Last week’s report by Bloomberg that the outage on the PlayStation Network was caused by a hacker using Amazon Web Services’s EC2 platform raises interesting questions in the newly emerging field of cloud computing law. Can Amazon Web Services be held responsible for the breach? In the event of a violation of security on one cloud infrastructure that stems from another cloud computing platform, can the originating cloud computing vendor be deemed legally responsible for the security violation? Consider the case of HIPAA legislation as it relates to the cloud, for example: as “business associates” of “covered entities” such as provider organizations, cloud computing vendors bear responsibility for security and privacy of patient health information data. A covered entity such as a hospital that stores personal health information on Amazon’s EC2 infrastructure can expect that, as a business associate, Amazon Web Services will demonstrate adherence to HIPAA’s privacy and security regulations that require data encryption, access controls, and processes for data backup and audit review of access.
What is Amazon Web Services’s degree of liability for the Sony outage, if any? Sources close to the investigation revealed that hackers rented one of Amazon’s EC2 servers and then deployed the attack on Sony PlayStation’s network that compromised the security of 100 million Sony customers. Amazon Web Services is likely to be subpoenaed in the investigation in order to extract details of the method of payment and the IP addresses used for the attack. That said, one would be hard-pressed to imagine making a legal case that Amazon bears responsibility for the attack given that virtually any of its customers could have launched the attack and there currently exists no easy method of differentiating between criminal accounts and legitimate ones. Granted, one could make the argument that cloud computing vendors should develop the IT infrastructure to proactively identify suspicious behavior and curtail it as necessary. Given the recent proliferation of cases where hackers use rented or hijacked servers to launch cyber-attacks, such legislation may not be entirely inconceivable as the cloud computing space evolves. Right now, however, regulatory agencies such as NIST and U.S. CIO Vivek Kundra have their hands full grappling with interoperability and quality standards for cloud-based data storage and transmission, separate from formulating the legally precarious constraint that would mandate that cloud computing vendors develop processes to detect hack-attacks before they happen.
Sony PlayStation’s cloud computing network experienced significant downtime starting on April 21. The outage affected Sony’s PlayStation Network and its Qriocity music service. Sony PlayStation’s cloud-based environment allows users to download and use online games, music, videos and movies. Patrick Seybold, Sony’s Senior Director of Corporate Communications and Social Media, announced that an “external intrusion” was responsible for the attack, generating suspicions that hackers were responsible for bringing down Sony’s cloud-based gaming and music platform. The hacker group Anonymous was the principal suspect for the Sony outage after Sony initiated a lawsuit against George Hotz, a PlayStation user with the username GeoHot, who jailbroke his PlayStation 3 and distributed jailbreaking tools to other users to download unauthorized applications. In early March, a Northern California court awarded Sony access to Hotz’s social media accounts, his PayPal account and the IP addresses of users who visited George Hotz’s website. The hacker collective Anonymous objected to Sony’s lawsuit against George Hotz, noting, “You have abused the judicial system in an attempt to censor information on how your products work. You have victimized your own customers merely for possessing and sharing information, and continue to target every person who seeks this information. In doing so, you have violated the privacy of thousands.” After Anonymous issued threats to Sony about its handling of the Hotz lawsuit, Sony experienced downtime on its main website, Style.com and the U.S. PlayStation site on April 6, in attacks that have been widely attributed to Anonymous.
But Anonymous denied responsibility for the recent outage by claiming, “For Once, We Didn’t Do It,” and that “While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and does not take responsibility for whatever has happened. A more likely explanation is that Sony is taking advantage of Anonymous’ previous ill-will towards the company to distract users from the fact that the outage is actually an internal problem with the company’s servers.” Sony’s technical troubles follow the recent high-profile releases of Mortal Kombat and Portal 2. Considered alongside Amazon’s recent EC2 outage, Sony’s downtime raises increased concerns about quality of service and reliability in the world of cloud computing. Downtime on Sony’s PlayStation Network began on April 21 and continues as of the evening of April 24, 2011.