Slides for talk by Prof Chris Reed, Cloud Legal Project http://cloudlegalproject.org on who owns information in the cloud, at Cloud Computing: Legal, Organisational and Technological Issues conference, University of the West of England, on 23 February 2011, Bristol, UK.

1. Information Ownership
iccl @ CCLS
in the Cloud
Chris Reed
Professor of Electronic Commerce Law
1
What is “Ownership”
• No physical property rights in information
But customers may expect similar rights
• Three legal sources of ownership
IP rights
Confidentiality
Contract
• Customer/provider relationship
Confidentiality and contract are primary sources
IP rights relevant to claims against third parties
• But need to be allocated in the customer/provider relationship
• All these are well-understood in normal computing
usage

2. What is different about cloud
computing?
• Provider makes processing technology and other
information available to customer
Thus further information rights come into play
• Provider
• Third parties
• Copyright fragments ownership and creates
uncertainty
Who owns information generated in the cloud?
Particular problem of generation across jurisdictions
• Provider has ability to undertake data mining and
produce metadata
Does customer have any rights to control exploitation?
Licensed
technology
Metadata
Licensed
Provider
information
Know how/ Billing data
Trade secret
Data mining
Know how/
Processing
Trade secret
outputs
Customer
Customer own Licensed
information technology
Employee &
Client Licensed
information information

3. Licensed
technology
Licensed
Provider
information
Information
inputs
Customer
Customer own Licensed
information technology
Employee &
Client Licensed
information information
Ownership of information inputs
• Ownership unchanged by placing in the cloud
IP rights (mainly copyright/database) continue to
subsist in software and data
Third party information and software
• Owned by providers
• Use may be controlled by licence terms
• Service terms may modify this
Provider will require licence from customer to use
information inputs
Providers rarely ask for ownership rights in inputs

4. Metadata
Provider
Outputs and Know how/ Billing data
derived Trade secret
Data mining
information
Know how/
Trade secret Processing
outputs
Customer
Information outputs
• IP rights uncertainties
Authorship
• Who? (customer/provider?)
• Where?
Problem for database right
• Jurisdictional uncertainties
Is the output created on the server?
• Differing national law approaches to IPRs
Functional/factual works
Computer-generated works
And which server was actually used?
When is this a problem?
• Claims against third parties
• Use by provider

5. Metadata – the great unknown
• Metadata is information about the customer’s
use of the service
• Addition, deletion and generation of information
• Use of software applications and databases
Generated by provider, thus IPRs owned by provider
But when relating to customer, metadata will be confidential
• Data mining
Provider has ability to search customers’ information and
extract further information from it
• Unless constrained by service terms
Generated by, and thus IPRs owned by, provider
Potentially very valuable to third parties
Will metadata generation infringe
customer’s rights?
• IP rights
Location of copying/extraction determines
applicable rights
Terms of provider’s licence to use customer
information
• Confidential information
Primary duty is to preserve confidentiality
• Aggregation and anonymisation can reduce this risk
• But note development of reidentification technology
Secondary duty not to take unfair advantage of the
information?

6. Customer concerns
• Secret use of “my” information
• Risk of confidentiality breach
Carelessly including identifying information
Customer identity can be deduced from metadata
or mined data
• Revenue sharing
Provider uses customer’s assets to make profits
for itself
• Customer will want to share
• But revenue from this may be implicitly included in cost
of service
Resolving the ownership
conundrum
• All these issues can be addressed by
appropriate service terms
But do current service terms even recognise the
issues exist?
If so, are they dealt with appropriately?
Do customers have other expectations which need
to be catered for?
Effects of consumer protection law on service
terms?

7. The limitations of service terms
• Little scope for individual negotiation
Provider needs all users to be on same deal as to
information ownership
• Hidden parties
Outsourcing and reselling of cloud capacity
• Differing national law effects
But clouds transcend geography
A governance model
• Window of opportunity for cloud providers to
establish a governance forum
Identify best practices for issues such as
information ownership
Leading to coherent and consistent service terms
across multiple cloud services
• Might be sufficient to forestall hasty national
legislation
History tells us that first generation regulation of
cyberspace is usually a failure!