Multiple technology service providers — including Amazon Web Services, Okta and Stripe — suspended or terminated service to Parler after the January 6, 2021 mob invasion of the U.S. Capitol building. This effectively resulted in Parler’s business being shut down, or “deplatformed.” As a result, business leaders are revisiting their risk management strategies to understand how exposed they would be if a critical online service contract were terminated.
When and why does deplatforming happen?
Deplatforming does not happen often, but it does happen. Technology service providers have rejected, terminated or announced they would no longer support contracts with certain companies.
For example, PayPal announced that it would no longer process payments for performers on PornHub, a platform for adult video content; and Salesforce changed the language in its terms of service in 2019 to prohibit certain types of firearms retail transactions.
Service providers can terminate contracts for material breaches of the terms of service, choose not to renew them or offer such unattractive terms that nonrenewal is the only reasonable option. This is true not only of cloud service providers, but also of payment processors, e-commerce service providers, traditional hosters and many critical internet infrastructure providers. If a provider terminates a service contract, it may have a severe impact on your business.
There are common reasons why service providers suspend or terminate service, and some companies may be at higher risk of negative provider interactions. Every business can assess the risks and minimize them.
Why would a service provider kick your company off its platform?
Most technology service providers require in their contracts that customers adhere to an “acceptable use policy” (AUP). The exact nuances of an AUP vary by company, yet almost all service providers at minimum prohibit illegal activities, as well as content that exposes the provider to excessive risks. In the case of PornHub, for example, Mastercard, Visa and Discover blocked customers from using their cards on the site out of concern that the site featured child exploitation.
“Customers may be concerned that deplatforming could occur as a result of the “voice of society”
Parler and PornHub represent different forms of “excessive risk” for providers, usually a high bar to reach given laws that shield service providers from liability. United States law protects service providers when they act in good faith to moderate content, but does not obligate service providers to do so in most — but not all — cases. Content or actions that break laws will generally be judged as too high risk to tolerate, and will almost certainly result in AUP enforcement actions.
Some customers may be concerned that deplatforming could occur as a result of the “voice of society” — employee activism, shareholder activism, corporate activism, and other forms of internal or external pressure driven by a particular cause. Different service providers will have different stances toward such pressures. In general, infrastructure providers are less likely to be influenced by these pressures than other types of service providers. Note that these pressures and reactions are not unique to cloud computing.
What should organizations do to minimize risk?
Few legitimate business customers are in any significant danger of breaching an AUP in a way that would result in suspension or termination. To reduce your risk:
- Ensure that you maintain adequate security for IaaS and PaaS resources. You do not want to inadvertently breach the AUP because an attacker has misused your resources.
- Develop policies and procedures for end-user monitoring and management. Document behavior norms in service agreements with your end users, and monitor your systems for adherence to prevent AUP breaches before they happen.
- Promptly handle AUP violation warnings. Create a process and clear lines of responsibility for handling any AUP breaches.
- Negotiate an enterprise contract. Operate on a negotiated enterprise contract rather than on a click-through agreement. If your organization could potentially violate the AUP in its normal course of business, you should negotiate an AUP clarification in your contract.
IaaS providers — such as Amazon Web Services, Microsoft Azure and Google Cloud Platform — usually consider themselves to be public services that are neutral as to what customers they accept and serve, as long as those customers comply with their contractual obligations, including respecting the AUP. However, other types of service providers may be more selective about the organizations they are willing to serve.