Archive for May, 2011

Cloud Computing and the risk of Data Ransom

There have been lots of articles about cloud computing by lawyers. Most of them: i) have a dodgy pun in the title; and ii) bang on about data protection and the risk that your data is outside Europe.

That is not what I am going to write about. Partly because it’s been done to death, and partly because I think DP law is dull (sorry Grant and other data law lovers).

I am going to talk about data ransom in a cloud or hosted environment. That is the risk that your supplier goes bust and you have to buy your data from an administrator/receiver, or that you get into a commercial dispute with your supplier and they either turn off your service or ransom your data.  Both are possible scenarios.

Remember that administrators are legally bound recover as much money as possible for the creditors. They are also not too bothered what your contract with the insolvent company says.  These facts can make them quite interesting to deal with!

On the commercial dispute side it is traditional for purchasers to manage suppliers by withholding payment on invoices or similar. But with cloud or hosted apps the power has shifted – if the purchaser withholds payment then the supplier can probably turn off the service. Gulp!  Worse imagine you have decided not to renew the contract, and your supplier starts being “sticky” about handing over your data to the new supplier. Remember “sticky” could include giving the new supplier all your data, but in an incomprehensible format.

So what do you do ?

Contractually

  • Have an obligation to get a weekly or daily back-up of your data delivered to you in a format you could decode.
  • In fact why not take advantage of virtualisation technology and get a virtual copy of “your environment” and related rights to run it on your servers. (I have been putting this in contract for about a year – so far I have not seen anyone else do this).
  • Have strong exit management provisions (preventing the supplier mucking you around on exit).
  • Have a source code escrow agreement.  Note from a “self-help” basis these are probably useless (partly) because you may not have the object code; but having the right to get the source code will give you bargaining position against an administrator/receiver *.

Practically

  • Actually Enforce any of the contractual rights described above (it is probably too late to start enforcing them once the “ransom” starts).
  • Make sure your lawyer really understands concepts such as cloud, source code and virtualisation (this is an undercover sales pitch).

Not one dodgy pun!

*  I find a lot of lawyers still ask for source code escrow in a hosted app environment (where the client doesn’t even have the object code) not because of the reasons I have outlined but simply because the turnkey contract they are using as a style has an escrow clause in it. This strikes me as fairly dumb. Rant over.

Bribery Act 2010 – have you reviewed your policies and procedures?

When the Bribery Act finally comes into force on 1 July 2011 it will be the most substantial change to the UK’s corruption laws since 1916. The Bribery Act creates a new offence for commercial organisations. This is a key development for companies and other commercial organisations as an organisation will be guilty of an offence where a person “associated” with it bribes another person to obtain business or a business advantage.

Why is the new Act relevant to procurement?
The new Act is relevant not just to the “sales” side of businesses, but also to procurement, where those involved in tendering, purchasing, and procurement need to be aware of what might constitute the receipt of a bribe (and therefore an offence) under the new legislation.

Importantly, the commercial organisation will be presumed guilty if they do not have “adequate procedures” in place designed to prevent bribery.

What should we be doing?
Businesses should put in place “adequate procedures” now to minimise the risk of criminal prosecution when the Act comes into force. Your adequate procedures should set out clearly your company’s approach to, amongst other things, the giving and receiving of corporate hospitality and the rules governing your procurement processes (which may need to be updated to reflect the new laws).

How can Brodies help?
Our Regulatory Compliance team can help your organisation to plan for the Bribery Act, for example by assisting with the development of internal policies and providing training to help ensure your business is protected when the Act comes into force. If you would like to discuss this further then please send me an email or get in touch with your usual TIO Group contact.

For more information, see my colleague Susheela Math’s blog post over on Brodies’ PublicLawBlog, or our Regulatory Compliance team’s recent legal update.

Giggs, Twitter and Unmasking Anonymous posters

There are lots of interesting legal angles to the current storm in relation to super injunctions, and the Brodies’ public law team has already blogged about some of them (including the question of whether the Sunday Herald was caught by an English super-injunction).

However, I wanted to pick up on the action taken by Ryan Giggs against Twitter in order to get Twitter to give details of the Twitter users who were naming him as a super injunction holder.

This is not unusual. Quite often a party (or brand owner) objects to on-line comments made under cover of a user name (such as @BrodiesTechBlog on twitter).   However, in order to go to Court against that user you need more than a username, you need the actual name and address of the poster.

How do you get that name and address?

Well, you could ask the hoster, i.e. the person who hosts the relevant forum (in the Giggs case Twitter), to disclose the name and address. However, most hosters won’t give up this information unless compelled to by a Court Order (because of the fear of breaching data protection law).

So you raise proceedings against the hoster to get that court order.   Typically the hoster won’t defend that action (in order to minimise costs).   (In fact yesterday the European boss of Twitter confirmed  that Twitter would comply with any court order to disclose personal details of users. )

In England these orders against hosters are known as Norwich Pharmacal orders (after the first case in which they were used).   Scotland provides for a largely parallel type of order.

My experience is that because the actions are not typically defended by the hoster you can get the order quite quickly/cheaply, and when presented with a Court order the hoster will cough up the information fairly quickly.

Of course all that legal work only gets you the name and address of the person you actually want to sue!  It also assumes that the information the hoster holds is complete and accurate (it’s pretty easy to set up a fake email address).

One final word of caution. Quite often suing an online “nutter” is much more trouble than it is worth because the nutter will: (i) become more determined/vitriolic; and (ii) use the fact that you are taking court action to paint you as a bully or having “something to hide”. To put it another way, when thinking about enforcing legal rights always remember the PR angle (something that certain footballers would be well advised to consider in the future).

New cookies law – update from the ICO on timetable for compliance and example consent mechanism

I promised an update and here it is.

Following my blog last Friday, the UK Information Commissioner has this morning announced that website operators will have a period of one year to comply with the new rules on cookies.

As flagged in the Commissioner’s previous guidance note, that does not mean that website operators can wait 364 days before making the changes though. The new laws come into force tomorrow (26 May), but provided a website operator can show that it is taking steps towards compliance, the Commissioner is unlikely to take enforcement action during the one year transition period.

Example of how to obtain consent under the new rules
The ICO website also gives an example of how organisations can modify their websites to ensure that consent is obtained in accordance with the requirements of the new rules. In the ICO’s case, a pop-up box appears at the top of the webpage, giving details of cookies used, a link to more information, and tick box consent.

The site looks like this:

The ICO’s privacy policy also gives an example of the level of detail that the ICO presumably expects website operators to provide to users in relation to the cookies used on a site. Amusingly, once of the ICO’s cookies is a cookie that records a user’s acceptance of the use of cookies!

Should I follow the ICO’s approach?
Whilst the ICO is not mandating that organisations follow its approach (accepting that cookies are used in different ways on different sites, and that its approach may not be the best one*), it does provide some helpful guidance. The information in the pop-up window used by the ICO is not as detailed as I had expected. It is also clear from the ICO’s approach that it is still acceptable to have an “all or nothing” approach to cookies, rather than having to give the user the detailed options on accepting some but not other cookies on a website. You can find an explanation of the ICO’s approach on its website.

*Rather unhelpfully, the ICO already accepts that its approach may not be perfect, and is effectively reserving its right to change its approach – in a Tweet a few moments ago, it said “Our response to cookie rules is our solution for now – we think it’s a good start but not perfect. Other ideas welcome!” If the regulator openly admits that it cannot decide on how best to comply with a law, then its not surprising that it is giving organisations a year to comply.

New rules on the use of cookies and apps

The UK Information Commissioner’s Office (ICO) has published some much-needed guidance for website operators on compliance with recently published amendments to the e-privacy regulations governing the use of cookies and apps.

Background
Cookies are commonly used to help websites deliver a better user experience, for example by identifying the user and therefore providing a more personalised experience, for example by remembering the user’s settings, avoiding the need to log-in to a website, remembering the contents of a shopping basket, or providing more intuitive results in search engines. However, by their very nature, cookies invariably involve the collection of data from and about the user.

In November 2009, a new EC directive was passed, requiring member states to implement a number of new rules in relation to telecoms and privacy. The rules, which the directive requires be implemented by 25 May 2011, include new rules in relation to seeking consent from users in relation to the use cookies and similar technologies that store or allow access to information stored on a user’s device, for example apps installed on smartphones and other mobile devices that circumvent the need for a conventional web browser.

Following a period of consultation, the UK government finally published the amending regulations in late April, which will come into effect on 26 May 2011.

What do the new regulations say?
Under the old, 2003, regulations, website operators were simply required to provide users with information about the use of cookies and give the user the opportunity to “refuse the storage of or access to that information.” Under the 2009 directive, as implemented, this has changed. The law now requires that a user:

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information [ie the cookie]; and
(b) has given his or her consent.

The effect of new limb (b) is that users now need to give prior consent to the use of cookies.

Ok, so what does that mean?
Historically, website operators have generally sought to comply with the 2003 regulations by putting information on cookies in their privacy policies and allowing users to use browser controls to opt out.

Whilst new regulation 3A expressly contemplates that the consent may be capable of being signified “by a [user] who amends or sets controls on the internet browser”, the UK government’s opinion that current cookie controls in web browsers are not sufficient to meet the new test for limb (b) above as they do not have the necessary level of sophistication to distinguish between different types of cookies. The UK government is working with browser manufacturers, presumably as part of a pan-European approach, to to discuss how cookie controls can be modified.

In order to help website operators comply with the new rules, the UK ICO has recently published a guidance note.

Here are the key points.

Exceptions to the rule
Consent is not required when a cookie is “strictly necessary for the provision of an information society service requested by the subscriber or user” – the ICO gives this a narrow interpretation (the example given is for an online shopping basket), that specifically excludes cookies that simply make a website more attractive or easier to use. It’s not clear how this might apply to apps.

Audit and review
The ICO recommends a three stage approach:

  • audit whether cookies are needed, and how they are currently used
  • assess how intrusive its use is; and
  • decide on the best solution for obtaining consent.

Methods of obtaining consent
Acknowledging that current browser controls are not sufficient, the ICO suggests a number of methods for satisfying the consent test:

  • using a pop-up window or similar technique when the user first logs on to a website or installs an app;
  • using terms and conditions by obtaining, positive, up front acceptance from the user to terms and conditions that clearly set out how cookies are used before the cookie is deployed;
  • settings-led consent for cookies that remember a user’s settings;
  • feature-led consent by asking for consent at the point at which a feature/function is first utilised by the user
  • functional uses (for analytic cookies) by displaying a prominent/highlighted message notifying the user and providing a link to more information and how to make a choice (although its not clear how the ICO invisages that the user rejects this particulr type of cookie)
  • third party cookies – although the ICO rather unhelpfully says here that it is complex and “everyone has a part to play” in working out a solution here.

Further details on each of these approaches are discussed in more detail in the ICO’s guidance note.

So how long do I have to comply with the new rules?
As noted above, the new regulations come into force on 26 May, but the ICO acknowledges that there needs to be a phased approach to implementation, and therefore that in the event of a complaint the important thing is that the organisation can show that it is taking steps to comply with the new rules. However, it is not clear for how long this grace period will apply.

The ICO has said that it will issue further guidance in due course, so watch this space or follow @ICOnews on Twitter.

Updated 25/05/11 – the ICO has today announced that website operators will have a period of one year to make the necessary changes to their websites.

“Midnight Movies”, ACS Law and the ICO

The Information Commissioner has been criticised for levying a monetary penalty of just £1,000 against a law firm whose severe security shortcomings led to the sensitive personal data of 6,000 people being made available online.

ACS: Law, led by solicitor Andrew Crossley, was conducting a widespread speculative invoicing campaign which involved accusing thousands of people of illegal file sharing and charging fines (which Douglas discussed a few months ago).  However, the scheme came unstuck when “hacktivism” group Anonymous took umbrage with Mr Crossley’s tactics and launched a “denial of service” attack.   The attack made the ACS: Law website “collapse”, revealing details of individuals accused of illicit filesharing which had previously been hidden from unauthorised access.

Reports of the incident have suggested that the breach was aggravated because it revealed details of illegally downloaded pornographic films, meaning that not just any old personal data was disclosed, but “sensitive personal data” as defined under the Data Protection Act 1998, pertaining to individuals’ sexual lives.

Of course, as all diligent data protection lawyers know, details of the commission (or alleged commission) of any offence already constitutes “sensitive personal data” under the DPA. So I’m not really sure why the “midnight movies” needed to be mentioned at all. It wouldn’t be just to make an article about data protection seem a wee bit saucier, would it?

Information Commissioner Christopher Graham said that the severity of the breach would have warranted a fine of £200,000, but he believed that Mr Crossley was not in a position to pay. (The ICO does not have the power to audit people’s accounts, but instead obtained a sworn statement from Andrew Crossley on the state of his finances.)

Privacy campaigners are now concerned that the decision introduces a loophole for companies wishing to evade ICO monetary penalties. I’m not convinced. Surely pretending to be bankrupt is even worse for your reputation that failing to protect personal data?

The forecast: clouds, with grey linings, perhaps turning to silver later

Samsung has today announced the first publicly available laptop based on Google’s Chrome OS. The laptop is aimed at both consumers and corporate users.

What’s different?
Unlike many laptops and netbooks, Samsung’s new laptop comes with only 16 GB of (solid state) storage for files. By way of comparison, my MacBook that I bought last year came with a 320GB hard drive (20 times larger). Of that 320GB, approximately 70GB of that is taken up by photos, music and videos (including a staggering 25GB of which relates to photos and video from my wedding and honeymoon last year).

So why is the storage space on a Chrome laptop so small? The reason is that users won’t store any files on the laptop itself. Instead, the user will use remotely hosted applications like Google Docs and store its files in a “secure” space in the Cloud. Google and Samsung cites a number of advantages of this approach – if the laptop breaks or is stolen, then the data won’t be lost, and because applications and files are hosted remotely, the computing power required at the user end is much less; ergo a Chrome OS laptop is much cheaper to buy.

We are seeing an increasing interest in clients (both large and small) adopting cloud computing and virtual desktops – finally realising the dream that Sun had for its thin JavaStation clients back in 1996 (I remember this well – I wrote a dissertation on it when doing Higher Computer Studies). As applications and files are hosted on a remote server, it means that users require only a very basic computer, meaning lower upfront and support costs and more flexibility to support various ways of working.

Dark clouds on the horizon
But as we saw a couple of weeks ago, the Cloud is not infallible. Leaving aside a reliance on patchy (and often slow) 3G coverage and wifi for mobile users in the UK, there are a number of risks. Users of Amazon’s EC2 cloud computing service suffered a major outage, leading to some users being affected for up to four days. The outage knocked out a number of businesses and arose notwithstanding a number of failover systems that Amazon claimed to have in place to prevent this sort of thing from happening.

Whilst a consumer may consider such an outage to be a risk worth taking given the cost and convenience benefits of using the Cloud, I suspect that businesses may take a different view. Reports have confirmed that because of the way the outage occurred, Amazon’s outage didn’t actually trigger a breach of Amazon’s service level agreement, meaning that users had no automatic entitlement to service credits (although on this occasion Amazon has made a discretionary award of compensation to affected customers). That’s a tough one for a CIO to explain to his CEO – not only did the service fail, but there isn’t even a right to any service credits.

Raining on the Cloud’s parade
The Amazon outage also highlights the risks of, to mix some more metaphors, putting all your eggs in one cloud. If a business is dependant upon the Cloud in order to trade or for its employees to carry out their day to day duties (because all data is hosted remotely), and is also dependant upon a single cloud vendor, then it needs to look very carefully at the business continuity, and DR provisions that the cloud vendor has in place and consider if those are sufficient.

Similarly, if all your data is hosted by a third party in the cloud, then you may be reliant upon that third party to ensure that your data is backed up, and may also need to consider how you can get it out of the Cloud at the end (particularly when using software as a service applications). See Damien’s previous blog on this.

Wrapping up a bad couple of weeks for the Cloud, the hacking attack and theft of data from Sony’s PlayStation network also emphasises the importance of ensuring the security of data (personal or otherwise) held in the Cloud. Just playing some Rolling Stones isn’t going to be enough.

I don’t doubt that the Cloud will continue to grow in importance, but these recent events show the legal and commercial risks associated with cloud computing, and a number of the issues that cloud providers need to overcome before the market will fully mature. In the meantime, businesses seeking to move to Cloud will need to ensure that they read the small print and carry out appropriate diligence on their proposed supplier(s).

Upcoming Seminars involving Techbloggers

There are a few seminars coming up where our Techbloggers are speaking.

First on Thursday 5th May John McGonagle and Iain Rutherford are presenting a seminar called “Contract clauses guaranteed to get you into trouble…and how to fix them”, The seminar is in Brodies’ offices in Glasgow, with breakfast from 0830 and the seminar properly kicking off at 0900. 

There are still places available.

You can use this link to register for this seminar, and the others seminars mentioned below.

All the seminars are free to attend.

John and Iain are re-running the seminar in Edinburgh on Thursday 12th May (same times).

Finally Iain is doing a separate seminar with Cambell Newall, Trade Mark Agent of Marks and Clerk and Robin Gribbon, Forensic Accountant, HW Forensic.  This seminar in called ” Protecting the brand – Trademark registration and enforcement”. It’s in Edinburgh on Wednesday 11th May starting at 1730 and running to 1900.

Hope to see you there.


Twitter: @BrodiesTechBlog feed

May 2011
M T W T F S S
« Apr   Jun »
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

%d bloggers like this: