💾 Archived View for gmi.noulin.net › mobileNews › 2672.gmi captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content

View Raw

More Information

➡️ Next capture (2023-01-29)

-=-=-=-=-=-=-

Amazon's Wikileaks Rejection Raises Cloud Trust Concerns

Keir Thomas Keir Thomas Thu Dec 2, 1:31 pm ET

When the Wikileaks "cablegate" scandal broke last week, those behind the

whistle-blowing Website found their servers under heavy load. No surprise

there, of course, but an additional DDoS hack attack didn't help.

To remedy the situation, Wikileaks did what anybody else would do by renting

some elastic space in the cloud to take up the strain. They chose Amazon Web

Services, which, although initially unperturbed by the move, yesterday removed

Wikileaks' material without an explanation or apology. It appears Amazon came

under political pressure to do so.

This raises big issues about First Amendment rights, but that aside, all

businesses seriously need to consider this: In an idyllic future where we make

heavy use of the cloud, what happens if a cloud service provider removes

content it deems inappropriate, or just doesn't like?

What would a business do if this happened, bearing in mind that it could be

tied into a service contract? Should the logistics of potentially sourcing an

alternative provider be factored into any cloud migration plan? Indeed, should

a business employ two cloud providers, used in parallel, with one kept as a

strategic backup?

With questions like this, moving wholesale into the cloud is starting to seem a

little na ve and hasty.

It boils down to what cloud providers consider to be objectionable material.

Most service agreements are a little vague on this point, perhaps deliberately

so. Amazon's Web Services Customer Agreement says the following, which is

wildly open to interpretation and could theoretically let them remove just

about anything:

11.2. Applications and Content. You represent and warrant: [...] (iii) that

Your Content (a) does not violate, misappropriates or infringes any rights of

us or any third party, (b) does not constitutes defamation, invasion of privacy

or publicity, or otherwise violates any rights of any third party, or (c) is

not designed for use in any illegal activity or to promote illegal activities,

including, without limitation, use in a manner that might be libelous or

defamatory or otherwise malicious, illegal or harmful to any person or entity,

or discriminatory based on race, sex, religion, nationality, disability, sexual

orientation, or age;

Even if the service agreements were crystal clear about what is and isn't

acceptable content, there will be many borderline cases that could fall either

way. Anybody using cloud services could potentially be at the mercy of

unaccountable arbiters within the organization.

I formerly worked at a magazine publisher that employed models for the cover

photographs. Typically we'd receive the model's portfolio to take a look at via

e-mail, and often this would include nude photography. If that company had been

working within a cloud environment, would storage of this material be

objectionable?

Admittedly my example is specialized, but it's not hard to think of examples in

other industries. Law firms frequently have to deal with extremely unpleasant

materials as part of their work. Could they store horrific images and videos on

a cloud service? Could they store potentially libellous materials?

Are cloud companies going to start making a distinction between storing

materials that have a genuine business need (OK), and those that are stored

solely for enjoyment (not OK)?

On the other hand, if cloud services do espect the First Amendment, would they

be happy hosting content such as material for pedophilic Websites?

Where does their legal liability start and stop? Bearing in mind that cloud

computing is a radically different prospect compared to simple Web hosting,

will cloud computing need its own set of laws and regulations? Will the wise IT

manager wait until various lawsuits have proved what is or isn't acceptable

when it comes to the cloud?

The other issue raised is how easily cloud services will hand over material to

government agencies when requested. Keeping a server computer within your

premises allows property rights that prevent law enforcement getting their

hands on it without significant hassle. How much hassle would law enforcement

agencies need to go through to get Amazon to roll over?

Could law enforcement agencies deliberately cause disruption for a business by

getting the cloud service to deactivate or suspect their account? It isn't hard

to imagine, is it?

Encryption provides some solutions, of course, and no data should be stored

unencrypted in the cloud. However, often there's a need to provide material to

third parties in "clear" form. Yet a whole new set of questions about content

is raised by encryption. Is objectionable content still objectionable when it's

essentially a meaningless garble of data that makes sense only to somebody with

a decryption key? Is a cloud service's ultimate legal defense going to be that

it simply has no idea what's stored on its cloud?

There's a risk of navel gazing here, but following all logical and legal paths

is something anybody involved in a migration to cloud computing will have to

do. If not, they could be left very red-faced.

At the moment, it feels like we're at the beginning of the beginning of

understanding the nature of cloud computing. Only the brave would dive in at

this point in time.

Keir Thomas has been writing about computing since the last century, and more

recently has written several best-selling books. You can learn more about him

at http://keirthomas.com and his Twitter feed is @keirthomas.