International In-house Counsel Journal Vol. 4, No. 14, Winter 2011, 1
Head in the Clouds: Navigating the Legal Cloud Nebula
JOSEPH J BAMBARA In-House Counsel, UCNY, Inc., USA
Table of Contents Head in the Clouds: Navigating the Legal Cloud Nebula Technology and the Cloud Review of Cloud Computing technology and types Benefits of Cloud Computing Surprise benefit of Cloud Computing technology: Security Risk / Rewards of Cloud Computing Risks of Cloud Computing Deeper Look at Risks associated with Cloud Computing Evidence control and the Cloud Danger of Cloud Computing technology: Lost Data Danger of Cloud Computing technology: Privacy Conclusion
In the world of computing and technology much has happened in a short time. This is especially true with respect to the new (sort of) technology known as “cloud computing”. This article will provide a brief review of cloud computing technology. After which, we will we continue a "deep dive“ treatment of cloud computing and the law with the objective of preparing the practicing attorney to navigate through this nebulous topic. The article (in two parts) will touch upon everything from updated privacy rights to enhanced deployment models as well as liability and contingency plans for the inevitable downtime. Review of Cloud Computing technology Legal considerations for businesses considering cloud computing. Identify legal risks of placing assets, such as data or key computing resources, in the hands of people who do not own them Review Intellectual property issues concerning ownership of and rights in information and services placed “in the cloud.” Some guidelines into what and whose law governs certain cloud services and the data they manage Some E-Discovery guidelines into possession, custody or control over data in the cloud that is sought in litigation Technology and the Cloud Review the “Timeline” diagram (see figure 1) to get an idea of emerging technology and the rapid evolution thereof. It is important to note that in 2010, there are 4 billion Mobile
International In-house Counsel Journal ISSN 1754-0607 print/ISSN 1754-0607 online 2 Joseph J Bambara phone subscribers (67% of world population) and 1.8 billion Internet users: (26.6% of world population). See See http://www.internetworldstats.com/stats.htm. The table has been set for the emergence in 2005 of a new paradigm “cloud computing (see figure 2).
Figure 1
Figure 2
Cloud computing is a paradigm of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. The term “cloud” is used as a metaphor for the Internet, based on how the Internet is depicted in computer network diagrams and is an abstraction for the complex infrastructure it conceals. See http://en.wikipedia.org/wiki/Cloud_computing Although cloud computing seems new, the underlying concept of multiple users sharing computer resources is not new. In 1969, the U.S. Department of Defense's Advance Research Projects Agency (ARPA net) sought to expand the distances over which Cloud Computing 3 computers could reliably communicate. The ARPAnet project sought to create a platform that would allow distributed users to share their valuable computing resources and collaborate on documents. Using the ARPAnet, a user could access a computer located elsewhere on the network and function as a local user at the remote site. The ARPAnet mainly linked government agencies and universities( see figure3) , but it was out of the ARPAnet that what we now know as the Internet was originally developed. See, figure 4.
Figure 3
Figure 4 With the development of the operating system, stand-alone computers could perform multiple functions simultaneously for the first time. This opened the door for a single central server or computing device supporting several stand-alone personal computers or 4 Joseph J Bambara dumb terminals (keyboards and computer screens) housed in the same physical location. The terminals would connect to the central server, which would do the terminal's actual processing. Cloud Computing is an evolution from these previous efforts at shared computing. As prices for processing power and storage have fallen and high-speed internet connections have become ubiquitous, cloud computing has become an increasingly attractive option for many individuals and businesses
Figure 5 Cloud computing (figures 5 #1,#2,#3,#4) refers to data, processing power, or software stored on remote servers made accessible by the Internet as opposed to client computers. The term "the cloud" #3 comes from computer network diagrams which, because the individual computers #4 that formed its components were too numerous to show Cloud Computing 5 individually, depicted the Internet as a vast cloud at the top of the network chain. One of the key features of cloud computing is that the client does not own the technology they are using. All the hardware and software is owned by a cloud computing service, See #4 The user/client simply rents time or space. See #1 At the same time, cloud computing also creates dependency. The emergence of cloud computing services is structured around a re-imagining of the relationship between technology and end users. The client #1 must rely on the cloud service provider (#2,#3,#4) to ensure that data is kept secure and reliably accessible. They must also depend on the telecommunications infrastructure (between #1 and #2) that will act as the delivery and retrieval pathways for the flow of data to and from the cloud. In addition, once a client adopts a cloud computing arrangement it will be difficult to move back to a local computing platform.
Review of Cloud Computing technology and types
Figure 6 There are three basic types (service models) of Cloud Computing Services (see figure 6): 1. Software as a Service (SaaS) is the most common and widely known type of cloud computing. SaaS applications provide the function of software that would normally have been installed and run on the user's desktop. With SaaS, however, the application is stored on the cloud computing service provider's servers and run through the user's web browser over the Internet. Examples of SaaS include: Gmail, Google Apps, and Salesforce. 2. Platform as a Service (PaaS) cloud computing provides a place for developers to develop and publish new web applications stored on the servers of the PaaS provider. Customers use the Internet to access the platform and create applications using the PaaS provider's API, web portal, or gateway software. Examples of PaaS include: Saleforce's Force.com, Google App Engine, Zoho Creator. 3. Infrastructure as a Service (IaaS) seeks to obviate the need for customers to have their own data centers. IaaS providers sell customers access to web storage space, servers, and 6 Joseph J Bambara
Internet connections. The IaaS provider owns and maintains the hardware and customers rent space according to their current needs. An example of IaaS is Amazon Web Services. IaaS is also known as utility computing. So for new users considering the “cloud”, the fundamental issue is how do you maintain control of data. Data that is essential for you, your business, your clients must be controlled so that no failure cause loss of access or the data itself. Some facts and observations about data in the “cloud” include: When users place their data and applications on centralized servers, they lose the ability to maintain complete control of that information. With the rise of cloud computing, critical and sometimes sensitive information that was once safely stored on the businesses local computers now resides on the remote servers of the service provider. One of the biggest risks of storing data in the cloud is the possibility that this data will be accessed by unwanted third parties. For example, many email providers allow secondary advertising uses for e-mail communications. Legal rights and regulatory authority for the protection of the privacy of cloud computing users are not well defined. Data stored in the cloud may be subject to less stringent legal protection than data stored on a local computer. For example, under the U.S. Electronic Communications Privacy Act, data stored in the cloud may be subject to a lesser standard for law enforcement to gain access to it than if the data were stored on a personal computer. Health information services that store user medical information may not be subject to the privacy protections of the U.S.. Health Insurance Portability Protection Act (HIPPA). Even where it is clear that user data is protected, cloud computer service providers often limit their liability to the user as a condition of providing the service, leaving users with limited recourse should their data be exposed or lost. Storing data in the cloud means that access to that data is subject to the cloud computing service provider's terms. Often the terms of service allow the cloud computing service provider to terminate the service at any time. Imagine a data hostage scenario where a user needs to gain access to online information, but the data holder refuses that access without first receiving a payment or other compensation.
Benefits of Cloud Computing So if there are issues and risks then what are the pervasive benefits of Cloud Computing technology? The benefits include the following: Cloud Computing 7
Ability to work from anywhere, i.e. , device and location independence which enable users to access systems using a web browser regardless of their location or what device they are using (e.g., PC, mobile). Multi-tenancy enables sharing of resources and costs across a large pool of users thus allowing for: Centralization of infrastructure in locations with lower costs (such as real estate, electricity, etc.) Peak-load capacity increases (users need not engineer for highest possible load-levels) The bottom line benefit of Cloud Computing technology is the Return on Investment (“ROI”) Utilization and efficiency improvements for systems that are often only 10– 20% utilized. Reliability improves through the use of multiple redundant sites, which makes cloud computing suitable for business continuity and disaster recovery. Scalability "on-demand” provisioning of resources on a fine-grained, self- service basis near real-time, without users having to engineer for peak loads. Performance is monitored, and consistent Loosely-coupled architectures are constructed using web services as the system interface.
Surprise benefit of Cloud Computing technology: Security Security typically improves due to centralization of data, increased security-focused resources, etc. (make sure to research provider to be sure).Although concerns persist about loss of control over certain sensitive data, and the lack of security for stored kernels (Microsoft Danger T-Mobile), security can as good as or better than under traditional systems. This is so in part because providers devote resources to solving security issues that many customers cannot afford. Ownership, control and access to data controlled by "cloud" providers may be made more difficult, just as it is sometimes difficult to gain access to "live" support with current utilities. Under the cloud paradigm, management of sensitive data is placed in the hands of cloud providers and third parties. Make sure to get disclosure here. Trend conscious developers are implementing OAuth (http://oauth.net/), as it allows more granularity of data controls across cloud applications. OAuth is an open protocol, to allow secure API authorization in a standard method for desktop, mobile, and web applications.
Risk / Rewards of Cloud Computing So okay there are some significant benefits but that still leaves plenty of questions around the Cloud. Most organizations using business computing are aware of “cloud computing” as an option. The questions which are asked include: When will it be a safe place to operate? A simple answer is it will be safe when there are firm answers/guidelines from the Courts and resulting legislation which dictate and enforce acceptable standards for things like: Data protection/ Physical security: How does the provider segregate data? When at rest, where is data stored? What type of encryption is used to 8 Joseph J Bambara
prevent it from being compromised? When the data is in motion, how is it travelling from one point to another? Identity management: Are you able to integrate your existing identity scheme with the cloud vendor? Does the vendor support federation? Federation lets access-management functions for multi tenancy which defines the cloud. What standards does it support? Availability: What do they guarantee in the service-level agreement? Are they using other cloud providers? Are they transparent about downtime? Privacy: Who has access to the data? Compliance in the cloud: Whose responsible if law is broken ? Liability: What are the remedies available?
Risks of Cloud Computing So what does control mean in the Cloud? Cloud Computing means relying on a third party to maintain and control your data. It is critical to understand the implications of moving your data to the cloud. Who has access to it and under what circumstances? Who can alter it? How will system outages and service disruptions be rectified? What if the provider fails or departs the business? So what does security mean in the Cloud? Handing over important and potentially sensitive or proprietary data to another company is worrisome. Clients should ensure that cloud service providers have adequate encryption and other security controls in place that are regularly audited. So what does privacy mean in the Cloud? If someone can log in from anywhere to access data and applications, it is possible that your privacy could be compromised. Regulatory compliance may be impossible if your data is subject to any geographical storage restrictions, such as the European Union Data Protection Directive. http://epic.org/privacy/cloudcomputing/.
Deeper Look at Risks associated with Cloud Computing So let’s “drill down” into what the potential risks are when businesses and rest of user community starts to use the cloud.
Evidence control and the Cloud Parties have a duty to preserve evidence in their custody and control where it is foreseeable that the evidence may be relevant to threatened or pending litigation, as well as third-party subpoenas, investigations or regulatory requests for information. If your data is no longer in house, will cloud computing providers be able to implement your company s document retention policies as well as litigation holds? Cloud computing business models challenge the assumption that a company controls all the electronically stored information the law may impose duties to preserve and produce. Consequently, companies face substantial barriers to implementing cloud computing solutions if their compliance capabilities are compromised as a result. Conducting forensic examinations or establishing the authenticity and admissibility of clouded data; can also pose unique problems. So how do we handle this? As with any business relationship, moving to the cloud requires well-drafted service-level agreements with the third parties (IaaS, SaaS, PaaS ) that provide business processes, products and services. That said iterative due Cloud Computing 9 diligence should be performed on the service provider s internal privacy and information protection controls. Moreover, beyond assurances that that a service provider does not process, store or transfer information through jurisdictions whose laws do not provide for adequate information protection. This will be a recurring exercise, as clients to move from one cloud service provider to another as contracts expire and more favorable terms become available. See, http://www.mondaq.com/unitedstates/article.asp?articleid=85208.
Danger of Cloud Computing technology: Lost Data There are times when even the experts foul up. Microsoft acquired Danger for $500 million in February 2008. T-Mobile and Danger, the Microsoft-owned subsidiary that makes the Sidekick announced that they lost all user data that was being stored on Microsoft’s servers due to a server failure. All customer contacts, photos, calendars, or to-do lists that haven’t been locally backed up are gone. T-Mobile Sidekick users suffered a major outage all week, and that issue apparently hasn’t been resolved either. That T- Mobile /Microsoft Danger did not have a adequate backup is an early example what may go wrong in the cloud. The Sidekick is totally reliant on the cloud because it doesn’t store its data locally. T-Mobile had to send this to all of its Danger users the following communication: T-MOBILE AND MICROSOFT/DANGER STATUS UPDATE ON SIDEKICK DATA DISRUPTION: “Dear valued T-Mobile Sidekick customers: T-Mobile and the Sidekick data services provider, Danger, a subsidiary of Microsoft, are reaching out to express our apologies regarding the recent Sidekick data service disruption. We appreciate your patience as Microsoft/Danger continues to work on maintaining platform stability, and restoring all services for our Sidekick customers. Regrettably, based on Microsoft/Danger’s latest recovery assessment of their systems, we must now inform you that personal information stored on your device – such as contacts, calendar entries, to-do lists or photos – that is no longer on your Sidekick almost certainly has been lost as a result of a server failure at Microsoft/Danger. That said, our teams continue to work around-the-clock in hopes of discovering some way to recover this information. However, the likelihood of a successful outcome is extremely low. As such, we wanted to share this news with you and offer some tips and suggestions to help you rebuild your personal content. You can find these tips at the T-Mobile Sidekick Forums (http://www.t-mobile.com/sidekick ). We encourage you to visit the Forums on a regular basis to access the latest updates as well as FAQs regarding this service disruption. In addition, we plan to communicate with you on Monday (Oct. 12) the status of the remaining issues caused by the service disruption, including the data recovery efforts and the Download Catalog restoration which we are continuing to resolve. We also will communicate any additional tips or suggestions that may help in restoring your content. We recognize the magnitude of this inconvenience. Our primary efforts have been focused on restoring our customers’ personal content. We also are considering additional measures for those of you who have lost your content to help reinforce how valuable you are as a T-Mobile customer. We continue to advise customers to NOT reset their device by removing the battery or letting their battery drain completely, as any personal content that currently resides on your device will be lost.” 10 Joseph J Bambara
See http://www.techcrunch.com/2009/10/10/t-mobile-sidekick-disaster-microsofts- servers-crashed-and-they-dont-have-a-backup/ This outage and subsequent data loss is just one example of the dark side of "cloud computing" Users assumed that if data was "in the cloud" then it was stored with enough redundancy and fault tolerance to render such a massive data loss impossible. The execs at HP, Sun, Intel, IBM, Rackspace, Amazon, Google, and the rest of the growing list of cloud infrastructure and service providers don’t need this type of failure for a big player as cloud services must prove of reliability for potential enterprise customers. In a number of cloud computing threads in the Ars Server Room, and in the handful of webinars that we've done on the topic in recent months, reliability is the number one knock that IT pros have against anything "cloud"-related. Enterprise IT types have a natural distrust of any systems that they don't own and control, especially when those systems present themselves as a black box on which IT will build something for internal use. But, anecdotally, these periodic, high-profile service disruptions seem to loom fairly large in enterprise perceptions of the cloud's reliability, which is why this latest data loss is likely to translate into a revenue loss for more than just T-Mobile and Microsoft/Danger.
Danger of Cloud Computing technology: Privacy The U.S. Electronic Privacy Information Center (“EPIC”) is a public interest research organization incorporated in Washington, DC. EPIC’s activities include the review of government and private sector policies and practices to determine their impact on the privacy interests of the American public. In March ,2009 , before the Federal Trade Commission Epic submitted: In the Matter of Google, Inc. and Cloud Computing Services Complaint and Request for Injunction, Request for Investigation and for Other Relief. See, http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf. Google encourages users to "add personal information to their documents and spreadsheets," and represents to consumers that "this information is safely stored on Google's secure servers." Google states that "your data is private, unless you grant access to others and/or publish your information.“. On March 7, 2009, Google disclosed user‐generated documents saved on its Google Docs Cloud Computing Service to users of the service who lacked permission to view the files. (the "Google Docs Data Breach") This is just one of many example of known flaws with Google’s Cloud Computing Services. For example: researchers identified several security flaws in Google's Gmail service. The flaws allowed theft of "usernames and passwords for the 'Google Accounts' centralized log‐in service" and enabled outsiders to "snoop on users' email.“ In December 2005, researchers discovered a vulnerability in Google Desktop and the Internet Explorer web browser.31 The security flaw exposed Google users' personal data to malicious internet sites. The Google Docs Data Breach highlights the hazards of Google's inadequate security practices, as well as the risks of Cloud Computing Services generally. The FTC should hold accountable the purveyors of Cloud Computing Services, particularly when service providers make repeated, unequivocal promises to consumers regarding information security.
Conclusion Cloud computing is here to stay. So as practitioners we need to be ready to address the issues and legal ramifications which result from its use and abuse. In 2011 and beyond, we will undoubtedly start to see legislation, the courts using cloud terminology and analyzing the consequences of the spread of data (trade secrets, privileged information, PII) in the cloud. In the meantime, as always, technology races ahead of the law. Cloud Computing 11
Joseph J. Bambara is currently In House Counsel and a VP of technology architecture at UCNY, Inc. His e-mail address is [email protected]. For the last 12 years, he has been acting as Counsel for small to mid-size technology firms in the metro area. He has worked on outsourcing contracts, intellectual property as it pertains to mobile and enterprise software, SMS mobile marketing issues as well as trade/service marks. In addition to Lawline.com, he has done Continuing Legal Education courses on law and technology for New York County and City Bar Association. He was named The New York Enterprise Report Technology Attorney of 2010. Prior entrepreneurial career included developing applications systems for the financial, brokerage, manufacturing, medical, and entertainment industries in New York, Los Angeles and western European community including Java on the mobile, enterprise and database development. Mr. Bambara has a Bachelor's and a Master's degree in Computer Science. He holds a Juris Doctorate in Law and is admitted to the New York State Bar. He has taught various computer courses for CCNY's School of Engineering. He is member of the New York County Lawyers Association Cyberspace Committee and an active member in the International Technology Law Association. He has authored the following books: Sun Certified Enterprise Architect for J2EE Study Guide (Exam 310-051) (McGraw-Hill, 2007), J2EE Unleashed (SAMS 2001), PowerBuilder: A Guide To Developing Client/Server Applications (McGraw-Hill, 1995), Informix: Client/Server Application Development (McGraw-Hill, 1997), Informix: Universal Data Option (McGraw-Hill, 1998), SQL Server Developer's Guide (IDG, 2000). Over the past ten years, he has taught numerous courses and given many presentations on all aspects of the law and enterprise and mobile development in cities worldwide, including Los Angeles, Vienna, Paris, Berlin, Orlando, Nashville, New York, Copenhagen, Oslo, and Stockholm.
UCNY is an unified communications consulting and technology workforce acquisition firm, providing services to a global clientele since 1996. Their list of clients includes: Standard and Poor's, McGraw-Hill, Bank of New York, CNA Insurance, Deutsche Bank, Federal Reserve Bank of New York, Forbes, Goldman Sachs, JP Morgan Chase, Lewco, The New York Stock Exchange, Nestlé Waters. NYC (Mayors office & HPD), Merck, Merrill Lynch, OSI Pharmaceutical, PurchaseSoft, Roche, Schroder & Co., Salomon Smith Barney, SIAC, and Sony Time/Warner. The company is comprised of highly qualified and experienced professionals. They combine industry know-how, expertise in new technologies and proven approaches in order to solve business problems quickly and efficiently.