Sony (SNE) announced that it would start to restore its PlayStation Network, following cyberattacks that compromised the personal data of 100 million user accounts. Now it turns out Sony has Amazon (AMZN) to thank for the attacks, at least indirectly. Someone set up a fake-name account with the company's EC2 cloud service and used Amazon's massive computing power to wreak havoc.
It's easy to focus on the impacts on Amazon's customers and on Sony. But let's talk potential liability instead. When individuals and companies get hurt, they want someone else to pay, and cloud vendors are frequently the ones wearing the targets. That could mean some major business problems for cloud vendors -- even those who don't consider themselves cloud vendors at the moment.
The cloud as liability
Not that lawsuits have started flying quite yet. But cloud vendors seem to be going out of their way to attract them. Last month, for instance, Amazon's cloud service had a massive service outage that temporarily crippled such high-profile Web 2.0 businesses as Foursquare, Reddit, and Quora. And this isn't a one-time event. The same thing happened in 2007, when another Amazon EC2 outage permanently lost some customer data.
Move beyond Amazon. Sony is clearly a cloud provider of entertainment services and it didn't have adequate network security, even after it knew of problems. Microsoft (MSFT) knew of problems with its paid Web-based email service and yet waited to inform customers of problems. What happens if a PayPal (EBAY) or other online payment service mistakenly freezes someone's account or Skype disrupts an unusually large number of telephone conversations?
Exactly what is the definition of a cloud vendor, anyway? More companies in many industries increasingly want to store data for customers, offer services over the Internet, and otherwise undertake work that quickly looks like cloud services. Banks keep lists of vendors and scheduled payments for customers. Logistics companies offer order handling, scheduling, and shipment for their business customers through what you could call cloud services.
Eventually, a great many companies that don't think of themselves as cloud computing providers become exactly that -- because they host computing services that their customers come to depend on.
Forget the legalese
As cloud services evolve into serious business tools, they'll start to bring on liability concerns when things go awry. Companies often rely on limitations on warranties to protect them when their own gaffes stoke customer legal wrath. Since at least October 2008, Amazon has had an EC2 SLA that promises "at least 99.95%" up-time for an entire service year.
That's a pretty strong promise. If Amazon has a problem, its Amazon Web Services customer agreement contains some provisions aimed at limiting the company's liability. But as DLA Piper partner Mark Radcliffe mentioned in a BNET interview in 2009, even after decades of existence, that kind of software licensing is far from being settled law.
A court might decide that the limitations typical to packaged software wouldn't apply when a software vendor hosted all the operations, because users would have no practical way of separately safeguarding their data. In such a case, you could argue that the lack of a reliable back-up system, with copies of data sitting somewhere other than on the system that has a problem, was negligent.
The cloud as weapon
Now consider the flip side of potential liability: When people use a cloud service to do something illegal. Someone used Amazon's EC2 to launch a cyberattack on Sony. Could Sony sue? Well, it didn't sign a paper in advance that would let Amazon off the hook. Who would a Sony sue? Answer: The deepest pockets available -- otherwise known as Amazon.
Of course, Amazon has indemnification wording in its AWS customer agreement. Fat lot of good that does. The original cyberattacker (or attackers) used fake identification and is long gone. Even if someone does identify the culprits, it seems pretty unlikely that he or she would have the resources to cover Amazon's potential losses.
In short, Amazon -- or whoever the cloud vendor in question -- is on the hook. Forget "safe harbor" provisions that protect companies from getting sued over the behavior of their customers. Such provisions cover online content posted by users -- not cases in which users abused a computing service to launch an illegal cyberattack.
Although many executives are looking critically at cloud services and the technical issues (especially availability and security), the business issues are enormous and need more than the assumption that everything will eventually work out. Because when they don't, the liability is already sitting there, waiting.
- Cloud Computing: Can't Anyone Play This Game?
- Sony's Security Snafu: How Other Companies Can Make Hay of Its Total Cock-Up
- Amazon Outage Shows How Web 2.0 Becomes Web 0.0
- Mandatory Software Warranties for Everyone