Celebrity Nude Photos, Is the Cloud a Legal Risk?

Thursday 11 September 2014 @ 11.46 a.m. | IP & Media | Legal Research

Recently, The Globe and Mail reported that Apple is to tighten its online security measures to reduce the chances of its users being victimized by hackers, like the ones that apparently stole nude photos from actress Jennifer Lawrence and other Hollywood celebrities. Apple's announcement follows statements by the FBI indicating that they are also looking into how the intimate celebrity pictures were stolen and leaked to the Internet.

Most of the speculation over how the celebrity pictures were obtained is that a lot of the images were illegally taken from cloud services. The cloud service most commonly mentioned in this respect being the one owned by Apple, known as "iCloud", a service which backs up content from one or more devices owned by a user onto the internet and then makes that content available back to any of those devices. It is reported that Apple has investigated whether its iCloud accounts were hacked and while Apple states its own iCloud's security was not breached it points out however, that the users own security may have been overcome. In this respect, The Globe and Mail reports Apple CEO Tim Cook as telling  The Wall Street Journal  that Apple would in future:

". . . use e-mail and push notifications to alert the hundreds of millions of people using its services when there has been an attempt to restore their iCloud data on a new device, change an account password or log on to an account with a new device. Previously there were no notifications for restoring iCloud data, but users did receive an e-mail when someone tried to change a password or log in for the first time from a new device".

All of the above is well and good as a response to the recent "nude photo crisis" but as UK firm Bond Dickson points out cloud computing is not limited to personal users who mostly upload pictures or backup their smart-phones and tablets. Increasingly, it is attracting business and commerce and even government users. Given this attraction, the legalities and the legal risks around cloud computing become very relevant.

Why the Attraction for Non-individuals?

If instead of calling it "the Cloud" you label it "outsourcing" the commercial attraction becomes very clear as a business or organisation moves from having to own and operate its IT resources to being able to rent them and connect to them on an as needs basis for services such as employee records, payroll and leave management, payment processing, and data and content storage and management.

Thus, the attraction of Cloud computing to non-individual users is not hard to pin down - mostly it's about money and the large amounts saved through the ability to store large quantities of data remotely without having to purchase and maintain large complex computer hardware and the networking software required to run the alternative.

The other two key elements of attraction are also fairly easy to target; namely, "portability" and "accessibility". Every business or large organisation easily sees the value of being able to take a linked device anywhere and from anywhere being able (given access to the internet) to access data/content, virtually any required information.

Understanding these simple points of attraction make it easy to understand why the likes of Google and Apple see the Cloud as a big part of their future, a part that will transform the information technology and industry.

Some of the Legal Issues and Related Matters to Consider

Security procedures: These need to be a major up front consideration established according to a company’s objectives and work flow. Surprisingly, the opposite is reported to be true as many companies implementing cloud based solutions and services ignore security or implement it poorly. Further, many companies also lack measures for approving or evaluating cloud based applications, which when moving to a "Bring Your Own Device" (BYOD) computing approach, are even more required. Generally, training, several layers of security and rigorous procedures for data transfer and copying are some options for protecting data in organizations.

Protection of information: Privacy is a key concern and it is important to ensure providers of cloud services can guarantee it. For example, an important matter to consider is that a cloud service provider is contractually prohibited from using your data for any of the provider’s own purposes, such as, advertising.

Liability: Typical of information technology agreements, cloud service agreements seek to minimise the provider's liability for any loss that arises from the provision of the service by for example:

  • excluding indirect and consequential losses (for example, lost data);
  • setting low liability caps (like, forfeited fees under the agreement); or
  • an exclusion of liability all together.

The trick is to be aware of these exclusions and seek to cap them or control them so the outcome is reasonable for both parties.

Intellectual property rights: These are different from one country to another and since the Cloud is on the Internet, by its nature it is global, meaning it is not always clear what intellectual property laws will apply in the cloud computing environment. It is important to be aware of the regulations and rights applying in the country where you store your content/intellectual property and to be sure that the cloud provider you use knows how to protect your intellectual property and avoid potential infringements.

Other matters to consider are performance management targets for agreements, how an agreement is terminated (how data is returned, for example) and dispute resolution (where it is done, what laws apply?).

Managed Risk is the Solution

The key is understanding the technical and legal risks around Cloud computing and managing them in a way similar to how inhouse computing is managed, namely; through security procedure, company policy and practice and legal agreements. As UK firm Bond Dickson says:

"Celebrity photo leaks aside, the cloud has provided efficiency for businesses and in many cases, improvements in security. But cyber threats continue to be a growing issue, and add complexity to risk management decisions. The bottom line is that when it comes to storing data in the cloud, risks should be identified and managed in the same way as if you were storing data yourself."

TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products.

Sources:

Related Articles: