November 23, 2010, 3:23 PM — Cloud computing contracts often contain significant business risks for end user organizations, according to independent research by UK academics. Some contracts even have clauses disclaiming responsibility for keeping the user's data secure or intact.
Others reserve the right to terminate accounts for apparent lack of use, which is potentially important if they are used for occasional backup or disaster recovery purposes, according to the Cloud Legal Project at Queen Mary, University of London.
Other contracts can be revoked for violation of the provider's Acceptable Use Policy, or indeed for any or no reason at all, the academics found.
The Cloud Legal Project surveyed 31 Cloud computing contracts from 27 different providers and found that many included clauses that could have a significant impact, often negative, on the rights and interests of customers. Only three of the contracts surveyed - Google Apps Premier, Iron Mountain and Salesforce CRM - state that changes to the T&C may only be in writing with the agreement of both parties.
"The ease and convenience with which Cloud computing arrangements can be set up may lull customers into overlooking the significant issues that can arise when key data and processes are entrusted to cloud service providers," says Professor Christopher Millard, principal researcher on the Cloud Legal Project.
"The main lesson to be drawn from the Cloud Legal Project's survey is that customers should review the Terms and Conditions of a Cloud service carefully before signing up to it."
Even that might not be enough. The Cloud Legal Project survey found that many Cloud providers claimed to be able to amend their contracts unilaterally, simply by posting an updated version on the web.
"In effect, customers are put on notice to download lengthy and complex contracts, on a regular basis, and to compare them against their own copies of earlier versions to look for changes," the report's authors warned.Other potential pitfalls involve data security, with some providers promising only to hand over customer data if served with a court order, while others state that they will do so on much wider grounds, including it simply being in their own business interests to disclose the data.