Amazon's Wikileaks Rejection Raises Cloud Trust Concerns
When the Wikileaks "cablegate" scandal broke last week, those behind the whistle-blowing Website found their servers under heavy load. No surprise there, of course, but an additional DDoS hack attack didn't help.
To remedy the situation, Wikileaks did what anybody else would do by renting some elastic space in the cloud to take up the strain. They chose Amazon Web Services, which, although initially unperturbed by the move, yesterday removed Wikileaks' material without an explanation or apology. It appears Amazon came under political pressure to do so.
This raises big issues about First Amendment rights, but that aside, all businesses seriously need to consider this: In an idyllic future where we make heavy use of the cloud, what happens if a cloud service provider removes content it deems inappropriate, or just doesn't like?
What would a business do if this happened, bearing in mind that it could be tied into a service contract? Should the logistics of potentially sourcing an alternative provider be factored into any cloud migration plan? Indeed, should a business employ two cloud providers, used in parallel, with one kept as a strategic backup?
With questions like this, moving wholesale into the cloud is starting to seem a little naïve and hasty.
It boils down to what cloud providers consider to be objectionable material. Most service agreements are a little vague on this point, perhaps deliberately so. Amazon's Web Services Customer Agreement says the following, which is wildly open to interpretation and could theoretically let them remove just about anything:
11.2. Applications and Content. You represent and warrant: [...] (iii) that Your Content (a) does not violate, misappropriates or infringes any rights of us or any third party, (b) does not constitutes defamation, invasion of privacy or publicity, or otherwise violates any rights of any third party, or (c) is not designed for use in any illegal activity or to promote illegal activities, including, without limitation, use in a manner that might be libelous or defamatory or otherwise malicious, illegal or harmful to any person or entity, or discriminatory based on race, sex, religion, nationality, disability, sexual orientation, or age;
Even if the service agreements were crystal clear about what is and isn't acceptable content, there will be many borderline cases that could fall either way. Anybody using cloud services could potentially be at the mercy of unaccountable arbiters within the organization.
I formerly worked at a magazine publisher that employed models for the cover photographs. Typically we'd receive the model's portfolio to take a look at via e-mail, and often this would include nude photography. If that company had been working within a cloud environment, would storage of this material be objectionable?
Admittedly my example is specialized, but it's not hard to think of examples in other industries. Law firms frequently have to deal with extremely unpleasant materials as part of their work. Could they store horrific images and videos on a cloud service? Could they store potentially libellous materials?
Are cloud companies going to start making a distinction between storing materials that have a genuine business need (OK), and those that are stored solely for enjoyment (not OK)?
On the other hand, if cloud services do espect the First Amendment, would they be happy hosting content such as material for pedophilic Websites?
Where does their legal liability start and stop? Bearing in mind that cloud computing is a radically different prospect compared to simple Web hosting, will cloud computing need its own set of laws and regulations? Will the wise IT manager wait until various lawsuits have proved what is or isn't acceptable when it comes to the cloud?
The other issue raised is how easily cloud services will hand over material to government agencies when requested. Keeping a server computer within your premises allows property rights that prevent law enforcement getting their hands on it without significant hassle. How much hassle would law enforcement agencies need to go through to get Amazon to roll over?
Could law enforcement agencies deliberately cause disruption for a business by getting the cloud service to deactivate or suspect their account? It isn't hard to imagine, is it?
Encryption provides some solutions, of course, and no data should be stored unencrypted in the cloud. However, often there's a need to provide material to third parties in "clear" form. Yet a whole new set of questions about content is raised by encryption. Is objectionable content still objectionable when it's essentially a meaningless garble of data that makes sense only to somebody with a decryption key? Is a cloud service's ultimate legal defense going to be that it simply has no idea what's stored on its cloud?
There's a risk of navel gazing here, but following all logical and legal paths is something anybody involved in a migration to cloud computing will have to do. If not, they could be left very red-faced.
At the moment, it feels like we're at the beginning of the beginning of understanding the nature of cloud computing. Only the brave would dive in at this point in time.
Keir Thomas has been writing about computing since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com and his Twitter feed is @keirthomas.