The good folks at Cloudiquity.com pointed me to a couple of Threat Level articles from last week that highlight yet another example of how public policy and the law are often at odds with running a business in the cloud.
The articles report that the FBI raided at least two Texas data centers last week, serving search-and-seizure warrants for computing equipment, including servers, routers and storage. The FBI was seeking equipment that may have been involved in fraudulent business practices by a handful of small VoIP vendors.
The problem is that they didn't just grab the systems belonging to the VoIP vendors, but also hundreds of servers that served a wide variety of businesses, the vast majority of which had never dealt with or even heard of the companies under investigation, according to Threat Level. Companies interviewed complained of losing millions of dollars in lost revenue and equipment with no warning whatsoever.
One company, auto vendor marketing and inventory management vendor Liquid Motors, filed suit in a U.S. district court seeking a restraining order against the FBI that would force the return of the company's servers.
In what has to be one of the most scary verdicts for cloud users everywhere, the district court sided with the FBI and supported its probable-cause argument for holding on to the servers. Although the FBI was kind enough to copy the disk drives for Liquid Motors (on drives Liquid Motors had to provide), the precedent set here sends a shiver down my spine.
The issue, I think, is one of how search and seizure laws are being interpreted for assets hosted in third-party facilities. If the court upholds that servers can be seized despite no direct warrants being served on the owners of those servers (or the owners of the software and data housed on those servers), then imagine what that means for hosting your business in a cloud shared by thousands or millions of other users.
As I noted in a blog post last fall, there are a series of legal issues that really need to be addressed before external cloud services can truly be trusted. Here is what I argue must happen:
The law must respect digital assets in the same way that it respects physical assets. This means that search-and-seizure rules should apply to data and software run on third-party infrastructure (or wholly owned infrastructure run in third-party facilities) in the same way that they protect my home and personal property, if I rent an apartment in a building housing of hundreds of tenants. The fact that one tenant commits a crime is not enough for the civil liberties of all of the other tenants to be null and void. I argue the same goes for digital assets "renting" space in the cloud.
The federal government should adopt a cloud-computing bill of rights. (Here is a rudimentary example.) Each state should as well. Declare loud and clear that you suffer little or no loss of rights if you choose to run your business in the cloud over running it within your own facilities. Repeal or revise the laws that make it impossible for foreign businesses and governments to allow communications and data to pass within U.S. borders (including relevant elements of the Patriot Act).
It is time for our policy makers to step up and really understand the influence that the Internet and cloud computing will have on the future growth of this country. It is scary how little technical understanding most Congress and Senate members have. However, that alone is not an excuse for not grasping the policy gaps that are brought about as our commerce and society rely increasingly upon Internet-based services.
I don't want to spread unnecessary fear here, so let me temper my comments by noting that outsourcing and hosting are two industries that have thrived and survived just fine in the current legal climate. I still believe strongly that cloud computing is a next generation, disruptive technology that will change the face of business once more.
I should also say that I understand that the FBI has a job to do, and generally agree with Mark Burack, executive vice president for Liquid Motors, when he noted "Catching bad guys is important. We support them, and we know they have a tough job. And sometimes innocent people get hurt."
However, I will point out that our legal system allows us to change laws when our environment changes. This is especially true when we realize the innocent are being hurt, and we can take action to prevent that without harming the security or economic welfare of our nation. Search-and-seizure rights in the cloud are one example of this, in my opinion.
What do you think? Will the U.S. legal system be a hindrance to cloud-computing adoption, or will these types of events be rare enough--and justified enough--to have little effect. Are you comfortable running your business in the cloud, knowing that the infrastructure you rely on could be shut down and taken away with no notice?