Making Clouds Open €“ and Secure

Share

There is a paradox at the heart of the increasingly-trendy cloud computing. It is almost axiomatic that cloud computing services use free software for their infrastructure: the costs involved with proprietary software mean that the business model simply does not scale, unless Microsoft starts offering a special fixed rate for cloud computing setups (something that seems inevitable if it wants to stay in the game).

And yet despite this preponderance of open source running the backend, such cloud computing services do not generally make changes to that code available, because providing a service is not deemed to trigger the usual distribution clause of free software. This means that cloud computing providers are in danger of turning into free riders, taking advantage of free software without giving back in the traditional way.

As a result, a number of people have been examining how the free software and open source definitions might be generalised to cloud computing. For example, Fabrizio Capobianco devised his Honest Public Licence, while Luis Villa put together a good discussion of the area.

Now the Open Knowledge Foundation has come up with its Open Software Service Definition (OSSD), which is remarkably simple:

An open software service is one:

1.Whose data is open as defined by the open knowledge definition (http://opendefinition.org/1.0/) with the exception that where the data is personal in nature the data need only be made available to the user (i.e. the owner of that account).

2.Whose source code is:
1.Free/Open Source Software (that is available under a license in the OSI or FSF approved list -- see note 3).
2.Made publicly available.

As this makes clear, the OSSD addresses another important issue alongside the one of ensuring that the underlying cloud computing code is made publicly available: that of data in the cloud. The problem here is that if you entrust your data to a cloud computing service, you need to be sure that you can get at it when you want, so the OSSD is certainly right to deal this facet, which it does by drawing on the Open Knowledge Foundation's earlier Open Knowledge Definition.

But there is another aspect of data that needs to be considered. If your data is being held by the provider of a cloud computing service, questions of privacy and security are also involved – as the recent brouhaha over Viacom's access to YouTube user data reminds us.

Another proposal for preserving freedom in the cloud from Clipperz address precisely this point – perhaps not surprisingly, given the company's activity in this sphere. Alongside access to code – which is handled by the GNU AGPL – Clipperz's Marco Barulli suggests the following approach to preserving privacy:

Web developers and web users are still largely ignoring the opportunity offered by browser-based cryptography to bring the privacy and security of traditional software programs to web applications.

At Clipperz we envisioned a new architecture paradigm called “zero-knowledge web apps” (here a more detailed description) that combines the idea of host-proof hosting with a set of rules focused on the “learn nothing” mantra.

The name was both an homage to cryptography (a “zero-knowledge proof” is a standard cryptographic protocol) and a promise of a specific relation between the application provider and the users. The server hosting the web app could know nothing of its users, not even their usernames! Clipperz applied this paradigm to implement its online password manager.

The idea of using encryption to ensure that your privacy is preserved is very attractive, even if implementation is likely to be non-trivial. It would be interesting to see the proponents of these two schemes talking to each other about merging their ideas to produce a simple, rigorous definition of open software services that are also secure and preserve privacy. Now is the time to do this before cloud computing becomes so established that changing its underlying rules becomes more difficult.