A survey of 31 Cloud computing contracts from 27 different providers has found that many include clauses that could have a significant impact, often negative, on the rights and interests of customers.
The survey formed part of the Cloud Legal Project at the Centre for Commercial Law Studies (CCLS), within the School of Law at Queen Mary, University of London. Funded by a donation from Microsoft, but academically independent, the project is examining a wide range of legal and regulatory issues arising from Cloud computing.
"The ease and convenience with which Cloud computing arrangements can be set up may lull customers into overlooking the significant issues that can arise when key data and processes are entrusted to cloud service providers, says Professor Christopher Millard, principal researcher on the Cloud Legal Project.
The main lesson to be drawn from the Cloud Legal Projects survey is that customers should review the Terms and Conditions of a Cloud service carefully before signing up to it.
Many web services are examples of Cloud computing, from storage and backup sites such as Flickr and Dropbox to online business productivity services such as Google Docs and salesforce.com.
Cloud computing can be very attractive as a means of achieving financial savings, productivity improvements and the wider flexibility that accompanies Internet-hosting of data and applications. There may, however, be unforeseen costs and risks hidden in the terms and conditions of such services.
The survey found that some contracts, for instance, have clauses disclaiming responsibility for keeping the users data secure or intact. Others reserve the right to terminate accounts for apparent lack of use (potentially important if they are used for occasional backup or disaster recovery purposes), for violation of the providers Acceptable Use Policy, or indeed for any or no reason at all.
Furthermore, whilst some providers promise only to hand over customer data if served with a court order, others state that they will do so on much wider grounds, including it simply being in their own business interests to disclose the data.
And Cloud providers often exclude liability for loss of data, or strictly limit the damages that can be claimed against them damages that might otherwise be substantial if a failure brought down an e-commerce web site.
Although in EU countries and various other jurisdictions the validity of such terms may be challenged under consumer protection laws, users of cloud services may face practical obstacles to bringing a claim for data loss or privacy breach against a provider that seems local online but is in fact based in another continent.
Indeed, service providers usually claim that their contracts are subject to the laws of the place where they have their main place of business. In many cases this is a US state, with a stipulation that any dispute must be heard in the providers local courts, regardless of the customers location.
Perhaps the most disconcerting discovery of the Cloud Legal Projects survey was that many Cloud providers claimed to be able to amend their contracts unilaterally, simply by posting an updated version on the web. In effect, customers are put on notice to download lengthy and complex contracts, on a regular basis, and to compare them against their own copies of earlier versions to look for changes.
Explore further: Security CTO to detail Android Fake ID flaw at Black Hat
More information: The paper Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services by Simon Bradshaw, et al., is available via the Cloud Legal Project web site at: www.cloudlegal.ccls.qmul.ac.uk