Archive for the 'Cloud' Category

Cloud computing and “data ransom” – it’s not a myth

Here on TechBlog we have mentioned on a couple of occasions (here and here) that one of the biggest risks arising out of the use of cloud computing/third party hosted services is the concept of “data ransom”.

That is, in the event that the contract terminates or the supplier becomes insolvent the customer is unable to get its hands on its data without handing over a chunk of cash.

According to a story in Computing Weekly last Friday about the insolvency of acquisitive data centre operator 2e2, that risk is no longer a hypothetical one.

Last week, the administrators of 2e2 contacted its customers (including a number of NHS Trusts) and told them that they required its customer base to provide nearly £1m of funding in order for the business to continue providing services. This is presumably in addition to the charges that the customers are obliged to pay.

The joint administrators’ letter to customers states that this funding is required in order to enable 2e2 to continue trading and allow customers to access their data and migrate to another provider:

As you will understand, we have received a number of requests from customers seeking to gain access to their data immediately and to transition services to alternative providers. Unfortunately, the levels of data held in the Companies’ Data Centres are such that this process could take up to 16 weeks and we will need to ensure that the integrity of third party data and security is maintained.

If its customers do not pay then:

We will be unable to maintain the datacentre infrastructure and we will have no alternative, other than to cease all operations without any managed wind-down of those operations.

For “without any managed wind-down” read “we will switch off the service without notice and without any assistance to help you access your data and transition elsewhere.” For any business that depends on the operation of the data centre for its livelihood, that’s a pretty frightening prospect.

Warning signs
In the case of 2e2, it seems that it had been suffering financial problems for some time.

In 2012, it was in court twice following the late payment of debts. It was also revealed that the annual interest payments on its debt were more than £20m a year (as against a turnover of around £40m).

A fortnight before the adminstrators were actually appointed, Channel Register also reported that 2e2 had breached its banking covenants in December and had reached its credit limits with suppliers.

These should all have acted as warning signs to customers that things weren’t looking good, and that action was required.

Contracting for cloud services
So what can you do?

  • First of all, don’t use a traditional IT services contract to contract for critical cloud/hosting services. It will likely be deficient. As will the supplier’s standard terms. It’s also essential that your lawyer understands how the cloud works, terminology, and why the risk profile is different to that for other ICT. If not, then your contract is unlikely to deal with those risks.
  • Carry out financial diligence on your supplier (and its parent company). How solvent is it? How much debt is it carrying? Can you get a parent company guarantee? Does the supplier actually own its kit/premises or is it leased? What happens if the supplier defaults on lease payments and the lessor wants its kit back?
  • Keep financial diligence under review by carrying out regular checks on the supplier.
  • Ensure that the contract allows you to terminate in the event that things look bad. Once a supplier has entered insolvency it will be much harder to transition away from the supplier. If the business isn’t viable as a going concern then the administrator is unlikely to be interested in your problems.
  • Ensure that your contract includes exit assistance provisions and that a draft exit plan is actually developed (and maintained) whilst things are going well.
  • Ensure that you have internal business continuity plan in place to deal with supplier insolvency. How critical is the supplier? What is your strategy? How do you mitigate the risks? Do you have dual suppliers (potentially expensive)?
  • Consider other technical measures. Source code escrow is pretty pointless for cloud (your immediate requirement is the object code and data, not the source code). How about ensuring that you get a regular of the data or a copy of virtual server?

Finally, think about auditing your existing contracts for cloud services. What do they say? Are you comfortable that you can quickly (and safely) transition away from the supplier? If not, now is the time to review them and ensure that you have appropriate provisions in place. Remember – the time to repair a roof is when the sun is shining.

Martin Sloan

iHard: Bruce Willis and ownership of downloaded content

It seems that last week’s widely-repeated story that Bruce Willis was preparing to sue Apple for ownership of songs downloaded from iTunes was unverified and probably untrue.

Journalists can be forgiven for hedging their bets however, as resale of digital assets a complex subject. In fact, you could say it is pretty “iHard” to understand.

A licence to use
When you buy a music download you are actually paying for a contractual right – a licence – to permit you to do something with that copyright work that would otherwise be contrary to the author’s copyright. (For further discussion of the bundle of rights which protect songs, read this Tech Blog from last September.) 

The licence will set out what you can do with the copyright work, e.g. listen to it in private, burn it to CD/download it to other devices up to a set number of times etc. If what you are doing is not expressly permitted under the licence then you are probably infringing copyright.

In this respect the rights obtained by a purchaser of a music download from iTunes are no different to the rights acquired by a purchaser of a CD from a high street store. If you buy a CD you own the physical CD, but you don’t own the songs on it.

The practical differences are that:

  1. the licensed products are embodied in a physical CD, permitting easy transfer; and
  2. the first-sale doctrine applies to CDs.

The first-sale doctrine provides that once copyright products embodied in a physical object are introduced in the market in a given territory, the right holder loses control of them, and they can be freely resold, lent, or given away by the purchaser. In other words, the purchaser of a CD containing songs has the right to resell, lend or give away their copy of the songs (although not copies of their copy – which is an important distinction.)

The first-sale doctrine
There are various historical justifications for the first-sale doctrine (market failure; the free movement of goods; the impossibility of controlling the uses of a purchased copyright work; enhancing the circulation of culture), and a very similar concept called “exhaustion of rights” exists in the EU.

The catch is that the World Intellectual Property Organization Copyright Treaty (the international treaty on copyright law adopted by the member states of the World Intellectual Property Organization, including the US and, through the Council of the European Union, the EU) limits application of the first-sale doctrine to “fixed copies that can be put into circulation as tangible objects- not intangible content distributed over the internet”.

This means that if the licence for a digital copyright work prevents making copies of it, or prevents transfer of the licence, then reselling, lending or giving away that work is forbidden. (The degrees to which major players such as Amazon and Apple explicitly forbid such transfer is a matter of licence interpretation, and tends to be debated amongst lawyers and academics.)

Posited potential “workarounds”, particularly in the case of death of the owner, include: creating a legal trust (though this seems far-fetched – you can’t change a licence through a trust); burning your media onto a device and bequeathing that device in your will; or writing down the password. As noted above, the legality of these methods will depend on interpretation of particular licence terms.

The distinction between physical and digital content appears increasingly untenable
The European Court of Justice recently ruled that, in relation to a computer program, the rights of the copyright owner Oracle in relation to a copy of is software had been exhausted – even though the software had been downloaded from the internet. 

The judgment addressed the distinction between tangible or intangible forms of the computer program, concluding (via a rather circuitous route that deeemed the Computer Program Directive to be a lex specialis of the Copyright Directive):

it must be considered that the exhaustion of the distribution right under [the Computer Program Directive] concerns both tangible and intangible copies of a computer program”

In theory therefore, although the judgment’s treatment of the tangible/intangible issue is far from the most robust reasoning you will ever read, this suggests that in certain circumstances exhaustion of rights in “used” digital content may be possible.  (If resale of software is an issue of particular interest to you, please read my colleague Martin Sloan’s in-depth summary of the judgement and his key points.)

Similarly, there is forthcoming litigation in the US regarding the legality of reselling of “used” digital songs. Capitol Records is suing ReDigi, a Massachusetts start-up which runs an online marketplace where individulas can resell music files. The legality of ReDigi’s business model will probably turn on whether it is making a copy of the song when it moves the “used” files it to its cloud servers. Capitol has insisted in its filing that copies are being made, claiming: 

While ReDigi touts its service as the equivalent of a used record store, that analogy is inapplicable: used record stores do not make copies to fill up their shelves”

As discussed above, making copies of copies isn’t protected by the first-sale doctrine, so ReDigi will have to prove that only a single copy of a song is being used throughout its entire sales process (as well as finding its own way around the tangible/intangible goods issue).

Hudson Hawk
In the meantime, I appreciate you may have been lured to this blog post on the promise of Bruce Willis, and been subjected to law instead.  So, in a wonderful scene from the unfairly maligned Hudson Hawk, let’s round things off by enjoying Swinging on a Star.

Reselling “used” software licences – what does the Oracle decision allow you to do?

Last week, the European Court of Justice (ECJ) published its decision in a long-running German case between a company called UsedSoft and the US software giant Oracle.

The case hit the headlines because the ECJ held that a software company such as Oracle could not stop a licensee from reselling his “used” licences for software distributed by means of a download from a website.

If you have already read a summary of the decision, or aren’t interested in the background facts, then skip down to the key points below.

The background
Under the directive on the legal protection of computer programs, the licensor of a computer program loses his right to control onward distribution of a copy of that program when that copy is first sold in the EU. This is known as the principle of exhaustion.

So, if I go to PC World and buy a copy of a Microsoft product on a CD, then Microsoft cannot stop me subsequently selling that copy on to someone else. This has led to a bouyant market for, amongst other things, second hand computer games, where national retailers sell second hand games alongside “new” games.

UsedSoft’s business provided a means of users selling unused licences for Oracle software.

Under the licence granted by Oracle for its client server software, licensees download the computer prgram from the Oracle website. The user is then licensed to store that program permanently on a server and allow up to 25 users to access it, downloading it onto their workstations.

Oracle argued that UsedSoft’s business breached the terms of its licence, as the licence contractually restricts the licensee from transferring its rights to a third party, and that the provisions in the EU software directive did not apply to downloads.

The ECJ’s decision
The ECJ disagreed with Oracle’s argument, holding that the principle of exhaustion applies regardless of the means by which software is distributed.

In other words, the licensor of a computer program (whether on CD or a download) cannot stop a user in the EU from “selling” on his licenced copy to a third party, and any licence term purporting to vary that right is invalid.

The principle behind the decision is good news for those that buy computer programs online (pretty much anyone these days). Remember – this applies not just to enterprise software like Oracle, but also to games, consumer software and mobile apps.

Key points to note
There are some key points to note from this decision:

  • The decision only applies to software that is licensed on a perpetual basis – this point appears to have been overlooked in many commentaries. In other words it applies only to licences that are not limited in duration. So this decision does not apply to any software that is, say, subject to renewal by payment of an annual licence fee.
  • This means that many organisations’ Microsoft licences may fall outside its scope – for example, where those products are licensed under Microsoft’s Software Assurance model, as the licence under SA only becomes a perpetual licence at the end of the SA contract and upon satisfaction of certain conditions.
  • The principle established by the court applies to the copy of the program “as corrected and updated”. So the copy that may be transferred is the version as updated under any maintenance agreement, even if that agreement has now expired.
  • The principle does not extend so as to allow a licence for multiple users to be subdivide a licence (such as the block of 25 licences sold by Oracle) and resell only part of it, but depending on how the licence is structured you may be able to sell a number of seats where the software is licensed on a per seat basis.
  • Once you have sold your licence for a downloaded program to a third party, you have to delete it from your device and stop using it. This should go without saying (and applies equally to software that has been installed from a CD that is subsequently resold), but it’s worth re-emphasing the point. It may be easier said than done. How will software companies manage the risk that licensees just skip this step and sell on the licence regardless?
  • This decision has no impact on applications provided on a SaaS or cloud basis, even where the user has locked into that cloud vendor's service for a fixed period of time.

Will software companies change their licensing/distribution models?
The move to providing software through website downloads allowed vendors to try and avoid some of the legal issues associated with distributing a copy of their software in a tangible form, such as a CD or DVD. Restricting the ability of users to sell on licences for downloaded software has provided vendors with another revenue stream.

With this ruling, it will be interesting to see whether software vendors once again restructure their distribution models to try and regain control over the rights of users to dispose of surplus licences.

For that reason, I wouldn’t be surprised if perpetual licences for enterprise software become a thing of the past for some vendors, with a move towards combined licence and maintenance agreements that are subject to ongoing payments.

Will the decision affect the price of software?
It will also be interesting to see what impact this has on the price of both “new” and “second-hand” licences.

I remember attending a talk a few years ago by the chief economist at the PRS, who highlighted the impact that Amazon’s marketplace had on the price of new CDs on Amazon, as the (cheaper) price of the second-hand CD was displayed alongside the cost of buying the CD new. From a user’s perspective, there is no degradation in quality, so why buy the more expensive “new” copy? Conversely, the cost of the new CD included the artist’s royalties, production costs and other commissions for the record label, which did not need to be factored into the cost charged by the seller of a second-hand CD.

Could similar economics impact upon the cost of software?

Law Society cloud computing guidance: extra tips

The Law Society of Scotland recently issued guidance on cloud computing services following consultation with law firms, in-house counsel and cloud providers.

While some of the guidance inevitably reflects the particular duties that law firms owe to clients and regulators, the advice is clear and legible, there are no rubbish cloud puns, and overall it’s a valid read for any individual or organisation considering the acquisition of cloud computing services.  

There are however a few extra tips which it won’t hurt to mention.

Applicable law

Surprisingly, the guidance doesn’t mention applicable law and/or jurisdiction. Even a largely favourable contract may not be worth the paper it’s written on if you have to travel to a foreign country to enforce it, and the vast majority of cloud providers will typically offer the law of a particular US state as the choice of law in their standard terms.

Choice of law is usually more significant for UK SMEs or corporate customers because, unlike consumers, they won’t necessarily be protected from terms imposing a foreign legal system. (A further disadvantage of contracting on terms governed by US law is that they usually contain very broad disclaimers of warranty and/or limitations of liability.)

Data back-up

The Law Society guidance refers to back-up of data, noting that “you should carefully examine the SLA for the frequency the cloud provider will back up your data to a separate site”. I would go slightly further and say that you should check whether there is an obligation on the provider to back up data at all!

Some providers state that data integrity will only be guaranteed where the customer has paid for additional backup services, while others expressly disclaim the fitness of their services for back-up purposes! It’s therefore important that you understand who is responsible for maintaining back-ups, and if the provider’s offering is not sufficient what alternative steps can be taken.


Under the heading “responsibility for security” the Law Society guidance encourages firms to understand “the measures you can take to protect the security of your data “. Again, it may be necessary to go even further, and make sure that there are no express statements in provider terms which either disclaim any duty of confidentiality, or oblige the customer to use encryption.

If I have piqued your interest in the cloud, the Law Society is holding a Cloud Computing Glasgow event next Tuesday. I may see you there.

Apps and privacy – who is responsible?

California’s attorney general last week announced a new rule, seemingingly agreed with the major apps vendors (Apple, Google/Android, RIM, Windows, HP and Amazon), requiring mobile apps to have in place clearly displayed privacy policies.

Of course, for those of us in Europe, this is nothing new; European data protection laws have required this for years.

However, to date many app providers have paid little attention to privacy rules.

I think this is down to a number of factors:

  • Apps are generally sold through app stores operated by Apple, Google and Microsoft etc – but these companies only act as agents in the sale. When you buy an app, you are buying a licence from the company that made the app – not Apple/Google etc (unless it is one of their own apps). The app store providers are not responsible for that app or how it is used. They just provide the app store infrastructure and provide payment processing services;
  • The app store environment has made it very easy for anyone to create and sell apps – a genuine cottage industry, where a niche app can suddenly become very successful. But many small start-ups will launch an app without properly considering legal and regulatory requirements;
  • App stores tend to operate on a global basis. This means that most app providers are unlikely to be aware of local law requirements in many of the countries in which their app is sold. Use of Apple’s App Store in the UK may be subject to UK specific terms and conditions, but the licence governing the user’s use of the app will often still be subject to US law, with little attention paid to local laws.

In relation to this last point, data protection law is a good example. There is currently some debate as to whether or not cookies deployed by websites hosted outside the EEA are subject to EU data protection rules. The position with apps is analogous with apps sold by providers outside the EEA. As part of the proposed reform of EU data protection law, the European Commission is pushing to make clear that EU data protection laws will apply to all websites and apps used by users in Europe – even where the website or app provider is located outside the EEA.

As I note above, app store providers are not generally responsible at law for ensuring that apps on their platform comply with data privacy rules. It is the provider of the app itself. However, it seems that recent incidents (for example tracking of geolocation data and uploading of address books) has led the Californian Attorney General to go after the people best placed to force app providers to improve the privacy of their apps. We can assume that following this undertaking privacy settings will now form part of the app approval process.

So what should I do if I am designing an app?
First of all, you should have in place a privacy policy, which sets out what information your app collects, what is done with that information, why it is collected, and who it is disclosed to.

However, it’s not enough to simply provide a privacy policy.

  • The privacy policy needs to be written in a way that is clear and transparent.
  • Particular consideration needs to be given to sharing of data with third parties and ensuring that the third party’s privacy policy is incorporated and accepted – for example, an app that overlays data on a Google Maps interface.
  • The user’s informed consent needs to be obtained. The privacy policy cannot be hidden deep in the app. Some revised rules on obtaining consent were issued last year.
  • In particular, if the app collects/uses geolocation data then you need to consider how consent is obtained from the user.

Do you need to collect the data in the first place?
In her speech announcing the new rules, the Californian Attorney General said that the new rules do not change what a mobile app can or cannot do, but instead simply require the app to be upfront about what it is doing.

This may be the case under Californian privacy law, but one of the key principles of European data protection legislation is that the data collected is not excessive, and that the processing is fair and lawful. This means that you need to consider whether the data that you are collecting and the processing that you are carrying out is reasonable – do you need to track a user’s location or upload his address book just because you can? You can’t simply rely upon a user’s consent.

Privacy by design
Finally, app developers should bear in mind forthcoming changes in EU data protection laws.

Under the proposed EU regulation, the requirement for privacy by design/privacy by default will be formalised. Under this concept, data controllers should design their systems (such as apps and websites) so that privacy is considered from the outset and the default setting is that the minimum amount of data is collected from the user, unless he agrees otherwise. If privacy by design is considered from the outset, then many potential privacy issues can be avoided.

You can find some more top tips for app developers (covering other legal issues as well as privacy) by following this link.

PS I’m pleased to see that the GSMA have just endorsed my recommendations that app designers take heed of the Commission’s privacy by design initiative, with the launch of new app privacy guidelines for apps developed by GSMA members. The guidance is well worth reading if you are involved in app development.

Not all clouds have silver linings – how information security varies between cloud providers

You may have read in the press that Google has entered into its biggest cloud-hosting deal to date. And surprisingly this deal is with one of Spain’s largest banks, BBVA.

The fact that a bank is signing up to Google Enterprise Apps for email and other collaboration services could be taken as a considerable endorsement – banks are, by nature, very security-centric: they have to ensure that they comply with strict information security and regulatory requirements. On this basis banks normally use their own servers to store and share data.

This is what makes the BBVA / Google deal so surprising. BBVA’s data will be stored on one of Google’s public servers, rather than on a private servers. BBVA will initially only use Google Apps for “internal communications” (with customer data and systems continuing to be hosted only in BBVA’s dedicated data centres), but it is assumed that over time BBVA may move more and more data to the cloud.

While I suspect that BBVA may have agreed a tailored solution and not signed up to Google’s Enterprise’s general terms and conditions, the standard Google Enterprise offering (as opposed to the free to use standard version) is rather attractive for businesses considering moving to the cloud, and in particular, using a cloud solution for data sharing and storage, such as Google Apps.

How safe is it to store data using Google Apps?
When storing data to an external server you have to make sure the data will be secure.

From an information security perspective Google Apps for Business has pretty good security credentials, so much so, that some of the US Government Departments use it. Google Apps is actually FISMA certified as being a secure way to store and share data. Google has also obtained an SSAE 16 Type II report (an independent audit) confirming that Google Docs actually adheres to the security controls it has in place and that these systems are operating effectively. The SSAE 16 report may give potential customers reassurance in relation to the effectiveness of Google’s security measures.

The other key information security concern for organisations is compliance with data protection rules and the security of personal data. Google Apps is currently hosted in the US and Europe, but Google Inc is a member of the US Safe Harbor Scheme. This is a US Federal Trade Commission scheme that allows US companies to certify compliance with a set of rules approved by the European Commission as being equivalent to the requirements of the EU Data Protection Directive.

This is important for organisations subject to EU data protection controls, as a transfer to an organisation that meets the Safe Harbor requirements allows the organisation to comply with the eighth data protection principle (which restricts transfers of data outside the EEA) without the need for putting in place model form contracts or making a finding of adequacy. This will give considerable comfort to users of Google Apps in relation to the any personal information that they store in the cloud.

However, potential customers should still be aware that Google may be obliged, under the Patriot Act, to disclose information stored in Google Apps to the US authorities.

How do other cloud services compare?
The fact that BBVA is using the Google Apps should not be taken as a green light for companies to store confidential, commercially sensitive or personal data on a similar cloud-computing solution. Google Apps is unique in terms of the FISMA and Safe Harbor accreditation and a number of cloud storage alternatives, such as Dropbox, simply don’t compare.

Dropbox – Information security risks
Dropbox and similar cloud-drive services are becoming an increasingly popular option for storing and sharing large files and for accessing documents from multiple devices. But, looking at the Dropbox terms and conditions, it appears to pose a number of potential information security risks which users may be overlooking.

Storing information
Firstly, Dropbox doesn’t have the greatest reputation as far as security is concerned.

Putting hacking to one side, there is a lack of certainty over what happens to your data once you remove it from the system. Normally, when you are storing confidential information on a third party’s system you want the comfort that at your request all of the confidential information is permanently deleted from the system. However, the Dropbox terms and conditions state that they are ‘likely’ to continue to hold the information on their back-up systems once you have deleted the data.

Releasing information
Another key concern is how readily Dropbox will share your data (confidential, personal or otherwise) with third parties. While there is a general obligation to release information when ordered to do so by a court order, Dropbox will seemingly release your files rather readily. In comparison, Google will inform you of the request and give you the opportunity to object.

Lack of independent certifications
Most importantly for potential customers within Europe, Dropbox states that it does not have Safe Harbor certification, nor is it able to provide a SAS 70 or SSAE 16 report in respect of its information security measures. This causes problems from a data protection perspective, and also means that their is no independent verification of the controls that Dropbox claims to have put in place.

The moral of the story is that you should carefully consider what data you are uploading to a data sharing  cloud – particularly if it is commercially sensitive or personal information – and, as boring as it is, read the site’s terms and conditions and carry out some due diligence on how your information will be protected.

Leigh Kirktpatrick

Targeted online advertising – are you aware of how it works?

A couple of weeks ago, I was looking at flights and hotels for a trip to Reykjavik this January. One of the websites that I visited was, following a link from the Tripadvisor website.

This morning, I read an article on the Guardian website about the recent overhaul of the Independent website. At the foot of that article was the following advert:

Screenshot on Guardian website of advert for hotels in Reykjavik

Is it simply a coincidence that the advert the ad server served up (perhaps based on my Google search history) happened to be for hotels in Reykjavik from one of the websites that I visited when booking that trip?

Or does behavioural advertising now go deeper than I thought, and was this served up by based upon my recent searches on the website?

How does the system work?
Delving into the Guardian’s privacy policy, it appears that it is the latter.

The Guardian is a member of an online behavioural advertising system provided by a company called Audience Science. Audience Science appears to have many partners – from media/news sites to retailers (although doesn’t appear to be on the list of advertisers, it is mentioned in a recent press release), each of whom share information on your use of their websites to allow the others to provide targeted advertising.

What I hadn’t previously considered, and find slightly disturbing about this is that the (very wide-ranging) list of partners in Audience Science’s network will continue to expand. However, once you’ve opted in to the system and accepted the cookie, you are unlikely to be aware of subsequent changes (or really have much idea about what information is being shared and with whom). This means that you could be using one website unaware that your browsing habits could subsequently influence advertisements served up on another site. There is no “Audience Science member” flag.

Retargeted advertising
But I don’t think that the advert I saw this morning was served up through the Audience Science system. I think it was another system used on the Guardian website called “retargeted advertising”, provided by an organisation called Criteo. Here is what the Guardian’s privacy policy says about it:

For example, if you have visited the website of an online clothes shop you may start seeing ads from that same shopping site displaying special offers or showing you the products that you were browsing. This is allows companies to advertise to website visitors who leave their website without making a purchase.

Again, I don’t ever remember consciously opting in to this system. Clearly, I must have accepted a cookie at some point (or passively accepted’s privacy policy), but wasn’t aware that by doing so was going to chase me around the Internet.

Interestingly, according to Criteo’s privacy policy, the only way of opting out of the Criteo program is to accept a permanent cookie. So if you don’t like cookies, but don’t like your Internet usage being tracked then tough.

Maybe the European Commission is right about the lack of transparent information for users and the recent change to laws governing the use of cookies isn’t so crazy after all?

What do you think? Is behavioural advertising A Bad Thing? Do you think it impedes on your privacy? Is it ok provided that you understand how it is being used?

PS I got the Hotel Thingholt much cheaper on Expedia.

PPS Luckily, the trip wasn’t intended to be a surprise.

PPPS The Internet Advertising Bureau allows you to centrally control your behavioural advertising preferences for services provided by its members here.

Cloud Computing and the risk of Data Ransom

There have been lots of articles about cloud computing by lawyers. Most of them: i) have a dodgy pun in the title; and ii) bang on about data protection and the risk that your data is outside Europe.

That is not what I am going to write about. Partly because it’s been done to death, and partly because I think DP law is dull (sorry Grant and other data law lovers).

I am going to talk about data ransom in a cloud or hosted environment. That is the risk that your supplier goes bust and you have to buy your data from an administrator/receiver, or that you get into a commercial dispute with your supplier and they either turn off your service or ransom your data.  Both are possible scenarios.

Remember that administrators are legally bound recover as much money as possible for the creditors. They are also not too bothered what your contract with the insolvent company says.  These facts can make them quite interesting to deal with!

On the commercial dispute side it is traditional for purchasers to manage suppliers by withholding payment on invoices or similar. But with cloud or hosted apps the power has shifted – if the purchaser withholds payment then the supplier can probably turn off the service. Gulp!  Worse imagine you have decided not to renew the contract, and your supplier starts being “sticky” about handing over your data to the new supplier. Remember “sticky” could include giving the new supplier all your data, but in an incomprehensible format.

So what do you do ?


  • Have an obligation to get a weekly or daily back-up of your data delivered to you in a format you could decode.
  • In fact why not take advantage of virtualisation technology and get a virtual copy of “your environment” and related rights to run it on your servers. (I have been putting this in contract for about a year – so far I have not seen anyone else do this).
  • Have strong exit management provisions (preventing the supplier mucking you around on exit).
  • Have a source code escrow agreement.  Note from a “self-help” basis these are probably useless (partly) because you may not have the object code; but having the right to get the source code will give you bargaining position against an administrator/receiver *.


  • Actually Enforce any of the contractual rights described above (it is probably too late to start enforcing them once the “ransom” starts).
  • Make sure your lawyer really understands concepts such as cloud, source code and virtualisation (this is an undercover sales pitch).

Not one dodgy pun!

*  I find a lot of lawyers still ask for source code escrow in a hosted app environment (where the client doesn’t even have the object code) not because of the reasons I have outlined but simply because the turnkey contract they are using as a style has an escrow clause in it. This strikes me as fairly dumb. Rant over.

“Midnight Movies”, ACS Law and the ICO

The Information Commissioner has been criticised for levying a monetary penalty of just £1,000 against a law firm whose severe security shortcomings led to the sensitive personal data of 6,000 people being made available online.

ACS: Law, led by solicitor Andrew Crossley, was conducting a widespread speculative invoicing campaign which involved accusing thousands of people of illegal file sharing and charging fines (which Douglas discussed a few months ago).  However, the scheme came unstuck when “hacktivism” group Anonymous took umbrage with Mr Crossley’s tactics and launched a “denial of service” attack.   The attack made the ACS: Law website “collapse”, revealing details of individuals accused of illicit filesharing which had previously been hidden from unauthorised access.

Reports of the incident have suggested that the breach was aggravated because it revealed details of illegally downloaded pornographic films, meaning that not just any old personal data was disclosed, but “sensitive personal data” as defined under the Data Protection Act 1998, pertaining to individuals’ sexual lives.

Of course, as all diligent data protection lawyers know, details of the commission (or alleged commission) of any offence already constitutes “sensitive personal data” under the DPA. So I’m not really sure why the “midnight movies” needed to be mentioned at all. It wouldn’t be just to make an article about data protection seem a wee bit saucier, would it?

Information Commissioner Christopher Graham said that the severity of the breach would have warranted a fine of £200,000, but he believed that Mr Crossley was not in a position to pay. (The ICO does not have the power to audit people’s accounts, but instead obtained a sworn statement from Andrew Crossley on the state of his finances.)

Privacy campaigners are now concerned that the decision introduces a loophole for companies wishing to evade ICO monetary penalties. I’m not convinced. Surely pretending to be bankrupt is even worse for your reputation that failing to protect personal data?

The forecast: clouds, with grey linings, perhaps turning to silver later

Samsung has today announced the first publicly available laptop based on Google’s Chrome OS. The laptop is aimed at both consumers and corporate users.

What’s different?
Unlike many laptops and netbooks, Samsung’s new laptop comes with only 16 GB of (solid state) storage for files. By way of comparison, my MacBook that I bought last year came with a 320GB hard drive (20 times larger). Of that 320GB, approximately 70GB of that is taken up by photos, music and videos (including a staggering 25GB of which relates to photos and video from my wedding and honeymoon last year).

So why is the storage space on a Chrome laptop so small? The reason is that users won’t store any files on the laptop itself. Instead, the user will use remotely hosted applications like Google Docs and store its files in a “secure” space in the Cloud. Google and Samsung cites a number of advantages of this approach – if the laptop breaks or is stolen, then the data won’t be lost, and because applications and files are hosted remotely, the computing power required at the user end is much less; ergo a Chrome OS laptop is much cheaper to buy.

We are seeing an increasing interest in clients (both large and small) adopting cloud computing and virtual desktops – finally realising the dream that Sun had for its thin JavaStation clients back in 1996 (I remember this well – I wrote a dissertation on it when doing Higher Computer Studies). As applications and files are hosted on a remote server, it means that users require only a very basic computer, meaning lower upfront and support costs and more flexibility to support various ways of working.

Dark clouds on the horizon
But as we saw a couple of weeks ago, the Cloud is not infallible. Leaving aside a reliance on patchy (and often slow) 3G coverage and wifi for mobile users in the UK, there are a number of risks. Users of Amazon’s EC2 cloud computing service suffered a major outage, leading to some users being affected for up to four days. The outage knocked out a number of businesses and arose notwithstanding a number of failover systems that Amazon claimed to have in place to prevent this sort of thing from happening.

Whilst a consumer may consider such an outage to be a risk worth taking given the cost and convenience benefits of using the Cloud, I suspect that businesses may take a different view. Reports have confirmed that because of the way the outage occurred, Amazon’s outage didn’t actually trigger a breach of Amazon’s service level agreement, meaning that users had no automatic entitlement to service credits (although on this occasion Amazon has made a discretionary award of compensation to affected customers). That’s a tough one for a CIO to explain to his CEO – not only did the service fail, but there isn’t even a right to any service credits.

Raining on the Cloud’s parade
The Amazon outage also highlights the risks of, to mix some more metaphors, putting all your eggs in one cloud. If a business is dependant upon the Cloud in order to trade or for its employees to carry out their day to day duties (because all data is hosted remotely), and is also dependant upon a single cloud vendor, then it needs to look very carefully at the business continuity, and DR provisions that the cloud vendor has in place and consider if those are sufficient.

Similarly, if all your data is hosted by a third party in the cloud, then you may be reliant upon that third party to ensure that your data is backed up, and may also need to consider how you can get it out of the Cloud at the end (particularly when using software as a service applications). See Damien’s previous blog on this.

Wrapping up a bad couple of weeks for the Cloud, the hacking attack and theft of data from Sony’s PlayStation network also emphasises the importance of ensuring the security of data (personal or otherwise) held in the Cloud. Just playing some Rolling Stones isn’t going to be enough.

I don’t doubt that the Cloud will continue to grow in importance, but these recent events show the legal and commercial risks associated with cloud computing, and a number of the issues that cloud providers need to overcome before the market will fully mature. In the meantime, businesses seeking to move to Cloud will need to ensure that they read the small print and carry out appropriate diligence on their proposed supplier(s).

Twitter: @BrodiesTechBlog feed

December 2017
« May    

%d bloggers like this: