cloud computing law

cloud computing law vincent gautrais

professeur agrégé /associate professor faculté de droit / faculty of law

université de Montréal /university of montreal

January 23/24th, 2011

chaire en droit de la sécurité et des affaires électroniques / udm chair in e-Security and e-Business law

www.gautrais.com

thanks to CUSO

… but maybe not a so nice gift

4 points in my intro

definitionwikileaks

law + i.t.legal tools

0.1 - definition

is it really so new ?

buzz ASP outsourcing

good or not ?

“an emerging architecture by which data and applications reside in cyber space, allowing users to access them through any web connected device.”

(John B. Horrigan) (2008)

“Cloud computing refers to a variety of technologies that transfer the responsibility for a computing activity (such as storage or processing) from a local computer to a network of remote computers over the Internet. The remote computers are generally operated by a third-party cloud service provider.”

James Kosa (2010)

3 models

Saas

Paas

Iaas

infrastructure

platform

software

0.2 – wikileaks

• political perspective

• constitutional perspective

• knowledge management perspective

• legal perspective

0.2.1 – political perspective

0.2.1 – political perspective

strange interpol efficiency…

for a ‘rape by surprise’ infringement

0.2.1 – political perspective

“Yep. For years people have extolled cloud computing as the way of the future. The lesson of the last week is simple: be careful what you wish for.”

John Naughton (2010)

0.2.2 – constitutional perspective

balance between

nationalsecurity

free information

0.2.3 – knowledge management perspective

“if you want to kill your dog you accuse him of having the plague”

2008 Chatsworth train collision

Stefana Broadbent

0.2.3 – knowledge management perspective

why 1 to 3 billions of people had an access to sensitive information ????

0.2.3 – knowledge management perspective

efficiency / access security

0.2.4 – legal perspective

0.2.4 – legal perspective

contract ?liability ?

contract

ovh

liability

0.3 – i.t. + law

• inherent opposition between both concepts– law is stable – techno change quickly – law had no choice to be late (Cicero) – techno is already tomorrow – law is old – techno is new (revolution ???)

26

techno law

27

Michel Serresles nouvelles technologies :

révolution culturelle et cognitive(new technologies: cultural and

knowledge revolution)

28

Michel Serres

« when the support / information conbinaison is changing, everything is changing !»

29

- 5000

- 4000

- 3000

- 2000

0- 1000

2000

1000

writing

printing

internet

30

Michel Serres

« today a pure science professor teaches 60 to 70% of content that he or she doesn’t learn him(her)self in the university».

0.4 – legal tools

• constitution• international convention• laws• jurisprudence • contract• trade usages• internal documentation

0.4.1 – constitution

• ex: the Canadian Charter of Rights and Freedoms (1982)

• Life, liberty and security of person art. 7 • Freedom of expression art. 2 b) • Freedom of association art. 2d) • Freedom of Conscience and Religion art. 2 a) • Equality before and under law and equal protection and benefit

of law art. 15

• EX: – Yahoo! Case in France and United States – wikileaks

• ex: Quebec Charter of human rights and freedoms, R.S.Q. c. C-12 (1975)

0.4.2 – international convention

of course nothing on cloud computing • copyright

- WIPO Copyright Treaty (1996) - WIPO Performances and Phonograms Treaty (WPPT) (1996)

• contract- United Nations Convention on the Use of Electronic Communications in International Contracts

(2005)

• privacy (no real international convention)- Council of Europe and Privacy Protection (1980)- United Nations Guidelines concerning Computerized Personal Data Files

(1990)

• cybercrime - Convention on Cybercrime (2001) (Council of Europe)

0.4.3 – laws

main instrument (+ regulations)

• ex: e-contract• ex: privacy• ex: copyright

0.4.4 – jurisprudence

very few

0.4.5 – contract

part 2

37

0.4.6 – trade usages• usages and customs • usages rebirth because others norms are unsufficient

• laws (EX: Utah) • regulations • treaties • Jurisprudence

• intrinsic reasons of its rebirth • formal reasons

– flexibility – vague

• subtantial reasons – technical (EX: T.J. Hooper) (1932) – commercial (lex mercatoria) – international (EX: consumer protection)– new and variable

38

0.4.6 – trade usages

• usages and customs • CCQ. recognition

– « 1434 CCQ. : A contract validly formed binds the parties who have entered into it not only as to what they have expressed in it but also as to what is incident to it according to its nature and in conformity with usage, equity or law. »

• but limited recognition – Rare jurisprudence – “too vague to be honest”– outside the law?

0.4.7 – internal documentation

maybe the most important legal solution

…

that may be used for almost every problems

6 main problems

1. document management

quite silence of law …

ex.1

An Act to establish a legal framework for information technology (Quebec) (2001)

34. “Where the information contained in a document is declared by law to be confidential, confidentiality must be protected by means appropriate to the mode of transmission, including on a communication network.

Documentation explaining the agreed mode of transmission, including the means used to protect the confidentiality of the transmitted document, must be available for production as evidence.”

ex.2Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5

4.7 Principle 7 — Safeguards Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.4.7.3 The methods of protection should include(a) physical measures, for example, locked filing cabinets and restricted access to offices;(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and(c) technological measures, for example, the use of passwords and encryption.4.7.4 Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.

electronic document management is different from paper

documentoperations

documentfunctions

paper document security = safe locker

physical solutions

electronic document security = documentation

administrativesolutions

ex: document evidence

1 – documentitself

2 – documentation

1.1 document functions

–Confidentiality

–Authentification

–Non-repudiation

–Disponibility

–Integrity

examples of solutions

• technical solution are available (as encryption) (not the most important aspect)– always a balance between comfort versus security– always a balance between cost versus security

• documentation is often required • norms may by used (as ISO)• human resources education• etc.

1.2 document operations

retention

destruction

transmission

transfercustody

simple storage (ISP)

22. A service provider, acting as an intermediary, that provides document storage services on a communication network is not responsible for the activities engaged in by a service user with the use of documents stored by the service user or at the service user's request.

However, the service provider may incur responsibility, particularly if, upon becoming aware that the documents are being used for an illicit activity, or of circumstances that make such a use apparent, the service provider does not act promptly to block access to the documents or otherwise prevent the pursuit of the activity.

custody

26. Anyone who places a technology-based document in the custody of a service provider is required to inform the service provider beforehand as to the privacy protection required by the document according to the confidentiality of the information it contains, and as to the persons who are authorized to access the document.

During the period the document is in the custody of the service provider, the service provider is required to see to it that the agreed technological means are in place to ensure its security and maintain its integrity and, if applicable, protect its confidentiality and prevent accessing by unauthorized persons. Similarly, the service provider must ensure compliance with any other obligation provided for by law as regards the retention of the document.

process of security

process of security

• categorization of information WHAT

• pluri-disciplinary approachHOW

• identification of a person in charge of the process

WHO• place of servors

WHERE• work in progress process

process of security

too much norms

… as the car business in 1920

2. contract

What’s a contract?

A B

1386 CCQ. The exchange of consents is accomplished by the express or tacit manifestation of the will of a person to accept an offer to contract made to him by another person.

2 questions to deal with

1. content of the contract (obligations of provider)

2. form of the contract (eContract)

2.1 very simple…

just need 2 wills

1 – content

that said…

1. possible to negociate2. possible to use correction of law (contract of

adhesion)– as abusive clause protection– contract is interpreted in favour of the person who

contracted the obligation (against the person who stipulated it)

– illegible or incomprehensible clause protection

main differences

• free providers (impossible to negociate)

• $$$ providers (sometimes, it may be possible)

main contractual questions

• who is responsible?• which law is applicable?• what is the level of security?• who is the owner of data / software?• how customer use cloud services?• where are data?• how did we terminate the contract?• etc.

general

• free• 7 pages• Several documents by

reference (as privacy policy, copyright, complaint, etc.)

• contract may be changed by Amazon with no specific notice

• $$$$ / free• 23 pages• several documents by

reference (as privacy policy)

• contract may be changed by Amazon with no specific notice

liability

law

• state of California (art. 19)

• state of Washington (art. 14)

security

no mention

You agree that Google has no responsibility or liability for the deletion or failure to store any Content and other communications maintained or transmitted by Google services.

7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you ...

ownership

• Google’s rights– Software– Marks– Advertisement

information

• Your rights– Non-exclusive right and

license to use the object code of its sofware

– Data

• Amazon properties:– Software– Marks– Platform– feedback

• customer properties– License – Data – Some applications

permission

4.1 Permitted uses

generally

4.2 Restricted uses generally

2 – APPROPRIATE CONDUCT You understand that all information, data, text, software, music, sound, photographs, graphics, video, messages or other materials ("Content") are the sole responsibility of the person from which such Content originated. Google reserves the right, but shall have no obligation, to pre-screen, flag, filter, refuse, modify or move any Content available via Google services. You understand that by using Google services you may be exposed to Content that is offensive, indecent or objectionable, and that you use Google services at your own risk. For some services, Google provides tools to filter out adult sexual content, including our SafeSearch preference settings …

data location

• no information in contract but…

• … for sure there are some server farms in US

• no information in contract but…

• … for sure there are some server farms in US

PATRIOT Act

• Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (2001)

– enhance American authorities control ability– lack of transparency about the law application

some providers offer insurance that data are not store outside a specific place

ex.: lawyer obligation (as British Columbia in Canada) See http://www.lawsociety.bc.ca/publications_forms/rules/rules_part03.html#3-68

and more widely

25(1). The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

European directive (1995)

termination

• Immediatly (for Amazon) in some cases (hacking, inappropriate content, etc.)

• 5 or 15 days (after a notice) (for Amazon) in other cases (as payment problem)

ou may discontinue your use of Google services at any time. You agree that Google may at any time and for any reason, including a period of account inactivity, terminate your access to Google services, terminate the Terms, or suspend or terminate your account. In the event of termination, your account will be disabled and you may not be granted access to Google services …

2.2 very simple too…

just need 2 consents

So… may be done via internet

2 – form

consent is …

1) communication

2) acceptance

1

2

2.1.1 communication

1399 CCQ

« Consent may be given only in a free and enlightened manner. »

legibility

Contract = Information

but ...

At least 10 pathologicalcontractual practices

1 - readability

2 - dynamic

7. Privacy; Monitoring the ServicesWe are under no obligation to monitor the services, but we may do so from time to time and we may disclose information regarding User’s use of the Services for any reason and at our sole discretion in order to satisfy applicable laws, regulations, governmental requests, or in order to operate and deliver the Services in an effective manner, or to otherwise protect us and our Users. We agree to comply with the terms of our Privacy Policy as set forth on our FAQ website, as it may be amended from time to time.

3 - lenght

information = oxygen

Feldman v. Google (April 2007)

« AdWords Agreement gave reasonable notice of its terms. In order to activate an AdWords account, the user had to visit a webpage which displayed the Agreement in a scrollable text box. (…) the text of the AdWords Agreement was immediately visible to the user, as was a prominent admonition in boldface to read the terms and conditions carefully, and with instruction to indicate assent if the user agreed to the terms. That the user would have to scroll through the text box of the Agreement to read it in its 14 entirety does not defeat notice because there was sufficient notice of the Agreement itself and clicking “Yes” constituted assent to all of the terms. The preamble, which was immediately visible, also made clear that assent to the terms was binding. The Agreement was presented in readable 12-point font. It was only seven paragraphs long – not so long so as to render scrolling down to view all of the terms inconvenient or impossible. A printer-friendly, full-screen version was made readily available. The user had ample time to review the document. »

4 - hyperlinks

Linearity versus hyopertextuality

5 - where’s the e-contract ?

6 – multiple Legal Documents

Copyright Privacy Cookies Terms and Conditions of Sale Terms of UseLimited WarrantyService ContractsHardware Technical Support PolicyEtc.

7 – legal terminologies

THE SERVICES PROVIDED BY US ARE PROVIDED "AS IS." WE MAKE NO WARRANTY OF ANY KIND, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, OR ANY WARRANTY REGARDING THE RELIABILITY OR SUITABILITY FOR A PARTICULAR PURPOSE OF ITS SERVICES. USER UNDERSTANDS AND ACKNOWLEDGES THAT WE EXERCISE NO CONTROL OVER THE NATURE, CONTENT OR RELIABILITY OF THE INFORMATION AND/OR DATA PASSING THROUGH OUR NETWORK. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY US, ITS DEALERS, AGENTS OR EMPLOYEES SHALL CREATE A WARRANTY AND USER MAY NOT RELY ON ANY SUCH INFORMATION OR ADVICE. WE MAKES NO WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, REGARDING THE QUALITY, ACCURACY OR VALIDITY OF THE INFORMATION AND/OR DATA RESIDING ON OR PASSING THROUGH ANY NETWORK. USE OF ANY INFORMATION AND/OR DATA OBTAINED FROM OR THROUGH SERVICES PROVIDED BY US WILL BE AT USER’S OWN RISK. USER ACKNOWLEDGES THAT WE ARE NOT LIABLE FOR ANY ERRORS OR INTERRUPTION IN THE INSTALLATION PROCESS OR IN PROVIDING THE SERVICES, WHETHER WITHIN OR OUTSIDE THE CONTROL OF US. UNDER NO CIRCUMSTANCES SHALL THE USER HOLD US OR ANY OF OUR AGENTS, CONTRACTORS OR REPRESENTATIVES RESPONSIBLE FOR ANY FORM OF DAMAGES OR LOSSES (INCLUDING WITHOUT LIMITATION ANY DIRECT, INDIRECT, CONSEQUENTIAL OR INCIDENTAL DAMAGES OR LOSSES) SUFFERED FROM, BUT NOT LIMITED TO ERRORS, DELAYS, LOSS OF INFORMATION, DELAYS IN THE INSTALLATION OR PROVISIONING PROCESS, OR INTERRUPTIONS IN THE SERVICES CAUSED BY THE USER, US OR A THIRD PARTY’S NEGLIGENCE, FAULT, MISCONDUCT OR FAILURE TO PERFORM. USER UNDERSTANDS THAT TELECOMMUNICATION AND/OR NETWORK ACCESS SERVICES MAY BE TEMPORARILY UNAVAILABLE FOR SCHEDULED OR UNSCHEDULED MAINTENANCE AND FOR OTHER REASONS WITHIN AND OUTSIDE OF THE DIRECT CONTROL OF US. UNDER NO CIRCUMSTANCES DO ANY SUCH ERRORS, DELAYS, INTERRUPTIONS IN SERVICES OR LOSS OF INFORMATION NULLIFY OR MODIFY THESE TERMS AND CONDITIONS. WE RESERVE THE RIGHT TO REFUSE OR TERMINATE SERVICES TO A USER AT ANY TIME WITHOUT CAUSE. THE INTERNET CONTAINS UNEDITED MATERIALS, WHICH MAY BE SEXUALLY EXPLICIT, OR MAY BE OFFENSIVE TO YOU OR OTHERS ACCESSING THE SERVICES. WE HAVE NO CONTROL OVER SUCH MATERIALS AND ACCEPT NO RESPONSIBILITY FOR SUCH MATERIALS.

7 – legal terminologies

8 – non-legal titles

consumer contract • terms of Services • conditions of Use• conditions of Sale • notice • legal • waiver • licence • etc.

Privacy « contract » • privacy • confidentiality • FAQ• security• legal• waiver • licence • notice• etc.

9 – abusives clauses

10 – stupid clauses

DELL (INCLUDING DELL’S PARENTS, AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES OR AGENTS) DOES NOT ACCEPT LIABILITY BEYOND THE REMEDIES SET FORTH HEREIN, INCLUDING ANY LIABILITY FOR PRODUCTS NOT BEING AVAILABLE FOR USE, LOST OR CORRUPTED DATA OR SOFTWARE, PRODUCTS SOLD THROUGH DELL’S SOFTWARE AND PERIPHERALS DIVISION, OR THE PROVISION OF SERVICES OR SUPPORT. DELL WILL NOT HAVE ANY LIABILITY FOR ANY DAMAGES ARISING FROM THE USE OF THE PRODUCTS IN ANY HIGH RISK ACTIVITY, INCLUDING, BUT NOT LIMITED TO, THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, MEDICAL SYSTEMS, LIFE SUPPORT OR WEAPONS SYSTEMS. DELL WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF BUSINESS, OR OTHER INCIDENTAL, INDIRECT, CONSEQUENTIAL, SPECIAL OR PUNITIVE DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY THIRD PARTY EXCEPT AS EXPRESSLY PROVIDED HEREIN.

10 – stupid clauses

« Do not use the ING DIRECT Web Site to communicate to others, to post on the ING DIRECT Web Site, or otherwise transmit to the ING DIRECT Web Site, any materials, information, or communication that either causes any harm to any person or that is illegal or otherwise unlawful, including without limitation any hateful, harassing, pornographic, obscene, profane, defamatory, libellous, threatening materials which constitutes or may encourage conduct that would be considered, a criminal offence, give rise to civil liability, promote the excessive, irresponsible or underage consumption of alcohol, or otherwise violate any law or regulation.  »

10 – stupid clauses

« The limited warranty set forth below is given by Canon U.S.A., Inc. (Canon U.S.A.) in the United States or Canon Canada Inc., (Canon Canada) in Canada with respect to the Canon-brand PowerShot Digital Camera purchased with this limited warranty, when purchased and used in the United States or Canada. »

10 – stupid clauses

11. Governing Law

This Agreement is governed by the law of Sharp’s Audio Visual.

some simple solutions

• short • plain english • humanity• slow• visual

2.2.2 acceptance

1399 CCQ

« Consent may be given only in a free and enlightened manner.  »

A. shrink wrap consent

B. click wrap consent

C. browse wrap consent

1 - shrink wrap

ProCD (US - 1996) King (Canada - 1989)

2 - click wrap – dell case

• dell computer c. union des consommateurs - supreme court decision (July 2007)

• contract is valid

Click 1

Click 2

Click 3

Click 4

3 - browse wrap

by using or signing up to use Netscape.com, you signify that you agree to these terms. You consent to the AOL Network Privacy Policy and you agree to receive notices and terms from us electronically. If you do not agree, do not use Netscape.com.

3. liability

bruce schneier

no liability = no security

civil law

liability =

damage + fault + link between both of them

but not too much liability too…

2 sorts of providers

1 – simple storage

2 – custody

116

liability

• ISP (Internet Services Provider) (Hosting services) • Definition.• General exemption Regime

117

• eBay Cases– April 2008 in France = Hermes v. eBay (see

Manara Comment – french) • Not an editor • Not a ISP• In the middle = reinforced ISP liability

– 2000 in USA = Hendrickson c. eBay• VERO (Verified Rights Owner) application• No liability for ISP (under exception)

118

Tyffany c. eBay, (2008) (US)

119

liability

• custody services

in which category are cloud computing providers?

• difficult to say …

• need to read the contract• $$$ or free may be a criteria• in both cases, need to identify the provider

diligence

4. privacy

personal information definition

2(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

European directive (1995)

Same in Switzerland

“all information relating to an identified or identifiable person.”

« Democracy means that if the doorbell rings in the early hours, it is likely to be the milkman. »

Winston Churchillprivacy = expectations

difficult to really know…

… between phantasm and real fear

privacy may be seen as a question of control

provideritself

publicinstitutions

R. v Patrick, [2009] 1 S.C.R. 579

129

[62] Nevertheless, until the garbage is placed at or within reach of the lot line, the householder retains an element of control over its disposition and cannot be said to have unequivocally abandoned it, particularly if it is placed on a porch or in a garage or within the immediate vicinity of the dwelling where the principles set out in the ﾒ perimeter cases such as Kokesch, Grant and Wiley apply.

[63] (…) However, when the garbage is placed at the lot line for collection, I believe the householder has sufficiently abandoned his interest and control to eliminate any objectively reasonable privacy interest.

R. v. Patrick, 2009 SCC 17

cloud computing is from web 2.0

highexpectations

lowexpectations

british-columbia

« She said she could no longer kayak, hike or bicycle, but the defendant produced some of the plaintiff’s own photographs posted on her Facebook page that showed her doing these activities. » (Bagasbas v. Atwal, 2009 BCSC 512)

Brisindi et STM (Réseau des autobus), 2010 QCCLP 4158

no one alleging his own turpitude is to be heard

satisfied

control may beby consent

limited

on 1 side …

consent = best way to offer information to individual

… on the other side…

consent = is the best way for using personal information of individual

ex: facebook

137

ex: facebook

138

what are customer’s privacy expectations?

privacy

to be honest…

i don’t know!

to be honest…

i don’t know!

controlling personal information is quite an illusion

information obligation26. Anyone who places a technology-based document in the custody of a service provider is required to inform the service provider beforehand as to the privacy protection required by the document according to the confidentiality of the information it contains, and as to the persons who are authorized to access the document.

During the period the document is in the custody of the service provider, the service provider is required to see to it that the agreed technological means are in place to ensure its security and maintain its integrity and, if applicable, protect its confidentiality and prevent accessing by unauthorized persons. Similarly, the service provider must ensure compliance with any other obligation provided for by law as regards the retention of the document.

(custody in Qc)

information categorization

a question of risk management

but no accountability obligation yet

5. international law

first step

• see applicable law clause in the contract

– In most cloud computing contract

– always the law of the provider (cheaper)

– always the court of the provider (cheaper)

– arbitration may be a good solution

second step

• if no clause … • see law applicable in your own country • in Switzerland law

– Le contrat est régi par le droit choisi par les parties. (an act is governed by the law designated in the act ) (art. 116)

– A défaut d’élection de droit, le contrat est régi par le droit de l’Etat avec lequel il présente les liens les plus étroits. (country with which the act is most closely connected) (art. 117)

third step

are you sure you want to go in court ?

6. property

• quite simple for almost all situations

– customer = owner of data– customer = user of software

(license)– provider = owner of software– provider = custodian of data

but…

data ownership may be compromise

• bankruptcy of provider • data compatibility (difficult to migrate)

– ex: facebook• non-exclusive license of the data owner with

provider– ex: facebook – ex: google

11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

some data may be create by the provider

• metadata or data mining produced by provider on customers activities– may be confidential (if PI - privacy) – May be aggregated

conclusion

• not so new• read your contract (even if they are quite long and

maybe boring)• write some internal audit to show your diligence• identify a person in charge of cloud computing

management• understand cloud computing is a work-in-progress

process• etc.

cloud computing law vincent gautrais

professeur agrégé /associate professor faculté de droit / faculty of law

université de Montréal /university of montreal

January 23/24th, 2011

chaire en droit de la sécurité et des affaires électroniques / udm chair in e-Security and e-Business law

www.gautrais.com