Do your cloud vendors disclaim security responsibility?

Cloud providers' terms and conditions shock study

Cloud computing contracts often contain significant business risks for end user organizations, according to independent research by UK academics. Some contracts even have clauses disclaiming responsibility for keeping the user's data secure or intact.

Others reserve the right to terminate accounts for apparent lack of use, which is potentially important if they are used for occasional backup or disaster recovery purposes, according to the Cloud Legal Project at Queen Mary, University of London.

Other contracts can be revoked for violation of the provider's Acceptable Use Policy, or indeed for any or no reason at all, the academics found.

The Cloud Legal Project surveyed 31 Cloud computing contracts from 27 different providers and found that many included clauses that could have a significant impact, often negative, on the rights and interests of customers. Only three of the contracts surveyed - Google Apps Premier, Iron Mountain and Salesforce CRM - state that changes to the T&C may only be in writing with the agreement of both parties.

"The ease and convenience with which Cloud computing arrangements can be set up may lull customers into overlooking the significant issues that can arise when key data and processes are entrusted to cloud service providers," says Professor Christopher Millard, principal researcher on the Cloud Legal Project.

"The main lesson to be drawn from the Cloud Legal Project's survey is that customers should review the Terms and Conditions of a Cloud service carefully before signing up to it."

Even that might not be enough. The Cloud Legal Project survey found that many Cloud providers claimed to be able to amend their contracts unilaterally, simply by posting an updated version on the web.

"In effect, customers are put on notice to download lengthy and complex contracts, on a regular basis, and to compare them against their own copies of earlier versions to look for changes," the report's authors warned.Other potential pitfalls involve data security, with some providers promising only to hand over customer data if served with a court order, while others state that they will do so on much wider grounds, including it simply being in their own business interests to disclose the data.

Many Cloud providers exclude liability for loss of data or limit potential damages that can be claimed against them.While the validity of these terms may be challenged under consumer protection laws, "users of cloud services may face practical obstacles to bringing a claim for data loss or privacy breach against a provider that seems local online but is in fact based in another continent," the authors warn.

The research was funded by a donation from Microsoft, but was academically independent

Now read:

Europe's top 25 cloud start-ups battle it out in VC beauty contest

Thumbnail pic courtesy of Florin Mogos

This story, "Do your cloud vendors disclaim security responsibility?" was originally published by Computerworld UK.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies