques:

• Reliance on private agreement between users and cloud computing service providers as the primary means of legal enforcement

• The ability of cloud computing service providers to change terms of service with little or no notice to users of the service

• An alleged lack of enforceable remedies against providers who suffer a data breach

• The "monopolization" and integration of Web 2.0 and cloud computing services

• The possible centralization of user data with a few cloud computing firms

• Exposure of data to seizure by foreign government and data subpoenas

• The attraction to hackers of a "high value" target

Also of interest to me was a post by Daniel Schwartz of the Connecticut Employment Law Blog, titled "Cloud Computing and Employment Law: The Uncharted Sky". In this post, Schwartz asks some interesting questions regarding data stored in external clouds:

From an employment law perspective, I have not seen much, if anything on the subject. For example, Connecticut's wage and hour laws require employers to keep track of various records of the employee including hours worked, etc. The catch? Such records need to be kept at the employer's place of business for three years. Does storing the information in "the cloud" satisfy that?

And suppose an employee is fired for improper use of the Internet and you want to "image" (or copy) the computer that the employee has worked on to preserve the evidence. How do you do that when the computer you want to image may be in a server thousands of miles away?

Or consider the lawsuit filed by an employee and the call that needs to go out to your IT department to put a "litigation hold" on your data. How do you do that when it's based in the "cloud"?

These are just a few of the many examples that I have seen come across my path in the last few months. What does it all amount to? Some good advancement of the cloud legal discussion, in my humble opinion, which will hopefully lead to demands for new legislation that will make external clouds as safe a choice as leasing office space.

Of course, it could also lead to a whole new collection of cloud lawyer jokes...

[MadLyb]

This is not really a new topic, but I guess it is getting more focus.

It is one of the primary drivers for a weak enterprise adoption. Any Enterprise IT team worth it's salt would evaluate these risks and find CC severely lacking, especially for business critical apps.

It will take a new paradigm in data and application management that takes these risks into account before the very justified fears of business are mollified.

Not really new? Seems as old as computers to me. Could someone explain to me how this is any different then all the outsourced IT that's been going on since the 1950's? SaaS, CC, whatever you want to call it is just a delivery mechanism across a medium. The end result is still an application providing a service. Not anything new. Data centers sharing application and data space used to be across leased or dial up phone lines. Just because the communication is now over an internet packet doesn't really change anything. Data centers had to worry about intrusion, data integrity and exclusivity, uptime, etc. Every concern listed in the article has been dealt with for years. So what's the big deal? You hit on it early in the article - people creating a market for their services by serving up FUD. Crisis capitalism.

[gggg sssss]

Can you imagine if Bernie Madof kept his records on Google? Amazon? *** ever? Of course he is fried, but all of thoese people that stole a bit off teh top on each transaction woudl be right there is plain sight. ROTFLMAO

[colinmathews]

I agree that it may take some legal evolution to make cloud computing and SaaS offerings as safe as agreements with brick-and-mortar operations. When done correctly, SaaS offerings are a brilliant way to reduce costs, improve reliability, and enjoy high-quality services.