[co-author: Robert Baker]
Cloud computing has increasingly become a dominant model for computer and information technology service, with the majority of businesses worldwide using computing resources and storing data “in the cloud.” However, despite the ease of use and convenience of cloud computing, moving data and services into the cloud raises several legal issues for both cloud computing providers and users. This article highlights some of the issues and questions related to intellectual property (IP) rights raised by cloud computing.
What is cloud computing?
Generally, “cloud computing" is the remote delivery of computing services and resources to a client. Data is stored and/or processed remotely from the client, on infrastructure that is generally called the “cloud.” The client can access this infrastructure remotely, usually over the Internet. Importantly, the client (e.g. a personal computer) does not have to perform any of the data storage or processing that now occurs in the cloud, significantly reducing the hardware, software and security requirements of the client device.
The actual implementation of cloud computing systems can vary greatly. Example cloud computing service models include: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). Generally, SaaS models allow clients to access and use software applications over the Internet, rather than storing and running the applications locally. PaaS models provide access to a computing platform (e.g. Microsoft Windows) on which applications may be run or developed. IaaS models provide access to computer infrastructure on demand (e.g. data storage, networking and computing resources).
The advantages and disadvantages of cloud computing
One of the advantages of cloud computing is that individuals and businesses can avoid the costs of buying, installing and maintaining sophisticated hardware and software. Instead, this infrastructure is handled by the cloud provider remotely. However, this means that it is not clear where the cloud provider’s hardware and software is physically located, or where the client’s data is physically stored.
For example, services may be sold to a client in one particular jurisdiction, but that client's data may be stored and processed at one or multiple locations in the same or other jurisdictions. The client may not have any knowledge of where the data is stored or processed. Data may be stored redundantly in multiple locations and in multiple jurisdictions, and may be fragmented in storage. Data may even be stored in different countries at different times. Various aspects of data processing may also occur in different jurisdictions.
The amorphous nature of cloud computing makes determining how the law will apply—or even what law will apply—a challenge. Because IP rights are territorial and a single cloud computing service can touch multiple jurisdictions, it is unclear in many instances what IP laws will apply in the cloud computing environment.
Three cloud computing issues for patent owners
Patents are inherently jurisdictional: they confer rights only in the country in which the patent is granted. For example, a Canadian patent grants the patentee the exclusive right to make, use and sell an invention for the term of the patent. However, it does not grant any of these rights in any other country. This poses a challenge for cloud computing systems that extend across international borders.
The multi-jurisdictional nature of cloud computing, and the amorphous nature of the "cloud," give rise to a number of possible complications for patent owners or licensees trying to assert their patent rights against potential infringers.
1) Uncertainty over jurisdictional scope of infringement
As a general principle, infringement of a patent requires meeting every element of a claimed system or process. However, technology implemented in the cloud may be spread over multiple jurisdictions. This presents a potential challenge for patent owners: is the test for infringement satisfied if some of the claimed elements are met in a different country?
There are doctrines in the Canadian jurisprudence which could provide a basis for finding infringement where part of a claim is satisfied outside of Canada. However, Canadian law on the issue has not been settled, and in any event is likely to be highly fact dependent.
Jurisdictional issues also present uncertainty for clearing patent risks. Just as cloud-implemented technology may touch multiple jurisdictions, there is also the potential to attract liability in multiple jurisdictions. The law of each jurisdiction will need to be taken into account. For example, if a system is patented and used in the United States, infringement of the U.S. patent(s) may occur even if a part of the infringing system is located elsewhere (e.g. in Canada).1
Ultimately, patent owners would be well-served to recognize that cloud computing puts a wider range of jurisdictional possibilities into play and should be sure to construct portfolios that include rights wherever they may be needed.
Similarly, businesses should take a broad view when assessing risks and should consider all jurisdictional possibilities.
2) Multiple components operated by different parties
Cloud computing systems may include multiple components, each operated by a different party. For example, servers storing data may be owned and operated by one company, while system components relaying or processing data retrieved from those servers may be owned and operated by another company. These components may be contracted out to yet another company, who might then use those components to service end users. Because in this scenario different parties are responsible for providing different aspects of the system, it may be that no single party infringes all of the elements of a patented invention. Instead, the elements of the invention may be divided between two or more parties. The Canadian Patent Act does not provide for divided infringement, and the issue has not been considered by Canadian courts.
To some extent, this can be addressed by careful crafting of patent rights – applicants should avoid claiming inventions in such a way as to permit elements to be easily separated, and should be creative in claiming inventions from multiple perspectives to ensure robust coverage.
3) Difficulty in detecting infringement
Cloud computing also presents challenges in detecting infringement. By their nature, cloud systems often obscure or abstract some technical detail. For example, the client of a cloud computing service may not know where or exactly how its data is stored or processed. It also may not be possible for the client to reverse engineer the service—at the client end—to detect infringement. Further, a service provider's infrastructure may not be publicly accessible in a manner that allows for efficient detection of patent infringement.
Instead of the whole cloud computing system or its server-side elements, a service provider may consider whether any client-side elements of the system are eligible for patent protection. Activities at the client-side may be more localized and readily detectible. It may thus be easier for the patentee to assert its rights over its client-side elements.
However, when obtaining patent protection for client-side elements of a cloud computing system, one should keep in mind whom the potential infringer would be. It may not be in a company's best interest to assert patent rights against the users of a cloud computing service, since that may alienate those users from ever becoming customers.
Alternatively, if the proper elements can be proved, a service provider may be liable for inducing its users to infringe.
Copyright infringement issues with cloud computing
The de-centralized nature of cloud storage may complicate copyright issues.
Copyright laws vary from jurisdiction to jurisdiction. What constitutes copyright infringement in one country may not in another. This complicates the question of whether copyright has been infringed when data is stored in multiple locations. Typically, the location of a work is easily identifiable. However, the work’s location may be more difficult to identify in a cloud computing environment. It can thus be unclear which jurisdiction’s copyright laws apply, and whether there has been copyright infringement under those laws.
Another issue relating to copyright is whether cloud storage service providers can even be held liable for copyright infringement. Canadian jurisprudence has held that an Internet service provider acting as an intermediary for communication is shielded from liability by the Canadian Copyright Act2 so long as the service provider is not itself engaging in acts relating to the content of the communication. In other words, the Copyright Act shields an Internet service provide from liability so long as it merely provides a conduit for information communicated by others. However, it is unclear whether cloud storage providers necessarily meet this requirement (i.e. whether cloud storage providers are merely intermediaries or conduits). Therefore, Canadian copyright law is currently unclear on whether cloud storage providers may be shielded from liability for copyright infringement.
An additional complication relates to licensing of rights. Jurisdictional limits of licensing need to be taken into account, such that licenses are secured for all jurisdictions where data or software may be used.
Confidential information and trade secrets
Another concern relating to cloud storage is the protection of private and confidential data, such as trade secrets. Before uploading confidential data to the cloud, a user should consider what type of duty of confidentiality is owed to the user by the cloud storage service provider. For example, does that duty of confidentiality extend to sub-contractors utilized by the service provider? Under what circumstances can the user’s data be accessed or disclosed by the service provider? A further complication exists when the user is a business and its data includes private data of its clients or end users. In such cases, the business will need to carefully consider privacy legislation that may apply, and whether the cloud service agreement is sufficient to satisfy obligations under such legislation.
Recommendations for cloud computing and IP
Cloud computing can offer compelling cost and operational and strategic benefits, but creates legal uncertainty and raises complex IP issues, some of which remain unresolved in Canadian law. Businesses making use of cloud technologies, whether as users or as part of their own offerings, should consider and plan for such issues. Likewise, all IP owners should recognize the ubiquity of cloud technologies, and should ensure that their IP assets and agreements are crafted to adequately address the uncertainty and jurisdictional scope associated with cloud computing.
1. NTP, Inc v Research in Motion, Ltd, 418 F3d 1282 (Fed Cir 2005).
2. Copyright Act, RS, 1985, c C-42, s 31.1.