Challenges for consumer rights in a cloud computing powered world and ISO/IEC Project 19086
Challenges for consumer rights in a cloud computing powered world
and ISO/IEC Project 19086
developing a framework standard for service level agreements in cloud computing
Norbert Bollow
Chiang Mai, 3 April 2014
from the presentation of the ISO/IEC JTC1 SC38 Chair to the ISO/IEC JTC1 plenary, November 2013
Consumer rights laws are currently based on assumptions that are typically not valid for cloud based services
● assumption that services to consumers are provided by companies subject to the laws of the consumer's country
● assumption that consumers (or at least organizations that test products in order to inform consumers) are able to recognize defective products
● assumption that a defective product primarily harms its users (rather than society as a whole)
● assumption that competitors are able to offer significantly different products
A simple scenario for a cloud based service provided to consumers
● Company A in country X offers a cloud service implementing a business process.
● Companies B, C and D in country Y make use of this cloud service to provide a service to consumers in country Y.
● Key properties of the service offered by companies B, C and D depend on the SLA offered by company A, the laws of country X, and the laws applying to the supply chain of A.
What to do?
● Insist that ISO/IEC Project 19086, developing a framework standard for service level agreements in cloud computing, puts emphasis on the aspects that are important for consumer protection.
● Consumer organizations need to build competence for validating claims of providers of cloud based services e.g. in regard to security / data protection.
What are ISO and IEC?
● ISO = “International Organization for Standardization”, formally a private sector association with its seat in Geneva, economically a cartel of national standardization organizations.
● IEC = “International Electrotechnical Commission”, also has its seat in Geneva.
● Under WTO rules, ISO/IEC standards can be referenced in legislation (that wouldn't make sense for the 19086 standard, but this is relevant to the culture of the organization and its processes).
● Consumers International engaged in COPOLCO.
ISO/IEC JTC1 SC38
● “JTC” = “Joint Technical Committee” of ISO and IEC.
● SC = “Sub-Committee”.
● SC38 is for the topic areas distributed computing, service oriented architecture, and cloud computing.
● Participants have a technical background; most are employees of big companies who want to earn money in this area.
● Most countries are represented by employees of US based international companies; it is particular to SC38 that for very many countries this is Microsoft.
● Because consensus processes are used, even a single consumer organization voice can have huge impact!!!
What's in my report?
● I've looked at national consumer laws for arguments that can be used to influence ISO/IEC SC38. This is not a legal analysis, as the people in SC38 have a technical rather than a legal background.
● Analysis of which aspects are particularly important in the cloud computing context.
What to do? (We need to do it!)
● Insist that ISO/IEC Project 19086, developing a framework standard for service level agreements in cloud computing, puts emphasis on the aspects that are important for consumer protection.
● Consumer organizations need to build competence for validating claims of providers of cloud based services e.g. in regard to security / data protection.
● “All that is necessary for the forces of evil to succeed is for enough good people to do nothing.” (famous quote misattributed to Edmund Burke)