When it comes to contracting for a computer service, there is little choice but to hope for the best. Small or mid-size companies, especially those located outside the United States, are betting they’ll never have to go to court – usually one located 11,000km and thousands of dollars in legal fees away. Let’s face it: contracting with a large American company is a jump into the unknown. Agreements are written in an obscure form of English, often presented in PDF format, transparently implying modifications are out of the question. Should you consider litigating, be prepared to make your case before a judge located on the West Coast of the United States. The not-so-subliminal reading of such contracts: ‘Sue me…’, with a grin.
The Cloud’s rise to prominence makes things worse. A growing number of companies and individuals hand their data to a remote infrastructure offering little hope of any legal leverage. The Cloud is the ultimate form of the outsourcing cascade. A US-based company rents capacity wherever electric power is cheap, connections reliable, and climate friendly to server farms’ cooling towers. As world connectivity expands, so do eligible regions. (While doing research for this column, I found Greenland was served by a 960 Gbps (Gigabit per second) undersea cable linked to Iceland. In turn, the volcano island is linked to the rest of the world via the huge 5 Tbps “Danice” cable). Datacenters are sprinkled over a number of countries and workload moves from one server farm to another as capacity management dictates. At this point, no company knows for sure where its data reside. This raises further legal hurdles as Cloud operators might be tempted to deploy datacenters in less stable but cheaper countries with even looser contractual protections.
European lawyers are beginning to look at better ways to protect their clients’ interests. A couple of weeks ago, I discussed the legal implications of Cloud Computing with Guillaume Seligmann, the lead tech attorney at the law firm Cotty Vivant Marchisio & Lauzeral. (He is also an associate professor at l’Ecole Centrale, a prominent French engineering school). ‘When it comes to Cloud Computing, the relationship between the service provider and the customer is by nature asymmetrical’, he says. ‘The former has thousands if not millions of customers and limited liability; in case of litigation, it will have entire control over elements of proof. As for the customer, he bears the risk of having his service interrupted, his data lost or corrupted — when not retained by the supplier, or accessed by third parties and government agencies’.
In theory, the contract is the first line of defense. ‘It is, except there is usually little room for negotiation on contracts engineered by expert American attorneys, based on US legislation and destined to be handled by US judges. Our conclusion is that solely relying on contracts is largely insufficient because it may not offer efficient means of sanctioning breaches in the agreement’.
The CVML partner then laid out six critical elements to be implemented in European legislation. These would legally supersede US contractual terms and, as a result, better protect European customers.
1 / Transparency. Guillaume Seligmann suggests a set of standard indicators pertaining to service availability, backup arrangements and pricing – like in the banking industry for instance. In Europe, a bank must provide a borrower with the full extent of his commitments when underwriting a loan. (Some economists say this provision played a significant role in containing the credit bubble that devastated the US economy).
2 / Incident notifications. Today, unless he is directly affected, the customer learns about outages from specialized media, rarely through a detailed notification from the service provider. Again, says Seligmann, the Cloud operator should have the obligation to report in greater detail all incidents as well as steps taken to contain damage. This would allow the customer to take all measures required to protect his business operations.
3 / Data restitution. On this crucial matter, most contracts remain vague. In many instances, the customer wanting to terminate his contract and to get back his precious data will get a large dump of raw data, sometimes in the provider’s proprietary format. ‘That’s unacceptable’, says the attorney. ‘The customer should have the absolute guarantee that, at any moment of his choosing, he will have the right to get the latest backed-up version of his data, presented in a standard format immediately useable by another provider. By no means can data be held hostage in the event of a lawsuit’.
4 / Control and certification. Foreign-headquartered companies, themselves renting facilities in other countries, create a chain fraught with serious hazards. The only way to mitigate risks is to give customers the ability to monitor at all times the facility hosting their data. Probably not the easiest to implement for confidentiality and security reasons. At least, says Guillaume Seligmann, any Cloud provider should be certified by a third party entity in the same way many industries (energy, transportation, banking) get certifications and ratings from specialized agencies – think about how critical such provisions are for airlines or nuclear power plants.
5 / Governing laws. The idea is to avoid the usual clause: “For any dispute, the parties consent to personal jurisdiction in, and the exclusive venue of, the courts of Santa Clara County, California”. To many European companies, this sounds like preemptive surrender. According to Seligmann’s proposal, the end-user should have the option to take his case before his own national court and the local judge should have the power to order really effective remedies. This is the only way to make the prospect of litigation a realistic one.
6 / Enforceability. The credibility of the points stated above depends on their ability to supersede and to render ineffective conflicting contractual terms imposed by the service provider. In that respect, the European Union is well armed to impose such constraints, as it already did on personal data protection. In the US, imposing the same rules might be a different story.
The overall issue of regulating the cloud is far from anecdotal. Within a few years, we can bet the bulk of our hard drives – individual as well as collective ones – will be in other people’s large hands: Amazon S3 storage service now stores 339 billion objects – twice last year’s volume.
We’ll gain in terms of convenience and efficiency. We should also gain in security.
— frederic.filloux@mondaynote.com
9 Comments
This doesn’t seem to really bother European subscribers. And if it indeed does, why don’t we see a flurry of European services competing with the ones set up by American companies? If there is money to be made, a better service to be provided (at least with better and required protections for the subscribers), then what is preventing European entrepreneurs from creating their own offer? Is it the lack of cash? Possible. Or is it that they could not compete with the prices of the existing offers, in a market where no one wants to pay a higher price for better services?
In short, cloud computing has airy legal grounds!
“Agreements are written in an obscure form of English” then what about using Bliss? http://fr.wikipedia.org/wiki/Bliss_(langage) or a pivot language?
All the matters treated in this article are very important. Why is it not the focus of political meetings (like the G8 or G20)? Or, if it’s better to let the private entrepreneurs make their rules, they should present them.
I feel this issue is overstated. A few comments:
Redundancy. Rule #1 for protecting your data is redundant backups. It’s foolish to rely on one source, including some high-falutin’ cloud service. We use multiple modes of backup, with security of each mode related to how critical the data is.
Competition. Won’t cloud services compete to offer all the features you want European laws to ensure? Transparency, notification, restitution, access, etc. Which approach—market-based or government-based–will better stay on top of market and tech developments? If services start playing lawyer games with customers, customers will flee to competitors who grasp customer service.
Unending proliferation. Most stuff that is backed up is garbage or duplicates. I estimate that 90% of the data we have backed up should be purged. Data glut—and subsequent inability to access what we’re looking for—is a hundred times more costly than loss caused by backup or security breakdown.
In short, excellent article.
@Mike
Just waiting for the market to auto-magically correct the service agreement issue is calling for trouble, or a deliberate attempt at keeping the current trend as it is. This was already witnessed countless times, especially in IT (so much industrial software is still sold as if it were a mere “art form” with no guarantee nor any liability, which is simply an abusive practice from the software industry).
Whenever the “market norm” is stabilizing at the provider’s advantage, it will remain so (or worsen) for a long period. There is no incentive for any actor, new or incumbent, to “kill the golden goose” by loosening the unlimited protection of such asymmetrical practices.
Although a bit outside of this Monday Note’s scope, your comment on data glut is completely correct, and a good reminder of another issue in these thrifty green days.
Well I do apologize but I will tout my own horn for a second here. One big issue among others with cloud services is transparency and auditability of work performed.
Relative link follows; I would greatly appreciate comments.
http://angelicquotes.wordpress.com/2011/04/06/cloud-transparency-service/
Marc has got this 100% right. Why beat up US providers? If you want to be protected by European law then host in Europe with a European company. If an affordable option doesn’t exist then you’ve hit a great business opportunity (after all, as you note, a lot of US companies put their data centres outside of the US to save money, so it must be possible).
Great article. As someone who works in a rather large US company, I can confirm firsthand how complicated an issue this is. You’d also be surprised how many companies sign contracts without reading them.
I think most companies don’t even realize the legal implications of signing these contracts, on the rare occasions we do get pushback, a common theme is that it’s more marketing related than about legal concerns (i.e. the company doesn’t want to risk bad press by having it revealed their user data is sent and stored to the US). If and when more European companies wake up to this problem, this could be a real game changer for either those who can adapt to European legislation the quickest or European startups that suck up all the business US companies forsake.