WHAT IS CLOUD LAW?
Law Lab co-director John Clippinger proposes a vision to consider new ways of thinking about the law in relations to the Cloud.
By invoking "Cloud Law," I want to be clear that this is a statement of intent, an aspiration, an invitation to consider new ways of thinking about the law, rather than any claim about an existing practice or program. The notion of Cloud Law derives from cloud computing, something that is rapidly becoming a digital global infrastructure through the efforts of innovative upstarts-- including Cloudera, Cloudsoft, and Eucalyptus-- as well as established companies such as Amazon, Apple, Google, Intel, IBM, Akamai, Red Hat, and Microsoft.
Cloud computing is really a combination of many technologies such as grid computing, SAS, Web 2.0, and other technologies. The key characteristics of cloud computing are the ability to scale and provision computing power dynamically in a cost efficient way that is relatively easy and inexpensive to use. The cloud architecture itself can be private or open, the key feature being that the services are virtualized in that they can located anywhere and provided by anyone.
There is widespread recognition within the computer and open source community that there is a real need to keep cloud computing “open” so that there is no lock-in to proprietary clouds and that user/consumers could have complete choice and portability of their data. This view is embodied in the Open Cloud Manifesto (www.opencloudmanifesto.com) signed by over 77 companies – including large companies such as IBM, Akamai, Accenture, AT&T, EMS, Computer Associates, Cisco, SAP, and new startups such as Cloudera, CloudVu, and Metadot. The manifesto calls for a new set of principles “that must be followed to ensure the cloud is open and delivers the choice, ﬂexibility and agility that organizations demand”.
One of the key points about cloud computing is that computing will eventually become like a utility, ubiquitous and easy to use. If one inserts the word "law" for "computing", you can get a sense of what Cloud Law would be like — a kind of "virtualized" resource that could be available anywhere, to anyone, at any time.
As in the case of software as service (SAS) offerings, there could be competing ways of drafting and delivering new kinds of law. Very importantly, one will not necessarily be stuck with a particular legal regime as dictated by one's physical circumstances. (See Paul Schiff Berman, Legal Pluralism, 2007) There is great potential in this vision, which suggests that the "rule of law" might be accessible as a software service anywhere on the planet where there is Internet.
As cloud computing becomes more pervasive, it will become not only a new global computing infrastructure, it will further digitalization and virtualization in all spheres of social, economic, cultural and civic life. New kinds of institutions and policies will need to be devised that span not just the physical and the digital, but the jurisdictions of nation states and international agreements, profoundly challenging time-honored notions of governance and sovereignty. Complex issues concerning privacy, security, and local jurisdiction are but the tips of the iceberg as new kinds of financial and technical services are designed to leverage—and exploit— the opportunities presented by globalized computing resources.
In order for cloud computing to achieve its promise, it will need to evolve a new service layer, what we call Cloud Law — principally, identity, authentication, dispute resolution, reputation, accreditation and governance services. As forms of digital enterprises evolve in the cloud, they will experiment with new legal mechanisms for contracting, governance, dispute resolution, and enforcement. Some of these mechanisms can be a developed within the context of traditional private law, but others will require new kinds of public and international law to sustain them. By encoding principles of transparency, accountability, recourse, self-healing, and non-coercion into the design of digital institutions, there is the prospect of bringing the rule of law to countries and situations where it has been absent.
When Technology Blurs Human Values
As technology augments and mediates our daily lives what does it mean to be human if functioning and surviving in a digital dependent society necessitates or mandates technology use?
As technology augments and mediates our daily lives what does it mean to be human if functioning and surviving in a digital dependent society necessitates or mandates technology use? What are the human values that emerge from this melding of co-dependent activity? What new power structures emerge from increased dependency on Cloud technology when individuals have limited control over balance and distribution of processes? How do we assess the Human Experience under these new terms and how does this experience change the value systems that Cloud Laws are based on? What new human rights might emerge from the evolving inter-dependency between the personal technologies (embedded) with its interaction on the Cloud? These are questions at core of our legal systems that challenge the notions and foundations under which laws are based. We are reaching an age in the 21st Century where it may be not so easy to separate Humans from the technology they depend on when that technology my have its own agency.
Cloud Law will need to address the changes in how people interface with the Cloud Computing services. The emergence of smart phones and net books with Internet access via the Cellular network provides possible innovations where location and presence are factors in how people will interact on-line. These developments are only a few of the advances that may challenge what Cloud Law needs to address in the future. For example, privacy controls get escalated from misuse of personal information to physical vulnerabilities if the individual is easily tracked in real-time. What legal safeguards will be required to prevent threats that have serious consequences while providing for privacy rights that facilitate further innovation? Innovation is not without consequences of responsibility, in our short history of information technology one can easily see how uses and abuses have emerged that the inventors and designer never intended. For every advance its uses are many and the global reach and network effect generates a system dynamics with amazing benefits but equally threatening capabilities. Gaining a deeper understanding of the foundation and phenomenon to help anticipate what legal frameworks are needed for Cloud Law requires research and considerate thought that can be put into pragmatic action to reset the policies and systems on a course of great promise for the 21st century.
A review of trends and transformation in how people may interface and interact on the Cloud might help to illustrate the legal considerations that may accompany each innovation and the questions they raise.
• End of Legal Stability – if the interfaces to the Cloud are embedded then the laws that are based on explicit interfaces between known or expected outcomes gets challenged in ways that are difficult to anticipate. Mobile devices become wearable computing, implanted medical devices are embedded in the objects we interact with, ambient intelligence within the spaces we exist in; this pervasive and ubiquitous mediated and augmenting technology blurs the experiences that people have and the judgments they apply to situations. How do new laws build on older frameworks and how will people understand the new legal framework and use them effectively?
• Growth of dependency on technology and hyper- connectivity – communications is consuming our lives instead of freeing up time, the constant digital presence of mobile devices will extend to smart mobs acting as a collective. What can be demanded of device reliability and expectations of safety when the processes use services on the Cloud? When the Cloud gets attacked or an individual’s life is disrupted by Cloud failure or unexpected outcomes what laws will be needed to remedy or ascribe liability and responsibility. How to create the laws to address infrastructure breakdown and malfunctions. If laws are implicit and taken for granted as part of the usage of the Cloud, then how might that impact precedent and legal judgment? If the Cloud has autonomous processes how does that impact the legal framework?
• Digital Footprint and Life Logging – as the Cloud gets used to capture, manage, share, and archive personal traces of information in databases controlled by corporations and governments this reflects a loss of control of one’s personal digital assets. Do we need laws to manage vast amounts of personal data and the ownership and analysis of the digital footprint? What are the implications for the law and how do these needs to evolve to address balance the rights of the individual, the public good, the corporations, and the government to services their public?
• Growth of digital creative’s – Cloud computing facilitates the consumption, production, and publication of professional and personal works that remain as artifacts distributed by the entities the control the Cloud. The division of ownership and span of control has much to be desired in terms of legal protections for all modes of participation.
The above trends are only focused on the Information Technology aspects of innovation and omit the advances in Life Sciences. The new area of research in Computational Biology may bring together Biology and Information Technology in ways that will merge and blur the boundaries such that our conception of physical aspects of being human may change as well. As technology gets further infused into our daily lives such that human experience is indistinguishable from the mediating technology, when it becomes invisible and always present, how we think of human values is likely to change and the human rights that are at the foundation of a legal system may be challenged.
Sellen A., Rogers Y., Harper R. Rodden T., Reflecting Human Values in the Digital Age, Commun, ACM 52, 3 (March 2009).
Cloud Law- Can it be Engineered?
Cloud Law – What is it?
Cloud law may be defined as the application of ethical principles using verifiable semantics to achieve the formation and execution of fair and economical processes to govern technology mediated social communications where those processes may act on behalf of the participants on systems for which they may not own or have full control of. Cloud law extends Internet or Cyber Law beyond questions of Intellectual Property concerns, Privacy, Identity or Data Ownership, and includes the challenges to jurisdiction and sovereignty, legal precedents (common and civil laws) from the physical world that have no analog in the virtual space, legal interpretation of statues, access to evidence and chain of custody, forensics, implied digital contracts, fluidity of language and its ambiguity as used on the Net, and the very notion of why and how laws are formed and who they serve.
Lawyers on the Cloud
Given the integrated communications that the Cloud enables it may be necessary for lawyers to use the Cloud and craft the legal structures before establishing the laws that govern the use of the Cloud. This would be closers to how the Cloud is evolving, as a self-organizing distributed complex adaptive system. The Cloud is adopting technology quickly to gain capability in support of the massive network and computational scale it requires. The legal system has thus far lagged the developments of the Cloud and when engaged have resorted to applying existing laws to new circumstances which may not of been appropriate or effective. The Music Industry’s reluctant transformation, due to file sharing taking hold on the Cloud, is a well known example. This example may not have the worst consequences relative to what may occur once large segments of the population are easily tracked on the Cloud without representation or legal recourse. The US legislative and judicial systems may lack adequate experience with this rapid adoption of technology that is quickly pervading every segment of society and commerce. If the legal profession were the early adopters of Cloud Computing would the laws be crafted prior to the mass participation of its appeal and utility?
Accessibility of the Law for all
Lawyers have increasingly become dependent on technology and the Cloud. Graduating lawyers are required to know as much about legal research using Lexis/Nexus and WestLaw as they are to know about using a law library. Not using one of the commercially controlled sources for legal research can disadvantage a litigation case and subject it to negligence claims. Yet much of the information provided by the two major legal information providers are in the public domain but not readily available on the Cloud. Accessibility of the law for all that maintains it credibility and is economical may be one of the challenges for Cloud Law. If Google is attempting to make freely available all information and books regardless of quality, credibility, or authority, what implications does that have for the practice of law? Do citizens have the right to have free access to all the laws that govern them and the publically available cases that set the precedents for which the laws are judged? When will lawyers start a wikiLaw for lawyers by lawyers in support of Cloud Law? What new learning and research processes are required of Lawyer’s in support of crafting Cloud Law and how would these laws be tested and made valid in practice?
In the near future it may be feasible to automate legal reasoning using formal representations of the laws that apply to technology mediated communications on the Cloud. Such computational law processing would use advances in artificial intelligence and machine learning on semantic networks. This would be an evolution of what has previously been attempted with digital contracts using Internet Trading Exchanges. Cloud Law may need to address the legal gaps that remain while leveraging the advances in computation to seize the opportunity to automate legal compliance within the Cloud. A number of challenging research areas in computation need further development in Specification Languages, Ontology, Abstract State Machines, Petri Nets/Workflow Nets, Temporal Logic, Process and Event Algebra of Communicating Systems, Prepositional Logic and Inference. As these research areas emerge as capabilities on the Cloud, lawyers may need to become versed in computational law to craft the laws that function on the Cloud. In the future the laws may be embedded into the Cloud and act as constraints on the activities therefore become integral the systems dynamic.
Engineering Cloud Law
The notion that Cloud Law may require the embedding of encoded computational law subjects it to the challenges of expressing the law within software engineering process. Software has some distinct characteristics that make it unlike other engineering practices and may be more like attempting to apply the law against a structural and process legal system. Cloud Law embedded into the system may require the following engineering principles:
• Predictable Outcomes – application of the law has no unintended negative consequences and can be modeled against the actors. The application of the law produces consistent outcomes given similar circumstances
• Tolerance – applying the law even with varying interpretations produces outcomes within certain acceptable ranges or metrics.
• Risk Management – enforcing the law must be easy, systems should not allow for easily breaking the law without clear intentions to do so. Once broken it should be immediately detected. Risk of breaking the law should not create large scale risk to people on the Cloud.
• Separation of Concerns – laws should be applicable regardless of specifics of the Cloud technology implementation.
• Reconciliation of Conflicts – laws should recognize all actors and motivations and capabilities or lack of and how these interact within constraints and forces to produce and consume Cloud artifacts.
• Adaptation – Law needs to facilitate complex adaptive systems and have mechanisms for appropriate changes in response to obsolescence or the laws may also initiate or facilitate a change in the system dynamic.
• Ease of Judgment – Law should be easy to negotiate and judge and by extension easy to learn and teach to all actors in the system. The laws should be easy to understand, implement, and enforce by those being governed. They should be desirous to adhere to by all and not following the laws should be readily apparent and easily corrected.
Formal verification of software is not a widely adopted practice and therefore software systems tend to be incomplete and error prone. Even when the system performs reliably often this is due to the fault tolerance and redundancies created to overcome the inherent lack of verification. Cloud Law would operate on large scale concurrent systems with autonomous processes that are highly distributed. What happens when systems predict and act on behalf of actors based on machine learning algorithms and make inference that cause it to behave inappropriately or illegally? Amazon’s recommendation engine has on occasion suggested offensive products relative to a search term where no human intervention was present nor could anyone anticipate such occurrence. When autonomous multi-agents are the norm what Cloud Laws and mechanisms will govern this? Given the lack of formal verification in both the software and the law and the inability to predetermine all possible behavior of a Cloud acting under its own agency how will the law be applied? This is not an act of nature but and act of an artificial system.
The development of Cloud Law may have constraints that are closely aligned with the limitations of software engineering and therefore these two professions will need to converge in joint research to overcome those obstacles. Lawyers will need to learn computational thinking and Software Engineers may need to understand the principles of jurisprudence. Until this happens it is likely that Cloud Law will remain a disembodied application of existing legal practices onto a medium that is evolving rapidly and not completely deterministic in its system dynamic. If Cloud Law is to be an enabling endeavors it will need to race ahead and charter the legal grounds to facilitate continuous innovation and novel uses of Cloud Computing by society and commerce. Equally if technology innovation wants to avoid being constraint by future regulation then research is needed to understand how Law and Computation can fuse into solutions that embody the policy into the systems.
Riehle, R., An engineering context of software engineering, Ph.D. Thesis 2008.
Denning, P., Riehle, R., Is Software engineering engineering?, Commun. ACM 52, 3 (March 2009), 24 – 28