[Note: post republished Jan 2010 due to an error by admin (Daithí) with no change to Oisín’s text.]
I’m delighted to present a guest post here – first time I’m doing this, but a very appropriate choice of topic. Oisín Tobin (who will start his own blog soon!) is a scholar and PhD Candidate in the Law School in Trinity College Dublin, where his work focuses on the legal regulation of ʻthe cloudʼ. He recently completed his BCL, with distinction, in Merton College, Oxford. Cloud computing is, of course, one of the most interesting legal and technical issues, and Oisín’s new blog will no doubt be an important source for information and debates on this emerging area. Over to him:
Clouds are likely to disperse, though there is a risk of litigation later in the week.
Ideas, particularly ‘big’ and influential ideas, have a way of percolating in the background before suddenly and forcibly thrusting their way upon the public consciousness. The past weeks may have marked such a watershed moment in the development of cloud computing. Unfortunately, this unveiling has less resembled a technological revolution than a French farce.
The failure of T-Mobile’s Sidekick cloud-based mobile phone system, due to somewhat unclear problems at its cloud infrastructure provider Danger (a subsidiary of Microsoft), and the resulting loss (but later apparent recovery) of personal data including contact details, photographs and messages, has exposed, in stark, shocking and public terms, the unpleasant and large-scale consequences that can result from a failure in the cloud. While consumers have long been comfortable with cloud-based services such as Gmail and Facebook, this extremely public failure of a well-established cloud computing service marks the first real public exposure of the nature and risks of cloud computing.
Unfortunately for T-Mobile and Danger/Microsoft the technical and PR headache created by this failure only represents the start of their difficulties stemming from this crash: where there are lots of unhappy people, a cock-up and money, one can be certain that the lawyers will not be far behind.
According to CNET, at least two class actions have already been filed in the Californian courts, including one (Thomson v. T-Mobile) brought by KamberEdelson, a heavyweight firm that recently forced a settlement with Amazon over the unilateral, and deeply ironic, deletion of copies of 1984 and Animal Farm from users’ Kindles.
So what are the legal issues that are likely to stem from this, and similar cases, and what do they tell us about the legal risks of the cloud?
Broadly speaking four sets of legal issues (conflicts, negligence, contract and consumer protection law) are likely to dominate any litigation in this area.
As a preliminary matter, it is necessary to bear in mind the precise relationship between the consumer, T-Mobile, and Danger/Microsoft in this incident. From media reports, it appears that this service was based on a chain of contracts: the consumer had a contract with T-Mobile for the provision of this ‘sidekick’ service; T-Mobile, in turn, had a contract with Danger/Microsoft for the provision of the cloud infrastructure on which the service ran. Indeed, it seems that consumers had no idea Microsoft was actually providing the infrastructure on which their mobile phones ran.
First up, we have to tackle some profoundly difficult conflicts of laws and jurisdiction problems. In the Thomson action we have two Washington-based corporations (T-Mobile and Microsoft) and a California-based company (Danger) being sued in Federal Court in California, by a customer resident in Georgia, due to a national failure of a mobile phone system. Jurisdiction is being claimed as proper because Danger (i.e. the cloud operator itself) is resident in California and, as a result, the conduct complained of (i.e. the failure of the cloud) happened in California. This is so even though the unilateral contract between T-Mobile and its customers expressly bars class actions and requires arbitration or, in the alternative, that the consumer sues in the courts of his or her own state, which here would be Georgia. If the Federal Court accepts the case, it would create an interesting precedent, suggesting that a service provider that relies on the cloud may, despite having a choice of court and law agreement with their customers, find themselves being sued in the jurisdiction where the cloud is physically located (and the law of the place applied), on the ground that the wrongdoing took place where the servers are located and/or operated.
The second issue, and the core of the Thomson action, is a claim in negligence. Negligence is a notoriously malleable tort, covering everything from inappropriately placed snails, to excessively hot coffee, to poor professional advice – how does it apply to the cloud?
In essence, Thomson’s argument is that T-Mobile, as the service provider, and Danger/Microsoft, as the infrastructure provider, were both under a duty of care to consumers to protect and ensure access to consumer data. It is alleged that there was a failure to exercise reasonable skill and care in discharging this duty (particularly by the failure to invest adequate resources), causing loss. Although the Thomson pleadings simply refer to the negligence of the ‘Defendants’, all lumped together, it is worth separating out the case against Danger/Microsoft from that against T-Mobile, since the details of any claim in negligence against them would necessarily be different.
In proceedings against the service provider (T-Mobile), the essence of the claim would be an assertion that they were negligent in contracting with Danger/T-Mobile to provide their infrastructure (or, at least, negligent in failing to closely monitor Microsoft’s performance). Such an argument, if it was successful, would seem to be the ultimate renunciation of the assertion that ‘no one ever got fired for buying Microsoft’! If such a claim succeeded, it would seem to indicate that businesses that buy in cloud computing power to provide services to their own customers may be liable in negligence if their infrastructure provider doesn’t prove up to the task.
As an aside, it’s worth noting that if a claim along these lines was brought in the UK or Ireland, then it may be bolstered by strong statutory support from European data protection law. The Data Protection Directive requires EU members to adopt laws providing inter alia that data controllers (such as T-Mobile) deploy sufficient technical measures to prevent accidental data loss and obliges them to choose a data processor (as Danger/Microsoft would be described here) that also deploys sufficient safeguards. These statutory obligations could be seen as creating a statutory duty of care to safeguard data that may also ground a separate civil action in negligence.
Slightly different issues would be key in negligence proceedings against the infrastructure providers, such as Microsoft. Here, the key issue would be whether or not they are under any duty of care to the end user of a cloud service, as opposed to the businesses with whom they contract directly.
However, even if a negligence case could be successfully made out against either Microsoft/Danger or T-Mobile, the companies may seek to hide behind exclusionary clauses disclaiming any liability for negligence. This brings us to the second set of issues coming out of this dispute: contract law.
As was noted at the outset, we have two distinct sets of contracts on these facts: those between T-Mobile and its consumers, and between T-Mobile and Microsoft. As far as one can work out from media reports, there is no direct contract between Microsoft and the end users.
This last fact is vital, as Microsoft, lacking any direct contract with consumers, would have no exclusionary clause to hide behind if it was hit in negligence. Moreover, assuming that traditional common law privity of contract rules applied to this dispute, it would seem that consumers would be unable to bring breach of contract proceedings against Microsoft for its failure to provide the service.
However, should a situation like this arise in future under English law, it is worth bearing in mind that the Contracts (Rights of Third Parties) Act 1999 allows for a third party to bring proceedings for breach of contract, where they form part of a class of persons who are expressly authorised to do so by the contract itself. Draftsmen writing English law cloud computing contracts should give some thought to whether or not the end users of a cloud computing service should be given such a right to directly sue the infrastructure provider.
So what then of the contracts between T-Mobile and its customers? Itʼs noteworthy that the Thomson complaint makes no reference to any breach of contract on the part of T-Mobile, despite the fact that the core of this dispute is T-Mobileʼs failure to provide its customers with a service they contracted and paid for. One wonders if this was due to the presence of half a dozen exclusionary clauses in the terms of service: Clause 5 allows for unilateral alteration of the terms of service; clause 7 specifically disclaims all liability for problems relating to service availability and quality; clause 17 allows T-Mobile to ‘limit, suspend or terminate’ the service, without notice, for any reason; clause 21 provides, to the maximum permissible extent, that the good is provided ‘as is’ and ‘with all faults’ and disclaims any implied terms of merchantability or fitness for purpose (!); clause 22 states, interestingly in a cloud context, that T-Mobile will not be liable for the problems caused by a third party.
Thus, it appears that, in effect, T-Mobile are not contractually required to provide a functioning service! They can walk away from the existing terms at their election and they are expressly exempted from any liability (including, it appears, in negligence) for any problems caused by the failure of its cloud providers. It will be very interesting to see if these exemption clauses allow it to escape liability on the facts.
It’s worth noting, however, that if a cloud computing provider in England or Ireland sought to rely on such a clause, they would likely face an uphill battle. Aside from the fact that a contract which imposes liability on one party (the consumer) but not the other (the service provider) is hardly a contract at all, such a clause would seem apt to fall foul of the Unfair Consumer Terms Directive. Moreover, it may be set aside in equity as unconscionable.
Finally, the contractual relationship between T-Mobile and Microsoft is worthy of note. According to Techcrunch, a service level agreement, or SLA, is in existence that requires Microsoft to maintain 99.5 of up-time. It is rumored that Microsoft is making payments in excess of 700,000 a day for breach of the SLA. Although this amount seems considerable, it is worth bearing in mind the massive, perhaps incalculable, brand damage that T-Mobile has suffered from this incident (see, for example, Perez Hilton’s expletive-laden rant under the headline T-Mobile Seriously Screws their Customers). In future, companies that will rely on the cloud to deliver services to their own customers may wish to consider drafting the SLA to ensure that they will receive adequate compensation from the cloud provider for the massive PR damage likely to ensue in the event of an infrastructure failure.
The final legal issues that would be likely to come to the fore in any lawsuit over this incident would stem from consumer protection law. While consumer protection law is not an area that immediately springs to mind when one thinks of technology regulation, it may prove to be decisive in the area of cloud computing. Any legal issues in this area would result from the divergence between the profound marketing claims about the safety and reliability of cloud computing and the somewhat more uncertain reality. Indeed, lawyers who think they are drafting rock solid contracts for cloud computing companies, complete with ‘as is’ and broad exclusionary clauses, may, in fact, be storing up trouble – if the company’s marketing is based on claims of effective service, reliability and safety while the underlying legal reality is that the company offers no guarantees and only has to provide services on such terms as it sees fit, then such marketing may be seen as misleading consumers.
This divergence between the legal reality and marketing puff has already led to a complaint against Google being lodged with the Federal Trade Commission. Moreover, Californian consumer protection law, along with negligence, forms a central plank in the Thomson complaint. It’s worth stressing that T-Mobile is a Washington-based company, being sued by a Georgia resident individual – yet the Thomson complaint contains an attempt to apply Californian consumer protection law, on the ground that the back-office cloud services were operated from Danger’s premises in California. If this claim succeeds, it could have profound effects on the development of the cloud – a company that buys in cloud computing services could find itself bound by the consumer protection law of the jurisdiction where the cloud itself is located, even where the material consumer transactions took place in another jurisdiction.
The success, or failure, of the cloud is not simply a question of business models and technology; it depends on law. If customers and businesses are not comfortable and certain of their rights with the cloud, then they will be slow to use it. The Sidekick failure represents the first proper legal test for the cloud – it remains to be seen how it will do.