[cryptography] Using Cloud to Obfuscate Liability

Jeffrey Walton noloader at gmail.com
Sun Sep 18 07:12:24 EDT 2011


On Sun, Sep 18, 2011 at 6:43 AM, Ian G <iang at iang.org> wrote:
> On 18/09/11 7:30 PM, Jeffrey Walton wrote:
>
>>>> It's kind of like the poor
>>>> man's cloud (and corporate America is flocking to the cloud, in part
>>>> due to the additional layer of liability offload).
>>>
>>> ! OK, I'll bite.  How does one offload liability by using the cloud?
>>
>> The provider is another entity in the legal entanglements, which
>> offers yet another level of indirection.
>>
>> Pre-cloud: Company A houses your data. Company A is breached, and
>> company A is exposed to legal liability. Post-cloud: Company A uses
>> Company B's cloud service. Your data is breached, and it's not clear if
>> the loss occurred at company A or company B. Since you can't prove who
>> is responsible for the loss, neither company is subject to a tortable
>> action.
>
>
> Tort <= provable agent.  I get it, thanks!
Sorry man! I know cynicism spills into a lot of [my] discussions.
Thanks for tolerating it.

>> By the time dust settles on data breaches, any attempts to certify a
>> class action are thrown out because members of the class cannot show
>> loss (and future loss is not considered). It's only going to get worse
>> when cloud providers are added to the mix.
>
> Meanwhile, Peter says, in answer to Dan's cloud question:
>
>> If you avoid it like the plague, you should be OK.
>
> Seems like we have different threat models in mind ;)
The keepers of the information have not done a good job with data
security with only one entity, so they add more to the mix! Now data
can egress from the original system and the cloud owners.

Jeff


