Cloud backups sound like such a great idea, hook up your computer, laptop, mobile device, or what-have-you and instantly, almost magically your data is backed up, ready to restore to your device when ever the unexpected happens. That's the theory anyway, but is it truly a good idea to use the cloud to contain your data?

Well, I've been doing business for long enough that my gut instinct was that using the cloud to hold my data was a bad idea. I expect that the Terms and Conditions of many/most/all of the providers include riders that either essentially invalidate the guarantees or waive your both your rights and your privacy. I assumed this because the market is going after "CHEAP CHEAP CHEAP" prices, thus the things that would be necessary to offer real guarantees, and ensure your privacy are too expensive to do.

Now, I've not tested that assumption until recently when I heard a knowledgeable, technical business owner complain that he'd lost a lot of information due a hardware crash and "should have been backing up to the cloud". I let it go at the time, but it made me go look and see if my paranoia was deserved or not.

Amazon S3

The granddaddy of cloud storage is Amazon's Simple Storage Service (S3) so let's see what goodies await us there.

2. Modifications to this Agreement

I'll not re-post it all but this section essentially says that Amazon can change any or all of this agreement at will and if it is an existing for-fee service (like S3) then you have at most 15 days to find out about, read, understand, and decide whether you want to continue working with them or not. Note there is no limitation set forth whatsoever, they could turn around and say "we have decided to sell access to your data to 3rd party marketers" (I'm not suggesting they would, only that they could). The problem is that any unpalatable new clause could be introduced and you have very little time to even find out about it (all Amazon has to do is post a new one) let alone find a viable recourse should you wish to terminate the agreement. By agreeing to such a contract you may well find that you are one day forced to decide against two bad options: an unpalatable contract or the risk of no backups (as two weeks leaves very little time to institute a new Disaster / Recovery solution).

3. Term, Termination and Suspension

[...]

3.3.2. Paid Services (other than Amazon FPS and Amazon DevPay). We may suspend your right and license to use any or all Paid Services (and any associated Amazon Properties) other than Amazon FPS and Amazon DevPay, or terminate this Agreement in its entirety (and, accordingly, cease providing all Services to you), for any reason or for no reason, at our discretion at any time by providing you sixty (60) days’ advance notice in accordance with the notice provisions set forth in Section 15 below.

In other words, S3 could disappear with as little as 2 months notice, depending on what and how much you have placed there, you may find it nearly impossible to download your stored data (as presumably everybody else is terminated as well) and you have only 2 months to find another solution ... for small businesses this may be ample but for medium businesses or even larger small businesses, this may not be enough time.

5.1. Amazon Simple Storage Service (Amazon S3)

5.1.1. [...] While we may track information regarding your use of Amazon S3, we will not sell or license Your Amazon S3 Content, and will not disclose Your Amazon S3 Content except as we may determine to be necessary or desirable to comply with the Agreement, the request of a governmental or regulatory body, subpoenas or court orders, or for other legal purposes.

And again in 5.2.2 for CloudFront, 5.4.2 for EC2, and I'm sure the rest of the web services are similarly covered as well.

At first glance this might seem like it means your data is secure, however the fact that neither governmental nor regulatory body are formally defined, it pretty much leaves it up to Amazon to decide when they want to disclose your information. And, even if you are generous and say that Amazon will ensure the "governmental bodies" are legitimate (note, it doesn't say whose government Amazon will listen to), the Department of Homeland Security is likely considered a legitimate organization ... hence the stuff you store on S3 is subject to Homeland Security scrutiny. This is true regardless of whether you are a US citizen.

There are many who say "so what, if you have nothing to hide then why worry?" and to some extent that is a vaiid argument; however, for non-US citizens, the Department of Homeland Security has absolutely zero duty to treat that data in any specific way whatsoever. They may share it with whomever they please, including, of course, governmental organizations within your own country. Thus if you are using S3 to store data then your government, if it is friendly with the US, could ask Homeland Security for a favour and bypass any specific laws and regulations preventing them from accessing your data directly.

You do not have to be guilty of doing anything to be uncomfortable with this scenario. Remember, laws that curtail such activity are put in place because without them people tend to go on fishing exhibitions.

There are other little gotchas here and there that tend to water down the actual liability Amazon holds. In short, you must understand, particularly for non-US citizens, that you are giving up a lot of privacy, at least potentially. Is that really worth the price?