(No.77) Conflict in the Cloud - Policy Challenges for Stakeholders & Practical Solutions for Sustainable Economic Growth

Go to Report
Status: 
Accepted
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

Question 2: Freedom of expression and free flow of information: how do legal framework, regulations, and principles impact this?

Concise Description of Workshop: 

Cloud computing is the natural evolution of the continued growth and advancement of the Internet. However, the dialogue around cloud computing is currently moving to the next level. We intuitively know that cloud computing is a huge economic driver of growth and advancement in developing countries. This is particularly the case where broadband connections are strong. How can cloud computing provide for sustainable economic growth, particularly in light of potential conflicts of national and regional laws involving privacy and government requests (for example the PATRIOT Act in the United States and other similar laws in other countries)? And are these national laws in effect trade barriers? To address this problem in a data-driven, empirical way, several new studies being prepared for the Internet Governance Forum (IGF) on how cloud technology can help drive growth in developing sectors of the economy while at the same time protecting consumers’ privacy. Leveraging these studies, we will explore how conflicts of laws, privacy, security, and government access rules can impede the growth of cloud computing in both established and developing markets: particularly for small and micro businesses. We will also discuss practical solutions that may be used today by users in all economies to help drive cloud adoption.

Organiser(s) Name: 

Marc Crandall JD,CIPP, Sr. Manager, Global Compliance, Google, a multi-national business.

Previous Workshop(s): 

Report is at the bottom of the Workshop description: http://goo.gl/A5UJ7

Submitted Workshop Panelists: 

 

  • Scott Marcus, Director, Wissenschaftliches Institut fuer Infrastructur und Kommunikationsdienste (Confirmed)
  • Yoshihiro Obata, Board Member, Japan Internet service Providers Association (Confirmed)
  • Bertrand de la Chapelle, Academie Diplomatique Internationale (Confirmed)
  • Alejandro Pisanty, Universidad Autonoma de Mexico (Confirmed)
  • Jochai Ben-Avie, Policy Director, Access (Confirmed)
  • Adiel A. Akplogan, CEO, AfriNIC (Mauritius) (Confirmed)
Name of Remote Moderator(s): 
Dr. Patrick Ryan, Policy Counsel, Open Internet, Google will act as the remote moderator, consistent with Section VIII of the I
Gender Report Card
Please estimate the overall number of women participants present at the session: 
There were no women participants at all
To what extent did the session discuss gender equality and/or women's empowerment?: 
It was not seen as related to the session theme and was not raised
Report
Reported by: 
Marc Crandall
A brief substantive summary and the main issues that were raised: 

Panelists and the audience discussed barriers to cloud computing, including policy. This was an interactive panel where panellists and the audience discussed some of the key contemporary issues surrounding human behaviour and the Internet.

Some of the themes raised include:

  • Advantages of Cloud Computing: it permits all users, regardless of location, to take advantage of data services afforded by cloud providers.  Large providers began offering spare computing resources and server storage to the user-at-large.  There is a tremendous advantage for the economies of scale.
  • Conflict of Law: Conflicts of laws, privacy, security, and government access rules can impede the growth of cloud computing in both established and developing markets: particularly for small and micro businesses.  This is even a challenge for regions that try to create common frameworks.  There's always been a perception that diseconomies of scale represents big negative impacts, big losses of macroeconomic benefits, and therefore, a desire to harmonize, if not make things uniform.  For example, in jurisdictions such as the EU where uniform regulation is attempted, there has been a corresponding a transposition of that regulatory framework into 27+ different legal systems.  As such, there is a substantial variation in the details of implementation.  This has resulted in compliance uncertainty for those operating across multiple jurisdictions.
  • Jurisdiction: there is tension between cross-border cloud platforms and the international jurisdictional systems that are based on national boundaries.  Jurisdiction may be based on the location of the user, where an entity is incorporated, where data is stored, the type of domain name, or where a domain name is purchased.  This creates particular challenges for cloud computing, because something that is relatively straightforward from a jurisdictional perspective, like the location of the server, is becoming more ambiguous, as systems are load balanced between servers in different geographical locations.
  • Open Internet: the ability to store data outside of one’s local jurisdiction may create an enhanced environment of confidence and security, particularly if one does not want to store data locally because of little confidence in local rule of law or a repressive government.  It some jurisdictions, it is better that data is not stored locally, not only for civil society purposes and freedom of expression, but in order to make sure a business runs - local censorship efforts have little effect on a global cloud service outside the problem jurisdiction.
  • Appropriate Data for the Cloud: all forms of data may not be appropriate for cloud computing.  Mission critical information may be appropriate for the cloud from an integrity and availability perspective, but for entities dealing with sensitive or classified information, there are serious considerations.  From a confidentiality and sensitivity perspective, a government agency may choose not to store extremely sensitive or classified data in the cloud, unless it's within country, and the agency has complete sovereignty over that data.  Data involving national security may also fall into this category.
  • Importance of Geographic Redundancy: recent natural disaster events have shown the importance of geographic redundancy inherent to cloud computing.  For example, in Japan, many local governments followed local regulations requiring that personal data be stored only within a given town or village.  That data was destroyed by the tsunami, making it very difficult for local governments to resume operations.   Personal information - such as data related to healthcare or real property ownership - was lost because of these local regulations.  As such, in Japan there is a positive trend towards cloud computing to help protect against these situations.
  • Wealth Transfer: There was consensus that cloud computing offers those in developing economies with equivalent cloud computing resources to those in developed economies.  However, there is a concern as to whether this causes wealth-transfer from developing countries to developed countries, and how the impact of this long-term on developing economies.  Other panelists felt that customers should have a right to choose cloud providers or platforms regardless of geographic location: a right to a freedom of market. You should have a right to market and therefore have a right to do business. You do that by providing ads. And if users want to be able to use an inexpensive service because ads are there, it’s the users’ choice.
  • Bandwidth challenges & IXPs: the use of cloud computing in developing economies fundamentally rely on access to bandwidth, Internet Exchange Points, and other similar resources.
  • Advertising and Big Data: There is a concern that nothing is free with cloud services.  Depending on the service, data may be used for advertising purposes.  A question that should be asked therefore is whether such advertising, if it takes place, is appropriate for the cloud customer, based on that customer’s own assessment.  Concerning big data, and trends that may be gleaned from a large corpus of information, the key question is whether such information has social and economic value.  When it has social value, everybody wins and it's all beneficial. When it also has economic value, it brings back the question of how this economic value is being distributed, and whether the cloud customer can (or should) take advantage of any related economic windfalls.
  • Government Access: the use of the cloud raises privacy concerns among users.  A user’s right to privacy is threatened if a service provider discloses cloud information to government agencies without valid legal process.  Unlike the act of searching through a person's physical belongings or home or correspondence, surveillance techniques can be performed remotely by asking application providers to turn over data.  Online procedural protections, for online data, often lag very far behind off line protections and must be reconciled.  There is also a concern that government interception of intelligence-gathering purposes may not be held to as high a procedural standard as law enforcement investigations.
Conclusions and further comments: 

Recommendations and Moving Forward: Regarding conflicts of law, agreements should be implemented among at least a certain number of countries, a certain number of platforms, a certain number of large users and civil society entities, to make sure that a minimum set of rules apply across various territories.  Governments that accept such a regime would have established guidelines for addressing problems that may arise.  Such agreements can involve lawful access to private data, if there is a legitimate crime inquiry and if the requests complies with relevant protections in terms of due process.  In controversial cases of content blockage on user generated content platforms, rules provide for granular and proportional action and an appeals process.  There is a also message to national governments: that if they want a development of a local cloud industry, they need to implement Internet-friendly regulations.  Regarding appropriate data for the cloud, The cloud is appropriate for certain type of people, just as it is for certain types of data.  A global cloud solution may not be appropriate for classified information; it depends what one is trying to secure.  The same restrictions likely do not exist for the 99% of other data types, including that which is handled by governments or the private sector.  In these cases, cloud-based security, availability, and integrity may be an improvement when compared to users may be able to provide for themselves.