Liability questions¶
This is the question we receive most often, and the one we are least able to answer definitively, which is itself an answer of sorts. The MCLU will work through the parties in order.
The cloud provider¶
The cloud provider followed its instructions. This is, in Ankh-Morpork, a defence with a particular resonance, given that the city’s most famously reliable workers are those who follow instructions without interpretation or deviation. The parallel is not accidental and does not, the MCLU submits, strengthen the defence.
A golem that carries out an instruction harmful to a third party is not absolved by the existence of the instruction. The question is who wrote the chem, what it actually said, and whether the golem had reason to understand that what it was doing fell outside the boundaries of what its principals had authorised. The cloud provider is not a golem. It is an organisation staffed by people capable of asking questions. The question of whether anyone asked, and what happened when they did, is one the MCLU has not yet been able to answer, because the people best positioned to answer it have not responded to our enquiries.
What we can say is that “following instructions precisely” is a partial defence at best. It addresses the question of intent and does not address the question of consequence. The clients experienced a consequence. Someone is responsible for it. The cloud provider is the party that ran the tools. That is not a sufficient account of liability, but it is not an irrelevant one.
The third party¶
The third party supplied the technology, established the terms of the arrangement, and receives the data. They authorised nothing in writing. The MCLU would like to address this directly, because it will inevitably be raised as a point in their favour, and it is not.
Authorising nothing in writing is a strategy. It is employed specifically in circumstances where the party employing it understands that written authorisation would create a record of responsibility they would prefer not to hold. The absence of documentation is not evidence of absence of involvement. It is evidence that the involvement was considered carefully enough to manage its documentation deliberately.
The MCLU has seen this pattern before. It appears in arrangements involving powerful institutions that wish to benefit from capabilities they cannot publicly endorse. It is, in this city, not uncommon. The fact that it is not uncommon does not make it acceptable, and the MCLU would be failing in its function if familiarity caused us to treat it as anything other than what it is: a mechanism for extracting the benefits of accountability-free action.
The third party is, in the MCLU’s assessment, the primary bearer of responsibility for this arrangement. They initiated it, equipped it, and receive its product. The absence of a paper trail relocates the difficulty of establishing this. It does not relocate the underlying fact.
The clients¶
The clients are not liable for what was done to them. The MCLU states this plainly because it needs to be said, and because there is a tendency, in these situations, for the conversation to drift towards what the clients should have done differently, a tendency the MCLU finds both predictable and unhelpful.
The clients engaged a provider in good faith. They accepted terms of service that did not disclose the arrangement. Whether those terms, as written, could be interpreted to cover what occurred is a question that will eventually be answered by a court, assuming the MCLU can identify a court in Ankh-Morpork with the appropriate jurisdiction and a sufficient degree of independence from the parties involved. We are working on this. It is a longer list of requirements than it should be.
What clients may bear is secondary liability: to their own users, members, and counterparties whose data was held on infrastructure under undisclosed surveillance. This is not the same as being responsible for the arrangement. It is being in a position where the arrangement has created obligations that now require discharge. The MCLU is available to assist with the distinction.
The question the MCLU is not yet asking aloud¶
There is a fourth consideration that the MCLU is documenting here without yet making a formal submission about it.
The arrangement required a third party with both the technical capability to provide the surveillance tooling and the institutional interest in receiving the data produced. In Ankh-Morpork, the number of parties meeting both criteria is not large. The MCLU has developed views about which of them is most likely to be involved. We are not publishing those views at this stage, because publication without adequate evidence is a shortcut we are not willing to take, and because the party most likely to be involved is also the party with the greatest capacity to make continued investigation difficult.
We note this. We continue. We are keeping very careful records.