If you hired a storage unit, would you be perturbed to find the company’s standard terms disclaiming all liability for loss or damage to your property whilst in their custody, irrespective of cause? If you hired a car, how would you react if the rental company told you to check its web site regularly for any changes to permitted daily mileage? What would you think of an accountancy firm that said it would disclose your draft tax return to third parties if it felt that was in its best business interests?
Many businesses might well have substantial reservations about agreeing such terms, whilst individuals – at least, legally-savvy ones – might argue further that such clauses were so unfair as to be unenforceable under consumer protection law. But consumers and corporations sign up to agreements for cloud computing services on similar terms every day. At Queen Mary, University of London, the Centre for Commercial Law Studies’ Cloud Legal Project recently investigated such contracts. Our research shows such terms are by no means uncommon. This article will examine briefly certain issues our survey uncovered. [1]
What is cloud computing?
Cloud computing is clearly of much interest to IT lawyers currently. But what is it, and why is it different from conventional IT outsourcing? It can best be thought of as providing IT services as a utility, much like electricity. As Nicholas Carr pointed out in The Big Switch,[2] the early 20th Century saw industry move from private generating plants – with their own costs and demands for technical expertise – to grid supply from electricity providers. Today, most customers don’t care where their electricity comes from, so long as it is of the right voltage and is available in the quantity needed, when needed. IT services are moving the same way, with cloud providers offering not specific servers but a flexible quota of processing and storage capacity. The great advantage for both customer and provider is that variable demand is easily accommodated. For a customer, only the capacity it requires at any time is used and paid for. For example, with an e-commerce business having seasonal sales (such as holiday bookings or tax return processing), servers can be set up in the cloud as needed, and released when demand eases. This avoids the inherent wastefulness of provisioning for maximum demand in buying dedicated IT hardware, or even long-term outsourcing.
The utility model also benefits providers. If enough customers have variable demand, their aggregate requirement is likely to be far less than the sum of their individual peak needs. A cloud provider should see little idle capacity; server capacity released by one customer can be allocated to another. Such efficiencies, augmented by economies of scale through building large data centres, can produce cost savings they can pass on to customers.
Cloud computing services are easy to obtain
Ironically, the ease of setting up a cloud computing contract may itself lead to legal problems. A conventional IT outsourcing project is usually managed as a significant project with a detailed contract which the customer reviews carefully, and is typically subject to extensive negotiation. A cloud contract, on the other hand, is much easier to enter into. Indeed, much of the attraction often lies in the speed and flexibility of procuring cloud resources. Compared with conventional outsourcing, cloud provisioning is more like taking up an e-mail or broadband service. Many providers allow online sign-up via credit card, on their standard terms, for immediate use. An organisation may thus see cloud services as not only more cost-effective than conventional outsourcing, but quicker and simpler to arrange. The inherent risk is that an agreement seen as quick and relatively cheap to enter into might also be seen as not worth subjecting to proper legal scrutiny, especially if offered on standard terms rather than via a mutually developed contract. However, transferring data and processing to an outsider has just as many legal ramifications if conducted via cloud computing as if conducted by more traditional methods. Indeed, it may have more; cloud services’ flexibility and location-independence introduce new business risks, such as inadvertent transfer of data to other jurisdictions and a murkier relationship between the customer and the provider actually hosting the data.
Signing up to a cloud services contract online invariably involves the customer agreeing a ‘click-wrap’ contract by confirming acceptance of the provider’s standard Terms and Conditions (T&Cs).[3] The QMUL Cloud Legal Project’s survey reviewed in depth 31 sets of T&Cs from 27 different cloud providers.[4] The numerical difference arises because some large providers (eg Google and Microsoft) offer more than one cloud service. Also, the survey involved over 31 individual documents, as many cloud providers issue T&Cs as a set of documents that may include Terms of Service (sometimes called a Customer Agreement), a Service Level Agreement (SLA), an Acceptable Use Policy (AUP) and a Privacy Policy.
Location of data
The contract will not necessarily address clearly all the service aspects that interest customers. The location of customer data is likely to be a key concern for many, who will be, or at least should be, mindful of data protection law restrictions on exporting ‘personal data’ from the EEA. Amazon Web Services offers the option to restrict data storage to its EU Region (at the time of the survey, the Republic of Ireland). However, its T&Cs contain no term specifically warranting that data will be kept in a particular location. A customer is asked to select a data region during sign-up, and this, we suggest, would form a representation incorporated into the contract with Amazon. Nonetheless, a selected region is not the same as an express contractual undertaking, and customers should scrutinise a prospective cloud provider’s T&Cs carefully to confirm that the contract actually addresses the features or issues important to them.
Disputes and jurisdictional issues
If a dispute should arise, a customer might face difficulties bringing a court action as the contract may well specify a foreign legal system and jurisdiction. Of the 31 T&Cs surveyed, 15 claim to be governed by the law of a US state – usually California, although the laws of Massachusetts, Washington, Utah and Texas were also invoked. Such terms are usually accompanied by a stipulation that the relevant state’s courts will be the sole venue for claims against the provider. Of the other 16, 8 applied English law either generally or for UK or European customers. Customers could thus be expected to travel to a foreign court to argue a claim under a law unfamiliar to them. While such terms are generally void against consumers, it is doubtful how much meaningful legal recourse other customers will have against a provider in another continent.
Confidentiality, integrity, availability and security
Assuming a customer could overcome jurisdictional issues, what issues might prompt a legal dispute over cloud services? A customer contracting for storage and/or processing of data will probably assume providers have obligations of confidentiality, integrity and availability (sometimes termed the ‘CIA Triad’ of data security). Confidentiality is the expectation that the customer’s data will not be disclosed to third parties, whether through security deficiencies or deliberate release; integrity, the expectation that data will not be altered, corrupted or lost; and availability, the expectation that storage and processing services will work when required. Breach of these obligations may damage the customer, particularly through indirect or consequential loss arising from, for example, an e-commerce site suffering prolonged downtime.
A customer seeking to sue a provider over such breaches would, however, face exclusion clauses and disclaimers. Most of the providers we surveyed made extensive use of such terms. Indeed, in some cases it is difficult to see how the contract, at face value, could allow a dissatisfied customer any redress.
Many providers explicitly place responsibility for confidentiality and integrity on the customer; for instance, Amazon Web Services’ T&Cs, Clause 7.2 states:
…you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
It might seem reasonable to ask the customer to secure its own data, since the customer can encrypt it before upload and keep the keys. However, this is only straightforward for data that is merely stored. Data that is to be processed actively in any way must be decrypted for processing, even if it was encrypted in transit and is encrypted at rest. Currently this is a major security concern for potential cloud customers with particularly ‘sensitive’[5] data. Some researchers seek to develop ‘homomorphic encryption’ schemes that allow encrypted data to be processed without decryption, but such schemes currently require so much computing power as to be of little practical use.[6] Today, therefore, customers must rely on the provider for the security of their data during active processing, and exclusion clauses like the one above could make it difficult to claim against a provider for inadvertent or negligent leaking of customer data. Note also that client-side encryption addresses only confidentiality: an encrypted object can still be corrupted or deleted, so integrity and availability remain in the provider’s hands regardless of how the data is protected before upload.
Leaks are not always inadvertent. A cloud provider may receive a demand for disclosure of data, for instance of a customer suspected of involvement in crime or a tort against a third party, such as copyright infringement. Some providers will only do so if legally compelled; see, for example, Salesforce.com’s Master Subscription Agreement, Clause 8.4:
The Receiving Party [Salesforce.com] may disclose Confidential Information of the Disclosing Party [the customer] if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure.
Many providers have a lower disclosure threshold, however. ADrive.com’s Privacy Policy, Clause q states:
You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability.
For customers, the risk of such a term is that a provider might consider it prudent or appropriate to avoid possible legal action and associated costs by simply agreeing to a particular disclosure request.
It is worth noting that the disclaimer from Amazon Web Services quoted earlier also covers destruction and loss of data, and furthermore places responsibility for backing up customers’ data with the customer. Such terms should give pause for thought to customers who intend to use the cloud to back up on-site data; in effect, they are being told to back up their backups. This is not to say cloud-based backup is unwise; indeed, as cloud providers typically use highly redundant architectures to ensure multiple copies of data are stored, the chances of accidental data loss through hardware failure are much lower in the cloud than for on-site storage.[7] Nonetheless, terms such as that quoted seem to deny liability for data loss caused by, for instance, deleting a customer account through administrative error. A customer who takes the clause at its word will therefore want not only to encrypt before upload but also to keep an independent record of what was uploaded, so that silent loss or corruption on the provider’s side is detected by routine checking rather than discovered at restore time.
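The following is an added worked example, not code from the article or from any provider, showing the two things the AWS clause quoted above leaves to the customer: encrypting data before upload so the provider holds only ciphertext, and keeping an integrity manifest on the customer’s side so that corruption or silent deletion in the provider’s store is detected. It uses only the Python standard library so it runs anywhere; the cipher is HMAC-SHA256 used as a PRF in counter mode with an encrypt-then-MAC tag, which is illustrative only (in production substitute AES-GCM from a vetted library; the manifest logic is unchanged). The keys, file contents and the in-memory dictionary standing in for the provider’s bucket are all constructed for the example.

```python
"""Client-side encryption plus an integrity manifest for data handed to a cloud store.

Added example (not the article's or any provider's code). Standard library only:
HMAC-SHA256 as a PRF in counter mode, with an encrypt-then-MAC tag. Illustrative;
use AES-GCM from a vetted library in production.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(key, nonce || i)
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. The nonce must never repeat under one key."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; refuse modified objects."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: object modified or corrupted")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def backup(store: dict, enc_key: bytes, mac_key: bytes, files: dict) -> dict:
    """Encrypt each file into `store` (stands in for the provider's bucket) and
    return a manifest of SHA-256 fingerprints that stays on the customer's side."""
    manifest = {}
    for name, data in files.items():
        blob = encrypt(enc_key, mac_key, data)
        store[name] = blob
        manifest[name] = hashlib.sha256(blob).hexdigest()
    return manifest


def verify(store: dict, manifest: dict) -> dict:
    """Compare what the provider still holds against the customer's manifest.
    Returns {name: 'missing' | 'corrupted'} for every object that does not match."""
    problems = {}
    for name, digest in manifest.items():
        if name not in store:
            problems[name] = "missing"
        elif hashlib.sha256(store[name]).hexdigest() != digest:
            problems[name] = "corrupted"
    return problems


def run_demo() -> dict:
    # Constructed keys and files; in practice the keys live in a KMS/HSM the provider cannot read.
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32
    files = {"ledger.csv": b"acct,balance\n1,100\n", "notes.txt": b"draft return\n"}
    cloud = {}  # the provider's storage
    manifest = backup(cloud, enc_key, mac_key, files)

    # The provider holds ciphertext only, so it cannot process the data without the key.
    provider_sees_plaintext = any(b"balance" in blob for blob in cloud.values())

    # Simulate an administrative error deleting one object and a bit flip in another.
    del cloud["notes.txt"]
    damaged = bytearray(cloud["ledger.csv"])
    damaged[20] ^= 0x01  # inside the ciphertext region (after the 16-byte nonce)
    cloud["ledger.csv"] = bytes(damaged)

    problems = verify(cloud, manifest)  # routine check catches both
    try:
        decrypt(enc_key, mac_key, cloud["ledger.csv"])
        tamper_caught = False
    except ValueError:
        tamper_caught = True
    return {"provider_sees_plaintext": provider_sees_plaintext,
            "problems": problems, "tamper_caught": tamper_caught}


if __name__ == "__main__":
    print(run_demo())
```

Run periodically against the live store rather than only at restore time: the clause quoted above disclaims liability for deletion and corruption, so the manifest check is the customer’s own early warning that a backup has silently gone bad.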
A customer might face similar problems trying to bring a claim over poor availability. Many paid cloud services’ SLAs on their face offer compensation for unscheduled service outages. However, typical cloud SLAs may in fact be of limited comfort to customers. The T&Cs often define very restrictively what counts as an outage. ElasticHosts, for instance, appears to offer an impressive 100% availability target, but on closer inspection their SLA excludes downtime caused by, among other factors:
– Acts or omissions of you or your users.
– Software running within your virtual servers.
– Scheduled maintenance which we have announced at least 24 hours in advance.
– Factors outside our control, including but not limited to any force majeure events; failures, acts or omissions of our upstream providers or failures of the internet.
– Actions of third parties, including but not limited to security compromises, denial of service attacks and viruses.
Whilst many such exclusions are reasonable – it would be perverse to hold providers responsible for failures caused by customers – they nonetheless mean a ‘100% uptime guarantee’ will not, in fact, assure truly uninterrupted service.
Limitations on remedies and liability
Even for cloud outages directly attributable to the provider’s failing, the SLA remedy may not be what a customer wants. None of the cloud SLAs surveyed offers a refund of charges; all offer only service credits against future use, usually capped at one month’s standard billing. However, a customer experiencing a serious outage may not wish to continue with the same provider. Credits against future bills will hardly be of benefit to customers deciding to switch providers following unsatisfactory service.
Furthermore, most providers – including all the US-based providers in our survey – exclude liability for damage arising from use of their cloud services, particularly indirect and consequential damages. However, most of the losses suffered by a customer from a cloud service failure are likely to be indirect. If a business’s online sales portal is not available for several hours on a normally busy day, the value of lost sales may dwarf any service credit under an SLA. Such disclaimers can be very wide-ranging, as in CloudHosts’ T&Cs, Clause 9.3:
…in no case will the Company be liable to the Customer [or] any third party for or in respect of any indirect or consequential loss or damage (whether financial or otherwise) or for any loss of data, profit, revenue, contracts or business however caused (whether arising out of any negligence or breach of the Agreement or otherwise) even if the event was foreseeable by, or the possibility thereof is or has been brought to the attention of the Company.
Where providers cannot wholly exclude liability, they usually seek to limit it. We found that T&Cs often cap liability to a customer at the amount paid by that customer over a set period (typically a month). For ‘free’ services this functionally equates to total disclaimer of liability, as seen in Decho’s ‘Limitation of Liability’ Clause for its Mozy.com service:
without limiting the foregoing, the total aggregate liability of Decho, and its suppliers, resellers, partners and their respective affiliates arising from or related to this agreement shall not exceed the amount, if any, paid by you to Decho for the software or services. If the software or services are provided without charge, then Decho and its suppliers shall have no liability to you whatsoever.
A customer suffering damage or loss from a problem with a cloud computing service thus faces several obstacles in bringing an action against the provider responsible. The provider may be in a different part of the world; the contract may be under another jurisdiction’s laws; it may seek to exclude liability for loss or may limit liability to, effectively, a nominal amount. Admittedly, European consumer customers could argue that such terms are unfair under consumer protection laws. Nonetheless they might still face the challenge of recovering damages from a provider in another continent.
Approach to amending terms
Given the issues above, prospective cloud customers may want to examine cloud service contracts carefully. But we found this will often be an ongoing duty, due to the approach many cloud providers take to amending their T&Cs. Many T&Cs allow the provider to amend them simply by posting an updated version on its web site; continued use of the service by a customer is deemed to be acceptance of the new terms. As this policy in effect puts customers on notice to review and check – often long and complex – T&Cs, one might expect providers to flag clearly any changes made. But, surprisingly, few of the T&Cs examined clearly highlighted changes from the previous version. Only about half even stated a revision date. Thus, customers are not only asked to check whether the relevant contract has changed, but may have no way of finding out about any changes without laboriously comparing the current published T&Cs with an archived version line by line. Such an exercise is unlikely to be undertaken regularly, if at all, by typical customers, whether public sector organisation, business or consumer.
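The line-by-line comparison described above is easy to automate. The following is an added example, not part of the article: it keeps a local archive of the last-seen text for each terms URL, compares a freshly fetched copy against it, and reports a unified diff only when the wording (as opposed to page layout or markup) has changed. Fetching is left to the caller (for example `urllib.request.urlopen` on the terms URL, run from a scheduled job) so the file runs offline here; the three page versions and the `provider.example` URL are constructed samples, not any provider’s real terms.

```python
"""Change monitor for a provider's published T&Cs.

Added example (not the article's code). Persist `archive` as JSON between runs
and feed each new fetch through check_for_changes(); alert on 'changed'.
"""
import difflib
import hashlib
import re


def normalise(html: str) -> list:
    """Strip tags and collapse whitespace, then split into sentence-sized units
    so a diff points at the changed clause rather than at a re-flowed page."""
    text = re.sub(r"<[^>]+>", " ", html)
    text = re.sub(r"\s+", " ", text).strip()
    return [s.strip() for s in re.split(r"(?<=[.;:])\s", text) if s.strip()]


def fingerprint(lines: list) -> str:
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


def check_for_changes(archive: dict, url: str, fetched_html: str) -> dict:
    """Update `archive` for `url` and describe the result: 'baseline' on first
    sight, 'unchanged' if only markup/whitespace moved, or 'changed' with a diff."""
    new_lines = normalise(fetched_html)
    new_hash = fingerprint(new_lines)
    old = archive.get(url)
    archive[url] = {"hash": new_hash, "lines": new_lines}
    if old is None:
        return {"status": "baseline", "diff": ""}
    if old["hash"] == new_hash:
        return {"status": "unchanged", "diff": ""}
    diff = difflib.unified_diff(old["lines"], new_lines,
                                fromfile="archived", tofile="current", lineterm="")
    return {"status": "changed", "diff": "\n".join(diff)}


# Constructed samples standing in for three successive fetches of one terms page.
TERMS_URL = "https://provider.example/terms"
V1 = ("Clause 1. We may amend these terms by posting a revised version on our website. "
      "Clause 2. Our total liability is capped at the fees paid in the 12 months preceding the claim.")
# Same wording, re-laid out in HTML: must NOT raise an alarm.
V2 = ("<p>Clause 1.   We may amend these terms by posting a revised version on our website.</p>\n"
      "<p>Clause 2. Our total liability is capped at the fees paid in the 12 months preceding the claim.</p>")
# The liability cap quietly shrinks from 12 months' fees to one month's: must be reported.
V3 = ("<p>Clause 1. We may amend these terms by posting a revised version on our website.</p>\n"
      "<p>Clause 2. Our total liability is capped at the fees paid in the month preceding the claim.</p>")


def run_demo() -> list:
    archive = {}
    return [check_for_changes(archive, TERMS_URL, v)["status"] for v in (V1, V2, V3)]


if __name__ == "__main__":
    archive = {}
    for version in (V1, V2, V3):
        result = check_for_changes(archive, TERMS_URL, version)
        print(result["status"])
        if result["diff"]:
            print(result["diff"])
```

Hashing the normalised text rather than the raw page keeps a provider’s routine redesign from drowning out the one amendment that matters, and the diff output is what a customer would attach to a query to the provider or to its own legal adviser.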
Conclusions
Should prospective cloud computing users be concerned by such T&Cs? Although some T&Cs may appear alarming, they should be seen in the context of the IT services industry generally. Many cloud providers are based in the USA, and so operate within a legal culture that tends to have a more laissez-faire approach to, for example, exclusion and limitation of liabilities, than is typically the case in Europe. In this wider context, some terms are perhaps not as draconian as they may at first appear. Furthermore, many cloud providers have a background in hosting and Internet service provision, where an arm’s length relationship with customers, reinforced by broad contractual disclaimers, is common. Indeed, it is notable that the T&Cs of providers with a track record of engaging in long-term, trust-based relationships with customers, such as Salesforce.com, tend to be noticeably more accepting of liability than average.
The contractual issues noted should thus be seen not as factors militating against cloud computing but as matters to be researched carefully when evaluating prospective cloud providers, and to be borne in mind if contemplating moving particularly sensitive or mission-critical data to the cloud. Here is a short non-exhaustive checklist of points that could usefully be considered when reviewing cloud providers’ T&Cs:
– What legal system do the T&Cs claim to be governed by; are there any limits on where, how or when a legal claim can be brought against the provider?
– Does the provider assert the right to vary the contract unilaterally? If so, what, if any, mechanism is there to notify customers?
– Are there any undertakings or disclaimers regarding security of customer data?
– Does the contract warrant where customer data will be stored, or merely allow the customer to select a region?
– Who is responsible for backing up customer data, and does the provider accept any liability for its loss or corruption?
– What, if any, notice will the provider give regarding deletion of customer data?
– On what grounds will the provider disclose customer data to a third party?
– What causes of service outage are covered by the SLA? What is the form and level of compensation?
– Does the provider exclude or limit liability for damage, particularly consequential damages such as business losses?
In conclusion, cloud computing is an attractive option for many customers due to various technical and commercial factors, in particular flexibility and potential cost savings. These positive drivers should not, however, lead customers to lose sight of the need for appropriate diligence in scrutinising the terms of such services. Cloud computing is an immature and rapidly-developing market. Many customers may find a mismatch between their expectations (driven, perhaps, by the ‘hype’ regarding cloud computing) and the reality of terms offered by providers. Cloud services’ flexibility and value for money often come at the cost of a more arm’s length relationship between customer and provider than in traditional outsourcing contracts, as reflected in many of the T&Cs analysed. As cloud computing services develop further, they may, like more traditional clouds, prove both highly varied in shape and subject to sudden changes – including changes in their T&Cs.
Simon Bradshaw is a consultant for the Cloud Legal Project at CCLS. A former RAF IT Engineer, he qualified as a Barrister in 2009.
Christopher Millard is Professor of Privacy and Information Law at CCLS, where he is Project Leader for the Cloud Legal Project. He is also a Senior Research Fellow at the Oxford Internet Institute, University of Oxford, and is Of Counsel to Bristows.
Ian Walden is Professor of Information and Communications Law at CCLS and Consultant to Baker & McKenzie.
This paper forms part of the Cloud Legal Project at the Centre for Commercial Law Studies, Queen Mary, University of London. The authors are grateful to Microsoft for providing generous financial support to make this project possible. The views expressed within this paper, however, are those of the authors alone. The authors would also like to thank Bridget Bradshaw for suggesting the title of this article.
[1] For a more detailed review of our research and conclusions, see S Bradshaw, C Millard and I Walden, ‘Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services’ (1 Sep 2010) <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1662374>.
[2] N Carr, The Big Switch: Rewiring the World, from Edison to Google (2008), Norton.
[3] Some cloud contracts will, however, be specifically negotiated like traditional outsourcing transactions, for example because of their value, perceived risk or public profile (such as the 2009 deal between Google and the City of Los Angeles). This survey concentrated on a range of T&C for contracts offered for immediate online sign-up.
[4] The survey was conducted in January 2010 and all T&C revisited in Jul/Aug 2010 to verify accuracy of specific terms quoted and to assess the nature and extent of any amendments.
[5] Whether ‘sensitive’ in the data protection sense (eg. health data) or for commercial or other reasons.
[6] T Simonite, ‘Computing with Secrets, but Keeping them Safe’, Technology Review, 11 June 2010, <http://www.technologyreview.com/computing/25537/page1/>
[7] H Kommalapati, ‘Windows Azure Platform for Enterprises’, MSDN Magazine February 2010 <http://msdn.microsoft.com/en-us/magazine/ee309870.aspx>.