[berkman] Microsoft on the multinational legal complications of cloud computing
Lisa Tanzi, VP & Deputy General Counsel of Microsoft, is giving a Berkman lunchtime talk called “A New Era of Computing: The Opportunities and Challenges of Cloud-Based Software and Services.” [Note: I am live-blogging, thus missing stuff, getting things wrong, writing badly, paraphrasing.] Her division at Microsoft is more on the enterprise side than the consumer side.
Microsoft is very excited about cloud computing (which I’ll abbreviate as CC), she says. She’s going to give an overview but wants to spend time on the legal implications.
Lisa begins by putting CC into context on the history of computing timeline. Mainframes, PCs, Client/Server and WWW, and Cloud Services. During the CC era, people have multiple devices. Also, we’re seeing touch-based manipulation and other natural user interfaces. And there’s CC, defined as “providing software and computing power over the Internet.” With CC, you can pay as you go, connect all your devices, and provide wider access to “unprecedented computing power.” “But we at Microsoft don’t see it as an either/or proposition.” People will want to have a mixed environment.
She goes through the benefits of CC for businesses, government, public sector, and developers. She shows a television ad.
Now she addresses some legal and policy issues. She begins with a scenario: A business launches a conferencing and email services offering. It’s HQ’ed in the US with data centers around the world. This creates jurisdictional issues — privacy, law enforcement, liability, running mixed source, data portability. But, she wants to focus on two sets of issues. First, moving data across borders: privacy, security and law enforcement. If the service provider doesn’t think it can reconcile the conflicting obligations, it may end up not launching the service. Or it might turn features on and off in different jurisdictions, although the software doesn’t always allow that, plus you lose some economies of scale.
“Governments are going to have to work together in new ways to find solutions to these issues,” Lisa says. Also, it may be that governments that figure out how to make it easier to move data across borders will have an advantage in attracting data centers.
Second, “How do the large bodies of traditional telecom regulations apply in this new world?” VoIP, email, IM are all affected. The laws vary quite a bit by jurisdiction, and they are usually written for different technologies. Law enforcement requirements, confidentiality obligations, emergency services (e.g., E-911) requirements, etc. How do you do all this while enabling this new technology to evolve and be rolled out?
When it comes to data movement (her first point), imagine a German company that’s out-sourcing email to a CC provider that has data centers in France and Belgium. The data retention laws of Germany say that info has to be kept for 6 months, in France it’s 1 year, and in Belgium it’s 2. Whose law applies?
Some provincial laws in Canada require data in a CC system to be stored in Canada. But if a US company builds a data center in Canada, the Patriot Act may apply, and even if it doesn’t, exceptionalism is a bad way of doing business.
Q: Have you faced any specific cases where the mother country’s laws regulate or not?
A: A lot of these issues just aren’t resolved. Another real-world example: When we build a data center in another country, we go through an extensive process to make sure that we’re not in a situation of conflicting laws. Researching Japan we came across a statute that says electronic communications cannot be transferred outside of the country. It’s not very clear what that means. Can a subsidiary transfer info out of the country? Is there some new process we should be engaged in? Treaty-like solutions?
Q: Are you required to go to the highest common denominator among all the privacy and retention policies?
A: No clear answers. It looks like you can have a high water mark on privacy. And it gets yet more complicated if you have to deal with privacy based upon where the person is, not where the data is.
Q: I use MS Word. To get it from my computer, the police have to get a warrant, etc. If I use MS Live, your CC service, the FBI needs a subpoena which means they don’t have to go before a judge and show probable cause. I’m worried that users are naively using online programs such as Google Docs and Office Live without knowing they’re online and that they’re lacking legal protection. What is MS doing to educate users?
A: We hope that it’s apparent to users that they’re storing documents online. The Terms of Use make the legality clear.
Q: No one reads Terms of Use.
Q: From the European perspective, the European Commission in 2004 required MS to change its licensing policy. MS didn’t comply. In 2006, MS was fined. In 2008 there was another fine. Interoperability was the common thread. In 2008, another two cases were opened, against Office and Opera. It’s a neverending story. What’s your attitude toward interoperability?
A: We take our legal obligations seriously. We’ve announced interoperability principles. Windows Azure (MS CC) is in development. When it launches, the goal is to have it work with non-MS languages and development environments. It’s built on standard protocols. The entire industry would benefit from data portability.
Q: Users in cloud environments tend not to have much leverage. My non-profit in Zimbabwe just got kicked off its web host because Zimbabwe misunderstood US policy. The customer has no power in this scenario. I worry that for people who are very concerned about human rights, data protection, etc., the early indications are that we should run like hell from CC. It’s too bad because technically CC is a much better way to do this. Unless large companies running clouds can offer assurance that they’ll fight for the rights of customers, the response from at least some class of consumers will be “Over my dead body.” Beyond harmonizing, how does this come into issues of free speech? What’s the responsibility of a company like MS to act as a defender of rights?
A: This fall we joined a global initiative to have companies protect privacy and freedom of expression. [Global Network Initiative] For enterprise customers would classify the situation differently. They want to impose obligations on the service provider: set up your physical security in a particular way, do retention in a particular way. For them those issues are being negotiated contract by contract.
Q: What are MS’s financial projections for CC?
A: We haven’t made any [well, made any public]. We’ll be making our business model clear sometime this year. Probably pay as you go.
Q: MS has pushed for a high bar for human rights when it comes to the Global Network Initiative. But CC makes it much harder. What are you going to do?
A: It’s a tough question. We’re working on it.
Q: What type of treaty might MS push for?
A: I was raising that as a discussion point. It’s sooo complex.
Q: Akamai has a similarly distributed architecture and business model. Have you looked at it and other such companies?
A: We have looked at what other companies do.
Q: Why aren’t you using SSL for the entire email session or for MS Office Live for Consumers?
A: I’ll get back to you.
Q: [jpalfrey] We at the Berkman Center pride ourselves on having great relationships and talking straight. From the perspective of users with less money than business and than other users, the value prop for CC is “free or cheap services.” When cheap services have been rolled out to the poor, there have been problems making it clear to users what their risks and rights are. So, as this CC rolls out, MS should have a “mitigation plan” in effect (e.g., signs on construction sites apologizing for the disruption). What would the mitigation plan look like?
A: I’ll take that one back to Redmond. I haven’t spent that much time on the consumer side of this.