Question: Just when we were getting comfortable with storing our confidential data in the cloud, now I hear about the FBI shutting this company down. Do I need to reexamine my cloud security policies?
A few years ago, I wrote a scary story about Widgitco, a fictitious company that found out the hard way that reading the fine print on cloud service contracts is important. Widgitco’s problems stemmed from a lack of clarity about who actually owned the data in the cloud. When Widgitco discovered that its customer list had fallen into the hands of its main competitor, it had little or no legal recourse, because this issue had never been properly addressed by any of the parties in the fiasco, including Widgitco, its SaaS providers or the actual owners of the data center hardware.
Now the courts are addressing a dramatic and all too real example of the question of who owns data in the cloud and, even more importantly, who is responsible for the files. The recent legal problems of Megaupload, a file-sharing service not untypical of many others in the cloud storage and file-sharing market, highlight these issues. In a nutshell, it boils down to differing perspectives on the legal nature and purpose of file sharing. Clearly there is lots of legitimate file sharing going on. Dropbox, MediaFire, SugarSync, and even Megaupload, despite the government legal actions, all have a huge number of users who are using them to share files for both business and personal reasons. According to MediaFire, employees at 86 percent of the Fortune 500 use its services. MediaFire is not providing information on the nature of those files and what they are being used for, but I think we can safely assume at least some of the files are being legitimately used by collaborative teams to produce real work.
One can argue that using Dropbox and its ilk in the corporate setting does pose a serious risk of exposing sensitive corporate data. I do agree with this sentiment, but I am also realistic about the reasons company employees are turning to these services in the first place. As with the adoption of other consumer-driven innovations such as mobile devices and IM, it is often simply because the available internal corporate file-sharing tools leave something to be desired. How many of you have used a file-sharing service as a team collaboration tool simply because it was easy to use and met the objective of expediency?
So what is the real issue? The problem stems from a clash between the interests of media content delivery companies such as Sony, Warner Brothers and others, who are worried that these sites are primarily being used to share pirated copies of movies, e-books or music, and the far more common and benign private file sharing. One could argue that they should not be worried about the pirating in the first place (read Charlie Stross’s interesting take on that issue: What Amazon’s ebook strategy means), but that is a discussion that will be left to another time. For the moment it appears that the government is siding with the large media conglomerates at the expense of everyone else.
Part of the reason that there is renewed government interest in prosecuting these services is a change in the technology and service delivery model. In many ways these cloud file-sharing systems combine the unenforceable peer-to-peer sharing strategy of BitTorrent, where the files are literally scattered all over the globe on millions of private computers, with the centralized server model of the late lamented Napster. The government case boils down to the fact that the files are located on an identifiable set of machines that constitute a cloud file repository, and therefore they can be subject to seizure. I suspect the government case rests more on the relative ease of access to the servers than on anything more valid. A similar but more legally defensible case against the poor Boston University graduate student Joel Tenenbaum, who got caught with pirated music, did more to garner sympathy for the student than to deliver its intended anti-piracy warning.
Where does that leave the legitimate business user? The bottom line is that the ongoing battle among pirates, business and the legal system will continue to work slowly through the courts, while the enabling technology to beat the system will remain far ahead of the law. In the meantime, I think you can safely continue to use cloud file-sharing services; just make sure they are business friendly and meet proper regulatory requirements for data security.