Kuan Hon, research consultant to the Cloud Legal Project, recently came to CERN, near Geneva, Switzerland, to discuss the work she and her project colleagues have been doing. She tells iSGTW why it's important for researchers, businesses, and citizens alike to better understand the legal implications of entering into cloud computing contracts.
What is the Cloud Legal Project?
Since 2009, the Cloud Legal Project has been investigating the legal and regulatory implications of cloud computing. The research team is based at the Centre for Commercial Law Studies at Queen Mary University of London, UK.
How did the project start?
In 2008, Christopher Millard, professor of privacy and information law at Queen Mary University of London, was approached by Microsoft, who were keen to set up an academic research project about cloud computing. The project is actually funded through charitable donations from Microsoft, but it's academically independent.
Why is it important that researchers, companies, and citizens better understand the legal implications of cloud computing?
People need to better understand their liabilities and rights. In some ways, the issues around cloud computing are similar to those businesses face with traditional outsourcing, but in other ways they can also be very different - especially because of so-called 'layering' of clouds.
Could you perhaps explain how you feel cloud computing can differ from traditional forms of outsourcing? And what are the legal ramifications of this?
Well, a lot of data protection laws for example are based on 1970s-style computer service bureaus, where you hand over your data and simply tell them what you'd like them to do with it. They then actively process the data in accordance with your instructions and send it back to you when no longer needed. But cloud computing is not really like this: it's much more like 'self-service'.
The analogy I like to use to explain all of this is cooking: using traditional outsourced data processors is like hiring a caterer to cook food for you. However, using cloud is much more like renting a kitchen where you can cook food yourself - I suppose that would really be the equivalent of 'infrastructure as a service' (IaaS). With 'platform as a service' (PaaS), it would be more like renting a kitchen that's specifically equipped to produce, say, Indian food. And with 'software as a service' (SaaS), it would be like getting a ready meal and then cooking it yourself.
It can be very difficult to properly apply the laws that were designed for traditional outsourcing (hiring caterers) to cloud computing (renting kitchens), because it's an entirely different beast - the laws really don't translate very well.
Do you think these problems stem from a lack of expertise in this field among lawmakers?
Law always lags behind technology - just look at copyright issues for instance. And, because the pace of technological change is now so fast, it's getting even harder for the law to catch up. Nevertheless, it's important for businesses to know what the laws are and do the best they can to comply with them.
My colleagues and I published a research paper about negotiating cloud contracts in Stanford Technology Law Review in 2012. In this paper, we reported on anonymous interviews we'd conducted with business users, cloud providers and other cloud market players such as integrators and law firms, discussing in depth the issues that were most hotly negotiated in relation to cloud contract terms. Some interviewees reported that certain users would simply take a calculated risk and use cloud computing even when they may be in danger of breaking laws, because of the difficulty or even impossibility of complying with pre-digital laws in the cloud.
As well as conducting these interviews, what other methods and approaches have you been using within the project? And what are the other specific legal issues you've been investigating?
Well, the first big round of research we did looked at the standard terms of cloud providers' contracts. We compared these standard terms for about 30 different cloud providers and then we repeated this exercise again just last year. This was interesting, because it revealed patterns in how these terms have changed over time. Following on from that, we also conducted research into negotiated cloud contracts.
All of that's just one strand of what we've been doing though. Additionally, we've conducted research into and have published papers on the UK G-Cloud program, ownership of information in clouds, competition law, access to cloud data by law-enforcement agencies, data protection (four papers), consumer protection, and cloud governance. The results have been collected and updated in a book published by Oxford University Press in late 2013, Cloud Computing Law (edited by Christopher Millard).
What have been the main findings of the project so far?
For cloud users, the take-home message is that you should make sure that you always really know what the contract terms are and that they suit your risk profile. It's also vital to carry out a risk assessment in which all departments of your business are involved, such as procurement, IT, risk and legal. Too many organizations have found their employees engaging in 'bring your own cloud', directly using cloud services with just a credit card or for free, without going through procurement. This is invariably on the cloud provider's standard terms, which involves legal risks for the business.
When businesses adopt cloud computing solutions, it's important to involve lawyers at the earliest possible stage of negotiating the contract. Businesses may be reluctant to do so because of the cost involved, but it can be much more expensive for the organization if something goes horribly wrong.
How important is education in all of this? How can you make businesses, researchers, and citizens more aware of these issues you've raised?
Education and awareness-raising are really important in all of this. People need to know about the importance of backing up data, encryption where possible, checking the liability positions of cloud service providers, and so on and so forth. Security awareness also needs to be improved, too. Of course, it's easy to say all of this, but how you actually go about raising people's awareness of this can be very tricky. The European Commission has said it wants to take action on raising awareness and promoting skills in its 2012 communication on unleashing the potential of cloud computing in Europe, while entities like The Cloud Security Alliance are trying to promote best practices and provide education on cloud security.
Finally, what's next for the Cloud Legal Project?
We've recently started a collaboration with Cambridge University's Computer Laboratory, which I'm very excited about. This should provide lots of opportunities for multi-disciplinary projects and papers. It's still very early days yet, but the computer scientists at Cambridge can delve into the technologies involved in cloud computing, while we can do the same in terms of the laws surrounding the use of these technologies, and hopefully our joint research will yield new insights.