Now and again an intellectual property case will result in a decision that causes considerable head scratching within the IP profession. Perhaps more commonly these days such a decision will cause wider confusion and outrage in the online community, especially those parts of it which espouse a sceptical attitude towards IP. In Temple Island Collections v New English Teas [2012] EWPCC 1 HHJ Birss of the Patents County Court seems to have achieved the impressive feat of delivering a judgment that does both.
The case concerned a photograph showing a red double-decker London bus against a monochrome background of the Houses of Parliament. Skimming slightly over earlier litigation, the defendant had declined to license the claimant's image and instead had sought to arrange a version taken independently. The claimant then asserted that the second version of the image infringed its copyright in the original. HHJ Birss held that it did, even though the second image was a recreation rather than a copy as such of the first.
To say that this decision has caused consternation would be putting it mildly. Reports on the case at sites such as Amateur Photographer and Boing Boing have seized upon the idea that somehow this judgment will stop photographers from taking pictures that replicate any prior similar image and it has been characterised as a precedent that will result in a monumental rights-grab by the owners of large photographic portfolios. Within the profession the response has been somewhat more muted but nonetheless respected commentators have expressed some concern and surprise at the decision. In particular, as Jane Lambert explains in an excellent post at NIPClaw, it seems at first sight hard to reconcile the decision in this case with that of Mr Justice Floyd in Creation Records v News Group Newspapers [1997] EWHC Ch 370. A measure of the interest that this case has given rise to is seen by the way that the 1709 Blog has organised a seminar on the case within weeks of judgement being handed down and to be addressed by leading Counsel for the claimant.
To take the more alarmed views first, it would perhaps have helped if some of the commentators on the case had taken the trouble to read the judgment. HHJ Birss goes to considerable effort to explain how narrow his decision actually is. To begin with, there is no suggestion that if two people standing next to one another take the same photograph the one who pressed the shutter momentarily later will somehow be infringing the copyright in the photograph taken earlier. Copyright infringement requires copying, and although such copying may be indirect or even unconscious it is still necessary to show a causal link between the original work and the allegedly infringing copy.
But what about the suggestion that this decision means that any photograph of a bus on Westminster Bridge with the Houses of Parliament in the background infringes the copyright in Temple Island's image? After all, there are plenty of earlier such photographs. This issue was addressed by HHJ Birss at paragraphs 17 to 29 of his judgment. To somewhat paraphrase the judge’s argument, where a picture is taken of a commonly-photographed scene then, although that picture will no doubt enjoy copyright, the only aspects of that picture whose copyright might be infringed by another, similar image are those where the photographer has achieved originality.
As he explains at paragraph 22 such originality may arise from technical skill in photography (e.g. composition), the staging of a particular scene or from the simple fact of being in the right place at the right time. In other words, although a commonplace photograph will be protected by copyright against simple copying, if there is nothing distinctive about it in comparison with other, similar photographs then there is no copyright in anything distinctive and original that will be infringed by someone taking yet another similar photograph. But if the photograph shows original elements then those elements will be protected by copyright against specific imitation.
As such, neither casually snapping tourists nor enthusiastic photographers need worry about being sued for copyright infringement if they happen to take a photograph of a bus in front of Parliament. HHJ Birss found here that the claimants had a photograph with identifiable specific original features; as he explains at paragraphs 51 to 54 there are particular elements of composition and visual processing that he found to be original in that image. On that basis, given that it was clear from the facts that the defendant had set out to recreate the claimant's image there was a clear causal link between the two and the original elements of the first image had been reproduced in the second. The defendant's image thus infringed copyright in the claimant's.
Put that way the decision seems less unreasonable and the more dramatic claims of what it might prevent clearly have no basis in fact or law. But nonetheless the decision does still give rise to concerns, some legal and some practical. In particular, how does one reconcile it with Creation Records?
Creation Records involved the unauthorised photography of a temporary arrangement of items set up for the cover of a new album by Oasis. The allegedly infringing image was taken by a photographer who had inveigled himself into the main photo session and it was taken alongside the “original” image. As explained at paragraph 3 of Mr Justice Floyd's judgement the unauthorised photographer was standing some 15 to 20 feet to the left of the official one and they were both taking photos at the same time. The question of whether the unofficial photograph infringed the official one was dealt with by the judge very quickly at paragraph 15:
“Next, Mr Merriman contended that Mr Seeburg's photograph was itself a copy of the official photograph taken by Mr Jones, regardless of the order in which the two were taken. I do not see how that can be argued. If the subject matter is not itself copyright, in principle two different photographers can take separate photographs of the same subject without either copying the other. Of course copyright subsists in the official photograph and if it were the only source of the scene it would be an infringement to copy that, either by a direct copying process or by the scene being recreated and a fresh photograph taken of that recreation. But it is a basic proposition of copyright law that two works created from a common source do not by reason of that fact involve copying one of the other, however similar they are. Nothing in Bauman v Fussell [1978] R.P.C. 485 is inconsistent with this.”
The judge’s reference to Bauman v Fussell relates to a case where a painter painted a picture inspired by a photograph, in which it was held that the painting – not a direct copy – did not infringe the copyright in the original photograph. What is more of note is that Mr Justice Floyd specifically addresses the situation where a photograph is restaged and retaken and holds that this is equivalent to direct copying.
It is therefore clear that the situation in Creation Records is rather different to that in Temple Island. This was not the re-enactment or restaging of a photograph but rather an example of simultaneous taking of pictures. Indeed, if one goes on to read the full judgement in Creation Records the bulk of the legal argument was taken up either by attempts to establish that the staged scene being photographed somehow enjoyed its own copyright (unsuccessful) or that there was a duty of confidentiality breached by the unofficial photographer (successful). Although superficially similar in that they both involve one photograph alleged to be a copy of the other, the manner in which the second photograph came about is quite different in the two cases and there is in fact little in Creation Records relevant to Temple Island beyond dicta that actually supports HHJ Birss’ decision in the latter. Indeed, it may be that this was such common ground between the parties and so obvious to the judge that neither he nor counsel thought it necessary to refer to Creation Records, hence explaining its apparently surprising omission from the judgement.
HHJ Birss’ decision thus appears to be legally sound, or at the very least not in conflict with well-established law in the area. But that doesn't mean that it's not problematic. Even on the relatively narrow application that I have outlined above it is still possible to see how a photographer could find himself or herself facing threats of legal action over a seemingly commonplace image.
I am a moderately keen photographer myself and I own a number of books on the subject. Many photographic books and courses clearly aim to teach techniques that involve some level of imitation of the styles and methods of established photographers. For that matter, if as an aspiring photographer you see a particularly striking image it is natural to want to work out how it was taken and to seek to replicate it, or at least some of the more interesting and novel aspects of it.
I can provide a personal example of this. Consider the photograph below, of the Forth Rail Bridge. I consider it to be one of my better photographs and indeed it is by far and away the most heavily viewed picture on my Flickr account; it is also the only picture that anybody else has ever asked to use.
I was inspired to take the picture after I saw similar images in photographic shops in and around Edinburgh. The bridge was shown at or near sunset and the sea had an unusual, almost misty effect that I recognised as being achieved through a long exposure. I thought it would be interesting to try to replicate these elements of the images so I went down to South Queensferry, set up my tripod near the south end of the bridge, and using a graduated neutral density filter I took a number of photographs. After some effort with Photoshop to clean the pictures up and correct the colour I achieved the results above. I don't think that it is perfect; it is not quite as sharp as I would like and would not stand much enlargement, and given the date at which I took it the bridge itself is festooned with scaffolding. But I could not deny that there was a causal link between it and the earlier photographs that had inspired me. Were there a single, specific image with these qualities that it could be shown I had set out to replicate, then on the basis of Temple Island I would be held to have infringed its copyright.
If the decision in Temple Island was such as to deter photographers like me from carrying out such exercises for fear of liability for copyright infringement then I would be concerned at the effect upon the hobby. Photography is in large part a skill that you learn through practice and imitation and I would not want to think that photographers seeking to develop their skills might be deterred from doing so. As a lawyer I am aware that in practice it is commercial exploitation that is likely to attract legal attention but the forthcoming reforms to IP litigation procedure following the Hargreaves Report will substantially lower the barrier to this. Although I am generally very much in favour of the forthcoming Small Claims track for copyright disputes – I know several photographers who until now have had little recourse against blatant copying and commercial reuse of their images – I would be worried if it led to a spate of threats of proceedings in respect of what one might term innocently imitative images.
Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.
Wednesday, 1 February 2012
Tuesday, 29 November 2011
A tempting target, but a dubious tactic
A few days ago a friend retweeted a link to a campaign that took an unusual approach to expressing distaste at The Sun's campaign against benefit fraudsters.
Pride's Purge - Help Fight Back Against Murdoch’s Benefit ‘Scroungers’ Hotline
The blog's author, Tom Pride, is encouraging people to report 'fat-cat bankers' to the Sun email hotline. Or, more specifically, he is encouraging people to do this so much that the hotline is overwhelmed:
"Simply by repeatedly sending as many emails as possible with the names of scrounging bankers who have used taxpayers money to pay themselves massive bonuses, the hotline can be crashed."
Now I have no love for the Sun - about the only good thing I can say for it is that it is not quite as revoltingly toxic as the Daily Mail. But I do have a concern about Tom Pride's campaign, because it is encouraging people to break the law. My particular worry is that most people who like the look of this and feel tempted to join in probably won't have any idea that this is, in fact, illegal.
When the Computer Misuse Act 1990 was originally enacted its Section 3 created the offence of 'unauthorised modification of a computer'. The intent was clearly to create an offence of hacking, but as time went on it became clear that a computer might be attacked in a manner that was not obviously 'unauthorised modification'. In particular, Denial-of-Service (DOS) attacks were, some commentators suggested, not caught by s.3. Matters came to a head in 2005 when David Lennon carried out a mail-bombing attack on the email server of Domestic & General plc. At his trial Mr Lennon's defence was that his actions had not been unauthorised, because an email server is specifically intended to receive emails, so he had done nothing to it that he had not implicitly been authorised to do. The judge struck out the case against Mr Lennon on this basis, but the Director of Public Prosecutions appealed and so the Court of Appeal considered the meaning of s.3 CMA 1990. Mr Justice Jack, in giving the Court's judgment that the prosecution should continue, considered that the authorisation had implied limits:
"I agree, and it is not in dispute, that the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. That second example seems to me to be very much to the point here. I do not think that it is necessary for the decision in this case to try to define the limits of the consent which a computer owner impliedly gives to the sending of emails. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system."
Even before the Court of Appeal had given its ruling though, Parliament was already planning to revise the CMA to close this loophole. The Police and Justice Act 2006 amended s.3 CMA 1990 so that the offence it created was instead one of an unauthorised act impairing a computer's operation. No longer was it necessary to show that there had been some change made to a computer; it is now enough to show that the computer, even if doing what it was intended to do (e.g. receive emails) has been impaired in that function. The amendment also extended the offence to include reckless, as well as deliberate, impairment. So, both by statutory amendment and by case law (Lennon) it is now clear that mail-bombing a mail server to the extent that it is no longer usable is a criminal offence (and other forms of DOS attack, including distributed DOS, are similarly offences.)
What this means, I'm afraid, is that fun though it may be to suggest burying the Sun hotline in irate email, it's actually against the law to do this. It's directly illegal to send such emails, although to be pragmatic the likelihood of prosecution for sending a particular email is pretty low. (I wouldn't be so sanguine if anyone used a mail-bombing app, though.) It's also illegal, under the long-standing rule against 'aiding, abetting, counselling or procuring an indictable offence', to encourage other people to do this - as, it seems, the blog author here has. (In the comments to the post, Tom Pride says this isn't a DDOS attack. With respect, as I've tried to explain here, in the eyes of the law it is.)
As the two young men who tried to organise riots via Facebook found, it's very easy to get into a lot of trouble by saying something online. There's a good argument that it's far too easy, as Paul Chambers found out in the ongoing saga of the Twitter Bomb Joke trial. But as it is, it's worth pausing for thought - and perhaps a check of the law - before seeking to unleash the wrath of the Internet on a target, however deserving it may seem.
Saturday, 15 October 2011
SCL Conference 2011 - Day 2
Balancing risk in outsourcing contracts - Mark Crichard, Andrew Collyer, Richard Bligh. Interesting comments on and insights into some of the complexities of developing outsourcing contracts. To what extent has the Centrica case made it necessary to clearly specify what will be considered as direct and indirect losses? Do customers understand the difference between losses that are indirect and those that are simply remote? And how do you cater for customers who want to outsource but to host their data and services on their own systems? (A: with carefully worded exclusion clauses, so it seems.)
Social Media: strategy for business - Gillian Cordall, Nina Barakzai, Chris Reed. How to best use social media? Engage with customers by talking not just about yourself but about developments potential clients are interested in. Dangers of getting it wrong, e.g. recent Toyota social marketing lawsuit - over-focussed campaigns may damage your reputation with other customers. And who 'owns' the contact list for successful social media - the front face of the media, or the employer?
Social media strategy can be reactive and responsive, e.g. Dell's 'Global Listening' - engage with commenters and respond. Does work better if you have the resources to monitor, filter and respond to social media, but for a well-known brand can have significant impact!
It's important to have clear policies and codes of conduct (especially re transparency) and to comply with relevant laws. Above all, you have to engage, not just broadcast.
Litigation: the cancer of disclosure - Ben Rooney, Alexander Carter-Silk, Edward Rippey, Kim Lars Mehrbrey. A US, English and German lawyer walk into a bar and discuss discovery/disclosure. US discovery can take years and cost millions, but you go into a case knowing pretty much everything. German civil law barely has disclosure: parties present their case based on what documents they choose. English disclosure is very much based on proportionality, albeit subject to the risk of costs penalties for improper disclosure. Which is 'best'? Modern search tools make it almost impossible for someone to convincingly hide evidence, but can this lead to over-enthusiastic searching and excessive preparation costs? We are also seeing forum-shopping, as litigants look for the jurisdiction with the disclosure regime most favourable to their case.
Friday, 14 October 2011
SCL Conference 2011 - Day 1
I'm at the Society for Computing and Law's 2011 Conference in Bath, with the theme of New Technology v High Risk. I'll aim to blog updates on the sessions as we go along, so refresh for details.
Technology, Risk and Law - Dr Andrew Martin, University of Oxford.
A heartfelt plea for professionalism in the IT industry, in the context of properly understanding what risk is and what technology can and cannot do. Andrew Martin observed how we are increasingly reliant on security entities we have no knowledge of (eg certification authorities) and, with more and more of our household devices not only being connected to the Internet but having multiple sets of our credentials, this poses risks of security failures it is hard to be aware of, let alone properly quantify. He put forward three wishes for the genie that we have let out of the bottle: better technology, in the sense of understanding and removing vulnerabilities; more realism as to what IT can and can't do; and more focus on reliability and robustness in place of pushing the state of the art.
Cyber-crime - Prof Ian Walden (QMUL), Det Sup Charlie McMurdie (Met Police), Neil Hare-Broom (QCC Forensics)
Cyber-crime is getting more sophisticated; we are seeing seized PCs with over a dozen virtual machines, or more than 8TB of data to be examined. Some suspects have literally dozens of online IDs. The problem is made worse by the declining effectiveness of anti-malware protection, the growing pressure (from economy and convenience) for businesses to allow use of employee devices for work, and the jurisdictional challenges of cloud computing. The panel couldn't offer a simple answer, with views from "it can only get worse" to "we have to do what we can to help ordinary users and shouldn't just accept that this happens". Again, the question of how much we accept poor reliability in software came up - should we extend consumer protection law to cover the quality of software security? Ditto for enforcing pervasive use of encryption to protect payment details. Interestingly, the police officer was wary of adding more and more laws, on the basis that threats of prosecution can deter reporting - carrots are better than sticks.
Monday, 4 July 2011
Dropbox Terms of Service not actually that evil
There's an old saying that there's no such thing as bad publicity, but I'm not sure that Dropbox believe that right now.
It was embarrassing enough a couple of months ago when in response to security concerns Dropbox had to concede that their much-vaunted claim for totally secure encrypted hosting of data via the cloud wasn't quite as totally secure as most people assumed. Dropbox's explanation made sense - in order to allow web-based access, they need the ability to decrypt user files - and they reiterated assurances that there were procedural safeguards against their staff snooping such content. But trust in Dropbox took a dent.
Nothing like the dent it took the other week though, when a technical glitch left all Dropbox accounts open to access for several hours. Dropbox management were at least quick to concede fault and to advise users to check their account logs for unexpected activity, but this incident seriously tarnished Dropbox's reputation.
Which is probably why Dropbox are now in the news again, following a recent revision of their Terms of Service. When you've heard two lots of worrying news about a company, it's easy to believe the worst when a third story comes along. Now, ToS of cloud service providers are a particular interest of mine, so as a somewhat concerned Dropbox user myself I was keen to see whether there was genuine cause for concern.
What Dropbox have done is to make a generally admirable attempt to make their ToS as comprehensive, open and at the same time easy to understand as possible. I can well imagine why, in light of recent problems, they'd want to do this, although it's a difficult balancing act to try to achieve at the best of times. As Facebook found out, with its infamously longer-than-the-US-constitution privacy policy, detail and readability don't always go together. But having said that I think Dropbox have made a pretty good attempt at it, and their revised ToS are certainly a lot more concise and accessible than many I've had to review.
The particularly contentious part comes under the heading Your Stuff and Your Privacy. It says:
We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.
Is this a massive rights-grab by Dropbox? Well, no. This particular term is very common in cloud, blogging and social-networking services. It arises because in any cloud-based service the provider has to copy your data in order to store it and make it available, and indeed has to publish it if you share that data with friends or the world at large. Whilst there are good legal arguments that you are implicitly granting Dropbox (or any other provider) permission to do this by the act of signing up to the service, for entirely understandable reasons Dropbox prefer to make it clear in your user agreement that this is what they're going to do, and that you the user are happy with it. As one of the comments to the Slashdot story I linked to explains, the scary-looking language is actually quite reasonable given how the service is used:
Worldwide = Dropbox provide a globally-available service.
Non-Exclusive = Dropbox can't and don't prevent you from licensing your data in other ways.
Royalty-Free = You won't charge us for this!
Sublicensable = Dropbox need to allow technology partners to copy your data too.
The caveats in the terms make it clear that Dropbox are invoking this licence only for the purposes of providing the service to users. In that respect it's narrower than, say, Facebook's corresponding term (here, clause 2.1), which sets no limits on the use Facebook may make of data that you share online.
What I know has concerned some people though is the rider at the end of Dropbox's clause about 'You must ensure you have the rights you need to grant us that permission.' Does this mean that you can only store content on Dropbox if you either created it or have licensed it on terms that allow you to copy it?
I think that the practical answer to this is that you are probably fine so long as you don't go beyond the implied scope of what you are supposed to do with the material in question. To take an example, I quite often use my Westlaw access to download a case report or journal article. Westlaw give me the option to email it to myself - an activity which necessarily creates transient and, via webmail, not-so-transient copies of the copyright work in question. But nobody else has access to those, and they are incidental to my approved use of the service. I consider that saving such reports or articles to my Dropbox folder is equally legitimate. What would not be legitimate is sharing or publishing links to them - that would be outside the scope of what Westlaw is letting me use the service for.
In a similar vein, just because Dropbox is in a very technical sense 'publishing' your content back to you when you view it via a web interface, that is not what I, or anyone, would normally regard as 'publishing'. If you store the manuscript of your novel on Dropbox, you aren't publishing it by doing so; indeed, you still aren't even if you share it with a circle of test readers. As such, you're not breaking any exclusivity clause with your actual publishers by doing so.
There's a lot of concern about the security of cloud and social networking services and the fine detail of what can be found in their ToS (often with very good reason). However, if you do find a scary-looking clause, look to see if it's a common one, and if so find out what it actually means. It may well be a lot less alarming than you might at first think.
Monday, 24 January 2011
And it's going to be a Trilogy!
I started this blog with a post about Lucasfilm v Ainsworth, and just over a year ago I discussed the appeal, in which Mr Ainsworth - former prop-maker for the original Star Wars and now manufacturer of replica Stormtrooper attire - had not only maintained his victory on the copyright points but had overturned the decision that Lucasfilm's US judgment was enforceable against him. I felt at the time that there was every prospect of the case going all the way to the then-new Supreme Court and it turns out sure enough the Supreme Court website is now listing Star Wars III: The Revenge of the Claimant to begin on 7th March. (In fact the news came out a good fortnight ago, but I will plead the start of pupillage as an excuse for not noticing at the time.)
More details have been supplied by The Lawyer. George Lucas has deployed the big guns this time around, with Jonathan Sumption QC joining Robert Bloch QC, counsel in the original hearing and the appeal. That Sumption - reputedly one of the most expensive members of the Bar - has been instructed is indicative of the seriousness with which Lucasfilm is taking what it will see as a serious threat to its merchandising rights. As this article puts it, "Hollywood believes the outcome will have major implications for the UK film industry and the movie moguls came out in force in support of Lucas’s fight to have the case heard by the Supreme Court."
It would be a mistake though to see this as a case entirely about copyright. Indeed, my own prediction is that the Supreme Court will not disturb the well-reasoned argument of Mr Justice Mann about the definition of sculpture under CDPA 1988, as endorsed by Lord Justice Jacob, the Court of Appeal's leading specialist on IP matters. What the case may by now be focussing more on is the question of jurisdiction and enforceability of judgments, the area where the Court of Appeal reversed the original decision. Writing in the Cambridge Law Journal, Pippa Rogerson has made a cogent argument that the Court of Appeal misapplied the Brussels 1 Regulation in holding that a copyright dispute in the USA is not justiciable in England. (See CLS [2010] 69(2), 245-247.) If the Supreme Court accepts this view, then Ainsworth may well find his case being assessed under the copyright law pertaining in California, under which it is apparently clear that he would have infringed Lucasfilm's rights. Such a decision could have far wider-ranging implications though, potentially making it far easier for US-based rights-holders to sue for copyright infringement in England.
Whatever happens, one firm prediction I'll make is that this case will get even more coverage this time around. Brace ourselves for more Star Wars themed legal humour, we must.
Tuesday, 7 December 2010
Cloud, Copyright, Hosting and Jurisdiction
Computerworld UK has published a short piece by me on the jurisdictional issues of copyright and database infringement in the Cloud. I discuss the recent ruling on this point in Football Dataco v Sportradar and suggest an alternative model for determining where material is 'made available'.
Friday, 3 December 2010
Wikileaks - Cloud's First PR Crisis?
This week has seen what may be a first for Cloud computing: the very public termination of service of a major customer for alleged terms-of-service violations. I refer of course to Wikileaks, thrown off of Amazon Web Services for a range of reasons relating to the controversial content Wikileaks was hosting there. Of course, organisations have had Cloud services terminated before, but this is by far the highest profile case I’m aware of. Equally high-profile has been the resulting criticism of Amazon, with many supporters of Wikileaks complaining that a company that is in the very business of promoting the free flow of knowledge is now engaged in censorship. So, what was Amazon’s motivation here?
Amazon is still first and foremost an online shopping site (I would have said bookshop, but it is long past being just that). Its web services account for a little over one percent of its turnover, although that fraction is rapidly growing. But this doesn’t mean that Amazon is a bit player in the Cloud computing business. Far from it; Amazon Web Services is one of the market leaders and is the standard against which IaaS (Infrastructure as a Service) Cloud services are judged. A vast number of online services, including many other Cloud-based organisations, use one or more of AWS’s products; EC2 for on-demand computing power, S3 for flexible storage, or one of many others. Amazon lists an impressive array of businesses that use AWS; ironically, it includes Guardian News and Media - one of the main disseminators of the leaked cables - among many others.
It’s not hard to see that Amazon found itself in a difficult position when it became aware that it was hosting Wikileaks. (And yes, ‘became aware’ is probably how it happened – I’ll explain in a moment). Yes, there have been threats of a boycott from those upset that it has dumped Wikileaks. But if it had continued to host it, I don’t doubt that there would have been widespread calls for a boycott from those unhappy with Wikileaks – and there are a lot of people in that camp. On the figures above, Amazon would only have to lose 1% of their online retail business to wipe out their entire income from AWS, and someone in Amazon’s management probably made a pragmatic call that they’d lose a lot more business by continuing to host Wikileaks than by dropping it.
But that’s not the only consideration. Pretty much everywhere that has hosted Wikileaks has sooner or later seen denial-of-service attacks. You don’t even have to ascribe these to conspiracies; there are plenty of people out there who combine a political viewpoint at odds with Wikileaks with the technical knowledge needed to hire a botnet. (Which isn’t much, and in yet another irony botnet-based DDOS attacks are yet another form of Cloud computing). But if you start to DDOS an organisation hosted by a Cloud provider, then you risk causing a lot of collateral damage. We saw a version of this when Spamhaus started to block spam sites that had been set up on AWS, and in doing so inadvertently blacklisted numerous legitimate users of Amazon’s services. A DDOS attack on Wikileaks whilst it was hosted on AWS could well have knocked out many of those sites listed earlier. And if their lawyers could show that AWS knew that it was hosting a prime target for attack alongside them… well, it would be an interesting question as to how liable Amazon would be, but I dare say Amazon’s own lawyers may have suggested that finding out in the courts could be expensive.
In short, Amazon faced a lot of grief if it kept Wikileaks on board. And, under their Terms of Service, they were entitled to drop them. A lot has been written about whether Amazon’s explanation – a breach of Acceptable Use terms – holds water, but at the end of the day Clauses 3.4.1(vii) and (viii) of the AWS Customer Agreement give AWS very broad grounds for summarily terminating the use of even a paid account:
(vii) we receive notice or we otherwise determine, in our sole discretion, that you may be using AWS Services for any illegal purpose or in a way that violates the law or violates, infringes, or misappropriates the rights of any third party; (viii) we determine, in our sole discretion, that our provision of any of the Services to you is prohibited by applicable law, or has become impractical or unfeasible for any legal or regulatory reason;
Now, why didn’t AWS act sooner? This story suggests that Wikileaks started using AWS on Sunday 28 November. But it’s not as if Assange negotiated to use the service; one of the common characteristics of Cloud computing sites is that users can sign up online and pay via credit card. When Joe Lieberman asks, as he apparently has, for details of Amazon’s relationship with Wikileaks, the answer is that it was probably very like Transport for London’s relationship with me concerning my Oyster card. Yes, we have a contract, but it’s one I made by buying credits from a top-up point; TfL are barely aware in any meaningful sense that I exist. Amazon probably only realised they were hosting Wikileaks when they began to get complaints.
So what does this affair tell us about Cloud computing? It’s a big business, but still small in comparison with, for example, online retailing. It’s easy to sign up to, but it’s also easy to get booted off from, thanks to very permissive terms of service (and AWS’s terms are entirely typical of those we saw in the QMUL survey of Cloud terms). But perhaps the most important aspect of Cablegate for Cloud computing is the way that, by drawing attention to Amazon’s Cloud business, it’s put Cloud computing into the public eye.
Tuesday, 16 November 2010
The Sound of Silence
As a supporter of the Royal British Legion (and an ex-serviceman myself) I'm pleased to see the RBL finding new and innovative ways of raising money. This year they have taken the novel step of releasing a single of the Two Minutes' Silence. You can see a short excerpt from the video here.
Now at this point I was suddenly reminded of John Cage's silent 4'33" and more specifically the legal case brought by Cage's UK publishers against Mike Batt (better known to many for the theme song of The Wombles) for allegedly infringing it. Batt included a one-minute silent track on an LP, crediting it to "Batt / Cage". The case settled out of court, reportedly for a substantial sum, although this denied the chance for some judicial enquiry into the extent to which copyright exists in silence.
For a detailed review of the legal issues see Cheng Lim Saw's very thorough analysis in 'Protecting the sound of silence in 4'33" - a timely revisit of basic principles in copyright law' [2005] EIPR 7:12. Cheng Lim Saw concludes that 4'33" very likely does not attract copyright protection under English law, although the question is not as trivial as it might at first appear. For example, the work is not simply a silent interval; it is meant to be performed (albeit very passively) so an audience will always be aware of background noise and environment. But what copyright was asserted in was not a specific recording of a near-silent performance, but the piece itself, and in Cheng Lim Saw's view this is where the copyright claim fails, for how can there be certainty in the identity of the work copied if the piece has no content to be identified?
So what about the RBL's track? Well, it is not a work of sound - or silence - alone. It is a video, featuring well-known personalities as well as injured soldiers as they observe silence. Although everyone in it is static there is no reason to believe that it is not a dramatic work, in terms of the composition and editing. And, as with 4'33" the soundtrack is not truly silent; rather it records the sounds of someone standing still.
In a sense the RBL video has a very important point in common with 4'33": it is meant to make the audience concentrate and reflect on the attempt at silence, although the two works do so in very different contexts. I agree that if the Batt case had gone to trial the copyright claim might well have failed, but were there other potential heads of claim that could have been more arguable? (False attribution, for instance, or passing off; Batt's real mistake may have been in putting Cage's name to his track.)
I very much doubt that the RBL are going to find themselves following Mike Batt in terms of receiving a claim for copyright infringement. A silent video, even if its point is the depiction of silence, is not a performance of 4'33", even if the latter does enjoy copyright protection - which it probably doesn't. But part of me wishes that there was another case on this that went to litigation, because I would love to hear the legal arguments put forth.
Thursday, 9 September 2010
I Aten't Dead
...as Sir Terry Pratchett's Granny Weatherwax would put it, although one might be forgiven for wondering, looking at this blog of late. My sole excuse is that I've been employed investigating and writing about IT law as my day job for the last few months, which has inclined me less to blog about it as a hobby.
However, that work has now borne fruit and so this is a good point at which to get LawClanger going again. The QMUL Cloud Legal Project has just produced 'Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services', by Simon Bradshaw, Christopher Millard and Ian Walden, and available for download from SSRN.
'Contracts for Clouds' is based upon a detailed survey I carried out of the Terms and Conditions (T&C) for 31 different Cloud computing services from 27 providers. It began as a baseline study to identify how Cloud providers made reference to some of the wider legal issues we are planning to address in other Cloud Legal Project papers, but it soon became clear that the results were worthy of a paper in their own right. Although there have been a few other reports looking at Cloud T&C, we believe ours is the first that provides a detailed, referenced review of a wide set of T&C together with a comparative analysis of the terms found. And what we found makes for interesting (to put it politely) reading for prospective Cloud customers.
Many Cloud services, for instance, have clauses in their Terms & Conditions that disclaim all responsibility of the provider for keeping the user’s data secure or intact. Often, providers will reserve the right to terminate accounts for apparent neglect (important if they are used for occasional backup), for violation of the provider’s Acceptable Use Policy, or indeed for any or no reason at all. Customers more worried about their data being seen by others than being lost might also be concerned at some of the terms seen in the survey that related to third-party disclosure. Whilst some providers promise only to hand over customer data if served with a court order, others state that they will do so on much wider grounds – including it being in their own business interests to do so.
We also found that providers very commonly exclude any liability for loss of data or for damage arising from it, or seek to strictly limit the damages that can be claimed against them – damages which might otherwise be substantial if loss of data or services brought down an e-commerce web site, for instance. Customers who seek to challenge their Cloud provider in court might also be in for a surprise when they look at the relevant terms: such providers usually claim that the contract is made under the law governing their main place of business, which in many cases is a US state, and that any dispute must be heard in the provider’s local court.
This isn't to say that Cloud services are dangerous, or that providers are especially cavalier. The terms we saw most likely reflect a desire of many Cloud hosts to remain as much a 'mere conduit' of information services (even though they are clearly hosts) as possible, and to keep customers at arm's length. Whether such T&C evolve so as to be more aligned with customer expectations and interests will be interesting to see, and indeed will be an ongoing point of study for the Cloud Legal Project.
However, that work has now borne fruit and so this is a good point at which to get LawClanger going again. The QMUL Cloud Legal Project has just produced 'Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services', by Simon Bradshaw, Christopher Millard and Ian Walden, and available for download from SSRN.
'Contracts for Clouds' is based upon a detailed survey I carried out of the Terms and Conditions (T&C) for 31 different Cloud computing services from 27 providers. It began as a baseline study to identify how Cloud providers made reference to some of the wider legal issues we are planning to address in other Cloud Legal Project papers, but it soon became clear that the results were worthy of a paper in their own right. Although there have been a few other reports looking at Cloud T&C, we believe ours is the first that provides a detailed, referenced review of a wide set of T&C together with a comparative analysis of the terms found. And what we found makes for interesting (to put it politely) reading for prospective Cloud customers.