Tuesday, September 21, 2010

Social and Legal Aspects of Cloud Computing

Last week I attended one of the public talks organised by the Manchester branch of the BCS, by Dai Davis of Brooke North LLP, entitled "Social and Legal Aspects of Cloud Computing".

Dai's definition of "cloud computing" was quite broad - essentially it's the delivery of a service over the internet, where encompassing "software as a service" through to "storage as a service" and "platform as a service". You could think of it as "renting" hardware, software and/or data storage. The most obvious example is web mail - the service provider typically gives you access to an email client and also handles storage and retrieval of your email.

A key characteristic of cloud computing is that the hardware and data storage could be physically located anywhere in the world, and as an end user you have no idea where they are - you're leaving the service provider to deal with the technical details - and for this reason, cloud computing services have undeniable attractions at the point of entry: they usually have low start-up costs for the end user, both financially and in terms of ease-of-use.

However Dai suggested that there are other factors to consider before opting to use these services, and central to this is control of data - your data. As already noted, once you've entered your data into the system you have no idea where is in the world. Do you know who else might have access to it? If you try to delete it, how do you know if it's really gone? And what if you want to get your data out again - can you get it in the format you need? The first three of these are potential issues under the EU Data Protection legislation, which forbids export of personal data outside the EU, only allows it to be held for as long as is necessary to process it, and stipulates that you must take appropriate measures to ensure its security.

Unfortunately you are unlikely to have any legally-binding guarantees from the service provider as regards any of these - you're asked to take it on trust that the service provider won't abuse their position of trust. Dai pointed to last year's incident when Amazon unilaterally removed copies of "1984" from customers' Kindles as an indication of what could happen, but there are other issues with people losing control of their data - posting to Facebook being one example (another interesting aside was Dai's observation that although it is possible to delete your Facebook account, it's very difficult to erase all trace of yourself from it).

Ultimately the choice about using cloud computing-based services is then a risk-reward analysis, and the problem is really that although the benefits are usually obvious, the risks only become evident further down the line. It's possible that we're yet to realise the full implications of these things. I don't think that Dai is saying that we shouldn't use these services, only that we should go in with our eyes open. Overall, a fascinating and slightly worrying overview of the issues.

No comments:

Post a Comment