Several of our customers have been asking us questions about the viability and future of public cloud storage based on the recent government shutdown of MegaUpload. The concern is that, due to the malfeasance of another customer on a shared cyberlocker company, your own corporate data may be unavailable when you need it.
I forwarded several questions from our customers to our attorney, Philip Corwin, one of the leaders in the field of cyber law (www.vlaw-dc.com). Phil’s answers highlight the uncertainty surrounding the future of public cloud storage as a result of recent actions.
1) Can the DOJ take down any cloud storage provider without any prior notification to the legitimate users of the storage service? If so, how do legitimate users get their critical data access restored?
The DOJ will provide no advance notice to the users or operators of a domain and associated file-hosting/sharing service it believes to be engaged in unlawful criminal activity. The DOJ has made it clear that it has no near-term intent to restore any files to Megaupload.com users – that such users should not have kept their only copy on a remote service. It is unknown whether and to what extent the DOJ is reviewing files on the seized servers in a search for additional evidence of criminal activity. Some (primarily non-U.S.) Megaupload users have threatened to sue the DOJ for return of their files but no such action has yet been brought and there’s no telling how it might fare; in any event, no near-term relief is likely.
2) If our company is using a cyberlocker service for backup and archival usage and the DoJ impounds the storage servers, how quickly can I get my data from the DoJ if I need to do a restoration?
As noted above, the DOJ has given no indication as to whether or when it may permit any user of Megaupload.com to have access to and recover their files from the servers that have been seized.
3) What is the differentiation of a service provider like MegaUpload and Amazon S3 in the DoJ’s definition? Can the DoJ pull down our Amazon storage due to another user’s data storage usage practices?
It is not at all clear from the Megaupload indictment why it was criminally charged while other very similar services – such as Rapidshare and MediaFire – have not been, yet (as we have seen with domain seizures undertaken by the ICE division of the Department of Homeland Security, once a new criminal copyright enforcement tactic is employed it will likely be used again in other instances). One key element may have been the allegation that Megaupload paid users to upload infringing content in the past, although they had discontinued their “rewards” program at the time the criminal complaint was lodged. Amazon’s Cloud Drive is a no-frills cloud storage service with a 2GB limit on individual files and no file sharing function, so it is much less likely to be used for infringing purposes and become the target of a DOJ action.
4) If a public access storage provider can be shuttered by the DoJ for one or two suspect cyberlockers, can a Colo Facility or a Network Provider also be shuttered?
Any entity that is knowingly and willfully engaged in large scale online infringement for profit can be a potential target of a DOJ enforcement action. Network service providers do enjoy secondary liability immunity under the DMCA’s notice-and-takedown procedures safe harbor, but only if they expeditiously remove infringing files and refrain from any activity that constitutes direct infringement.
5) Is our data loss insured in the event of a felony or RICO action by the government when it takes down a public access storage provider?
That would depend on the exact terms of your insurance policy. But even monetary compensation cannot replace seized files, so it is best to retain at least one copy of all stored and shared files on hard drives under your direct control.
6) Would you recommend that customers move their data to secure internal clouds, based on the new legal uncertainties surrounding public cloud storage services’ uptime guarantees?
If you can afford to do so, a private cloud under your own control would be the safest bet. If that isn’t feasible, at least one copy of all files placed on remote servers should be saved on your own devices. And there will be a need for much greater due diligence investigation of file hosting and sharing services to determine whether they are likely targets of criminal enforcement actions that include website shutdown and server seizures.