So-called "cloud computing" has buzz. Seminars devoted to the subject attract large audiences; barely a day passes without a mention in the tech trade press. By some counts, more than 60 percent of all Internet users currently use the cloud for some of their computing, whether they know it or not.
But in the haste to jump into the clouds, it is important not to overlook the legal issues. Perhaps the cloud is not for everyone.
What Is It?
For starters, the term "cloud computing" is poorly defined. As used herein, "cloud computing" refers to the ability to use computing services, including messaging and storage, without having to manage the underlying technology. For example, a web-based email service such as Gmail or Yahoo! mail is a cloud service by this definition; users merely need a browser and Internet access. Processing and storage occur on the web. The user has no need to acquire and manage a client-based email software package.
"Cloud computing" is available for consumer-facing services such as web-based email, Flickr and Facebook, for business-to-business services, and for government contractors. At the moment, "cloud computing" is having the most noticeable impact in the consumer and business communities. When a user posts photographs on Flickr or Facebook, or uses Google Docs to write a document, or uses an online email service, he or she is using the cloud. Rapidly expanding numbers of businesses are emerging to provide consumer-oriented cloud services.
Likewise, businesses lacking the capacity to manage a growing IT network or seeking a more cost-effective solution may choose instead to use cloud services. Perhaps it is for this reason that a group styled the Open Cloud Manifesto, which consists of cloud suppliers, touts as key characteristics of the cloud the ability to scale and provision computing power in a cost-effective manner and the ability of the user to use that power without having to manage the underlying technology.
Businesses may use cloud computing to outsource processing needs, for electronic storage or for other computing purposes. Technology companies are urging government agencies to make greater use of the cloud as well. If an organization's computing demands more resemble peaks and valleys than steady streams, public and private cloud systems can manage those fluctuations so that the organization does not need to manage internally a system designed to handle peak loads.
Is This New?
This is not entirely new. At one level, people have engaged in "cloud computing" since the beginning of the Internet. Hosted websites and online email accounts are all variations of computing power that could be thought of to some degree as in the clouds—as opposed to residing on an in-house server.
Some readers may recall Application Services Providers (or ASPs) from a decade ago. Like "cloud computing," ASPs offered remote computing capabilities, including storage, thereby sparing businesses the costs of acquiring their own systems. Also, like "cloud computing," ASPs offered remote storage and data-processing capabilities.
So what is different now? Several things. One is the increasing availability online of basic applications, storage and data processing. A decade ago, Google Docs and similar offerings did not exist. Such services today help to meet the needs of a public whose members are now more comfortable in functioning without having the software housed within their own IT systems.
Second, "cloud computing" is more consumer-facing than were ASPs, although certainly not exclusively so. ASPs targeted the business community. In contrast, cloud computing is quite amenable to the Web 2.0 world of user-generated content. User-generated content today typically resides "in the clouds" in the form of online storage. When a user uploads photographs to online storage, he or she is using the cloud. Likewise, when a user sends an email via Gmail or Hotmail, he or she is in the cloud.
There is no general "cloud computing" law. In the absence of a law tailored to specific nuances of the cloud, "cloud computing," like other areas of Internet law, is subject to the universe of laws that apply to Internet-based services. Some of these date from several decades ago and, as often is the case, the old wineskins do not work well with new wine.
Privacy and Data Security
Many of the legal issues—such as those relating to software licensing, service level agreements, intellectual property, privacy, data security and jurisdiction—are common to Internet services. However, "cloud computing" offers unusual twists.
First, consumer-facing services, such as websites that allow the posting of user-generated content, face obvious privacy and data security issues. These were highlighted in March by the filing by the Electronic Privacy Information Center (EPIC) of a complaint with the Federal Trade Commission (FTC) seeking an investigation into the privacy and security safeguards applicable to Google's cloud computing services—which include Gmail, Google Docs, and Picasa.
The EPIC complaint was prompted by recent publicity regarding a security breach in Google Docs. Obviously, maintaining the security of data stored in the cloud is a major issue. EPIC's larger concern appears to be that the increasingly widespread use of cloud computing services, especially web-based email and online data storage, brings with it increased dangers of privacy breaches. The matter now is in the hands of the FTC.
Who Has Jurisdiction?
A second vastly important legal issue in "cloud computing" is jurisdiction. Bits and bytes stored in the cloud do actually physically reside on a server somewhere. The location of that server can have dramatic legal effects.
Regardless of what private agreement may exist between the cloud host and the user regarding governing law, several jurisdictions might claim authority over the data. For example, law enforcement officials in the location in which a particular server is housed likely would assert jurisdiction over the server, even if neither the user nor the cloud host has a major presence in that locale. In some cases, the jurisdiction in which a user is located might assert jurisdiction. Users may be surprised to discover that their documents and images stored in the cloud turn out to be subject to the laws of some distant state, perhaps with less protective laws, instead of or in addition to those of their home state. This is similar to the situation today in which the U.S. asserts criminal jurisdiction over offshore website operators that accept online gambling from users located in the U.S.
Or perhaps the host state's laws are more protective. For example, if data are stored in a part of the cloud that happens to be in Europe, then the restrictions of the European Union data privacy directive would likely apply. Users—and businesses operating consumer-facing e-commerce and social networking sites—located in the U.S. might be surprised to learn that their ability to access, process and transfer personal data could be subject to a rather different legal regime than at home.
Resolving these questions, which involve the reach of long-arm statutes not only in the U.S., but possibly abroad as well, will take some time. Expect some legal surprises in the meantime.
In business-to-business situations, "cloud computing" can generate critical legal issues at the contracting stage. A business looking to move much of its computing into the cloud should consider a number of issues in the contract with its cloud vendor. Many of these issues—service level agreements, backups, price and access to the data—are standard issues in business contracting.
What makes contracting for "cloud computing" more interesting are issues relating to data security, as the cloud services are accessed via a typical web browser. What access controls/authentication will be in place? What steps will the parties take to prevent DNS spoofing of the vendor's site? And, importantly, what are the respective obligations of the customer and the vendor to maintain security? While many individuals seem to have little concern with storing their photographs, their emails (such as via Gmail) and, on social networks, much of their lives on the cloud, businesses may feel differently about their trade secrets and other confidential information. What assurances can the Chief Technology Officer give the Chief Executive Officer that their data are "safe" in the cloud?
Finally, "cloud computing" has progressed less to date in the government contracting marketplace. This will change. One factor holding back the development is a lack of uniform standards. However, the National Institute of Standards and Technology is currently at work on developing more uniform requirements for private firms seeking to offer cloud services to the government, which should help. Cloud providers will also need to be able to accommodate specific government data security restrictions.
A threshold question for government agencies, many of which routinely handle very sensitive data, is whether data are more secure in the cloud (when operated by private companies with extensive IT capabilities) or in government-owned databases. Private firms often may have greater IT capabilities and financial resources; on the other hand, while government agencies may not always have the optimal resources, they may have a superior understanding of the agency's mission requirements and believe that the safer course is to house data locally, rather than in the cloud. However, data security issues afflict both private firms and government agencies, and the choice may vary according to the circumstances.
There are many other legal issues implicated by "cloud computing"; this summary merely touches on some of the more prominent ones.