Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.

Tuesday 7 December 2010

Cloud, Copyright, Hosting and Jurisdiction

Computerworld UK has published a short piece by me on the jurisdictional issues of copyright and database infringement in the Cloud. I discuss the recent ruling on this point in Football Dataco v Sportradar and suggest an alternative model for determining where material is 'made available'.

Friday 3 December 2010

Wikileaks - Cloud's First PR Crisis?

This week has seen what may be a first for Cloud computing: the very public termination of service of a major customer for alleged terms-of-service violations. I refer of course to Wikileaks, thrown off of Amazon Web Services for a range of reasons relating to the controversial content Wikileaks was hosting there. Of course, organisations have had Cloud services terminated before, but this is by far the highest profile case I’m aware of. Equally high-profile has been the resulting criticism of Amazon, with many supporters of Wikileaks complaining that a company that is in the very business of promoting the free flow of knowledge is now engated in censorship. So, what was Amazon’s motivation here?

Amazon is still first and foremost an online shopping site (I would have said bookshop, but it is long past being just that). Its web services account for a little over one percent of its turnover, although that fraction is rapidly growing. But this doesn’t mean that Amazon is a bit player in the Cloud computing business. Far from it; Amazon Web Services is one of the market leaders and is the standard against which IaaS (Infrastructure as a Service) Cloud services are judged. A vast number of online services, including many other Cloud-based organisations, use one or more of AWS’s products; EC2 for on-demand computing power, S3 for flexible storage, or one of many others. Amazon lists an impressive array of businesses that use AWS; ironically, it includes Guardian News and Media - one of the main disseminators of the leaked cables - among many others.

It’s not hard to see that Amazon found itself in a difficult position when it became aware that it was hosting Wikileaks. (And yes, ‘became aware’ is probably how it happened – I’ll explain in a moment). Yes, there have been threats of a boycott from those upset that it has dumped Wikileaks. But if it had continued to host it, I don’t doubt that there would have been widespread calls for a boycott from those unhappy with Wikileaks – and there are a lot of people in that camp. On the figures above, Amazon would only have to lose 1% of their online retail business to wipe out their entire income from AWS, and someone in Amazon’s management probably made a pragmatic call that they’d lose a lot more business by continuing to host Wikileaks than by dropping it.

But that’s not the only consideration. Pretty much everywhere that has hosted Wikileaks has sooner or later seen denial-of-service attacks. You don’t even have to ascribe these to conspiracies; there are plenty of people out there who combine a political viewpoint at odds with Wikileaks with the technical knowledge needed to hire a botnet. (Which isn’t much, and in yet another irony botnet-based DDOS attacks are yet another form of Cloud computing). But if you start to DDOS an organisation hosted by a Cloud provider, then you risk causing a lot of collateral damage. We saw a version of this when Spamhaus started to block spam sites that had been set up on AWS, and in doing so inadvertently blacklisted numerous legitimate users of Amazon’s services. A DDOS attack on Wikileaks whilst it was hosted on AWS could well have knocked out many of those sites listed earlier. And if their lawyers could show that AWS knew that it was hosting a prime target for attack alongside them… well, it would be an interesting question as to how liable Amazon would be, but I dare say Amazon’s own lawyers may have suggested that finding out in the courts could be expensive.

In short, Amazon faced a lot of grief if it kept Wikileaks on board. And, under their Terms of Service, they were entitled to drop them. A lot has been written about whether Amazon’s explanation – a breach of Acceptable Use terms – holds water, but at the end of the day Clauses 3.4.1(vii) and (viii) of the AWS Customer Agreement give AWS very broad grounds for summarily terminating the use of even a paid account:

(vii) we receive notice or we otherwise determine, in our sole discretion, that you may be using AWS Services for any illegal purpose or in a way that violates the law or violates, infringes, or misappropriates the rights of any third party; (viii) we determine, in our sole discretion, that our provision of any of the Services to you is prohibited by applicable law, or has become impractical or unfeasible for any legal or regulatory reason;

Now, why didn’t AWS act sooner? This story suggests that Wikileaks started using AWS on Sunday 28 November. But it’s not as if Assange negotiated to use the service; one of the common characteristics of Cloud computing sites is that users can sign up online and pay via credit card. When Joe Lieberman asks, as he apparently has, for details of Amazon’s relationship with Wikileaks, the answer is that it was probably very like Transport for London’s relationship with me concerning my Oyster card. Yes, we have a contract, but it’s one I made by buying credits from a top-up point; TfL are barely aware in any meaningful sense that I exist. Amazon probably only realised they were hosting Wikileaks when they began to get complaints.

So what does this affair tell us about Cloud computing? It’s a big business, but still small in comparison with, for example, online retailing. It’s easy to sign up to, but it’s also easy to get booted off from, thanks to very permissive terms of service (and AWS’s terms are entirely typical of those we saw in the QMUL survey of Cloud terms). But perhaps the most important aspect of Cablegate for Cloud computing is the way that, by drawing attention to Amazon’s Cloud business, it’s put Cloud computing into the public eye.

Tuesday 16 November 2010

The Sound of Silence

As a supporter of the Royal British Legion (and an ex-serviceman myself) I'm pleased to see the RBL finding new and innovative ways of raising money. This year they have taken the novel step of releasing a single of the Two Minutes' Silence. You can see a short excerpt from the video here.

Now at this point I was suddenly reminded of John Cage's silent 4'33" and more specifically the legal case brought by Cage's UK publishers against Mike Batt (better known to many for the theme song of The Wombles) for allegedly infringing it. Batt included a one-minute silent track on an LP, crediting it to "Batt / Cage". The case settled out of court, reportedly for a substantial sum, although this denied the chance for some judicial enquiry into the extent to which copyright exists in silence.

For a detailed review of the legal issues see Cheng Lim Saw's very thorough analysis in 'Protecting the sound of silence in 4'33" - a timely revisit of basic principles in copyright law' [2005] EIPR 7:12. Cheng Lim Saw concludes that 4'33" very likely does not attract copyright protection under English law, although the question is not as trivial as it might at first appear. For example, the work is not simply a silent interval; it is meant to be performed (albeit very passively) so an audience will always be aware of background noise and environment. But what copyright was asserted in was not a specific recording of a near-silent performance, but the piece itself, and in Cheng Lim Saw's view this is where the copyright claim fails, for how can there be certainty in the identity of the work copied if the piece has no content to be identified?

So what about the RBL's track? Well, it is not a work of sound - or silence - alone. It is a video, featuring well-known personalities as well as injured soldiers as they observe silence. Although everyone in it is static there is no reason to believe that it is not a dramatic work, in terms of the composition and editing. And, as with 4'33" the soundtrack is not truly silent; rather it records the sounds of someone standing still.

In a sense the RBL video has a very important point in common with 4'33": it is meant to make the audience concentrate and reflect on the attempt at silence, although the two works do so in very different contexts. I agree that if the Batt case had gone to trial the copyright claim might well have failed, but were there other potential heads of claim that could have been more arguable? (False attribution, for instance, or passing off; Batt's real mistake may have been in putting Cage's name to his track.)

I very much doubt that the RBL are going to find themselves following Mike Batt in terms of receiving a claim for copyright infringement. A silent video, even if it's point is the depiction of silence, is not a performance of a 4'33", even if the later does enjoy copyright protection - which it probably doesn't. But part of me wishes that there was another case on this that went to litigation, because I would love to hear the legal arguments put forth.

Thursday 9 September 2010

I Aten't Dead

...as Sir Terry Pratchett's Granny Weatherwax would put it, although one might be forgiven for wondering, looking at this blog of late. My sole excuse is that I've been employed investigating and writing about IT law as my day job for the last few months, which has inclined me less to blog about it as a hobby.

However, that work has now borne fruit and so this is a good point at which to get LawClanger going again. The QMUL Cloud Legal Project has just produced 'Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services', by Simon Bradshaw, Christopher Millard and Ian Walden, and available for download from SSRN.

'Contracts for Clouds' is based upon a detailed survey I carried out of the Terms and Conditions (T&C) for 31 different Cloud computing services from 27 providers. It began as a baseline study to identify how Cloud providers made reference to some of the wider legal issues we are planning to address in other Cloud Legal Project papers, but it soon became clear that the results were worthy of a paper in their own right. Although there have been a few other reports looking at Cloud T&C, we believe ours is the first that provides a detailed, referenced review of a wide set of T&C together with a comparitive analysis of the terms found. And what we found makes for interesting (to put it politely) reading for prospective Cloud customers.

Many Cloud services, for instance, have clauses in their Terms & Conditions that disclaim all responsibility of the provider for keeping the user’s data secure or intact. Often, providers will reserve the right to terminate accounts for apparent neglect (important if they are used for occasional backup), for violation of the provider’s Acceptable Use Policy, or indeed for any or no reason at all. Customers more worried about their data being seen by others than being lost might also be concerned at some of the terms seen in the survey that related to third-party disclosure. Whilst some providers promise only to hand over customer data if served with a court order, others state that they will do so on much wider grounds – including it being in their own business interests to do so.

We also found that providers very commonly exclude any liability for loss of data or for damage arising from it, or seek to strictly limit the damages that can be claimed against them – damages which might otherwise be substantial if loss of data or services brought down an e-commerce web site, for instance. Customers who seek to challenge their Cloud provider in court might also be in for a surprise when they look at the relevant terms: such providers usually claim that the contract is made under the law governing their main place of business, which in many cases is a US state, and that any dispute must be heard in the provider’s local court.

This isn't to say that Cloud services are dangerous, or that providers are especially cavalier. The terms we saw most likely reflect a desire of many Cloud hosts to remain as much a 'mere conduit' of information services (even though they are clearly hosts) as possible, and to keep customers at arm's length. Whether such T&C evolve so as to be more aligned with customer expectations and interestes will be interesting to see, and indeed will be an ongoing point of study for the Cloud Legal Project.