A wise user judges each Internet usage scenario carefully
by Richard Stallman
First published in The European Business Review
Businesses now offer computing users tempting opportunities to let others keep their data and do their computing. In other words, to toss caution and responsibility to the winds.
These businesses, and their boosters, like to call these computing practices “cloud computing”. They apply the same term to other quite different scenarios as well, such as renting a remote server, making the term so broad and nebulous that nothing meaningful can be said with it. If it has any meaning, it can only be a certain attitude towards computing: an attitude of not thinking carefully about what a proposed scenario entails or what risks it implies. Perhaps the cloud they speak of is intended to form inside the customer's mind.
To replace that cloud with clarity, this article discusses several different products and services that involve very different usage scenarios (please don't think of them as “cloud computing”), and the distinctive issues that they raise.
First, let's classify the kinds of issues that a usage scenario can raise. In general, there are two kinds of issues to be considered. One is the issue of treatment of your data, and the other is control of your computing.
Within treatment of your data, several issues can be distinguished: a service could lose your data, alter it, show it to someone else without your consent, and/or make it hard for you to get the data back. Each of those issues is easy to understand; how important they are depends on what kind of data is involved.
Keep in mind that a US company (or a subsidiary of one) is required to hand over nearly all data it has about a user on request of the FBI, without a court order, under “USA PATRIOT Act”, whose blackwhiting name is as orwellian as its provisions. We know that although the requirements this law places on the FBI are very loose, the FBI systematically violates them. Senator Wyden says that if he could publicly say how the FBI stretches the law, the public would be angry at it. European organizations might well violate their countries' data protection laws if they entrust data to such companies.
Control of your computing is the other category of issue. Users deserve to have control of their computing. Unfortunately, most of them have already given up such control through the use of proprietary software (not free/libre).
With software, there are two possibilities: either the users control the software or the software controls the users. The first case we call “free software”, free as in freedom, because the users have effective control of the software if they have certain essential freedoms. We also call it “free/libre” to emphasize that this is a question of freedom, not price. The second case is proprietary software. Windows and MacOS are proprietary; so is iOS, the software in the iPhone. Such a system controls its users, and a company controls the system.
When a corporation has power over users in that way, it is likely to abuse that power. No wonder that Windows and iOS are known to have spy features, features to restrict the user, and back doors. When users speak of “jailbreaking” the iPhone, they acknowledge that this product shackles the user.
When a service does the user's computing, the user loses control over that computing. We call this practice “Software as a Service” or “SaaS”, and it is equivalent to running a proprietary program with a spy feature and a back door. It is definitely to be avoided.
Having classified the possible issues, let's consider how several products and services raise them.
First, let's consider iCloud, a coming Apple service, whose functionality (according to advance information) will be that users can copy information to a server and access it later from elsewhere, or let users access it from there. This is not Software as a Service since it doesn't do any of the user's computing, so that issue doesn't arise.
How will iCloud treat the user's data? As of this writing, we don't know, but we can speculate based on what other services do. Apple will probably be able to look at that data, for its own purposes and for others' purposes. If so, courts will be able to get it with a subpoena to Apple (not to the user). The FBI may be able to get it without a subpoena. Movie and record companies, or their lawsuit mills, may be able to look at it too. The only way this might be avoided is if the data is encrypted on the user's machine before upload, and decrypted on the user's machine after it is accessed.
In the specific case of iCloud, all the users will be running Apple software, so Apple will have total control over their data anyway. A spy feature was discovered in the iPhone and iPad software early in 2011, leading people to speak of the “spyPhone”. Apple could introduce another spy feature in the next “upgrade”, and only Apple would know. If you're foolish enough to use an iPhone or iPad, maybe iCloud won't make things any worse, but that is no recommendation.
Now let's consider Amazon EC2, a service where a customer leases a virtual computer (hosted on a server in an Amazon data center) that does whatever the customer programs it to do.
These computers run the GNU/Linux operating system, and the customer gets to choose all the installed software, with one exception: Linux, the lowest-level component (or “kernel”) of the system. Customers must select one of the versions of Linux that Amazon offers; they cannot make and run their own. But they can replace the rest of the system. Thus, they get almost as much control over their computing as they would with their own machines, but not entirely.
EC2 does have some drawbacks. One is, since users cannot install their own versions of the kernel Linux, it is possible that Amazon has put something nasty, or merely inconvenient, into the versions they offer. But this may not really matter, given the other flaws. One other flaw is that Amazon does have ultimate control of the computer and its data. The state could subpoena all that data from Amazon. If you had it in your home or office, the state would have to subpoena it from you, and you would have the chance to fight the subpoena in court. Amazon may not care to fight the subpoena on your behalf.
Amazon places conditions on what you can do with these servers, and can cut off your service if it construes your actions to conflict with them. Amazon has no need to prove anything, so in practice it can cut you off if it finds you inconvenient. As Wikileaks found out, the customer has no recourse if Amazon stretches the facts to make a questionable judgment.
Now let's consider Google ChromeOS, a variant of GNU/Linux which is still in development. According to what Google initially said, it will be free/libre software, at least the basic system, though experience with Android suggests it may come with nonfree programs too.
The special feature of this system, its purpose, was to deny users two fundamental capabilities that GNU/Linux and other operating systems normally provide: to store data locally and to run applications locally. Instead, ChromeOS would be designed to require users to save their data in servers (normally Google servers, I expect) and to let these servers do their computing too. This immediately raises both kinds of issues in their fullest form. The only way ChromeOS as thus envisaged could become something users ought to accept is if they install a modified version of the system, restoring the capabilities of local data storage and local applications.
More recently I've heard that Google has reconsidered this decision and may reincorporate those local facilities. If so, ChromeOS might just be something people can use in freedom—if it avoids the many other problems that we observe today in Android.
As these examples show, each Internet usage scenario raises its own set of issues, and they need to be judged based on the specifics. Vague statements, such as any statement formulated in terms of “cloud computing,” can only get in the way.