In the "largest criminal copyright case ever brought by the United States", US authorities last month charged individuals and corporations allegedly responsible for "massive worldwide online piracy" through the online file-sharing service Megaupload.
Legitimate users affected
In addition to charges laid against individuals and corporations, the Megaupload public cloud data storage service has been taken offline, by the seizure of domain names and hardware associated with the service by US authorities. This article focuses on the flow-on effects for users of the Megaupload service, rather than the copyright claims.
Megaupload provides a service for the storage of data virtually in the public cloud. Megaupload is a public cloud service (as opposed to private cloud) as its storage facilities are available to the general public over the internet.
While Megaupload is allegedly used by some for distributing pirated content (such as movies and television programs), there were also users (including business, not for profit and academic users) who used Megaupload to legitimately store and share their files. These users have lost access to their data as a result of the Megaupload seizure, and it is unclear when (if at all) they will be able to regain access to their data. At the time of writing this article, some news reports have indicated that all data held on the Megaupload servers might be permanently deleted towards the end of February.
The Megaupload closure serves as a timely reminder to organisations of public cloud data storage. In particular, it highlights the fact that users of public cloud services need to have contingencies in place to reduce the risk of data loss.
From a legal perspective, there are limited preventative measures that a user can take to stop data loss in the public cloud because:
- due to the relatively low fees charged by public cloud providers and the sheer mass of participants, users do not have the ability to negotiate and amend a cloud provider's standard user terms and conditions in order to favour and adequately protect a user's rights
- examples like the Megaupload case show that authorities in some jurisdictions have the legal right to shut down operations from a whole of service perspective, thus affecting legitimate users
- contractual enforcement against public cloud providers may be difficult for an individual user (or even a class of users), due to the relatively low loss and damage suffered by a user (thus making it uneconomical to pursue legal remedies) and the fact that court proceedings would need to be issued offshore.
What can public cloud users do?
It is essential that organisations that use public cloud data storage establish practical protections for the storage of data. This includes one or more of the following:
- critical data should continue to be stored on-site with the user
- data should be stored with a number of public cloud providers – thus spreading the risk of a provider being shut down
- organisations should ensure that effective business continuity processes are in place in the event of data or service loss.
The above options are not foolproof but go some way in protecting against data loss.
Organisations that place critical importance on data storage, hold personal/sensitive information (as defined under privacy legislation) or maintain a large volume of data may wish to consider the private cloud as a means of storing data. The private cloud is infrastructure operated solely for a single organisation, whether managed internally within the organisation or by a third-party service provider and hosted internally or externally.
The key disadvantage of private cloud is the relative high spend required, as opposed to public cloud. This is due to the fact that dedicated resources are required for the organisation's private use and access to the service.
Costs aside, the key benefits of private cloud are:
- if a private cloud provider is engaged, this typically allows customers to negotiate more favourable terms and conditions with the provider – including provisions dealing with continuity of service, service levels, non-infringement, compliance with laws in operating the service, data security, fee refund and termination for breach/convenience
- added data security due to the nature of dedicated resources being used to provide the customer's service
- customers may elect to have private cloud equipment stored on premise, thus reducing the risk of hardware seizure
- customers have the ability to choose private cloud providers that are based where the customer is located (such as Australia) thus dealing with a local operator or operators which have a proven track record
- customers may elect to operate their own cloud in-house, thus negating any reliance on any third party cloud providers (telecommunications and network providers will still be required).
Private cloud, like any other type of outsourced service, is still not foolproof, however it provides a greater means of ensuring that organisations maintain continuity of service.
Middletons has significant experience assisting both customers and providers of public and private cloud services.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.