Jurisdictional Challenges in Regulating the Cloud

Up in the Cloud: Conference on Legal and Privacy Challenges in Cloud Computing
5-6 July, 2013
Faculty Academic Conference Centre, 11/F, Cheng Yu Tung Tower, Centennial Campus, The University of Hong Kong

Taming the Nebulous: Jurisdictional Challenges in Regulating the Cloud
Terry KAAN
Faculty of Law, National University of Singapore
lawterry@nus.edu.sg

The Global Regulatory Battleground: The Current State of Play
• History: from ARPANET to ICANN and acronym hell – WSIS, WGIG, IGF, GAC and ITU and the World Conference on Telecommunications (WCIT) Dubai 2012, and Resolution 3
• Outcome: Nothing has changed
• US position more entrenched: the “multistakeholder model”, House and Senate resolutions, no business of the UN or ITU, the Council on Foreign Relations report

• But who are these “multistakeholders”, and what is their relationship to the US Govt?
• Who / what should have standing in the global regulation of the internet?
• Can the global internet be “regulated” in the same way as national govts regulate business within their jurisdiction? Or merely by binding agreements to harmonize national laws, processes and inter-state obligations, as in the banking sector – or traditional telephony?


Different aspects of the internet may have different amenability to “regulation” [after Caral]:
• Govts control the physical layer (actual physical infrastructure, cables etc) – full sovereignty
• Uneasy mix of Govt (mainly US?) and technical stakeholders control the code layer – ICANN – the agreed standards & processes on which the internet runs
• The content layer? Should governments have any standing to be involved at all, given that most content is created by the non-governmental business and individual internet community?
• States may assert an interest in controlling content in the name of national interest and security – the problem is the borderless nature of the internet and the info it carries – one state’s national interest is another state’s anathema
• Attempts at creating walled gardens: the Great Chinese Firewall. But does it work? Unless you want to disconnect entirely from the rest of the world
• But some degree of Balkanization appearing?
• Thought exercise for prospects of coordinated international content regulation: do you see the US agreeing to international rules obliging them to respect Chinese concerns?
What do we want to regulate? What do or should we worry about?

States:
• States can and do exclusively regulate physical infrastructure within their boundaries
• States would like to have a say in regulation of code layer, especially in relation to access and control of identities of participants
• States assert right to regulate content in name of national security; control of terrorism, crime and fraud; protection of human rights such as privacy and freedom of speech; deny access to foreign pollution and subversion


Multistakeholders:
• Who are these creatures? Companies?
• American Bar Association / International Chamber of Commerce “Global Internet Jurisdiction: The ABA/ICC Survey” (2004) – interesting insights
• Completely different worries from those of States
• Greatest worry: getting sued, legal risks of internet rising, compliance risk, especially privacy regulations
• Problem of compliance with national laws of multiple jurisdictions – what if they conflict?
• Response – contract terms, geolocation, refusal of service to high-risk states – results in handicapping development of internet?
Risks As Opportunity: Jurisdictional Arbitrage
• Paradox: disparate national legal regimes expose players to risks, but also advantages
• Amazon’s UK tax bill of £2.4m on £4bn sales, similar criticism of Google, Apple tax bills
• But they comply with all national laws, and companies have duty to shareholders – “not our fault”, urge harmonized rules
• Like tax havens? Not in interest to drive business away thru regulation – other states will welcome them!
• Do states engage in arbitrage? US & UK?

Cloud Computing, Risks & Regulation
• Obvious concerns about reliability / availability, but technical, not for regulation
• Perceptions? Information Systems Audit & Control Association (ISACA) Risk / Reward Barometer Survey 2010 of 1,800 IT professionals in US
• “More than 45% say risks of cloud computing outweigh benefits”, only 10% would use cloud for mission-critical services
• Not clear what main worry was: reliability or other risk? But largest group 28% responded that “compliance with industry and/or governmental regulation” was the “most important driver for [our] enterprise’s IT-related risk management activities”

• Compliance risks particularly acute for players (e.g. banks) in sectors and in jurisdictions with strong legislative privacy mandates? Most such privacy laws have yet to be fully translated for cloud operations
• Using cloud servers and providers in multiple jurisdictions may exponentially multiply compliance risks, or place companies in conflict
• What if the jurisdiction of the cloud provider or server demands a backdoor key for “national security” purposes?
• How should they respond to demands not permitted in their home jurisdiction? e.g. the Blackberry experience with India and Saudi Arabia

Pressing Needs
• Some bits of the internet are in greater need of regulation or at least international agreement on harmonization than others
• Regulation’s role in creating vital mechanisms – real risk of stunting development otherwise
• Particular glaring gaps:
• Universal internet payment system, particularly for micro-payments in e-commerce
• Must be scalable to business-business, business-consumer, consumer-consumer
• E-commerce dispute resolution mechanism
• But do states want this? Implications for flows of trade and impact on high street brick & mortar
Internet Regulation, Cloud Computing, and the Road Ahead
• Recent revelations by Messrs Manning, Assange & Snowden have had profound impact on states’ approach to the internet – and to cloud computing
• With revelations about FISA secret demands for information, the US’ PRISM and the UK’s Tempora programs – what hope of security in the cloud? Or national privacy requirements?
• A reminder for cloud enthusiasts and snooping states alike: what can be massively harvested and accumulated can also be massively leaked
• Implications beyond competing state claims and national security: Snowden revelations remarkable only because he chose to be a public whistleblower. If data were siphoned off for commercial fraud or gain, or state purposes? No one would have known ...
• Does EU reaction to PRISM and Tempora revelations herald a re-think of their passively going along with the US’ opposition to international regulation of internet at the state level / UN conference / internet authority?

• Liability and conflict of private stakeholders caught in the middle after being served with secret FISA orders? EU reactions?
• In UK, has already sunk hopes of reviving Theresa May’s snooping charter
• And cloud security? The good news: encryption works even against states! (but doesn’t relieve you of your conflicts and liabilities)
• And offer no information and trust nobody ...

Select References




• L. Kruger, “Internet Governance and the Domain Name System: Issues for Congress” (April 23, 2013: Congressional Research Service) www.crs.gov
• Council on Foreign Relations (Chairs: J. Negroponte & S. Palmisano), “Defending an Open, Global, Secure, and Resilient Internet” (Independent Task Force Report No 70), 2013 www.cfr.org
• J. Caral, “Lessons from ICANN: Is self-regulation of the Internet fundamentally flawed?” International Journal of Law and Information Technology Vol 12 No 1 (2004)
• B. Maier, “How Has The Law Attempted to Tackle the Borderless Nature of the Internet?” International Journal of Law and Information Technology Vol 18 No 2 (2010)
• The International Telecommunication Union, “Final Acts: World Conference on International Telecommunications” (Dubai, 2012). www.itu.int
• American Bar Association, “Global Internet Jurisdiction: The ABA/ICC Survey” (April 2004) http://apps.americanbar.org/buslaw/newsletter/0023/materials/js.pdf
• ISACA, “2010 ISACA IT Risk/Reward Barometer – US Edition” (March 2010) http://www.isaca.org/About-ISACA/Pressroom/News-Releases/2010/Pages/ISACA-US-ITRisk-Reward-Barometer-Survey.aspx
Media
• “Spy claims intensify UK debate over internet regulation”, Financial Times, June 7, 2013
• “Secret Court Ruling Puts Tech Companies in Data Bind”, New York Times, June 13, 2013
• “3 Tech Giants Want to Reveal Data Requests”, New York Times, June 11, 2013
• “NSA scandal: Twitter and Microsoft join calls to disclose data requests”, Guardian, June 12, 2013
• “Snooper’s charter has practically zero chance of becoming law, say senior MPs”, Guardian, 27 June, 2013
• “NSA leaks: US and Britain team up on mass surveillance”, Guardian, June 22, 2013
• “Encryption Has Foiled Wiretaps for First Time Ever, Feds Say”, Wired, June 28, 2013
