Davide M. Parrilli, ICRI

Dagstuhl, 24 March 2009

A Legal Analysis of Service Level Agreements in a Grid and Cloud Computing Environment

Going beyond Business Practices

http://www.law.kuleuven.be/icri

Agenda

• SLA: Introduction;

• SLA and Grid/Cloud computing;

• The business practice;

• SLA negotiation;

• Validity and enforceability of the SLA;

• Liabilities.

SLA: a contract between a user and a provider of a service specifying the conditions under which a service may be used. It describes the provider’s commitments and specifies the penalties if those commitments are not met.

An SLA is a legally enforceable contract (exceptions do exist in academia).

SLA: introduction

Legal assessment of the impact of Grid/Cloud computing on SLAs

Question:

Is Grid able to influence the content of the SLA(s)?

Topic relevant for all technologies that adopt dispersed resources and increase the quality of the offered services (Cloud!).

SLAs and Grid/Cloud computing (I)

Method of the research:

• Survey among the BEs of BEinGRID. The BEs responded to the above question: 20 % said ‘yes’, the others have to think about that;

• Analysis of business practices.

SLAs and Grid/Cloud computing (II)

Scenarios

Grid/technology provider

Service provider

End user

SLA 1: Grid provider/Service provider

SLA 2: Service provider/End user

Often in the business practice the SLA must be read in combination with other contracts (e.g. customer agreement): we focus on the contractual relationship between the parties regulating…

SLAs and Grid/Cloud computing (III)

…The content of the SLA (technology provider-service provider, service provider-end user), i.e.:

• QoS: availability, system performance;

• Fees;

• Assistance and support service;

• Security;

• Liabilities and remedies (service credits);

• The use of the Grid and of the Grid/Cloud-based services made by the customer: no gambling, child pornography, discriminations, phishing, viruses, trojan horses, etc. – liabilities to be negotiated on a case-by-case basis or imposed by the provider.

SLAs and Grid/Cloud computing (IV)

In particular:

management on top of the allocated resources: availability (compute resources, storage etc), network performance (latency, throughput), etc.

SLAs and Grid/Cloud computing (V)

Question of a typical customer:

Why should the SLA in a Grid/Cloud environment be the same as in non-Grid/Cloud scenarios?

Better expected services = more favorable SLA for the customer!

SLAs and Grid/Cloud computing (VI)

For instance (real needs!):

• Most clients of Xignite (financial Web service provider that delivers market data from the Cloud) are fine with 99.5 to 99.9 % availability. Some want as high as 99.99 %;

• Gary Slater (LiveOps): clients want their system to work all the time.

SLAs and Grid/Cloud computing (VII)

Gerry Libertelli (CEO Ready Techs): “technically, there should be zero downtime associated with a Cloud [and Grid] instance, since almost everything in a Cloud is redundant by nature and easily reinstantiated in the case of a failure.”

MOSSO: “since we operate clusters of servers, maintenance that causes downtime should be rare.”

SLAs and Grid/Cloud computing (VIII)

Thus…

Answer of the rational and informed customer: If I pay (more?) for a service that is expected to be better than what I was used to, I want to see this in the SLA I sign (influence of technology on legal agreements).

SLAs and Grid/Cloud computing (IX)

The business practice (I)

Example of ‘traditional’ standard clause (long long time ago…?):

“The system will not be available for 2 hours daily for scheduled backups and system maintenance”.

Amazon:

• S3 Simple Storage Service (storage in 1 bucket): service availability 99.9 %;

• EC2 Elastic Compute Cloud: 99.95 % availability.

Grid/Cloud influence SLAs: better services = different SLAs

The business practice (II)

Joyent:

“Cloud computing brought to you with the power of the Joyent Accelerator”.

Accelerator hosting SLA (Grid container hosting account services):

100 % availability for all users.

The business practice (III)

Google:

SLA for Google Apps Premium Edition: 99 % availability.

Thus…

Performance may be the next focus in Grid/Cloud computing SLAs (Stephane Dubois, CEO Xignite).

The business practice (IV)

SLA negotiation (I)

Phases:

1. SLA contract definition (template, proposal);

2. Negotiation and signing of the contract;

3. Monitoring;

4. Enforcement.

E-negotiation: focus on agreeing on the conditions of the SLA (QoS, price, etc).

Human intervention combined with computer-generated process.

E.g.: g-Forge SLA-negotiation: a plug-in is used to decide whether an offer shall be refused or accepted.

SLA negotiation (II)

E.g.: Web Services Agreement Specification (WS-Agreement): the protocol is based on a simple round “offer, accept” message exchange.

As far as the parties can manage the negotiations and the agreement reflects their will, no legal contractual barriers.

SLA negotiation (III)

Entirely computer-controlled/generated negotiations with no human intervention (realistic scenario?):

doubts as regards the validity and enforceability of the contract. Does the SLA really represent the will of the parties? Is it a real agreement?

Tip: prior agreement stating that the parties will be bound by the computer-generated SLA.

SLA negotiation (IV)

Legal/technical issues in e-negotiations:

security and reliability of the system and network: it is necessary to be sure that all messages have been received and the contract is really in force.

SLA negotiation (V)

When is the SLA legally valid and binding?

The principle (common law and civil law countries) is that a contract is deemed to come into existence when acceptance of an offer has been communicated to the offeror by the offeree/when the offeror knows that the offeree accepted.

Validity and enforceability of the SLA (I)

Need to check whether the contract shall be made in written form!

Does an e-contract respect this requisite?

In the EU, all Member States should allow the conclusion of e-contracts with electronic signature (Directive 1999/93/EC).

Alternatives:

• E-mail with electronic signature;

• Paper-based contracts with ‘real’ signature.

NB: contracts with public authorities, check the standards set in the specific country (e-signature, e-document).

Validity and enforceability of the SLA (II)

B2B SLAs

Which law will govern the contract and will be applicable for the (contractual) obligations arising from the SLA?

Rome Convention 1980:

• A contract shall be governed by the law chosen by the parties – Art. 3(1);

Validity and enforceability of the SLA (III)

…

• In absence of choice, the contract shall be governed by the law with which it is most closely connected – Art. 4(1) – that is…;

• …the country of the principal place of business of fixed establishment of the party (business) who is to effect the performance which is characteristic of the contract – Art. 4(2).

Validity and enforceability of the SLA (IV)

The provision of the service is the performance characteristic of the contract.

The law of the country of the technology provider or of the service provider will be applicable (Rome Convention 1980 is universal).

Validity and enforceability of the SLA (V)

For instance:

1. US (California) Grid/Cloud provider – Spanish service provider: American (Californian) law will be applicable;

2. Spanish service provider (SaaS) – Brazilian customer: Spanish law will be applicable.

Law applicable to what?

(a) interpretation;

(b) performance;

(c) within the limits of the powers conferred on the court by its procedural law, the consequences of breach, including the assessment of damages in so far as it is governed by rules of law;

(d) the various ways of extinguishing obligations, and prescription and limitation of actions;

(e) the consequences of nullity of the contract.

Validity and enforceability of the SLA (VI)

B2C SLAs (with a consumer) – Article 5(2):

“a choice of law made by the parties shall not have the result of depriving the consumer of the protection afforded to him by the mandatory rules of the law of the country in which he has his habitual residence:

- if in that country the conclusion of the contract was preceded by a specific invitation addressed to him or by advertising, and he had taken in that country all the steps necessary on his part for the conclusion of the contract […]”

Validity and enforceability of the SLA (VII)

Article 5(3):

if there is no choice the contract shall “be governed by the law of the country in which the consumer has his habitual residence if it is entered into in the circumstances described” in the previous slide.

Validity and enforceability of the SLA (VIII)

Problem: is it possible to say that invitation/advertisement was carried on in the customer’s state if the invitation/advertisement was made in a web site?

Back in 1980 it was said that if a “German replies to an advertisement in American publications, even if [the goods or services] are sold in Germany, the rule does not apply unless the advertisement appeared in special editions of the publication intended for European countries”.

Different possible solutions – case by case basis – great uncertainty

Validity and enforceability of the SLA (IX)

Validity and enforceability of the SLA (X)

Formal Validity of the SLA – Article 9(2) Rome Convention:

“A contract concluded between persons who are in different countries is formally valid if it satisfies the formal requirements of the law which governs it under this Convention or of the law of one of those countries.”

Tip: the contractual regulation should be as complete as possible. Parties should state, in the SLA or in a framework contract, which law will be applicable and how potential future conflicts will be solved (competent court, ADR).

Validity and enforceability of the SLA (XI)

Technology providers tend to limit their liabilities as much as possible.

E.g.: “we and our licensors do not warrant that the service offerings will function as described, will be uninterrupted or error free, or free of harmful components, or that the data you store within the service offerings will be secure or not otherwise lost or damaged… We…shall not be responsible for any service interruptions, including, without limitation, power outage, system failures or other interruptions.” (Amazon Web Services Customer Agreement).

Liabilities (I)

Service (SaaS) providers do the same!

E.g.: “we are not liable to you…for any direct, indirect, incidental, special or consequential damages or losses arising out of access to or use of the Service or inability to access or use the Service or out of any breach of any warranty including, without limitation, damages or losses resulting from acts of god or events of similar case or the consequences of viruses received by you via the Service, even if we are advised of the possibility of such damages or losses.” (Business Professional).

Liabilities (II)

The risk, at the end, is shifted to the final customer…

Technology provider Service Provider End user

Liabilities (III)

Impact of Grid/Cloud failures in a SaaS scenario: who is liable for what?

• The technology provider does not take liabilities;

• The SaaS provider does not take liabilities;

• The end user…the loser takes it all!

Legislative intervention to allocate risks and liabilities in a fairer way?

In B2C, the application of the Rome Convention can mitigate the risks for the customer.

Liabilities (IV)

“The best strategy for dealing with the risks of Cloud vendors is to mitigate them before you move your applications and data into the Cloud.

Do what you can to protect your business before you sign a contract with a Cloud or SaaS provider.” (Anne Grubb).

Liabilities (V)

In practice…

Distinction between (i) SLAs negotiated between equals and (ii) standard contracts imposed by big players.

In the latter case, the customer (B2B) takes the risk.

Liabilities (VI)

Rules of jurisdiction:

What if the customer is a consumer (B2C)?

Regulation 44/2001: in case of ‘active’ website of the supplier, the special rules aimed to protect the consumer (who is a consumer?) apply (Art. 15-16).

Consumer (domiciled in the EU) – Business (extra-EU)

Belgian consumer v. US company = judge ex Belgian rules

US company v. Belgian consumer = Belgian judge

Consumer (domiciled in the EU) – Business (EU)

Belgian consumer v. German company = German or Belgian judge

German company v. Belgian consumer = Belgian judge

Liabilities (VII)

In the field of B2C transactions, substantial (which law?) and procedural rules (which judge?) limit the unbalanced position between Grid/Cloud provider and the customer.

However, these rules are often of difficult application: need for clarifications.

Liabilities (VIII)

Liability of the technology provider/service provider towards third parties: E-commerce Directive (2000/31/EC).

Limitations of liability:

• Grid provider: hosting (Art. 14) – duty of care;

• Service provider: mere conduit (Art. 12), caching (Art. 13), depending on the case.

Liabilities (IX)

Thanks for your attention!

Davide M. Parrilli

ICRI-K.U. Leuven-IBBT
