This week has seen what may be a first for Cloud computing: the very public termination of service of a major customer for alleged terms-of-service violations. I refer of course to Wikileaks, thrown off of Amazon Web Services for a range of reasons relating to the controversial content Wikileaks was hosting there. Of course, organisations have had Cloud services terminated before, but this is by far the highest profile case I’m aware of. Equally high-profile has been the resulting criticism of Amazon, with many supporters of Wikileaks complaining that a company that is in the very business of promoting the free flow of knowledge is now engated in censorship. So, what was Amazon’s motivation here?
Amazon is still first and foremost an online shopping site (I would have said bookshop, but it is long past being just that). Its web services account for a little over one percent of its turnover, although that fraction is rapidly growing. But this doesn’t mean that Amazon is a bit player in the Cloud computing business. Far from it; Amazon Web Services is one of the market leaders and is the standard against which IaaS (Infrastructure as a Service) Cloud services are judged. A vast number of online services, including many other Cloud-based organisations, use one or more of AWS’s products; EC2 for on-demand computing power, S3 for flexible storage, or one of many others. Amazon lists an impressive array of businesses that use AWS; ironically, it includes Guardian News and Media - one of the main disseminators of the leaked cables - among many others.
It’s not hard to see that Amazon found itself in a difficult position when it became aware that it was hosting Wikileaks. (And yes, ‘became aware’ is probably how it happened – I’ll explain in a moment). Yes, there have been threats of a boycott from those upset that it has dumped Wikileaks. But if it had continued to host it, I don’t doubt that there would have been widespread calls for a boycott from those unhappy with Wikileaks – and there are a lot of people in that camp. On the figures above, Amazon would only have to lose 1% of their online retail business to wipe out their entire income from AWS, and someone in Amazon’s management probably made a pragmatic call that they’d lose a lot more business by continuing to host Wikileaks than by dropping it.
But that’s not the only consideration. Pretty much everywhere that has hosted Wikileaks has sooner or later seen denial-of-service attacks. You don’t even have to ascribe these to conspiracies; there are plenty of people out there who combine a political viewpoint at odds with Wikileaks with the technical knowledge needed to hire a botnet. (Which isn’t much, and in yet another irony botnet-based DDOS attacks are yet another form of Cloud computing). But if you start to DDOS an organisation hosted by a Cloud provider, then you risk causing a lot of collateral damage. We saw a version of this when Spamhaus started to block spam sites that had been set up on AWS, and in doing so inadvertently blacklisted numerous legitimate users of Amazon’s services. A DDOS attack on Wikileaks whilst it was hosted on AWS could well have knocked out many of those sites listed earlier. And if their lawyers could show that AWS knew that it was hosting a prime target for attack alongside them… well, it would be an interesting question as to how liable Amazon would be, but I dare say Amazon’s own lawyers may have suggested that finding out in the courts could be expensive.
In short, Amazon faced a lot of grief if it kept Wikileaks on board. And, under their Terms of Service, they were entitled to drop them. A lot has been written about whether Amazon’s explanation – a breach of Acceptable Use terms – holds water, but at the end of the day Clauses 3.4.1(vii) and (viii) of the AWS Customer Agreement give AWS very broad grounds for summarily terminating the use of even a paid account:
(vii) we receive notice or we otherwise determine, in our sole discretion, that you may be using AWS Services for any illegal purpose or in a way that violates the law or violates, infringes, or misappropriates the rights of any third party; (viii) we determine, in our sole discretion, that our provision of any of the Services to you is prohibited by applicable law, or has become impractical or unfeasible for any legal or regulatory reason;
Now, why didn’t AWS act sooner? This story suggests that Wikileaks started using AWS on Sunday 28 November. But it’s not as if Assange negotiated to use the service; one of the common characteristics of Cloud computing sites is that users can sign up online and pay via credit card. When Joe Lieberman asks, as he apparently has, for details of Amazon’s relationship with Wikileaks, the answer is that it was probably very like Transport for London’s relationship with me concerning my Oyster card. Yes, we have a contract, but it’s one I made by buying credits from a top-up point; TfL are barely aware in any meaningful sense that I exist. Amazon probably only realised they were hosting Wikileaks when they began to get complaints.
So what does this affair tell us about Cloud computing? It’s a big business, but still small in comparison with, for example, online retailing. It’s easy to sign up to, but it’s also easy to get booted off from, thanks to very permissive terms of service (and AWS’s terms are entirely typical of those we saw in the QMUL survey of Cloud terms). But perhaps the most important aspect of Cablegate for Cloud computing is the way that, by drawing attention to Amazon’s Cloud business, it’s put Cloud computing into the public eye.
Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.