Currently, the limited number of companies that are engaging in this area are American and Asian. ITU activities on cloud-computing should be carefully followed by U.S. companies and perhaps especially now by European companies. Given the European Commission’s ongoing development of a cloud strategy, and its views on privacy, European companies need to be more engaged at the ITU.
The ITU is an organ of the United Nations with three distinct “sectors” – development, radio communications and telecommunications standardization. The world’s governments, private sector and civil society come together in Geneva at the ITU, organized in Study Groups within the three Sectors, to discuss and possibly harmonize policy on telecommunications matters. The Telecommunication Standardization Bureau – or “ITU-T”- initiated a Focus Group on Cloud Computing, with the hopes of identifying some “deliverables” on cloud policy this year.
When the ITU – with a permanent secretariat in Geneva funded by dues of the participating governments and private sector members – turns its gaze on an activity, costs to the industry generally follow. The majority of ITU-T members may be from the private sector. But the fact that it is part of the United Nations inherently adds costs and delays that other private sector standards-setting bodies do not pose. The ITU – formed in 1865 to manage telegraph wires that crossed borders – and supported by an international bureaucracy fighting for relevancy in the Internet Age – has decided it must serve its almost 200 country members by attempting to develop standards for cloud computing.
New challenges of this sort are associated with the emergence of “the Cloud.” What is the cloud – or rather how you define it – matters significantly. It is defined by the U.S. National Institute for Standards and Technology (NIST) as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” The ITU-T has its own definition which inserts a “telecommunications approach,” -- needed to justify ITU jurisdiction. Cloud services include SaaS; IaaS; PaaS and NaaS – or Software as-a-Service; Infrastructure-as-a-Service; Platform-as-a-Service and Network-as-a-Service (bandwidth-on-demand).
All sides have only started to come to grips with what the Cloud means for security – is data more or less secure in the Cloud? Cloud users can’t know who or what else is running on the same shared infrastructure at any given time. Early statements by European officials on the Cloud reflected a concern that its distributed architecture would threaten loss of control over Europeans’ data. Last year EU Justice Commissioner Viviane Reding asked “How can we unleash the potential of the cloud for the digital economy without putting citizens’ data at risk?” (Other countries have taken a more ominous view, seeing the Cloud as threatening control over accessing their citizens’ stored data.) The EU has long-standing restrictions on personally-identifiable data of its citizens leaving the region, a stance based on privacy concerns. The EU Data Directive prohibits the movement of its citizens’ personally-identifiable data to countries with inadequate privacy protection. But the cloud doesn’t respect sovereign borders – its imperative is server availability, regardless of location.
Cloud proponents argue that data is safest in motion. According to cloud providers like EMC and HP, “running in the cloud” has security benefits. A single core router used in a typical cloud has enough computing power to combat the strongest BotNet. Security can be architected into the cloud. Moreover, encryption of customer data is possible at the physical layer. Even AES256 – considered by experts to be virtually unbreakable – can be added to the transponder card in a router. Customers with even the most sensitive and commercially valuable data have trusted the cloud. EU member governments would be wise to trust the cloud too – so long as authentication is available and sensitive data is encrypted before entering the Cloud and decrypted only after it leaves the cloud.
The U.S. government has embraced cloud-computing, through the Obama Administration’s “Cloud First” initiative. Under its February 2011 “Federal Cloud Computing Strategy”, U.S. government agencies must consider cloud computing for new investments. Observers expect the Obama Administration to issue a follow-up initiative to encourage State and local governments to adopt cloud-computing. Presumably to influence that initiative, the American trade association TechAmerica, whose membership includes several cloud providers, released in mid-February its recommendations for state and local governments to expedite cloud computing.
For one thing, the cloud is green. Any government that could mandate the use of “Smart Grid technologies” for energy-saving power transmission, as the EU has done, must appreciate the Cloud’s energy savings. Unused servers waste energy. The on-demand, shared nature of cloud services optimizes use of network infrastructure. Peak use of dedicated servers – can lead to server break-down, contributing to hardware e-waste. But alleviating “cloudbursts,” through which traffic surges on any dedicated network can spill over to the cloud, can add to server shelf-life. In this way, the cloud can satisfy another important priority of the Commission – sustainability.
Perhaps inspired by the U.S., the European Commission has recently signaled that it is more open to the cloud than the Data Directive would suggest. Last year it issued a public consultation on cloud computing, after having surveyed thirteen of its member states. The initial conclusion of the Commission is that cloud-computing does not violate the Data Directive, but citizens’ data must be protected. Commission Vice President for the Digital Agenda Neelie Kroes urged Europe to be not just cloud-friendly, but “cloud-active.” The Commission’s strategy is targeted for mid-year 2012. Towards that end, the Commission’s High Level Conference in Copenhagen 27-28 February organized a panel on “Doing Business from the Cloud – Towards a European Strategy for Cloud Computing.”
To update its Data Protection for a digital economy, the Commission took the unusual step in January of issuing a draft data-privacy Regulation rather than a Directive. Vice President Kroes state that “the challenge is to take our fundamental rights to privacy and the protection of personal data and make them work in the digital era.” The draft Regulation proposes that data be retained only as long as necessary. Much more punitively, it proposes that multinational corporations with 250 of more employees which fail to protect users’ data face penalties of up to two percent of their worldwide annual turnover – a potentially astronomical amount. The draft is currently being reviewed by the European Parliament, so changes are possible. The Parliament should ensure that obligations on data controllers and data processors are appropriate to their role, realizing that processors do not always control the data they process. While many large multinational corporations have Chief Privacy Officers on the payroll today, that requirement would be burdensome for start-up cloud providers. The Regulation should provide a harmonized set of principles for cloud providers across Europe, without prescribing technologies or business processes that do not reflect Internet functioning today or will quickly become obsolete. For instance, the Parliament should not mandate the manner in which providers comply with user data portability or require data controllers to notify any and all third-parties, across the entire World Wide Web, of a user’s request to exercise the proposed Right to Be Forgotten. Given the open nature of the Internet, that simply is not feasible.
Of course, Europeans and Americans influence each other. In a Congressional hearing last fall, an Obama Administration official noted the U.S. Commerce Department was working on a “Green Paper” in advance of a “White Paper” to propose a baseline of consumer-privacy protection and corporate responsibilities, akin to the European approach, rather than the sector-specific patchwork quilt of privacy law that prevails in the U.S. today. At that hearing, a senior member of Congress noted that as a matter of concern U.S. companies apparently are targeted for enforcement under the EU’s data protection rules. That fire will be fueled by Commissioner Reding’s recent statement that Google’s “new rules are not in accordance with the European law and that the transparency rules have not been applied." In this debate, a joint U.S.-EU working group will start discussions in March allowing experts from both sides of the Atlantic to discuss data flows.
While the U.S. and EU are not always synchronized on privacy regulation, they broadly share the same goals of supporting an innovative Internet while protecting users’ privacy. The dust-up over Google’s tracking of non-Google browser users and the rapid response from both Congressional and Obama administration leaders demonstrate those shared goals on consumer privacy. The White House announced a Consumer Privacy Bill of Rights -- its White Paper -- days after news coverage of Google’s tracking policies. The report relies on the current U.S. approach of self-regulation, enforceable by the Federal Trade Commission (FTC) if a company fails to follow its stated privacy policy. But the White House also pushes legislation “to extend baseline privacy protections to commercial sectors that existing federal privacy laws do not cover.” Appreciating perhaps that legislation is not likely to move in an election year, the White House has tasked the Commerce Department with developing a voluntary Code of Conduct for online providers and advertisers.
As for the ITU, the U.S. is urging a more “hands-off” approach. Both the Obama administration and the U.S. private sector have tried to streamline the ITU’s study and keep it aligned and coordinated with private-sector standards bodies. The challenge of the private sector is to prevent any ITU’s “standardization” from slowing global deployment of cloud-computing.
Prior to last month’s work shop on cloud computing, the U.S. submitted a contribution to the Focus Group suggesting that a single Study Group lead the “Joint Coordination Activity.” A concern is that multiple study group meetings and document -drafting documents following by liaison work among them all is a process that raises costs for the private sector. The ITU is generally dominated by government users and large incumbent providers and vendors, many state-owned. While some large incumbent telecommunications companies have had success in transitioning to cloud services, success is more common for companies that started out as data-center providers. Few data-center providers – American or European -- are active in the ITU, this important business segment may be underrepresented in deliberations.
The U.S. noted in its contribution that other standards development bodies and industry groups are working on various aspects of cloud computing. The U.S. suggested that the next step of the Telecommunication Standardization Advisory Group (TSAG) is to allocate the continuing work of the cloud Focus Group to several Study Groups, with one Study Group as the lead. The U.S. cautioned that fragmenting the work among multiple groups could be highly ineffective and wasteful of the available resources. Efficiency – a given in distributed cloud architectures – is not always present in intergovernmental studies!
The U.S. is in a difficult place. If it doesn’t engage in the ITU, other countries may end up framing the global policy environment for cloud services, including imposing onerous privacy restrictions regarding data collection, storage and transmission or local server mandates. The cloud is global – indeed, U.S. industry is global. But the U.S. presumably does not want to sanction the ITU extending its standardization activities into Internet-based services, given the likely extension of possibly unnecessary regulation. Knowing the ITU’s unquenchable urge to study, the U.S. qualified in its contribution on cloud “to the extent the ITU-T has a role in cloud-computing standards, we encourage TSAG to place the majority of the Focus Group on Cloud-Computing Deliverables into SG13, such as Reference Architecture and Vocabulary that are relevant to ITU-T.” To anchor the ITU to industry groups, the U.S. also suggested that the Study Groups “establish formal liaisons with other standards setting organizations (SDOs) engaged in cloud-computing related standardization.”
As proposed by the U.S., the TSAG established a new Joint Coordination Activity for Cloud Computing at its January meeting. To ensure participation from the private sector, the U.S. suggested that this “Activity” be open to representatives of industry consortia, unlike the more closed ITU-T. The U.S. argued that its proposal is necessary “order to avoid divergent standards” – a critical goal in such as a fast moving field as Cloud. There’s no “running in the cloud” in a typical multi-year ITU study cycle! That’s more like a stately promenade. The U.S. warned that without a coordinated activity that includes the private sector “incompatible or conflicting Cloud Computing standards will likely emerge from ITU-T and other standards development organizations and fora that could confuse Cloud Computing consumers and slow the adoption of Cloud Computing.”
The Joint Coordination Activity (JCA) met February 6th in Geneva to continue the discussion on ITU-T standardization of cloud computing. The JCA agreed to allow Study Group 13 to be the overarching lead, while SG17 would lead in security. But apparently SG17 is not satisfied with its supporting role and in mid-February, at the insistence of its Russian chairman, proposed some new work for itself on security for cloud computing. Study Group 13 will nonetheless continue its work as well, with its cloud Working Party meeting in April on security and quality of service.
Of course, the ITU-T is not the only body interested in security and the cloud: the U.S. Congress has no less than six cyber security bills, each with implications for the cloud. With a divided Congress, and a House lead by the Republican opposition to the White House, there is bound to be some partisan criticism in the Administration’s approach. Some Republicans have accused the Obama administration of becoming “too European” in data privacy and warned the White House against “allowing the Europeans to impose costly data flow restrictions on U.S. companies doing business in Europe.” The recent White House Privacy Report revived such resistance, with a Republican subcommittee chair warning that “any rush-to-judgment could have a chilling effect on our economy and potentially damage, if not cripple, online innovation. Hopefully, we can learn from Europe’s mistakes.” Republican Members have also warned the U.S. Trade Representative to ensure that our trade agreements prevent restrictions on cross-border data flows.
In sum, companies providing cloud services or infrastructure – and actual and potential users of cloud as a competitive tool -- would do well to monitor the ITU-T on this issue and at the same time engage with lawmakers on both sides of the Atlantic. The ITU-T – with a global, not just European and American membership – could attempt to impose restrictions on cloud architecture or data flows that undermine the value of this facility. Some governments in remote or less developed countries may mandate deployment of cloud infrastructure in their urban centers, as a condition of use, in order to obtain the reductions in latency or for perceived security. For example, India recently required Yahoo!, Gmail and other Internet content providers to locate in India any servers carrying e-mail accessed by Indians – even if registered in other countries. Mandates on infrastructure location and trans-border data flows could hamper the evolution of the cloud and the benefits it delivers. Rules that limit the physical location of data and code could deter investment.
Education on the cyber security and sustainability benefits of the cloud can help avoid restrictions that could curtail the most effective, efficient and empowering deployment of cloud services around the globe.
Patricia Paoletta is a partner at the law firm of Wiltshire & Grannis LLP in Washington, D.C., which represents companies involved with cloud computing, and a member of the European Institute’s Steering Committee for the Telecommunications, Information Technology and Media Policies Roundtable.
*Perspectives is an occasional forum of The European Institute reflecting member views on topical issues.