Like moths to a porch light (or trial lawyers to ambulances), many lawyers are finding the uncertain legal and regulatory terrain of cloud computing fertile ground for new legal analysis--and new legal business.
The effect of cloud computing on our legislative and regulatory world has long been a sub-interest of sorts for me. I have long been fascinated by the ways in which a truly dynamic, multiparty compute environment will challenge laws that assume that electronic assets behave the same as their paper or celluloid brethren--static, not easily duplicated and stored on the owner's premises.
The gap between the cloud and the current state of legislation is serious. Check out these examples from past posts:
The Stored Communications Act and Smith v. Maryland, and the effect these have on the rights of external cloud customers.
The latest update to the Cloud Computing Bill of Rights that I put together last year. Pay attention to the links in the comments at the beginning of the post, especially the huge liability created by the user agreements of the time. (Have things changed?)
The admission by a Microsoft VP that they were putting off dealing with the geopolitical consequences of cloud computing as long as they could.
The serious questions raised when the FBI seized computers from a co-location facility in Texas owned by customers that had nothing to do with the case being investigated.
Now an increasing number of lawyers are sharing their opinions about cyber crime, privacy rights, and what the law allows and disallows in the cloud. Each and every post or article I've read so far has been enlightening--and not always in a good way.
For example, take CNET's recent coverage of a panel on the effects of cloud computing on cyber crime at Symantec's Norton Cyber Crime Day. Matthew Parrella, chief of the computer hacking and intellectual property unit at the U.S. Attorney's Office, noted that "hacking" PCs by inserting software into the system by various means is being replaced by a new threat:
"That model of importation of software is becoming obsolete because we're seeing on the horizon cloud computing where so many of these operations are pushed from a user's PC or a user's computer onto Google Docs or Salesforce.com," he said.
Looking ahead five years, "I'm thinking the attack is going to be on cloud computing centers," said Parrella.
Barry Reingold and Ryan Mrazik, members of the Privacy and Security practice group at law firm Perkins Coie, coauthored a very well-written paper in Cyberspace Lawyer (a legal journal I hope I can afford). The paper, titled "Cloud Computing: The Intersection of Massive Scalability, Data Security and Privacy" (PDF), covers a wide swath of issues largely targeted at data and processing taking place in external clouds.
This is the first of three such papers from the pair, and as such seems mostly targeted at setting up the problem--and man, are there some doozies. Take this list of cloud computing critiques:
Reliance on private agreement between users and cloud computing service providers as the primary means of legal enforcement
The ability of cloud computing service providers to change terms of service with little or no notice to users of the service
An alleged lack of enforceable remedies against providers who suffer a data breach
The "monopolization" and integration of Web 2.0 and cloud computing services
The possible centralization of user data with a few cloud computing firms
Exposure of data to seizure by foreign government and data subpoenas
The attraction to hackers of a "high value" target
Also of interest to me was a post by Daniel Schwartz of the Connecticut Employment Law Blog, titled "Cloud Computing and Employment Law: The Uncharted Sky". In this post, Schwartz asks some interesting questions regarding data stored in external clouds:
From an employment law perspective, I have not seen much, if anything on the subject. For example, Connecticut's wage and hour laws require employers to keep track of various records of the employee including hours worked, etc. The catch? Such records need to be kept at the employer's place of business for three years. Does storing the information in "the cloud" satisfy that?
And suppose an employee is fired for improper use of the Internet and you want to "image" (or copy) the computer that the employee has worked on to preserve the evidence. How do you do that when the computer you want to image may be in a server thousands of miles away?
Or consider the lawsuit filed by an employee and the call that needs to go out to your IT department to put a "litigation hold" on your data. How do you do that when it's based in the "cloud"?
These are just a few of the many examples that I have seen come across my path in the last few months. What does it all amount to? Some good advancement of the cloud legal discussion, in my humble opinion, which will hopefully lead to demands for new legislation that will make external clouds as safe a choice as leasing office space.
Of course, it could also lead to a whole new collection of cloud lawyer jokes...
The good folks at Cloudiquity.com pointed me to a couple of Threat Level articles from last week that highlight yet another example of how public policy and the law are often at odds with running a business in the cloud.
The articles report that the FBI raided at least two Texas data centers last week, serving search-and-seizure warrants for computing equipment, including servers, routers and storage. The FBI was seeking equipment that may have been involved in fraudulent business practices by a handful of small VoIP vendors.
The problem is that they didn't just grab the systems belonging to the VoIP vendors, but also hundreds of servers that served a wide variety of businesses, the vast majority of which had never dealt with or even heard of the companies under investigation, according to Threat Level. Companies interviewed complained of losing millions of dollars in revenue and equipment with no warning whatsoever.
One company, auto vendor marketing and inventory management vendor Liquid Motors, filed suit in a U.S. district court seeking a restraining order against the FBI that would force the return of the company's servers.
In what has to be one of the scariest verdicts for cloud users everywhere, the district court sided with the FBI and supported its probable-cause argument for holding on to the servers. Although the FBI was kind enough to copy the disk drives for Liquid Motors (on drives Liquid Motors had to provide), the precedent set here sends a shiver down my spine.
The issue, I think, is one of how search and seizure laws are being interpreted for assets hosted in third-party facilities. If the court upholds that servers can be seized despite no direct warrants being served on the owners of those servers (or the owners of the software and data housed on those servers), then imagine what that means for hosting your business in a cloud shared by thousands or millions of other users.
As I noted in a blog post last fall, there are a series of legal issues that really need to be addressed before external cloud services can truly be trusted. Here is what I argue must happen:
...
Amazon today used the Le Web 3 conference as an opportunity to announce the availability of EC2 in the European Union, along with several associated services. Details are available from the Amazon Web Services blog:
We've created a new region for Europe, separate and distinct from the existing region in the United States. For fault tolerance, data separation, and stability, each EC2 region is an entity unto itself; issues within one region won't affect the other one. This means that Amazon Machine Images (AMIs), security groups, and SSH keypairs must be created anew in each region. We're working on tools to make it easy to move this information between regions. Also, as we learn more about how customers use multiple regions, we will add APIs to make it even easier for them to do so.
With the exception of support for Microsoft Windows and for Amazon DevPay (both of which will be ready before too long), every feature of EC2 is available in the new region, including Elastic Block Storage and Elastic IP Addresses.
This announcement would actually be rather boring if it weren't for the importance of the EU's privacy regulations on cloud computing.