Up in the Cloud: Conference on Legal and Privacy Challenges in Cloud Computing
5-6 July, 2013
Faculty Academic Conference Centre, 11/F, Cheng Yu Tung Tower, Centennial Campus, The University of Hong Kong

Taming the Nebulous: Jurisdictional Challenges in Regulating the Cloud
Terry KAAN
Faculty of Law, National University of Singapore
lawterry@nus.edu.sg

The Global Regulatory Battleground: The Current State of Play

- History: from ARPANET to ICANN and acronym hell – WSIS, WGIG, IGF, GAC and ITU and the World Conference on Telecommunications (WCIT) Dubai 2012, and Resolution 3
- Outcome: Nothing has changed
- US position more entrenched: the “multistakeholder model”, House and Senate resolutions, no business of the UN or ITU, the Council on Foreign Relations report
- But who are these “multistakeholders”, what is their relationship to the US Govt?
- Who / what should have standing in the global regulation of the internet?
- Can the global internet be “regulated” in the same way as national govts regulate business within their jurisdiction?
- Or merely binding agreements to harmonize national laws, processes and inter-state obligations as in the banking sector – or traditional telephony?
- Different aspects of the internet may have different amenability to “regulation” [after Caral]:
  - Govts control the physical layer (actual physical infrastructure, cables etc) – full sovereignty
  - Uneasy mix of Govt (mainly US?) and technical stakeholders control the code layer – ICANN - the agreed standards & processes on which the internet runs
  - The content layer? Should governments have any standing to be involved at all, given that most content is created by the non-governmental business and individual internet community?
- States may assert interest in controlling content in the national interest and security – problem is borderless nature of internet and the info it carries – one state’s national interest is another state’s anathema
- Attempts at creating walled gardens: the Great Chinese Firewall. But does it work? Unless you want to disconnect entirely from rest of world
- But some degree of Balkanization appearing?
- Thought exercise for prospects of coordinated international content regulation: do you see the US agreeing to international rules obliging them to respect Chinese concerns?

What do we want to regulate? What do or should we worry about?

States:
- States can and do exclusively regulate physical infrastructure within their boundaries
- States would like to have a say in regulation of code layer, especially in relation to access and control of identities of participants
- States assert right to regulate content in name of national security; control of terrorism, crime and fraud; protection of human rights such as privacy and freedom of speech; deny access to foreign pollution and subversion

Multistakeholders:
- Who are these creatures? Companies?
- American Bar Association / International Chamber of Commerce “Global Internet Jurisdiction: The ABA/ICC Survey” (2004) – interesting insights
- Completely different worries from that of States
- Greatest worry: getting sued, legal risks of internet rising, compliance risk, especially privacy regulations
- Problem of compliance with national laws of multiple jurisdictions – if they conflict?
- Response – contract terms, geolocation, refusal of service to high-risk states - results in handicapping development of internet?

Risks As Opportunity: Jurisdictional Arbitrage

- Paradox: disparate national legal regimes expose players to risks, but also advantages
- Amazon’s UK tax bill of £2.4m on £4bn sales, similar criticism of Google, Apple tax bills
- But they comply with all national laws, and companies have duty to shareholders – “not our fault”, urge harmonized rules
- Like tax havens? Not in interest to drive business away thru regulation – other states will welcome them!
- Do states engage in arbitrage? US & UK?

Cloud Computing, Risks & Regulation

- Obvious concerns about reliability / availability, but technical, not for regulation
- Perceptions? Information Systems Audit & Control Association (ISACA) Risk / Reward Barometer Survey 2010 of 1,800 IT professionals in US
- “More than 45% say risks of cloud computing outweigh benefits”, only 10% would use cloud for mission-critical services
- Not clear what main worry was: reliability or other risk?
- But largest group 28% responded that “compliance with industry and/or governmental regulation” was the “most important driver for [our] enterprise’s IT-related risk management activities”
- Compliance risks particularly acute for players (e.g. banks) in sectors and in jurisdiction with strong legislative privacy mandates?
- Most such privacy laws have yet to be fully translated for cloud operations
- Using cloud servers and providers in multiple jurisdictions may exponentially multiply compliance risks, or place companies in conflict
- If jurisdiction of cloud provider or server demand a backdoor key for “national security” purposes? How should they respond to demands not permitted in their home jurisdiction? e.g. the Blackberry experience with India and Saudi Arabia

Pressing Needs

- Some bits of the internet are in greater need of regulation or at least international agreement on harmonization than others
- Regulation’s role in creating vital mechanisms – real risk of stunting development otherwise
- Particular glaring gaps:
  - Universal internet payment system, particularly for micro-payments in e-commerce. Must be scalable to business-business, business-consumer, consumer-consumer
  - E-commerce dispute resolution mechanism
- But do states want this? Implications for flows of trade and impact on high street brick & mortar

Internet Regulation, Cloud Computing, and the Road Ahead

- Recent revelations by Messrs Manning, Assange & Snowden have had profound impact on states’ approach to the internet – and to cloud computing
- With revelations about FISA secret demands for information, the US’ PRISM and the UK’s Tempora programs – what hope of security in the cloud? Or national privacy requirements?
- A reminder for cloud enthusiasts and snooping states alike: what can be massively harvested and accumulated can also be massively leaked
- Implications beyond competing state claims and national security: Snowden revelations remarkable only because he chose to be a public whistleblower. If data siphoned off for commercial fraud or gain, or state purposes? No one would have known ...
- Does EU reaction to PRISM and Tempora revelations herald a re-think of their passively going along with the US’ opposition to international regulation of internet at the state level / UN conference / internet authority?
- Liability and conflict of private stakeholders caught in the middle after being served with secret FISA orders?
- EU reactions? In UK, has already sunk hopes of reviving Theresa May’s snooping charter
- And cloud security? The good news: encryption works even against states!
- (but doesn’t relieve you of your conflicts and liabilities)
- And offer no information and trust nobody ...

Select References

- L. Kruger, “Internet Governance and the Domain Name System: Issues for Congress” (April 23, 2013: Congressional Research Service) www.crs.gov
- Council on Foreign Relations (Chairs: J. Negroponte & S. Palmisano), “Defending an Open, Global, Secure, and Resilient Internet” (Independent Task Force Report No 70), 2013 www.cfr.org
- J. Caral, “Lessons from ICANN: Is self-regulation of the Internet fundamentally flawed?” International Journal of Law and Information Technology Vol 12 No 1 (2004)
- B. Maier, “How Has The Law Attempted to Tackle the Borderless Nature of the Internet?” International Journal of Law and Information Technology Vol 18 No 2 (2010)
- The International Telecommunication Union, “Final Acts: World Conference on International Telecommunications” (Dubai, 2012) www.itu.int
- American Bar Association, “Global Internet Jurisdiction: The ABA/ICC Survey” (April 2004) http://apps.americanbar.org/buslaw/newsletter/0023/materials/js.pdf
- ISACA, “2010 ISACA IT Risk/Reward Barometer – US Edition” (March 2010) http://www.isaca.org/About-ISACA/Pressroom/News-Releases/2010/Pages/ISACA-US-ITRisk-Reward-Barometer-Survey.aspx

Media

- “Spy claims intensify UK debate over internet regulation”, Financial Times, June 7, 2013
- “Secret Court Ruling Puts Tech Companies in Data Bind”, New York Times, June 13, 2013
- “3 Tech Giants Want to Reveal Data Requests”, New York Times, June 11, 2013
- “NSA scandal: Twitter and Microsoft join calls to disclose data requests”, Guardian, June 12, 2013
- “Snooper’s charter has practically zero chance of becoming law, say senior MPs”, Guardian, 27 June, 2013
- “NSA leaks: US and Britain team up on mass surveillance”, Guardian, June 22, 2013
- “Encryption Has Foiled Wiretaps for First Time Ever, Feds Say”, Wired, June 28, 2013