Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.

Thursday 9 September 2010

I Aten't Dead

...as Sir Terry Pratchett's Granny Weatherwax would put it, although one might be forgiven for wondering, looking at this blog of late. My sole excuse is that I've been employed investigating and writing about IT law as my day job for the last few months, which has inclined me less to blog about it as a hobby.

However, that work has now borne fruit and so this is a good point at which to get LawClanger going again. The QMUL Cloud Legal Project has just produced 'Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services', by Simon Bradshaw, Christopher Millard and Ian Walden, and available for download from SSRN.

'Contracts for Clouds' is based upon a detailed survey I carried out of the Terms and Conditions (T&C) for 31 different Cloud computing services from 27 providers. It began as a baseline study to identify how Cloud providers made reference to some of the wider legal issues we are planning to address in other Cloud Legal Project papers, but it soon became clear that the results were worthy of a paper in their own right. Although there have been a few other reports looking at Cloud T&C, we believe ours is the first that provides a detailed, referenced review of a wide set of T&C together with a comparitive analysis of the terms found. And what we found makes for interesting (to put it politely) reading for prospective Cloud customers.

Many Cloud services, for instance, have clauses in their Terms & Conditions that disclaim all responsibility of the provider for keeping the user’s data secure or intact. Often, providers will reserve the right to terminate accounts for apparent neglect (important if they are used for occasional backup), for violation of the provider’s Acceptable Use Policy, or indeed for any or no reason at all. Customers more worried about their data being seen by others than being lost might also be concerned at some of the terms seen in the survey that related to third-party disclosure. Whilst some providers promise only to hand over customer data if served with a court order, others state that they will do so on much wider grounds – including it being in their own business interests to do so.

We also found that providers very commonly exclude any liability for loss of data or for damage arising from it, or seek to strictly limit the damages that can be claimed against them – damages which might otherwise be substantial if loss of data or services brought down an e-commerce web site, for instance. Customers who seek to challenge their Cloud provider in court might also be in for a surprise when they look at the relevant terms: such providers usually claim that the contract is made under the law governing their main place of business, which in many cases is a US state, and that any dispute must be heard in the provider’s local court.

This isn't to say that Cloud services are dangerous, or that providers are especially cavalier. The terms we saw most likely reflect a desire of many Cloud hosts to remain as much a 'mere conduit' of information services (even though they are clearly hosts) as possible, and to keep customers at arm's length. Whether such T&C evolve so as to be more aligned with customer expectations and interestes will be interesting to see, and indeed will be an ongoing point of study for the Cloud Legal Project.