[LINK] SMH: 'Megaupload closure hits legitimate users'

Roger Clarke Roger.Clarke at xamax.com.au
Tue Jan 24 08:47:10 AEDT 2012


On Sun, Jan 22, 2012 at 1:56 PM, Roger Clarke 
<Roger.Clarke at xamax.com.au> wrote:
>[I've got a paper in press at the moment that examines 49 reported
>cloud outages.  If I'd held off a bit longer, this could have made a
>nice 50th.

At 18:58 -0800 22/1/12, Scott Howard wrote:
>Out of interest, did you also analyze how many non-cloud outages 
>there were during the same period?  How many companies' Exchange 
>servers went down due to power outages, hardware failure, bad (or 
>no!) sysadmins, or any one of a thousand other causes - compared to 
>how many times Google Apps or Microsoft Office 365 went down?  Or 
>what the time to recover was in either situation?
>Picking on cloud outages without considering the alternatives is 
>like claiming that airplanes are unsafe because hundreds of people 
>died in plane crashes last year, without taking into account the 
>fact that they are still orders of magnitude faster than any other 
>form of transport by any reasonable measure.

Yes, your point's good.  And no, I didn't do that analysis.  Using 
media reports would have been an ineffective way to do it.

As previously posted, the paper is here:

Clarke R. (2012)  'How Reliable is Cloudsourcing? A Review of 
Articles in the Technical Media 2005-11'  Computer Law & Security 
Review 28, 1  (January 2012), PrePrint at 
http://www.rogerclarke.com/EC/CCEF-CO.html

I made a couple of brief mentions of the fact that cloud reliability 
needs to be compared with the reliability of other services.

And I said this:

"In the case of local infrastructure or services such as a desktop, 
LAN or workgroup server, an outage affects only those people who are 
local to it. When, on the other hand, every staff-member is dependent 
on the same infrastructure, the 'one out, all out' principle applies: 
the organisation's business processes are frozen, and manual fallback 
arrangements are needed. Some applications are by nature shared 
organisation-wide, and hence co-dependency risks cannot be avoided 
but instead have to be managed in other ways. But cloudsourcing 
extends the co-dependency risk to services that were never subject to 
it before. After an organisation has adopted SaaS for its office 
applications, for example, a single server, database, network or 
power outage renders unavailable the office applications, office 
documents, mail-archives, appointments and address-books of every 
staff-member, not merely those local to the point-of-failure. "You 
have to think about ... not being able to do anything when, say, 
10,000 workers are suddenly idled by a single tech outage" (Needleman 
2011)".


>I'd be interested in what definition you could use to decide that 
>Megaupload were NOT a cloud provider for their customers?  "Cloud" 
>is definitely a vague term, but I don't think it's that vague!

Agreed, it's vague.  In this paper, I said the following:

"The term cloud computing is applied to several somewhat different 
forms of service. Their common feature is that servers are 
'virtualised'. This means that the concept of a server has ceased to 
mean 'a computer that runs processes that provide services to other 
computers', and has reverted to its original sense of 'a process that 
provides a service to other processes'. This time around, the process 
can run in any of a large number of computers (and probably an 
indeterminately large number of them), which can be widely dispersed 
across many locations and many networks".


>I think the real moral of this story is that you need to investigate 
>your cloud providers with a level of diligence that is relevant to 
>the type of service they are providing you.

Agreed.  The paper concluded:

"A significant proportion of user-organisations appear to have 
adopted cloudsourcing precipitately, without ensuring that the 
services will satisfy their business needs. Company directors have a 
clear obligation at law to ensure that risk assessments are 
undertaken, and that risk management plans are in place. This is no 
longer pioneer territory. ...  The evidence of these reports suggests 
that many company directors may be in breach of their legal 
obligations, and that their organisations need to re-visit their IT 
sourcing strategies, and to do so very quickly".


>Given that the Megaupload Terms of Service specifically stated that 
>they were not responsible for the safe storage of people's files, and 
>that they could stop providing service to them at any time, it's 
>hard to see how the loss of such files is the responsibility of the 
>US government, rather than the users that uploaded them.

Suppliers can write anything they like in their Terms of Service. 
Consumers are very slack (and that includes remarkably large 
organisations purchasing consumer services, and even purchasing 
factors of production!).  So suppliers have been getting business 
even though they do everything their lawyers can come up with to 
avoid any liability for anything.

The laws of many countries impose various kinds of minimum terms of 
service, and courts will interpolate conditions that the suppliers 
have tried to avoid.  So, if a consumer has money, time, patience and 
employs lawyers for a long time, and if the supplier hasn't been 
bankrupted or skipped in the meantime, some kind of reparations may 
be achievable.

However, regulation and consumer protection aren't easy, but they've 
been abandoned as principles by governments like Howard's, and not 
reinstated by successor governments like Rullard's.  So 'dog eat dog' 
and 'caveat emptor' rule right now, particularly in exciting new 
markets like cloudsourcing.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law               University of NSW
Visiting Professor in Computer Science    Australian National University


