Cloud computing (still) needs a bill of rights

Summary: The cloud industry badly needs a common code of practice so that buyers know what exactly they ought to expect from a provider, right from the outset. Arriving at a consensus won't happen overnight, but it's high time to start making a serious effort.


Back in December, after Amazon summarily pulled the plug on WikiLeaks using its servers for alleged violations of terms and conditions, the CTO of Fujitsu Technology Solutions wrote that the action constituted a serious threat to the business of cloud computing:

"If a provider can terminate its service that easily, then it is doing exactly what skeptics expect, putting the security and availability of cloud services into question ... Many potential customers for cloud computing services will, I fear, have been paying attention and will now be forced to reconsider whether they can afford to make their IT that dependent on a third party. Cloud-computing's reputation has been damaged."

Even without the political dimension of the Wikileaks case and the powerful arguments around free speech, the principle of non-termination without notice is an important one. CloudAve's Krishnan Subramanian highlighted a wholly commercial example in which a low-cost CDN provider had its servers shut down without notice by an upstream provider (also covered at GigaOm).

These are extreme examples, but they highlight a golden truth about service level agreements: you only find out they're defective after the service fails. The cloud industry badly needs a common code of practice so that buyers know what exactly they ought to expect from a provider, right from the outset. We've had long enough to work out what all the issues are; it's time to take some action and work on publishing some specifications.

So I was glad to see's recently recruited chief scientist JP Rangaswami had posted some thoughts last week on work at the vendor to define a set of ten guiding principles for cloud computing. He writes that "this is something the company has been working on for a while now." I should flippin' well hope so, as it is now more than five years since I first blogged on this very topic of trust in service providers — and that same post was itself in response to outages at

In that post, I set out a first version of my own suggested 5-point code of practice, which I've since elaborated. Others too have come out with valuable contributions to this debate, including Ray Wang's Customer Bill of Rights for Software-as-a-Service, and the work that RightNow has done promoting better contract terms for customers. Not to mention the initiatives under way at EuroCloud, of which [disclosure] I'm a vice-president (and is a supportive member).

Looking at's 10-point list (as cross-posted at the vendor's own Cloud Blog), I do find myself a little disappointed that it's all very data-centric, focusing on privacy, security and governance of data. That's good, but accidents with the data aren't the only area of risk that enterprises have to consider when using a cloud application provider. Their business processes are highly exposed too, vulnerable to sudden disruption from unexpected outages and patches of poor performance, or at the mercy of arbitrary changes in pricing or terms of service, including those mentioned at the top of this post.

The Wikileaks story reminds us, too, that it is not just the industry and its customers that should be involved in the process of discussing and agreeing these principles. Government has to be involved too, both in providing the necessary regulatory framework (as it does for the banking and telecoms industries on similar matters), and in particular agreeing where and when there should be legal limits to its own powers (what value is your service provider's SLA, for example, if the Government itself controls an Internet 'kill switch'?).

With so many stakeholders, and so many angles to cover, arriving at a consensus over the rights and responsibilities of cloud providers, users and regulators is not something that's going to happen overnight. All the more reason, therefore, to foster the discussion now. The more these issues are surfaced, the closer we'll get to having some common, shared understanding of how cloud providers ought to behave and what their customers should insist on in their contracts and service level agreements.


Phil Wainewright

About Phil Wainewright

Since 1998, Phil Wainewright has been a thought leader in cloud computing as a blogger, analyst and consultant.

  • 21st Century technology meets 19th Century legal system

    Cloud computing is no different from other forms of outsourcing in terms of what complexities are created.
    - there are layers of contract terms and conditions
    - parties are subject to many different types of legal sanctions (subpoenas, seizures, court orders)
    - tolerance of weasel-words in Terms and Conditions

    Cloud computing adds some additional problems on top of the already nasty brew because of opacity. As a risk manager, you *don't know* where your data or service resides and what hazards exist. And if you expect the service provider to "make things right", READ YOUR CONTRACT. Half of them don't promise that the company will even return your phone call.
    terry flores
  • RE: Cloud computing (still) needs a bill of rights

    I completely disagree that there needs to be a bill of rights for cloud computing. Regulating means enforcement and when it comes to international cross-jurisdictional issues, the governments of the world are the least suited to handle this issue. Rather than go down the cost and time ineffective legal path which almost always seems to make lawyers richer and hurt the consumer in the long run, let the market make the decision. There are literally hundreds of cloud computing companies, so if you don't like Amazon's terms and conditions, try Rackspace, or GoGrid, or StormonDemand, or any of the others which are offering better guarantees.

    I had a site called and which exposed boiler rooms selling fake shares to people around the world. At its peak, the site was preventing about $120,000 of securities fraud a day. However, being so effective caused the boiler room operators to hire hackers to do DDOS attacks of which the first successfully took down the whole country of New Zealand for 12 hours. The second attack took it down for only 90 minutes. At which point the government asked me to kindly move the server to somewhere where they could handle the DDOS attacks better. I moved it over to one of the largest hosting providers in the US and told them in advance the issue I was experiencing. After two more DDOS attacks which took down their datacentre, they had to shut down the site. Although SIRS would be arguably considered a benefit to society and Wikileaks is not as clearly seen that way by all, both sites attract a certain amount of hacking and cyber-sabotage attempts. The Cloud Provider needs to protect their business and think about the great good of all their customers.

    I accepted that no matter where I hosted the server now, it would impact other business at the same datacentre, and so therefore, after 5 years of preventing securities fraud, I let the site close down. The crooks had won purely by being able to do cyber-sabotage. I am sure for Amazon, hosting Wikileaks caused nothing but similar problems. Of which a bill of rights which you suggest would neither solve nor be viable in these cases.

    There is more to the Wikileaks issue at Amazon than what the press is trying to sensationalize on and using that to jump on the bandwagon of insisting for a bill of rights, means you haven't thought through the issue before you wrote the article.
  • RE: Cloud computing (still) needs a bill of rights

    I don't think the bill of rights should be imposed from a government, but rather within the industry. I think it would be a good thing for public cloud computing providers to get together and begin to draft common terms into their SLAs. Some of those things should include:
    - Data retention (after termination the data must be available for up to X days)
    - Termination notice (Where permissible by law of the operating jurisdiction we will provide up to 72 hours of warning)
    • In the end, all things are "imposed" by the government

      @snoop0x7b

      Because the government is the only party with the power to *compel* action. SLAs are worthless even in a contract unless there is a mechanism to enforce the contract. That's where government comes in. You're just debating whether it's covered by contract law or standalone regulation. But even then you miss the point: if I don't trust a cloud company to look out for my interests, then I am not going to do business with them. If all of them have the same problem, then I won't do cloud at all. This is what the author is pointing out.

      As to jbmetrics' problem, it's not relevant. If you rely on IT services to run your business, you have to find a solution. If it's not cloud, and it's not hosting, then you are back to the original solution: in-house computers on an in-house network.

      I oversee three computing centers, two in-house and one remotely hosted. We won't be moving the other two anytime soon; after 6 years the remotely hosted systems are still problematic and not saving us enough money to make up for it. Any discussions about "cloud" end in less than 15 minutes, because once we ask "who is willing to get fired if it doesn't work" the room gets real silent.
      terry flores
      • RE: Cloud computing (still) needs a bill of rights

        @terry flores

        Yes, it's better to build a private cloud. More security and peace of mind. With the right software such as ThinServer, it need NOT be expensive or complicated
  • RE: Cloud computing (still) needs a bill of rights

    "The cloud industry badly needs a common code of practice"

    But I'm not yet convinced the world needs cloud computing.
    • RE: Cloud computing (still) needs a bill of rights

      @hiraghm@... You should probably research SOA. With the high technology and need for automation this is the infrastructure of that paradigm
  • Private cloud considered harmful

    Seeing what some commenters have written, it's time to remind readers that this blog does not recommend private cloud solutions:
  • InfoLawGroup's Cloud Customer Bill of Rights

    We are a law firm that drafts and negotiates cloud contracts on a regular basis. We have put together our own bill of rights that focuses on some of the main security/privacy/data access/risk of loss legal issues of the Cloud. Would be curious to get some feedback:
    David Navetta
  • Cloud Failure in 2011

    I agree with the comments of others that have gone before me and I predict that during 2011 there will be a big outage, with a name brand company and there will be big hype headlines. In the middle of the article will be the root cause disguised by all the hype - poor vendor management, poor contractual terms and conditions and no measurement of the SLAs with the provider. You own the service, you subscribe to components from service providers, you still own the overall service, protecting your business and measuring perception versus reality. Read more here ....

    Michele Hudnall @HudnallsHuddle @BSMHub
    Hudnalls Huddle
  • RE: Cloud computing (still) needs a bill of rights

    Phil, as you say, the 10 principles are a start, and they will get better as we refine them in response to the comments and advice we receive. When it comes to the "impact on business process" issue, I think it is a little more complicated: my gut feel is that the issue exists in all service contracts, not just those that are cloud-related. But thanks for the comments all the same. I'd like to spend some time with you figuring out how we can extend and refine what we have.
  • ...this is not exclusively a Cloud computing problem

    Couldn't all these objections be levied against your power provider? They can, more literally, "Pull the Plug". Look to how that service model and its agreements have evolved for a preview of how the Cloud will.