Hi!
DISCLAIMER:
I may be asking the wrong questions, it may be the wrong place to ask them and most of all even if you are a lawyer, you are not my lawyer
I was brushing up a bit on legal stuff and something came to my mind. I think those questions are not related only to cloud environments - in my view they apply to any kind of outsourced hosting/processing configuration that you don't operate yourself (somebody else runs servers for you).
Cloud is used to provide 'magic' solutions of many kinds - from simple SaaS, through PaaS to IaaS... As far as SaaS goes, 'what you
see pay for is what you get'
- simple, complete, strict in form. Other cloud forms are less regulated so to say and offer more room for potential abuse or 'actions with negative consequences'.
Using PaaS or IaaS - cloud becomes kind of weapon - same rules apply. Firearms don't kill people - people kill people. Cloud can be used for good or bad purpose - all depends on the end-user. I'm not saying that one is better suited to do good or bad things, it's a question of legal responsibility for providing service, which is the gray area that I'm interested in...
Questions:
1. As far as I remember, under UK law some things can be classified as 'facilitating tools to commit crime'. Ok - there is a question of intentions (I love that part about UK law hihi) but a cloud is located in... right, that's the first problem...
Let's assume an entity has created a tool (PaaS) that can be used for good or bad purpose and that tool can utilize EC2 from Amazon for example. Question is - what's the entity's liability if an end-user (called 'boss') resident in the UK (in this example) uses their magic PaaS to help himself commit something of criminal nature?
2. Which of the laws would apply in such case:
a) UK (assuming that's where the entity operates in one formal way or another)
b) End-User's country of residence - where the 'boss' is located (UK, EU, other)
c) country where the entity's platform logic is hosted (UK, EU, other)
d) country where 'boss' runs his stuff in using our magic PaaS (where his EC2 or similar instances are)
e) country where a 'cloud provider' that hosts the servers for the boss is registered (some providers have registered offices in other countries than data centers - for example Amazon)
f) country where the potential victim resides (anywhere - it's the Internet)
g) none of the above / other
h) all of the above (yikes!)
i) it depends (favorite legal line... hey - if you pick this one, I want to know the why and what are the options :->)
j) ... I bet you can come up with some other possibilities
3. What may be the potential solutions to the problem - except creating very long T&C that would cover all possible exceptions for all possible cases above (and more), etc?
I hope you see the problem - who has authority to declare which law applies? Even simple question - I run stuff on EC2 in EU, then I use data from EC2 to commit a criminal offense in country X (outside of US/EU zone). Is that EU law (data generated in EU - facilitating tools for crime), US law (Amazon is registered in US), victim's country law or where I am running the attack (country Z)?
If anybody can knows, feel free. If you want to give your best guess - go for it, just say it's a guess so others won't take it for granted... and most of all remember - this is just a theoretical exercise (but quite real) and the disclaimer from the top of this post is still valid
