The Cloud Meets the Law: Where Wikileaks Went Wrong

Updated: The story of Wikileaks hosting its “cablegate” data on Amazon’s EC2 (s amzn) is fascinating to me on many different levels. As a journalist, I feel compelled to root for Wikileaks in the name of freedom of the press, and producing an informed electorate. As an American citizen, I wonder whether maybe there’s such a thing as disclosing too much information when it comes to national security. On a more practical level, I’m flabbergasted that Wikileaks decided to host its site with a U.S.-based provider like Amazon.

Although government pressure appears to have forced Amazon to remove the site, it’s important to remember that the First Amendment does not really apply in cloud computing. Cloud providers are private companies providing a service to private citizens, and their terms of service make it crystal clear that they are the ultimate arbiters of what’s acceptable use of their servers. The Constitution protects certain speech from government censorship or prosecution, but if a company like Amazon doesn’t want to serve as the conduit for that speech, it doesn’t have to. (See Amazon’s decision in the recent flap over a book about pedophilia for further proof.)

Rackspace (s rax) made this perfectly clear in September, when it bowed to public opinion and shut down Koran-burning pastor Terry Jones’s web site. That story received surprisingly little attention, but I noted at the time it was the beginning of a slippery slope with regard to freedom of speech in the cloud. Jones may be a crank, but his plan — however misguided — was perfectly constitutional, and likely would have flown under the radar if not for the demands of the 24-hour news cycle and a heightened political climate. But someone caught wind of it, outrage ensued, and the site was pulled.

Wikileaks, however, presents an entirely different situation. The reality is that freedom of speech hits a wall where national security is concerned. Not only can the government prohibit the publication if such information, but releasing it can be a criminal act. The Espionage Act — particularly 18 U.S.C. Sections 793 and 798 — makes it clear that anyone publishing information that puts national security at risk would be wise to host it outside the jurisdiction of the United States justice system. Without getting too deep into issues of personal jurisdiction and conflicts of law, breaking U.S. law by hosting information on servers located here and operated by a company incorporated here is a recipe for legal disaster.

By doing so, Wikileaks probably opened itself up to being tried in a federal court, but Amazon was always on the hook. If the government decided Wikileaks was breaking the law, and that Amazon was knowingly facilitating it, then Amazon was looking at potential federal prosecution. I have no idea what was said during that call between Amazon on Sen. Lieberman (I-Conn.), but I suspect this point was raised. Guess what: Amazon isn’t going to – and, prudence suggests, probably shouldn’t – risk its business defending charges of breaching national security.

Forget handing over administrative control to a cloud provider or waiving any legal recourse beyond the terms of the SLA. Organizations and individuals choosing cloud computing also give up some constitutional rights. Aside from freedom of speech, antiquated electronic data privacy laws also might put cloud-based data outside the bounds of Fourth Amendment protections against unreasonable search and seizure.  (Microsoft (s msft), Google (s goog) and some legislators are pushing to change this, but so far it’s mostly talk and some early-stage legislation). I still think cloud computing is a transformative delivery model and the future of IT, but potential cloud users – especially those looking to push ethical buttons – would be wise to consider the legalities of what it means to do business in the cloud as well.

Update: Amazon has posted an explanation of its decision to remove WikiLeaks from its servers, saying it was not the result of government pressure, but because the organization breached the web company’s terms of service — since it did not own the rights to the information it hosted, and since the information could have led to people being harmed. The note says:

There have been reports that a government inquiry prompted us not to serve WikiLeaks any longer. That is inaccurate. There have also been reports that it was prompted by massive DDOS attacks. That too is inaccurate. There were indeed large-scale DDOS attacks, but they were successfully defended against.

Amazon Web Services (AWS) rents computer infrastructure on a self-service basis. AWS does not pre-screen its customers, but it does have terms of service that must be followed. WikiLeaks was not following them. There were several parts they were violating. For example, our terms of service state that “you represent and warrant that you own or otherwise control all of the rights to the content… that use of the content you supply does not violate this policy and will not cause injury to any person or entity.”

It’s clear that WikiLeaks doesn’t own or otherwise control all the rights to this classified content. Further, it is not credible that the extraordinary volume of 250,000 classified documents that WikiLeaks is publishing could have been carefully redacted in such a way as to ensure that they weren’t putting innocent people in jeopardy. Human rights organizations have in fact written to WikiLeaks asking them to exercise caution and not release the names or identities of human rights defenders who might be persecuted by their governments.

Image courtesy of Flickr user Thorne Enterprises.

Related content from GigaOM Pro (sub req’d):