2010-12-03 05:51:41
Keir Thomas Keir Thomas Thu Dec 2, 1:31 pm ET
When the Wikileaks "cablegate" scandal broke last week, those behind the
whistle-blowing Website found their servers under heavy load. No surprise
there, of course, but an additional DDoS hack attack didn't help.
To remedy the situation, Wikileaks did what anybody else would do by renting
some elastic space in the cloud to take up the strain. They chose Amazon Web
Services, which, although initially unperturbed by the move, yesterday removed
Wikileaks' material without an explanation or apology. It appears Amazon came
under political pressure to do so.
This raises big issues about First Amendment rights, but that aside, all
businesses seriously need to consider this: In an idyllic future where we make
heavy use of the cloud, what happens if a cloud service provider removes
content it deems inappropriate, or just doesn't like?
What would a business do if this happened, bearing in mind that it could be
tied into a service contract? Should the logistics of potentially sourcing an
alternative provider be factored into any cloud migration plan? Indeed, should
a business employ two cloud providers, used in parallel, with one kept as a
strategic backup?
With questions like this, moving wholesale into the cloud is starting to seem a
little na ve and hasty.
It boils down to what cloud providers consider to be objectionable material.
Most service agreements are a little vague on this point, perhaps deliberately
so. Amazon's Web Services Customer Agreement says the following, which is
wildly open to interpretation and could theoretically let them remove just
about anything:
11.2. Applications and Content. You represent and warrant: [...] (iii) that
Your Content (a) does not violate, misappropriates or infringes any rights of
us or any third party, (b) does not constitutes defamation, invasion of privacy
or publicity, or otherwise violates any rights of any third party, or (c) is
not designed for use in any illegal activity or to promote illegal activities,
including, without limitation, use in a manner that might be libelous or
defamatory or otherwise malicious, illegal or harmful to any person or entity,
or discriminatory based on race, sex, religion, nationality, disability, sexual
orientation, or age;
Even if the service agreements were crystal clear about what is and isn't
acceptable content, there will be many borderline cases that could fall either
way. Anybody using cloud services could potentially be at the mercy of
unaccountable arbiters within the organization.
I formerly worked at a magazine publisher that employed models for the cover
photographs. Typically we'd receive the model's portfolio to take a look at via
e-mail, and often this would include nude photography. If that company had been
working within a cloud environment, would storage of this material be
objectionable?
Admittedly my example is specialized, but it's not hard to think of examples in
other industries. Law firms frequently have to deal with extremely unpleasant
materials as part of their work. Could they store horrific images and videos on
a cloud service? Could they store potentially libellous materials?
Are cloud companies going to start making a distinction between storing
materials that have a genuine business need (OK), and those that are stored
solely for enjoyment (not OK)?
On the other hand, if cloud services do espect the First Amendment, would they
be happy hosting content such as material for pedophilic Websites?
Where does their legal liability start and stop? Bearing in mind that cloud
computing is a radically different prospect compared to simple Web hosting,
will cloud computing need its own set of laws and regulations? Will the wise IT
manager wait until various lawsuits have proved what is or isn't acceptable
when it comes to the cloud?
The other issue raised is how easily cloud services will hand over material to
government agencies when requested. Keeping a server computer within your
premises allows property rights that prevent law enforcement getting their
hands on it without significant hassle. How much hassle would law enforcement
agencies need to go through to get Amazon to roll over?
Could law enforcement agencies deliberately cause disruption for a business by
getting the cloud service to deactivate or suspect their account? It isn't hard
to imagine, is it?
Encryption provides some solutions, of course, and no data should be stored
unencrypted in the cloud. However, often there's a need to provide material to
third parties in "clear" form. Yet a whole new set of questions about content
is raised by encryption. Is objectionable content still objectionable when it's
essentially a meaningless garble of data that makes sense only to somebody with
a decryption key? Is a cloud service's ultimate legal defense going to be that
it simply has no idea what's stored on its cloud?
There's a risk of navel gazing here, but following all logical and legal paths
is something anybody involved in a migration to cloud computing will have to
do. If not, they could be left very red-faced.
At the moment, it feels like we're at the beginning of the beginning of
understanding the nature of cloud computing. Only the brave would dive in at
this point in time.
Keir Thomas has been writing about computing since the last century, and more
recently has written several best-selling books. You can learn more about him
at http://keirthomas.com and his Twitter feed is @keirthomas.