I posted this to PogoWasRight.org last week but probably should have posted it here, too:
Simon Bradshaw of University of London – Centre for Commercial Law Studies, Christopher Millard of the
Centre for Commercial Law Studies; Oxford Internet Institute, and Ian Walden of Queen Mary University of London, School of Law have a working paper that reports the results of their survey of 31 Cloud services offered by 27 discrete providers and compares their Terms and Conditions (T&C). The survey includes Amazon Web Services, MobileMe, DropBox, Facebook, Google Apps Premier, Google Docs, SQL Azure Database, Rackspace Cloud, Salesforce CRM, and others. The results are very thought-provoking.
The paper makes clear that it seems many, if not most, cloud services are specifically disclaiming any liability for data integrity, so if you’re concerned about security, you may want to think twice or be prepared to spend more to obtain additional back-up or security services that they offer. Here’s what the authors say about Data Integrity:
A natural concern for Cloud computing customers is that data placed into the provider‟s Cloud be secure against loss, be it loss of integrity or availability (resulting, for example, from corruption or deletion) or loss of confidentiality (due perhaps to a security breach or an unauthorised disclosure). Our survey found however that most providers not only avoided giving undertakings in respect of data integrity but actually disclaimed liability for it.
The majority of providers surveyed expressly include terms in their T&C making it clear that ultimate responsibility for preserving the confidentiality and integrity of the customer‟s data lies with the customer. A number (for example, Amazon, GoGrid, Microsoft) assert that they will make “best efforts‟ to preserve such data, but nonetheless include such a disclaimer. A number of providers go so far as to recommend that the customer encrypt data stored in the provider‟s Cloud (for example, GoGrid, Microsoft) or specifically place responsibility on the customer to make separate backup arrangements…[…]… Significantly, such terms are imposed by storage providers such as ADrive and Apple for services that for many (especially individual) customers will be their „separate backup arrangement‟. In effect, a number of providers of consumer-oriented Cloud services appear to disclaim the specific fitness of their services for the purpose(s) for which many customers will have specifically signed up to use them.
Concerned about privacy? Here’s a snippet from the section on Data Disclosure:
In terms of the circumstances in which providers will disclose customer information (including customer data stored on the provider‟s Cloud), we see a spectrum of approaches ranging from providers that have a very high threshold for justifying disclosure to ones which have a much lower one.
All providers that mention this issue state that they will disclose such data in response to a valid court order. Some purport to establish procedural safeguards. For example, the T&C for Salesforce CRM provide that the customer will be given advance notice of a requested disclosure, unless such notice is prohibited, and that Salesforce will assist the customer in opposing such orders.
A number of providers have a slightly lower threshold of disclosure, accepting requests (as distinct from enforceable orders) from recognised law-enforcement agencies, or where there is a clear and immediate need to disclose information in the public interest or to protect life….. […]… An unusual approach is that taken by IBM regarding its beta-test Smart Business Cloud. IBM expressly states that it has no duty of confidentiality regarding customer data and places responsibility for keeping it confidential on the customer, for example, via encryption…
You can read the entire working paper on SSRN.