Tag Archives: risk

Jurisdiction matters

Bruce Schneier has this posting about privacy risks for Cloud software. These are all good points, but there is one that Bruce doesn’t mention. In fact few people are mentioning it which is a shame because it’s one of the biggest risks with using Cloud services: controlling legal authority.

In other words, in what country’s jurisdiction is your Cloud service? Do you know? Shouldn’t you know?

This was brought home recently when Germany-based RapidShare had to divulge its users IP addresses, according to this ARS Technica article:

The popular Germany-based file hosting service RapidShare has allegedly begun handing over user information to record labels looking to pursue illegal file-sharers. The labels appear to be making use of paragraph 101 of German copyright law, which allows content owners to seek a court order to force ISPs to identify users behind specific IP addresses. Though RapidShare does not make IP information public, the company appears to have given the information to at least one label, which took it to an ISP to have the user identified.

The issue came to light after a user claimed that his house was raided by law enforcement thanks to RapidShare, as reported by German-language news outlet Gulli (hat tip). This user had uploaded a copy of Metallica’s new album “Death Magnetic” to his RapidShare account a day before its worldwide release, causing Metallica’s label to work itself into a tizzy and request the user’s personal details (if there’s anything record labels hate, it’s leaks of prerelease albums). It then supposedly asked RapidShare for the user’s IP address, and then asked Deutsche Telekom to identify the user behind the IP before sending law enforcement his way.

What’s really interesting is this comparison to the laws governing US based last.fm and Germany based RapidShare:

There are, however, many differences between Last.fm and RapidShare. For one, if Last.fm were to find itself in the position RapidShare is in with GEMA, it would be able to argue that the Safe Harbor provision in the DMCA protects it from liability as long as it removes infringing content after being presented with a takedown notice. In Germany (and many other countries), there is no equivalent, meaning that RapidShare has little choice but to comply with the rulings. RapidShare’s incredible popularity-Germany-based deep packet inspection (DPI) provider Ipoque recently put out a report saying that RapidShare is responsible for half of all direct download traffic-has only made the issue more sensitive for the record labels and service providers alike.

Jurisdiction matters.


Risk, liability, and clouds

I had discussed the issue of software vendor liability here and made the point that no software vendor (now or in the near future) is going to assume the liability for the cost to your business if there are defects in the software. Recently Ed Cone listened to some Cloud vendors talk about security and had this to say about it:

The security model is so immature right now that it is clear that most of the assurances cloud vendors offer are around infrastructure and covering their own respective risks. Most cloud vendors will tell you outright that it is up to the customers to individually secure their own applications and data in the cloud, for example, by controlling which ports are open and closed into the customer’s virtualized instance within the cloud.

As Maiwald puts it, enterprises need to be aware of this distinction. Security in the cloud means different things to those offering cloud services and those using cloud services. Even if you’re working with the most open and forthright vendors who are willing to show you every facet of their SAS 70 audit paperwork and provide some level of recompense for security glitches on their end, they’re most certainly not assuming your risks. For example, if Amazon Web Services screws up and your applications are down for half a day, it’ll credit you for 110 percent of the fees charged for that amount of time but you’re still soaked for any of the associated losses and costs that come as a result of the downtime.

As organizations weigh the risks against the financial benefits of cloud computing, Maiwald believes they must keep in mind that , “There is risk that is not being transferred with that (cloud services) contract.”

There are several important points here; first outsourcing a service doesn’t mean outsourcing the risk. Likewise purchasing software isn’t the same as buying insurance either. Customers of both cloud services and on premise software need to understand this.

Second, when evaluating the risk of moving to a cloud based service you have to compare it against the risk of NOT moving to a cloud based service. There is the risk that your service provider could be compromised. But that has to be weighed against the risk that your own IT systems will be compromised. Likewise the risk of a service provider outage must be weighed against the risk on an internal system outage. Both will impact your business.

Third, you should also factor in opportunity risks. If you choose not to do something that reduces cost you take the risk of losing an opportunity that may have been available by dedicating those resources elsewhere.

Asymmetric Risk, Malpractice Insurance, and Personal Oxen

Bruce Schneier has two very interesting posts on his blog that stand out (to me at least) by their proximity to each other. Most recently Bruce has this to say about the recent financial meltdown:

The most interesting part explains how the incentives for traders encouraged them to take asymmetric risks: trade-offs that would work out well 99% of the time but fail catastrophically the remaining 1%. So of course, this is exactly what happened.

But three posts earlier Bruce has this to say about software vendors:

So if BitArmor fails and someone steals your data, and then you get ridiculed by in the press, sued, and lose your customers to competitors — BitArmor will refund the purchase price.

Bottom line: PR gimmick, nothing more.

Yes, I think that software vendors need to accept liability for their products, and that we won’t see real improvements in security until then. But it has to be real liability, not this sort of token liability. And it won’t happen without the insurance companies; that’s the industry that knows how to buy and sell liability.

Talk about asymmetric risk. If software vendors accepted liability (or even partial liability) for anything that might happen as a result of their product, who in their right mind would ever go into the business? The problem is that liability is open-ended while the profit on each deal is not. It would nuts for any vendor to take such an asymmetric risk. It would be like an MD practicing medicine without malpractice insurance.

Which is, as Bruce alludes, how any such liability would ultimately by acceptable. Software vendors would buy liability insurance to protect themselves in the event that they are ever found at fault. Like malpractice insurances this would pool the risk and spread it over all the software vendors.

Which in the end eliminates any real incentive to avoid the mistakes to begin with. Sure the premiums would increase if found at fault, but just as with malpractice insurance the pain would be diluted by eventually raising every ones rates. And everyone would just price the rate increase into their business model exactly like the medical community does today. In the end it won’t really be the vendors money or risk.

And that’s what it really boils down to in the end. It’s a matter of exactly whose ox is getting gored. You notice that they only people suggesting that software vendors be held liable or otherwise punished for defects are not themselves producing software products. I have never seen a zero defect advocate that could actually deliver zero defect software.

Cloudy forecast

Bavo De Ridder has this interesting take on Cloud Computing:

Cloud computing is cool, no doubt about that. There have never been more good looking and futuristic looking schematics been made in Visio. Thousands of presentations, workshops and even conferences have been held on the subject.

One question however has not be clearly answered yet … what about data ownership? What about privacy of that data? When your applications are running in the cloud you are also handing over your data to whoever is running the data center. How sure are you that they protect this data as they should do?

Bavo does point out some valid concerns. But I feel he goes too far when he links these concerns to the recent Microsoft Live TOS change:

Your cloud partner decides to disable a feature in their application, a feature you depend on. Does your disaster recovery plan takes this into account? This is not far fetched, in a small way this is what happened when Microsoft decided to disable anonymous comments on their Live Blog. They even did this retroactively and so revealed identity information of authors who previously had been anonymous.

While the Microsoft Live situation was a disaster for the users that had an expectation of continued privacy, there is an important distinction, namely the Golden Rule. No doubt the TOS for Microsoft Live, like all free services, are very one sided. For most free services you get the service for, well free, on whatever terms the provider dictates and you are, again, free to take your non-money elsewhere if you aren’t happy.

Commercial service providers typically provide a much different kind of contract with their paying customers. Such contracts would dictate under what conditions features could be added or removed. And there is a strong financial motivation to keep the customers happy.

Of course Bavo’s points about your provider going under or being acquired are quite valid.

Still it all comes down to risk. Successful companies don’t avoid risk. They balance risk against reward. If the cost savings with moving to Cloud Computing makes these risks acceptable then companies will consider doing it.

After all, are these risks so different from what companies take on when they contract with any provider, from payroll down to cleaning services?

There are always choices

People say they have no choice to justify choices they have already made.

Service providers say they have no choice to justify divulging their customers’ identities to the governments of the countries they want to do business with. For instance in this recent article about the Google vs Facebook flap Joe Kraus of Google said:

“Google lives and dies on protecting users’ privacy,” Kraus added. “We believe [Friend Connect] is good for users in terms of control and extremely protective of users’ privacy.”

Ironically this quote was published on the same day that it was reported that Google had given the Government of India the identity of a man who had criticized and posted vulgar comments about an Indian politician on Okrut using his GMail account. Apparently the “lives and dies” part is really more of a guideline that a rule.

Google’s defense (like Yahoo’s in an earlier more serious case with Chinese dissidents) was that they were just following the laws of the country they operated in. To bend Godwin’s law a little, this is a little like saying they are “just following orders”.

There are also conflicting reports about RIM giving the Government of India the ability to decrypt Blackberry traffic in India. If, in the end, RIM decides to compromise the security of its customers using their handsets in India, their defense will also be that they had no choice.

Of course these companies had choices. There are always choices. They could have refused the governments requests and taken the consequences. But when faced with choices like these most companies will do what’s best for their short term business interests. As consumers we need to be aware of this and take this into account when deciding what information to entrust our service provider with.

This security risk is also global. A country like China, where there is no effective restraint on government power, could demand from your service provider your information no matter where you live. They could further demand that your service provider not inform you of this. Why? Because they can.

Now here is a sobering thought. So far I have been discussing personal information and identity. But there is no reason to assume that your company’s data is not at risk if you use a SAAS provider that does business in countries like China.

Staying out of legal trouble

Jeff Jarvis points to this great resource for staying out legal trouble while blogging. Here are the 10 ten things you can do:

The 10 rules to blog by:
1. Check your facts.
2. Avoid virtual vendettas.
3. Obey the law.
4. Weigh promises.
5. Reveal secrets selectively.
6. Consider what you copy.
7. Learn recording limits.
8. Don’t abuse anonymity.
9. Shun conflicts of interest.
10. Seek legal advice.

All great advice, except that 10 is not that practical. Until faced with a legal action I don’t think many bloggers are going to consult a legal expert.