Lawyers shine light on real cloud concerns

The legal profession is showing a marked increase in interest in the effects of cloud computing on everything from pretrial evidence and privacy to employment law and liability. Its about time.

Like moths to a porch light (or trial lawyers to ambulances), many lawyers are finding the uncertain legal and regulatory terrain of cloud computing fertile ground for new legal analysis--and new legal business.

The effect of cloud computing on our legislative and regulatory world has long been a sub-interest of sorts for me. I have long been fascinated by the ways in which a truly dynamic, multiparty compute environment will challenge laws that assume that electronic assets behave the same as their paper or celluloid brethren--static, not easily duplicated and stored on the owner's premises.

The gap between the cloud and the current state of legislation is serious. Check out these examples from past posts:

Now an increasing number of lawyers are sharing their opinions about cyber crime, privacy rights, and what the law allows and disallows in the cloud. Each and every post or article I've read so far has been enlightening--and not always in a good way.

For example, take CNET's recent coverage of a panel on the effects of cloud computing on cyber crime at Symantec's Norton Cyber Crime Day. Matthew Parrella, chief of the computer hacking and intellectual property unit at the U.S. Attorney's Office, noted that "hacking" PCs by inserting software into the system by various means is being replaced by a new threat:

"That model of importation of software is becoming obsolete because we're seeing on the horizon cloud computing where so many of these operations are pushed from a user's PC or a user's computer onto Google Docs or Salesforce.com," he said.

Looking ahead five years, "I'm thinking the attack is going to be on cloud computing centers," said Parrella.

Barry Reingold and Ryan Mrazik, members of the Privacy and Security practice group at law firm Perkins Coie, coauthored a very well written paper in Cyberspace Lawyer (a legal journal I hope I can afford). The paper, titled "Cloud Computing: The Intersection of Massive Scalability, Data Security and Privacy" (PDF), covers a wide swath of issues largely targeted at data and processing taking place in external clouds.

This is the first of three such papers from the pair, and as such seems mostly targeted at setting up the problem--and man are there some doosies. Take this list of cloud computing critiques:

  • Reliance on private agreement between users and cloud computing service providers as the primary means of legal enforcement

  • The ability of cloud computing service providers to change terms of service with little or no notice to users of the service

  • An alleged lack of enforceable remedies against providers who suffer a data breach

  • The "monopolization" and integration of Web 2.0 and cloud computing services

  • The possible centralization of user data with a few cloud computing firms

  • Exposure of data to seizure by foreign government and data subpoenas

  • The attraction to hackers of a "high value" target

Also of interest to me was a post by Daniel Schwartz of the Connecticut Employment Law Blog, titled "Cloud Computing and Employment Law: The Uncharted Sky". In this post, Schwartz asks some interesting questions regarding data stored in external clouds:

From an employment law perspective, I have not seen much, if anything on the subject. For example, Connecticut's wage and hour laws require employers to keep track of various records of the employee including hours worked, etc. The catch? Such records need to be kept at the employer's place of business for three years. Does storing the information in "the cloud" satisfy that?

And suppose an employee is fired for improper use of the Internet and you want to "image" (or copy) the computer that the employee has worked on to preserve the evidence. How do you do that when the computer you want to image may be in a server thousands of miles away?

Or consider the lawsuit filed by an employee and the call that needs to go out to your IT department to put a "litigation hold" on your data. How do you do that when it's based in the "cloud"?

These are just a few of the many examples that I have seen come across my path in the last few months. What does it all amount to? Some good advancement of the cloud legal discussion, in my humble opinion, which will hopefully lead to demands for new legislation that will make external clouds as safe a choice as leasing office space.

Of course, it could also lead to a whole new collection of cloud lawyer jokes...

About the author

    James Urquhart is a field technologist with almost 20 years of experience in distributed-systems development and deployment, focusing on service-oriented architectures, cloud computing, and virtualization. James is a market strategist for cloud computing at Cisco Systems and an adviser to EnStratus, though the opinions expressed here are strictly his own. He is a member of the CNET Blog Network and is not an employee of CNET.

     

    Join the discussion

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    HOT ON CNET

    Find Your Tech Type

    Take our tech personality quiz and enter for a chance to win* high-tech specs!