A Legal Analysis of Service Level Agreements in a Grid and Cloud Computing Environment
Going beyond Business Practices

Davide M. Parrilli, ICRI
Dagstuhl, 24 March 2009
http://www.law.kuleuven.be/icri

Agenda
• SLA: Introduction;
• SLA and Grid/Cloud computing;
• The business practice;
• SLA negotiation;
• Validity and enforceability of the SLA;
• Liabilities.

SLA: introduction
SLA: a contract between a user and a provider of a service specifying the conditions under which a service may be used. It describes the provider’s commitments and specifies the penalties if those commitments are not met.
An SLA is a legally enforceable contract (exceptions do exist in academia).

SLAs and Grid/Cloud computing (I)
Legal assessment of the impact of Grid/Cloud computing on SLAs.
Question: Is Grid able to influence the content of the SLA(s)?
Topic relevant for all technologies that adopt dispersed resources and increase the quality of the offered services (Cloud!).

SLAs and Grid/Cloud computing (II)
Method of the research:
• Survey among the BEs of BEinGRID. The BEs responded to the above question: 20 % said ‘yes’, the others have to think about that;
• Analysis of business practices.

SLAs and Grid/Cloud computing (III)
Scenarios
Grid/technology provider → Service provider → End user
SLA 1: Grid provider/Service provider
SLA 2: Service provider/End user
Often in the business practice the SLA must be read in combination with other contracts (e.g. customer agreement): we focus on the contractual relationship between the parties regulating…

SLAs and Grid/Cloud computing (IV)
… The content of the SLA (technology provider-service provider, service provider-end user), i.e.:
• QoS: availability, system performance;
• Fees;
• Assistance and support service;
• Security;
• Liabilities and remedies (service credits);
• The use of the Grid and of the Grid/Cloud-based services made by the customer: no gambling, child pornography, discrimination, phishing, viruses, trojan horses, etc.
– liabilities to be negotiated on a case-by-case basis or imposed by the provider.

SLAs and Grid/Cloud computing (V)
In particular: management on top of the allocated resources: availability (compute resources, storage, etc.), network performance (latency, throughput), etc.

SLAs and Grid/Cloud computing (VI)
Question of a typical customer: Why should the SLA in a Grid/Cloud environment be the same as in non-Grid/Cloud scenarios?
Better expected services = more favorable SLA for the customer!

SLAs and Grid/Cloud computing (VII)
For instance (real needs!):
• Most clients of Xignite (financial Web service provider that delivers market data from the Cloud) are fine with 99.5 to 99.9 % availability. Some want as high as 99.99 %;
• Gary Slater (LiveOps): clients want their system to work all the time.

SLAs and Grid/Cloud computing (VIII)
Gerry Libertelli (CEO Ready Techs): “technically, there should be zero downtime associated with a Cloud [and Grid] instance, since almost everything in a Cloud is redundant by nature and easily reinstantiated in the case of a failure.”
MOSSO: “since we operate clusters of servers, maintenance that causes downtime should be rare.”

SLAs and Grid/Cloud computing (IX)
Thus…
Answer of the rational and informed customer: If I pay (more?) for a service that is expected to be better than what I was used to, I want to see this in the SLA I sign (influence of technology on legal agreements).

The business practice (I)
Example of ‘traditional’ standard clause (long long time ago…?):
“The system will not be available for 2 hours daily for scheduled backups and system maintenance”.

The business practice (II)
Amazon:
• S3 Simple Storage Service (storage in 1 bucket): service availability 99.9 %;
• EC2 Elastic Compute Cloud: 99.95 % availability.
Grid/Cloud influence SLAs: better services = different SLAs

The business practice (III)
Joyent: “Cloud computing brought to you with the power of the Joyent Accelerator”.
Accelerator hosting SLA (Grid container hosting account services): 100 % availability for all users.

The business practice (IV)
Google: SLA for Google Apps Premium Edition: 99 % availability.
Thus… Performance may be the next focus in Grid/Cloud computing SLAs (Stephane Dubois, CEO Xignite).

SLA negotiation (I)
Phases:
1. SLA contract definition (template, proposal);
2. Negotiation and signing of the contract;
3. Monitoring;
4. Enforcement.

SLA negotiation (II)
E-negotiation: focus on agreeing on the conditions of the SLA (QoS, price, etc.). Human intervention combined with computer-generated process.
E.g.: g-Forge SLA-negotiation: a plug-in is used to decide whether an offer shall be refused or accepted.

SLA negotiation (III)
E.g.: Web Services Agreement Specification (WS-Agreement): the protocol is based on a simple round “offer, accept” message exchange.
As long as the parties can manage the negotiations and the agreement reflects their will, there are no legal contractual barriers.

SLA negotiation (IV)
Entirely computer-controlled/generated negotiations with no human intervention (realistic scenario?): doubts as regards the validity and enforceability of the contract. Does the SLA really represent the will of the parties? Is it a real agreement?
Tip: prior agreement stating that the parties will be bound by the computer-generated SLA.

SLA negotiation (V)
Legal/technical issues in e-negotiations: security and reliability of the system and network: it is necessary to be sure that all messages have been received and the contract is really in force.

Validity and enforceability of the SLA (I)
When is the SLA legally valid and binding?
The principle (common law and civil law countries) is that a contract is deemed to come into existence when acceptance of an offer has been communicated to the offeror by the offeree/when the offeror knows that the offeree accepted.

Validity and enforceability of the SLA (II)
Need to check whether the contract shall be made in written form!
Does an e-contract respect this requisite? In the EU, all Member States should allow the conclusion of e-contracts with electronic signature (Directive 1999/93/EC).
Alternatives:
• E-mail with electronic signature;
• Paper-based contracts with ‘real’ signature.
NB: contracts with public authorities, check the standards set in the specific country (e-signature, e-document).

Validity and enforceability of the SLA (III)
B2B SLAs
Which law will govern the contract and will be applicable for the (contractual) obligations arising from the SLA?
Rome Convention 1980:
• A contract shall be governed by the law chosen by the parties – Art. 3(1); …

Validity and enforceability of the SLA (IV)
…
• In the absence of choice, the contract shall be governed by the law with which it is most closely connected – Art. 4(1) – that is…;
• …the country of the principal place of business of fixed establishment of the party (business) who is to effect the performance which is characteristic of the contract – Art. 4(2).

Validity and enforceability of the SLA (V)
The provision of the service is the performance characteristic of the contract.
The law of the country of the technology provider or of the service provider will be applicable (Rome Convention 1980 is universal).

Validity and enforceability of the SLA (VI)
For instance:
1. US (California) Grid/Cloud provider – Spanish service provider: American (Californian) law will be applicable;
2. Spanish service provider (SaaS) – Brazilian customer: Spanish law will be applicable.
Law applicable to what?
(a) interpretation;
(b) performance;
(c) within the limits of the powers conferred on the court by its procedural law, the consequences of breach, including the assessment of damages in so far as it is governed by rules of law;
(d) the various ways of extinguishing obligations, and prescription and limitation of actions;
(e) the consequences of nullity of the contract.

Validity and enforceability of the SLA (VII)
B2C SLAs (with a consumer) – Article 5(2):
“a choice of law made by the parties shall not have the result of depriving the consumer of the protection afforded to him by the mandatory rules of the law of the country in which he has his habitual residence:
- if in that country the conclusion of the contract was preceded by a specific invitation addressed to him or by advertising, and he had taken in that country all the steps necessary on his part for the conclusion of the contract […]”

Validity and enforceability of the SLA (VIII)
Article 5(3): if there is no choice the contract shall “be governed by the law of the country in which the consumer has his habitual residence if it is entered into in the circumstances described” in the previous slide.

Validity and enforceability of the SLA (IX)
Problem: is it possible to say that invitation/advertisement was carried on in the customer’s state if the invitation/advertisement was made in a web site?
Back in 1980 it was said that if a “German replies to an advertisement in American publications, even if [the goods or services] are sold in Germany, the rule does not apply unless the advertisement appeared in special editions of the publication intended for European countries”.
Different possible solutions – case by case basis – great uncertainty

Validity and enforceability of the SLA (X)
Formal Validity of the SLA – Article 9(2) Rome Convention:
“A contract concluded between persons who are in different countries is formally valid if it satisfies the formal requirements of the law which governs it under this Convention or of the law of one of those countries.”

Validity and enforceability of the SLA (XI)
Tip: the contractual regulation should be as complete as possible. Parties should state, in the SLA or in a framework contract, which law will be applicable and how potential future conflicts will be solved (competent court, ADR).

Liabilities (I)
Technology providers tend to limit their liabilities as much as possible.
E.g.: “we and our licensors do not warrant that the service offerings will function as described, will be uninterrupted or error free, or free of harmful components, or that the data you store within the service offerings will be secure or not otherwise lost or damaged… We…shall not be responsible for any service interruptions, including, without limitation, power outage, system failures or other interruptions.” (Amazon Web Services Customer Agreement).

Liabilities (II)
Service (SaaS) providers do the same!
E.g.: “we are not liable to you…for any direct, indirect, incidental, special or consequential damages or losses arising out of access to or use of the Service or inability to access or use the Service or out of any breach of any warranty including, without limitation, damages or losses resulting from acts of god or events of similar case or the consequences of viruses received by you via the Service, even if we are advised of the possibility of such damages or losses.” (Business Professional).

Liabilities (III)
The risk, at the end, is shifted to the final customer…
Technology provider → Service provider → End user

Liabilities (IV)
Impact of Grid/Cloud failures in a SaaS scenario: who is liable for what?
• The technology provider does not take liabilities;
• The SaaS provider does not take liabilities;
• The end user…the loser takes it all!
Legislative intervention to allocate risks and liabilities in a fairer way? In B2C, the application of the Rome Convention can mitigate the risks for the customer.

Liabilities (V)
“The best strategy for dealing with the risks of Cloud vendors is to mitigate them before you move your applications and data into the Cloud. Do what you can to protect your business before you sign a contract with a Cloud or SaaS provider.” (Anne Grubb).

Liabilities (VI)
In practice…
Distinction between (i) SLAs negotiated between equals and (ii) standard contracts imposed by big players. In the latter case, the customer (B2B) takes the risk.

Liabilities (VII)
Rules of jurisdiction: What if the customer is a consumer (B2C)?
Regulation 44/2001: in case of ‘active’ website of the supplier, the special rules aimed to protect the consumer (who is a consumer?) apply (Art. 15-16).
Consumer (domiciled in the EU) – Business (extra-EU)
Belgian consumer v. US company = judge ex Belgian rules
US company v. Belgian consumer = Belgian judge
Consumer (domiciled in the EU) – Business (EU)
Belgian consumer v. German company = German or Belgian judge
German company v. Belgian consumer = Belgian judge

Liabilities (VIII)
In the field of B2C transactions, substantial (which law?) and procedural rules (which judge?) limit the unbalanced position between Grid/Cloud provider and the customer.
However, these rules are often difficult to apply: need for clarifications.

Liabilities (IX)
Liability of the technology provider/service provider towards third parties: E-commerce Directive (2000/31/EC).
Limitations of liability:
• Grid provider: hosting (Art. 14) – duty of care;
• Service provider: mere conduit (Art. 12), caching (Art. 13), depending on the case.

Thanks for your attention!
Davide M. Parrilli
ICRI-K.U. Leuven-IBBT
davide.parrilli@law.kuleuven.be