What are the Legal Implications of Cloud Computing?


To say that cloud computing is trendy would be an understatement: the topic is almost inescapable in the world of computing these days. I've written about it from the viewpoint of open source several times, because there are a number of important issues arising out of clouds: much of their infrastructure is based on free software, and there are interesting questions to do with licensing that clouds pose for applications. But one aspect almost never considered is even higher up the stack: the legal side of their use.

That's surprising, since clouds make already complex issues even more complicated - perfect material for lawyers. Indeed, I predict that this will ultimately prove a very rich vein for them and legal theorists in general. Meanwhile, we have a very useful first sketch of what the legal landscape of cloud computing will look like from Miranda Mowbray, who is Technical Contributor, HP Labs Bristol, UK (and “Not a lawyer”, as she points out).

Her article “The Fog over the Grimpen Mire: Cloud Computing and the Law” draws on a neat trope first used by a fellow journo, Bill Thompson:

In the real world national borders, commercial rivalries and political imperatives all come into play, turning the cloud into a miasma as heavy with menace as the fog over the Grimpen Mire that concealed the Hound of the Baskervilles in Arthur Conan Doyle’s story.

Following this theme, Mowbray prefaces each section of her article with apposite quotations from the Conan Doyle story, which leavens the potentially heavy subject matter.

Some stuff is important, but pretty obvious:

A company using cloud computing may well find itself using hardware and software that are in different countries from its own physical location and the physical location of its customers. We are likely to see legal disputes arising from geopolitical and jurisdictional issues to do with these cases. There is also a potential market for geographically-restricted cloud computing services, where part of the service offering is an assurance that (for instance) the service will only process data in Europe, so as to conform with European privacy laws, or will only store data in Switzerland, so as to conform with Swiss data protection laws. Indeed, Amazon’s computing and storage services have an option for processing and storing in Europe rather than the US. Amazon added this option partly to reduce latency for European customers, but also because of data protection issues.

Other points are more subtle:

A cloud service provider may subcontract parts of the services, and this subcontracting will usually be invisible to the buyer. This raises issues and potential disputes that are also a problem of complex subcontracting agreements in other industries. These concerns include contracting and auditing requirements and questions of the distribution of payment if all goes well – and of liability if it does not. For instance, a problem may arise if two cloud computing subcontractors provide micro-services that are of good quality in themselves but do not integrate properly.

There are two factors in cloud computing that make these problems more acute than in other industries. The first is that the choice of subcontractor might be changed hourly according to availability and price. In this case the contracting and auditing involved with a change of subcontractor will need to be done rapidly and frequently, with as much automation of these processes as possible. To complicate matters, the new subcontractor may be in a different country from the old one, with the result that different laws may apply.

The second issue is that rather detailed data, which may be commercially valuable, flows from the customer to the vendor to the subcontractor. In other industries for which subcontracting is common, the subcontractors typically receive only a small amount of data about the customers, if they receive any at all. Suppose a cloud computing vendor goes bankrupt. Can the subcontractors hold onto the customer data as an asset? Can they threaten to publish sensitive data if they are not paid for their services? It is also not clear what rights a purchaser of the bankrupt vendor might have to the data.

Then there's this:

Cloud computing customers need to check what data their providers will release to third parties, and under what conditions. Businesses are generally very reluctant to enable their direct competitors to have access to their customer contact lists or detailed sales data. But even innocuous-seeming data might turn out to be commercially sensitive. For example, someone who obtained information about the load levels for a company’s hypervisor might be able to use this information for insider trading if the company used the cloud service for a crucial application. There is a particular issue about the sale of anonymised data. In the last few years there have been technical advances in the art of de-anonymisation (strictly speaking, de-pseudonymisation). Pseudonymised data is still proof against opportunistic thieves, but an attacker who is out to get a particular customer, already knows a small amount of data about him, and is prepared to do some data processing, may be able to recover all the data about him in a large pseudonymised data set. Previously used practices of selling cloud customers’ personal or sensitive data in pseudonymised form – and regulatory guidelines approving these practices – may have to be revised.

If you are using or have been considering cloud computing services for your company, but haven't been thinking about these kinds of issues, it would be well worth your while reading this article as a kind of primer. It raises a number of legal questions that are only just beginning to emerge, but which could develop into major points of contention in years to come once lawyers really get their teeth into this vaporous but juicy subject.

Follow me on Twitter @glynmoody.