Jamie Clark's preso on cloud computing and legal issues at the OASIS International Cloud Symposium (#intcloudsymp) at Ditton Manor, Windsor, UK, October 2011
2. "The largest standards group for electronic commerce on the Web"
Over 5,000 participants representing more than 600 organizations and individuals, since 1993
60+ technical committees producing royalty-free and RAND standards
http://www.oasis-open.org/
3. OASIS interoperates with the world
Cooperation, liaison and harmonization is a first-class OASIS priority:
● ISO, IEC, ITU, UN-ECE MoU for E-Business
● ISO/IEC JTC1 SC34, SC38; ISO TCs 154, 215, ITU-T SG 17
● OECD, SWIFT, UPU, World Bank
● Asia PKI, Changfeng (Beijing), CESI, EA-ECA, Korean NIA, CEN/ISSS, European ICTSB, ETSI, PSLX, SIENA, Standards-AU
● ABA, ACORD, AIAG, CalConnect, CSCC, HL7, MBAA, NAESB, LRC, InfoCard/OpenID, Kantara/Liberty, OAGi, ODCA, OGC, OMA, OMG, RosettaNet/GS1/UCC, W3C
http://www.oasis-open.org/liaisons
6. But maybe not as complex as it sounds, for law
software-as-a-service
platform-as-a-service
application-as-a-service
storage-as-a-service
infrastructure-as-a-service
acronyms-as-a-service
boring-slides-as-a-service
oy-gevalt-as-a-service
Someone else holds or controls your data? Not new.
Your computing resources are somewhere else? Not new.
Network latency and service levels? Not new.
As with e-signatures in the 1990s, lots of pre-existing law and risk allocation practices inform us.
7. But maybe not as complex as it sounds, for law
What IS new is the degree of reliance on this tech for critical systems.
“More outsourcing”
Consider how our expectations of mobile telephones changed, as they evolved from toy, to convenience, to necessity.
Increasingly, apps, MSPs, PaaS and remote storage define computing.
8. Many of the challenges that "the cloud" brings already are well in hand. Others, not so much yet.
Being sorted out (maybe not done, but well started, anyway):
Cloud computing security
Virtualization and hypervisor interactions
Reliable messaging and transactional patterns
Federated identity (of humans and organizations)
Remote data storage access
Uncharted waters ahead (Here Be Dragons):
Comparable Quality of Service measures
Vocabularies for SLAs & dashboardability
Data ownership and access
Jurisdiction
Identifier rigor
9. Many of the challenges that "the cloud" brings already are well in hand. Others, not so much yet. (same slide, annotated)
Being sorted out (maybe not done, but well started, anyway): Standards and Technology
Uncharted waters ahead (Here Be Dragons): The Market
11. What's left over for the
lawyers to sort out so that
our contracts actually work?
Comparable Quality of Service measures
Vocabularies for SLAs & dashboardability
Data ownership and access
Jurisdiction
Identifier rigor
All elevated from casual to critical priority: this
isn't your teenager's party pics anymore
12. Quality of Service, and service level agreements
Comparable QoS measurements: dashboardability
Automated SLAs: Rule-based negotiations for service use and management: common vocabularies for SLAs?
The “Heidi” model of endpoints: when is a service asserted to be reliable? Do reputational models suffice? Consider “good enough” weather forecasts.
Data protection due diligence, plenary magic-bullet licenses, and the general problem of liability in software
WSQM? RuleML? WSDM?
0.90^2 = 0.81 . . . 0.90^4 = 0.66 . . . 0.90^10 = 0.35
“warranty of merchantability … fitness for a purpose”
http://legalbrat.blogspot.com/2011/09/why-this-cloud-has-no-silver-lining-for.html
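The arithmetic on this slide is the point practitioners most often miss in SLA review: a request that has to traverse ten services each promised at 90% is itself available only about 35% of the time, because serial dependencies multiply. The following is an added example, not part of the slide deck, that carries that formula through for a constructed dependency chain (the service names and the 90% figures are assumptions for illustration), adds the complementary case of independent replicas (redundancy raises availability as 1 - (1-a)^n), and turns the composite into the number a contract reviewer actually compares against a promise.

```python
import math

# Constructed example, not from the slide: a request that must traverse every one
# of these dependencies in series, each promised at 90% by its own SLA.
SERIAL_CHAIN = {"cdn": 0.90, "paas": 0.90, "database": 0.90, "idp": 0.90}

MINUTES_PER_MONTH = 30 * 24 * 60


def _check_fraction(v):
    if not 0.0 <= v <= 1.0:
        raise ValueError(f"availability must be in [0, 1], got {v!r}")


def serial_availability(parts):
    """Availability of a service that needs every part up at once: the product.
    The slide's 0.90^2 = 0.81, 0.90^4 = 0.66, 0.90^10 = 0.35 is this case."""
    a = 1.0
    for v in parts:
        _check_fraction(v)
        a *= v
    return a


def parallel_availability(replicas):
    """Availability of one part served by independent replicas: it is down only
    when every replica is down, so 1 - (1-a1)(1-a2)...  Assumes independent
    failures; correlated outages (shared region, shared bug) break this."""
    down = 1.0
    for v in replicas:
        _check_fraction(v)
        down *= 1.0 - v
    return 1.0 - down


def downtime_minutes_per_month(availability):
    """Expected unavailable minutes in a 30-day month; easier to read than 0.35."""
    _check_fraction(availability)
    return (1.0 - availability) * MINUTES_PER_MONTH


def sla_gap(dependencies, promised):
    """How far the composite falls short of a promised availability (0.0 if it
    is met). A 99.9% promise built on 90% parts cannot be kept, whatever the
    contract says; this returns the size of that shortfall."""
    _check_fraction(promised)
    composite = serial_availability(dependencies.values())
    return max(0.0, promised - composite)


def cheapest_redundancy(part, target, max_replicas=64):
    """Smallest number of independent replicas of a part with availability
    `part` such that the replicated part meets `target`."""
    if not 0.0 < part < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("part and target must be strictly between 0 and 1")
    n = 1
    # Small tolerance so 1 - 0.1**3 compares equal to 0.999 despite float rounding.
    while parallel_availability([part] * n) + 1e-9 < target:
        n += 1
        if n > max_replicas:
            raise ValueError("target not reachable with a sane replica count")
    return n


def report(dependencies, promised):
    """Summary a reviewer can paste into a contract comment."""
    composite = serial_availability(dependencies.values())
    return {
        "composite_availability": composite,
        "downtime_minutes_per_month": downtime_minutes_per_month(composite),
        "promised": promised,
        "gap": sla_gap(dependencies, promised),
    }


if __name__ == "__main__":
    for k, v in report(SERIAL_CHAIN, 0.999).items():
        print(f"{k}: {v:.4f}" if isinstance(v, float) else f"{k}: {v}")
    print("replicas of a 90% part needed for 99.9%:", cheapest_redundancy(0.9, 0.999))
```

The slide's chain of 0.90 terms is the serial case; the redundancy helper is the other half of the same algebra and is what a provider has to buy to close the gap the first function exposes.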
13. Data ownership and access
It's yours, but you can't get at it: backup and
portability
Platforms: lock-in by code, not data
If it's about you, is it yours or mine? Privacy,
personal data and the rights of subjects
It's yours, but you gave me permission: ToS
documents, implied consent, and transitive
permission to third parties
Exchange formats; lock-in; data replication
Ownership vs. regulation (as in credit bureaus)
Uniform legal intercept expectations
Who's a “third party”?
14. Data ownership and access (same slide, annotated)
Transitive permission: “We may share your data with our partners”
“We may use your data for business management purposes, by us and our service providers”
HIPAA “business associates”
Controllers vs. Processors
15. Jurisdiction, applicable laws and enforcement
Jurisdiction: in the sense of contract enforcement
“This contract and all services provided hereunder are governed by the law of the State of California without regard for the application of blah blah blah” and you must come here to sue us.
Jurisdiction: In the sense of applicable regulatory schemes
Memset (UK): Our cloud's not housed in a Patriot Act jurisdiction: http://www.katescomment.com/securing-data-in-the-cloud/
Jurisdiction: In the sense of government enforcement
India: Move your servers for RIM, Google and Skype, please: http://news.cnet.com/8301-1009_3-20015418-83.html
17. Jurisdiction, applicable laws and enforcement (same slide, annotated)
Going to court to sue is one thing; going there to attach property is another: local property law affects collection.
Contracts: not all countries allow you to contract out of their regulatory rules.
21. Jurisdiction, applicable laws and enforcement (same slide, annotated)
Governing law for:
Rights of software users?
Data protection & privacy?
Data moral rights?
IPR; trade & competition?
Fair trade rules?
And ease of enforcement, if the firm's in-country.
22. Jurisdiction, applicable laws and enforcement (same slide, annotated)
But is that a naïve view of network location?
23. The peculiar problem of
identifiers
Competing identifier systems
Non-rigorous identifiers and massive scaling
Who owns the ID for the object? Who can charge for
it? Where does the data live?
Identifiers and names as a predicate for enforceable
obligations
URIs, URNs, XRIs, UUIDs, UPCs, ASN.1, oh my.
If my inventory falls in the forest, but my subscription to the
identifier database runs out, does it make a sound?
Is the product “identified to the contract”, or substitutable?
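Two of the points on this slide, non-rigorous identifiers at massive scale and the zoo of identifier syntaxes, have a concrete engineering side. The following is an added example, not from the deck: it shows that the same UUID written under several common surface forms compares as five different objects by string but one by value (so a registry that keys on raw strings will double-count or fail to match), carries the birthday-bound arithmetic that says how many identifiers a given bit-width can hand out before collisions become likely, and checks a UPC-A check digit as the contrast case of an identifier scheme that carries its own rigor. The sample identifiers are constructed for illustration; the UPC used is the standard textbook example.

```python
import math
import uuid

# Constructed: one 128-bit value written five ways (lowercase, uppercase,
# braced, URN form, and with the hyphens dropped). Python's uuid parser
# accepts all five; a string comparison treats them as five identifiers.
SAME_ID_SPELLINGS = [
    "12345678-1234-4abc-8def-123456789abc",
    "12345678-1234-4ABC-8DEF-123456789ABC",
    "{12345678-1234-4abc-8def-123456789abc}",
    "urn:uuid:12345678-1234-4abc-8def-123456789abc",
    "1234567812344abc8def123456789abc",
]


def canonical_uuid(text):
    """Normalize any accepted UUID spelling to the lowercase hyphenated form.
    Raises ValueError for anything that is not 32 hex digits once the
    decoration is stripped, which is the rigor check a registry should apply
    at the door rather than storing whatever string arrived."""
    return str(uuid.UUID(text))


def distinct_by_string(ids):
    """How many identifiers a naive string-keyed registry would count."""
    return len(set(ids))


def distinct_by_value(ids):
    """How many identifiers there actually are once canonicalized."""
    return len({canonical_uuid(i) for i in ids})


def collision_probability(bits, n):
    """Birthday-bound probability that n uniformly random identifiers drawn
    from a space of 2**bits contain at least one duplicate:
    p = 1 - exp(-n(n-1) / (2 * 2**bits)). expm1 keeps precision when p is tiny."""
    space = 2 ** bits
    return -math.expm1(-(n * (n - 1)) / (2.0 * space))


def ids_before_collision(bits, p):
    """Inverse of the above: how many identifiers can be issued before the
    collision probability reaches p. For 32-bit ids and p = 0.5 this is
    about 77,000, which is why 'just use a random int' does not scale."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    space = 2 ** bits
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))


def upc_a_valid(code):
    """UPC-A check digit: 3 * (sum of digits in odd positions) + (sum of digits
    in even positions), counting from 1, must be a multiple of 10. A scheme
    with a built-in check catches most transcription errors on its own."""
    if len(code) != 12 or not code.isdigit():
        return False
    digits = [int(c) for c in code]
    odd = sum(digits[0:11:2])   # positions 1, 3, ..., 11
    even = sum(digits[1:11:2])  # positions 2, 4, ..., 10
    check = (10 - (3 * odd + even) % 10) % 10
    return check == digits[11]


if __name__ == "__main__":
    print("by string:", distinct_by_string(SAME_ID_SPELLINGS),
          "by value:", distinct_by_value(SAME_ID_SPELLINGS))
    print("32-bit ids, p=0.5 at n ~", round(ids_before_collision(32, 0.5)))
    print("UUIDv4 (122 random bits), n=1e9: p =", collision_probability(122, 10**9))
    print("UPC 036000291452 valid:", upc_a_valid("036000291452"))
```

The birthday figures are for uniformly random identifiers; sequential or predictable identifiers have no collision problem but a different one, since anyone can guess the next one, which is the usual reason a security review asks how an identifier is minted, not just how wide it is.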