Round Table: Key Legal Aspects for Putting your Business in the Cloud Chairs: Miquel Peguera
Controlling the provider Xavier Ribas, Landwell Global.
Increasing trend to outsource services at the enterprise, including some belonging to the core business. With cloud computing, even risk management is shared with or outsourced to a third party.
But, are you then losing control and even putting your firm in the hands of your providers? You lose control of the confidence chain, control of data, of the quality of service, of the available preventive measures, of reputation risk management (and there actually is an increase of risk of reputation loss), control of secondary and non-consented outsourcing, international data transfer, etc.
How to solve this? How to regain control over these issues? Possible clauses:
An obligations map should be drawn and agreed upon, including what happens once the relationship ends (e.g. what will happen to data in a blog once the service is discontinued?).
Manel Martínez Ribas, ID-LawPartners.
What is the difference amongst open source and open cloud? Is there any open source cloud?
The four freedoms of free software, do they still apply in cloud applications or services? More indeed: free software developers using cloud services, will they find their free code closed? This gives birth to new licenses where cloud service providers are able to use specific software, let it to the end user as software as a service (SaaS)… thus allowing for copyleft on one end and a sort of closeness on the other end.
Open cloud computing allows, as it happens with free software, to make modifications.
The Open Cloud Manifesto pretends to settle the debate and reach some agreement (equilibrium?) on how to respect the free software freedoms in cloud computing.
Avoid lock in.
Go on with initiatives according to the needs of the customer.
Teamwork and network.
It seems that cloud computing will be the main entry point for institutions to (at last) use free software massively. Same with software providers, that will shift from proprietary software to free software.
It really does not matter to read or not the terms of reference of cloud services: their providers will change them unilaterally and many without notice. So…
The problem is neither (only) that we do not know where our data are, but nor we know where our data pass through, because they constantly change paths.
A Cloud computing solution: self-service, broad access in the Net, full of resources, fast and easy, measurable and supervised. A solution which might be the end of corporate computing.
As said, one of the big problems is not only that data are elsewhere, but that they circulate across borders and jurisdictions. The European Directive, in this sense, looks more at what is happening, rather than trying to typify each and every procedure that takes place on the Internet. It nevertheless needs some updating as cloud computing has really challenged web usage as we knew it.
Information self-determination: the right to control one’s own data, to know who has our data, what is done with them, etc. Information self-determination is at stake with cloud computing.
IDC Enterprise Panel (august 2008) states the following challenges/issues of cloud computing: security, performance, availability, hard to integrate with in-house IT, not enough ability to customize, doubts about cost, bring-back in-house might be difficult, not enough major suppliers, etc.
Main challenges of Cloud Computing:
Decrease of control over information and services.
Data treatment and processing.
International movement of data.
Q: The Catalan Government is to move its education community to Google Applications. How are citizen rights guaranteed? Miralles: The problem can “easily” be solved by signing a contract. The problem is usually not as much as in privacy, but in transparency and availability of information by the user, to recover their information, etc.
Ramon Miralles: it makes no sense the distinction whether it is a human or a machine who processes the information, as this only creates legal defencelessness and insecurity. Indeed, it is in the core of data processing that it is automatized. So, we have to look at the essence of the data processing process, at what will be the end use, rather than at the how.
Manel Martínez: we have to differentiate between consented usage (contextual adds after reading your e-mail, as you agreed to that by accepting the terms of reference) and non-consented usage of data. Ramon Miralles: right, but the problem comes when the conditions are change unilaterally and, even if you are made aware of this, you are locked in and have really hard times migrating your data in a service you’re having difficulties to leave.
Q: how do we measure the cost of loss of reputation because a third party service failed? Xavier Ribas: this is very difficult to measure. It might be not very difficult to measure the non-returning customers, but it is definitely difficult to know how many new/potential customers will not use our services/products for the very first time after a reputation crisis has been suffered.
Jordi Vilanova: should not the WTO coordinate cloud computing services (in a legal and economic sense)? Miralles: it is clear that the traditional instruments to regulate economic activities (national and international regulation, contracts, etc.) might not perfectly fit in such activities as cloud computing. So, yes, WTO or another platform might be used to update regulation and procedures to brand new activities.
we do not to perform any backups, including software;
we have no more storage limitations, adding more storage room is quick and easy;
ubiquity, all services are available from anywhere.
Some problems with cloud computing that media repeat over time:
Closed applications that are difficult to expand or modify: you cannot change (add features, customize, etc.) Google Documents easily
Availability outsourced: to access a single Google Document we rely on our PC, our web browser, our Internet provider, Google, the government regulation (e.g. you depend on the Chinese government to allow Google to operate in China), etc.
But, where are our data? Where is our privacy? Most of our data/privacy is on Google, Microsoft and Amazon, the later the biggest provider of cloud platforms.
Indeed, some service providers cannot only access our data, but do have control over our devices:
What happened with Amazon’s Kindle and the novel “1984” affair: erased a novel from all books, got sued (and lost), but doubled their sales of Kindles.
Facebook will retain ownership of your photos: huge claims for intellectual property and privacy, but Facebook users in Spain almost tripled during the “scandal”.
The case of the accountability service that showed that no one reads the terms of service.
All in all: people do not read the terms of service and accept whatever terms. But the thing is that most service providers require this free access to data to be able to let data to third parties, the basis of the business plan.
Open Cloud Computing / Open Cloud Compliant: the services are in the cloud, but the user can choose where the data will be stored. At least, this allows for the user to know where their data are. It also avoids conflicts of interest: the one that provides the service is not the same that provides the infrastructure: the service provider will ensure that data are safe, and the infrastructures provider will ensure that the infrastructure supports the service.
We should then differentiate between infrastructure cloud computing and services cloud computing. Open cloud computing means that these are separate and there’s a possibility of choice, and closed means that they all come together with a single provider: in this case, privacy risks arise.
The average user prefers ‘easy’ to ‘nice’, even if ‘easy’ means ‘ugly’. This creates de facto standards. People prefer applications to be fast and easy, even if it is less powerful or less nice.
eyeOS is an open-source browser based web desktop, which means that it acts as a framework that, once the user is logged in, logs the user to whatever application runs on this desktop. Thus, the user does not need to remember where the applications are (what third parties’ services) and how to log in them.
(NOTE: here comes an interesting discussion about institutional and individual uses of open cloud services, the free software community, etc.)
Privacy in the Cloud, a Misty Topic? Ronald Leenes, Universiteit van Tilburg
An introduction to Cloud Computing
What is the relationship between Cloud computing, Grid computing, service oriented architecture (SOA) and Web 2.0?
Increasingly, data and applications are stored and/or run on a web server that hosts what usually was on your local machine. The web browser becomes the usual platform. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources.
If we talk about “resources”, the definition becomes broader, as we can also speak about computing power or computing time. And these resources are shared by many users, instead of having a dedicated machine. This provide rapid elasticity that allows for easy and quick scaling (up or down).
Software as a Service (Saas): e.g. webmail, online office applications; etc.
Platform as a Service (Paas): e.g. Amazon AWS platform;
Infrastructure as a Service (IaaS): all the power you might have in our PC, in the cloud.
Price: many cloud services are reee.
Reliability: redundancy of services and scalability makes the system more stable.
Accessibility: your services, everywhere.
Multiple business models: fees, ads, etc.
Always current version of the software, no needs to update.
Privacy and security issues
Privacy: bodily integrity, data protection, inviolability of the home, secrecy of communications. The later two are specially relevant for cloud computing.
Data protection goals aim at facilitating the free flow of information while providing a minimum level of data protection. Data aspects: confidentiality, integrity, availability. The three of them are (more or less) under control while data are stored in a PC. In the cloud it is certainly less so.
The first thing to state is that, in the cloud, you don’t know where your data exactly are. Indeed, those date are interlinkable by other services, which make them even more ubiquitous while difficult to locate.
Second is that, in “physical” life, one’s identity is made up of different and partial identities of one self. There is a certain control to segregate audiences according to what they can see of me. Not in the cloud. To a large extent, we’re evolving toward a world where you are who Google says that you are (JD Lassica).
As data travel from my browser (and through the Internet) to a cloud service, anyone can potentially intercept your travelling data. The way to avoid this is use encryption (HTTPS) but cloud services do not usually have the incentive to (unlike banks, that are liable for data loss or money stealing) and do have incentives not to (HTTPS requires much more server power and time to encrypt and decrypt, thus making it more expensive at the aggregate level).
Personal data: data that can lead to identification of a person (data subject). Thus, personal data can be taken very broadly as even an e-mail message can lead to identifiable individuals. A processor is a body that processes personal data. A data controller holds or stores personal data.
The DPD is applicable when the data controller is within the European Union jurisdiction, regardless of where the data processor is.
Thus, if Google just provides a platform where the user processes their data, then Google is not a controller, but a processor, which means it is being affected differently by the (European) law. But if data, after being processed, are stored in Google’s servers, then Google becomes a controller. So, cloud service providers can switch between data controlling and data processing or both at a time, with legal consequences.
DPD principles: transparency, legitimate purpose and proportionality.
Jordi Vilanova: are there any legal differences in privacy between individuals and institutions? A: legally, in strict sense it only applies to individuals. In the case of companies, we would be talking about intellectual property, trade secrets, etc.
Mònica Vilasau: to balance unequal distribution of bargaining power between service providers and users, what should be done? More regulation? Better contracts? Is the data protection directive enough for cloud computing? A: Contracts should suffice, as they are a very powerful tool. The difference is that in the EU privacy is a public good that needs to be protected, so the law will always be above any contract; while in the US privacy is something that can be bargained between contractors. The DPD is not enough for cloud computing, because its purpose was to regulate over the data controller, a very identifiable agent at a time (e.g. a hospital having data of you). But now, who is a data controller or a processor is very difficult to identify.
Q: Is one of the problems that cloud services are based in the US? A: Yes, of course, if data controllers, processors and subjects were in the same jurisdiction that would make things much easier.
Mònica Vilasau: what about cookies? A: if you accept cookies, you get less of your privay. If you do not, the service provider is no more a data controller (it is not storing data from you, because you refused the cookie) and then you are no more under the DPD. This is an ironic dichotomy.