In a highly publicized move, Amazon Web Services (AWS) removed the social media platform Parler from its cloud early on January 11. While the debate continues about the specifics of this situation in political and legal circles, it is surely raising a few questions for cloud service providers and clients alike. One of the biggest concerns is where responsibility lies when clients’ activities breach their cloud terms of service and a cloud provider “terminates” or “suspends” service.
The Many Layers of Cloud Terms & Conditions
As a service provider, you may be the entity bringing the cloud to your customer and managing the technical or compliance demands within a cloud provider’s terms. For example, AWS terms of service require a user to maintain licenses for the software they run on the cloud and not transfer any software outside Amazon’s Services unless authorized to do so. If you have an agreement with a business to manage their cloud activity, or you’re a business that hired a technology partner to deliver the cloud, you’ve got an additional layer of responsibility in your cloud model.
Cloud providers and service providers usually address more than the nuts and bolts of how a business uses their infrastructure and services. They also lay out rules for the content and activities that take place on their platforms. For example, AWS’s Acceptable Use Policy prohibits activities that are “illegal, harmful or fraudulent” or content that is “offensive” (e.g., child pornography).
As “in the weeds” as the details of the Parler situation can get, there is one important nuance in that situation that’s worth pointing out. The activity by Parler subscribers was public information posted on a social platform for the world to see. That’s not always the case. Many agreements include measures to protect data privacy, including limiting access to data. So, how can a cloud provider know if anything illegal, harmful, fraudulent, or offensive is taking place without breaching your agreement?
Furthermore, with the EU’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act on the leading edge of data privacy regulations, would you even have the capability to investigate, depending on the types of data the business collects and stores? Beyond flagging unusual patterns in use or activity, the answer is often “no”.
It is possible, then, for a business you have an agreement with to violate cloud terms of service without the cloud provider’s knowledge. If a service provider is part of the equation to deliver a customer solution, the service provider may be aware of a customer breaching the terms of service while the cloud provider is left in the dark.
Cloud Providers Aren’t the Only Stakeholder
Now that we’ve examined enough complexity to make your head spin, consider this: A cloud provider may not be the first party to take issue with a business’ activity. In another headline-making case, Mastercard, Visa and Discover blocked their customers from using their credit cards to make payments on Pornhub after allegations the site enabled access to videos of child abuse. This may be one of the most widely publicized incidents of payment processing services acting against a business for violating terms.
What’s Your Next Move?
Whether you’re a stakeholder at a business, service provider, or a cloud provider, the “responsibility model” has moved beyond physical walls and now includes the goings-on of the business at the infrastructure layer even when that infrastructure sits in someone else’s data center. All the stakeholders involved in supporting business technology may share some of this responsibility. It may be worth the exercise to identify those entities and ensure that all parties are in compliance with the terms of service across the board.
This blog raises more questions than it answers, but you never find the right answer if you don’t start with the right question. These are important questions to bring to your technology partners, legal counsel, and possibly your state and federal representatives, who are, in general, decades behind on technology-related legislation.