DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Article: Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services

Posted on September 12, 2010 by Dissent

I posted this to PogoWasRight.org last week but probably should have posted it here, too:

Simon Bradshaw of University of London – Centre for Commercial Law Studies, Christopher Millard of the
Centre for Commercial Law Studies; Oxford Internet Institute, and Ian Walden of Queen Mary University of London, School of Law have a working paper that reports the results of their survey of 31 Cloud services offered by 27 discrete providers and compares their Terms and Conditions (T&C). The survey includes Amazon Web Services, MobileMe, DropBox, Facebook, Google Apps Premier, Google Docs, SQL Azure Database, Rackspace Cloud, Salesforce CRM, and others. The results are very thought-provoking.

The paper makes clear that it seems many, if not most, cloud services are specifically disclaiming any liability for data integrity, so if you’re concerned about security, you may want to think twice or be prepared to spend more to obtain additional back-up or security services that they offer. Here’s what the authors say about Data Integrity:

A natural concern for Cloud computing customers is that data placed into the provider‟s Cloud be secure against loss, be it loss of integrity or availability (resulting, for example, from corruption or deletion) or loss of confidentiality (due perhaps to a security breach or an unauthorised disclosure). Our survey found however that most providers not only avoided giving undertakings in respect of data integrity but actually disclaimed liability for it.

The majority of providers surveyed expressly include terms in their T&C making it clear that ultimate responsibility for preserving the confidentiality and integrity of the customer‟s data lies with the customer. A number (for example, Amazon, GoGrid, Microsoft) assert that they will make “best efforts‟ to preserve such data, but nonetheless include such a disclaimer. A number of providers go so far as to recommend that the customer encrypt data stored in the provider‟s Cloud (for example, GoGrid, Microsoft) or specifically place responsibility on the customer to make separate backup arrangements…[…]… Significantly, such terms are imposed by storage providers such as ADrive and Apple for services that for many (especially individual) customers will be their „separate backup arrangement‟. In effect, a number of providers of consumer-oriented Cloud services appear to disclaim the specific fitness of their services for the purpose(s) for which many customers will have specifically signed up to use them.

Concerned about privacy? Here’s a snippet from the section on Data Disclosure:

In terms of the circumstances in which providers will disclose customer information (including customer data stored on the provider‟s Cloud), we see a spectrum of approaches ranging from providers that have a very high threshold for justifying disclosure to ones which have a much lower one.

All providers that mention this issue state that they will disclose such data in response to a valid court order. Some purport to establish procedural safeguards. For example, the T&C for Salesforce CRM provide that the customer will be given advance notice of a requested disclosure, unless such notice is prohibited, and that Salesforce will assist the customer in opposing such orders.

A number of providers have a slightly lower threshold of disclosure, accepting requests (as distinct from enforceable orders) from recognised law-enforcement agencies, or where there is a clear and immediate need to disclose information in the public interest or to protect life….. […]… An unusual approach is that taken by IBM regarding its beta-test Smart Business Cloud. IBM expressly states that it has no duty of confidentiality regarding customer data and places responsibility for keeping it confidential on the customer, for example, via encryption…

You can read the entire working paper on SSRN.

Category: Commentaries and AnalysesOf Note

Post navigation

← ‘Sensitive information’ on Tamil migrants stolen (update 2)
Follow-up: Lawsuit filed over horrific student records breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games
  • UK: Oxford City Council still investigating cyberattack from earlier this month
  • Steelmaker Nucor Says Hackers Stole Data in Recent Attack
  • People’s Republic of China cyber threat activity: Cyber Threat Bulletin
  • Ukrainian Web3 security auditing company Hacken suffered an attack that allowed a hacker to create 900 million HAI tokens
  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.