Law in the Internet Society

The Cloud

-- By JoshFoster - 19 Jan 2010

Cloud 9

Cloud Computing seems like a decent idea on paper.

Actually, it seems like many different ideas under one buzzword. Defining carefully what one has in mind is always necessary in this situation. Because you don't offer a clear definition and stick to it, this essay risks and reaps confusion.

Remote access, less concern regarding physical storage, and ability to easily collaborate make this service seem attractive. Further, every conceivable service is available at one’s fingertips, so long as the proper fee is paid. No install worries, no real concern regarding hardware compatibility, and no need to wonder if one’s software is up to date. Cloud computing is, at its core, remote software services provided to users (usually for a fee).

Remote services, software-as-a-service, network hosted storage, federated services, and many other things are described as "cloud computing" according to the needs of the marketer or journalist making careless use of the phrase. I don't understand what fees have to do with it. Computing has a cost, and it is either subsidized or passed along. So?

The software does not reside on the user’s computer, and often storage need not reside there either. All the user needs is an OS and the hardware to run that. A number of providers have stepped forward, and some companies are even offering remote access to clients’ work computers from anywhere.

I'm sorry? This is neither cloud computing nor new in any way. Remote access, whether in the silly Microsoft Remote Desktop way or through SSH, VNC, NX, or any of the other free world protocols is last decade's technology.

While the accessibility is laudable, this endeavor is not such a good idea after all.

Storm Brewing

Despite its seeming advantages Cloud computing would have a number of rather insidious drawbacks. The first would be the subscription requirement. In order to access data or run programs, the monthly fee would have to be paid.

This is still irrelevant as far as I can see. Computing's cost will be incurred and paid one way or another. Using gmail to receive and store mail costs nothing; running your own mailserver costs nothing. I do it, even in preference to using the free mailserver that my own law firm runs for me, because I want to be the only person in final control of all my mail, but there is no cost advantage whatever.

Microsoft introduced a similar scheme with their Zune service. For around $15 a month a user could have unfettered access to Microsoft’s music library and download all the music desired. Of course the moment the $15 was no longer being paid all access rights dry up and the downloads became useless. This lead Jerry Holkins and Mike Krahulik to observe in comedic fashion that the service basically costs “infinity dollars.” Such will it be with Cloud Computing. Monthly fees for data access seem fair until one realizes that 1 Terabyte of data storage costs roughly $86. And that is for an external drive. An internal drive would take $15 off the price. Though this does not really apply to the remote workstation access services, it certainly applies to the core idea of cloud computing, that all software and storage be remote. An individual paying this subscription fee would likely have to pay it forever, unless he or she wanted to abandon all data built up on the service.

This is nonsense. An Amazon S3 cloud storage account, for example, is just a remote filesystem in the network: you can copy data on and off it as easily as you could with a storage volume of your own. And given that any Ubuntu or Red Hat system also provides S3 APIs, moving from "cloud" storage at Amazon to similar storage on your own or someone else's servers can be transparent.

This allows for a sort of captive audience effect. If Google, or any other cloud service provider wants to perform a rate hike, users will have a greatly diminished ability to walk away. Changing service providers does not allow transfer of data. Basically it allows for a data hostage situation.

Surely you can see that technology with that effect is unlikely to be introduced, because rational organizations wouldn't make use of it. What Microsoft or Apple offer consumers has nothing to do with the way sophisticated organizations make decisions about IT.

Thunderheads

Further, even beyond the data held hostage there are huge privacy concerns with Cloud Computing. Google’s pullout of China was, to a large extent, a result of human rights activists’ Gmail accounts being hacked. If all one’s data is out in the Cloud, then theoretically it’s potentially visible to everyone on the internet.

What's the difference between email stored at gmail and email stored on some other hackable mail server? Surely these supposed geniuses in supposed China who supposedly hacked supposedly secure Google could more easily have knocked over some lesser mortal's mail server where these supposed human rights activists would otherwise have been keeping their supposedly important email. And this business of secretly forwarding reporters' incoming gmail to other accounts, which we're supposed to find so technically amazing and so worrisome about "cloud computing" is among the simplest things to do when knocking over the not-even-supposedly secure Microsoft Windows so-called operating system most people run on the computers where they keep all their personal data. So what exactly are you talking about?

Could I interest you at all in the possibility that you haven't been told anything like the truth about what's going on in the Google/China/US imbroglio?

Further, program access and usage will certainly be monitored by the service provider, and even if an account is not hacked, the service provider will have access to all the information. It seems odd that people would be comfortable sharing every single thing they do on their computers with complete strangers. Of course given Facebook it is hardly surprising. This problem is exacerbated in legal or medical communities. Though inter-hospital networks may have their own problems, medical data can at least be stored on-site by the hospital, as opposed to Google or Microsoft employees having access. So too is it with legal documents, which can be just as if not more sensitive. Neither type of data has any business being on a cloud network.

You seem to have forgotten that encryption exists. This is not a good way to conduct policy analysis. You can't just make it up as you go along.

If, however, data that must be secure cannot be trusted in the cloud, why trust any data? While some may claim that the distributed nature and fact that service providers can devote more resources to security means that data would be more secure, but the fact remains that anything open to access on the internet at large is at risk, and cloud computing data is always open in that way. Remote access systems can be particularly bad, with regards to this, as all data on the physical computer is now available for viewing anywhere, and to some extent, by anyone.

Um, no. See above.

Given that employees of the service provider may have access to the data, privilege and confidentiality may be waived where applicable in using these services.

Still wrong. Same problem. When you edited this portion of the draft, did you ask yourself skeptical questions?

This should be a real concern for companies that would use these services. If an entire enterprise has its data on such a service, is there any confidentiality whatsoever? Further, could the service provider itself be subpoenaed to provide data thought to be privileged or confidential. Given the above concerns, there is no real confidentiality with these systems, and thus privilege and confidentiality may be deemed waived, especially since a third party is in control of the data. Even if the courts do not find it so clear cut, the fact a third party controls all sensitive data is not a situation any company should desire.

Flash of Lightning

Cloud computing also cannot deal well with data loss. Several months ago, for instance, a technically glitch at Microsoft caused massive data loss for T-Mobile cellphone users. There is no reason that any other network is more secure. Traditional HDDs can suffer failure, too; however RAID arrays can make recovery much easier, and such failures would generally be limited to one machine. In the above instance the data for thousands of users was lost with one glitch. Even Cloud services used solely for backupping suffer from this drawback. Again this makes such schemes particularly ill suited for medical or legal usage. The above noted malicious access could also allow for deleting of data. Thus hardware failure is not the only issue that could bring about data loss.

Do you actually believe that people who run storage businesses know less about how to protect data integrity than you do? You think the RAID array is not yet familiar to the guys who run databases? Exactly what do you think it is that Oracle does in order to make it possible for Larry Ellison to throw away hundreds of millions of dollars playing with boats? Hardware redundancy is the cheapest thing in the world. People who mind other peoples' data, if they are trying to mind the data of sophisticated people, not consumers buying cute phones they saw someone holding in the airport, make auditable commitments about security and integrity. Redundancy is the least of their contractual technical obligations.

Your Microsoft/T-Mobile example isn't being correctly understood here, either. Sure there's a reason that other networks are more "secure" (you meant more robust) than this: the people involved here did something on the hundred-year-flood level on the stupidity scale: they did a software upgrade to their in-house storage network (yes, of course it was Microsoft software, far less robust than the free world's equivalents) without doing a backup of that network's contents first. So when the upgrade failed, having corrupted their data, they had no previous state of the storage network to fall back to.

People learned not to do this long before they invented computers. Danger, the company for which MS paid far too much in order to fail in the smartphone business, was a consumer provider, which means that they sold crap to stupid people and their customers therefore were in no position to keep them honest. But it is not an argument against a product, or an architecture, that shoddy or criminally negligent versions can be made. It is an argument against Microsoft as a service provider; they bought Danger without understanding its operations very well, and they made the situation worse rather than better, which is why the blowout happened a year after the acquisition, when they began to make "improvements" to their company. But I don't think I know anyone on Earth who believes Microsoft is a good service provider. Even the inhabitants of Planet Microsoft don't believe that: they think they're a product company. To judge this on the basis of consumer services makes no sense. Who in his right mind would carry a handheld device with contacts, calendar, and all that in it and not back it up personally? Consumers, that's who. They're the only people stupid enough to deal with Microsoft for services.

Obviously, before giving someone your data to protect, or your software to run, you want to be sure they can provide the services with high reliability, security and integrity. Unless you're an idiot consumer, you also want a service-level agreement and some indemnities. That's true in the cloud, as it is in the net, as it is with respect to Iron Mountain and your paper shredding contractor. So why is any of this an argument against the cloud?

Thus Begins the Downpour

Cloud Computing is rife with problems, both in data security and storage. The pricing scheme will tether a company to the service essentially forever, and the benefits are negligible at best. Further, from a legal standpoint, it may completely negate privilege and confidentiality. The Cloud is to be avoided.

Your conclusion is unestablished because each of the arguments it relies upon fails. I agree completely with you, but you have not given one compelling reason to do so. As it happens, I also somewhat agree with, don't know about, slightly disagree with, and completely reject what you are saying, depending on what "cloud computing" means, which you do not consistently define or taxonomize. Depending on basic architectural features that vary entirely from one class to another of systems that are described as "cloud computing," there are policy implications, positive and negative, of many kinds. Some recent thoughts of mine on the subject of privacy and "the cloud", explaining the architectural roots of the privacy problems, and suggesting a "cloud computing" way of fixing them, may be helpful for dealing with a couple of aspects of the larger question you're trying to raise.

Navigation

Webs Webs

r2 - 09 May 2010 - 20:06:29 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM