Imagine you need to conduct a complicated calculation or run a storage consuming program, but you don’t have such capacity on your own laptop. Fortunately, instead of investing in a better machine or driving to a highly equipped laboratory to complete your job, you can simply connect to the “cloud” through the internet – send your data and request to the cloud database, have it computed or run, and get the result sent back to you. What, you may ask, is this convenient but mysterious cloud? Who developed the cloud? Who owns or has access to the data on my cloud? Should I really trust the cloud? What implication does it have for international governance? As the attention on cloud starts to accumulate, a series of questions need to be addressed step by step for you to understand the advance and controversy on the cloud atlas.
What is the cloud?
Cloud refers to cloud computing, echoing the collection of computing resources or database similar to a natural cloud. By NIST definition, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction[i]. That is to say, on the clients’ end, cloud computing allows them to remotely pay and use other devices via the internet as conveniently as using software based on their own computers or local drives. On the server end, companies providing cloud services will maintain the pool of supercomputers to allocate clients’ requests to available machines, allowing resource distribution based on need and charging service fees accordingly.
This not only means that information is more portable – you can just store your information on the cloud and access it later instead of driving back to your house for your forgotten flashdrive – but it also reduces your costs for the storage space and computation capacity of your own machine. You do not need to worry about what latest types of hardware you need to get, how much they cost and how to assemble them, but can just leave everything to the cloud. Moreover, on a larger scale, cloud computing increases general welfare and efficiency by concentrating resources in a big pool and distributing them on demand. The closest example is the allocation of utilities: in modern days, people will rarely host their own generator, but instead obtain it from regional power plant. Therefore, cloud building has revolutionized the relations between service providers and clients’ terminal, as well as the whole industry. It is considered one of the largest trends of future IT development.
Who developed the cloud?
We use cloud services every day – Google docs, Dropbox, online gaming profiles, etc., but the basic idea of distributing computing resources was put forward in the 1960s.Due to the significant increase in bandwidth, cloud computing truly started to take off after the 1990s[ii]. In 2002, Amazon started its dominance in cloud services through Amazon Web Services for basic storage and computing and Elastic Compute cloud for commercial computer lease in 2006, which is generally considered “the first widely accessible cloud computing infrastructure service.”[iii] In 2009, when a series of “killer apps” emerged from leading technology giants like Microsoft and Google, the importance of cloud computing was generally acknowledged by the industry and started its take-off.
From real-time chat software to Gmail, from computation services to online gaming – cloud computing is really more a new way of doing business. In March 2012, Citigroup announced its exploratory partnership with IBM to use its supercomputer Watson for its data-crunching capabilities[iv]. By running Citi’s client server software remotely through Watson via the cloud, Citi plans to more efficiently analyze customer needs and client data for digital banking.
From the beginning, cloud computing, similar to many other innovations in IT industry, was a collective effort developed by various contributors from the private sector, and thus has a very clear multi-stakeholder characteristic. Such commercial evolution of the cloud determines that it is mostly maintained by transnational corporations instead of the government or state-own enterprises. The idea of global infrastructure building was embedded in cloud computing technology since the day it was proposed, and leads us to further questions of global governance and regulations.
Who owns the cloud?
If we accept that the cloud is by nature an infrastructure, then the electricity metaphor earlier brings us to another problem. While there’s no difference between the electricity people use, our data flowing in and out of the cloud contain large amount of our intellectual property and our privacy. Therefore we must ask – who owns our cloud?
During the U.S. government’s shutdown of Megaupload in 2012, a previous Megaupload client argued that by doing so the government has denied him access to his own account, in which he stored his intellectual property[v]. However, according to the DOJ filing responding to it, the government insisted that clients’ property rights on the cloud become severely limited by the contract between them and Megaupload and that between Megaupload and its server Carpathia[vi]. Since the data is saved on the server, the government argued whether people own the copy of their data on the cloud depends on whether they own the server of the cloud, and “mere use of the service” was insufficient to “create a legal ownership interest in servers”. Thus, they claimed that when people saved their material onto a cloud, they already lost property rights to that copy of it[viii]. With its terrifying implication, this case has gone beyond the fate of Megaupload to all cloud service providers.
Do I own my property on the cloud? Unfortunately, that question remains highly ambiguous, and largely depends on the specific agreement you enter into when uploading your material. If my cloud service provider or the cloud server with my data is located in a foreign country, who governs the cloud? Who is authorized to read my data? In the absence of a strong international framework, the cloud is subject to domestic laws of where its company or servers is physically located and always follow local jurisdiction. Conflicts between the domestic regulation and the international nature of the cloud brought us more controversy in light of the recent revelation on U.S. internet surveillance.
Who reads my cloud?
Another aspect of cloud security is the protection of privacy. In June, former NSA employee Edward Snowden leaked confidential documents and claimed that several technology giants have “backdoors” in their database for the U.S. government surveillance program PRISM – to surrender private data if such requests were approved under the Foreign Intelligence Surveillance Act (FISA). As a result, criticisms against the NSA and claims of illegal breach of privacy broke out around domestic news media and public debates.
However, the larger problem lies in the international outrage and the implications for U.S.-based information technology companies – they all need to follow local jurisdiction and regulations. While the U.S. citizens can still argue that FISA is unconstitutional and such surveillance is illegal, currently there seem to be no real protection or oversight for non-U.S. citizens on this matter. Particularly in cloud services, not only phone calls and Internet cookies (metadata), but also music, movies, banking, emails or anything else stored in the U.S.-based cloud might be examined without consent in the name of national security.
Since the academic discussion in 1960s, cloud computing has been a concept of globalization – a global computer network and international share of resources. During the spread of cloud technology, one major battle was the trustworthiness – how to get new customers past their misgivings about the security and integrity of data and place their data onto remote servers via the Internet[ix]. As leaked by Snowden, the fact that U.S. government can now request data from major companies under FISA with little probable cause, as noted by cloud expert and author David Linthicum, “will provide more fuel for the already cloud-paranoid.”[x]
Unsurprisingly, international outrage and distrust burst out against U.S. government as well as companies. Neelie Kroes, vice-president of the European Commission, spoke on the digital matters and warned that U.S. internet providers of cloud services could suffer major fallout in Europe, arguing “why would you pay someone else to hold your commercial or other secrets, if you suspect or know they are being shared against your wishes?”[xi]
According to a report based on Cloud Security Alliance (CSA)’s Government within a month after Snowden’s leak, 56 percent of foreign respondents were less likely to use a U.S.-based cloud service such as Dropbox or Windows Azure; 36 percent of U.S. cloud service providers said that they are less likely to get foreign business as a result[xii]. The guardian also predicted that American technology companies would lose between $21.5 billion and $35 billion in cloud computing contracts over the next three years after the NSA revelation[xiii].
Facing the cloud security distrust, European policy-makers started drafting legislation against U.S. surveillance programs. Recently an amendment referred to as “anti-FISA clause”, Article 42, was put forward to subject any request of personal data on an EU citizen to approval by a special committee[xiv]. However, this means global cloud companies will be facing a serious dilemma of whether to comply with FISA or to protect their customs (half of which are non-U.S. citizens) between two legal frameworks, breaching either U.S. or EU law[xv].
An alternative for global consumers is to cut their ties with U.S.-based cloud and turn to services based in other countries that are subject to international laws and explicit supervision – a great opportunity for some European countries, Canada, Australia and New Zealand[xvi]. Former NSA director Michael Hayden also argues that Europeans are already turning into “Made in Germany” branding campaign on cloud services and France’s “Sovereign Cloud” plan with a $200-million investment in domestic cloud providers[xvii].
Nonetheless, behind the high technology of cloud computing, the real dilemma that the revelation of NSA surveillance program points out is really nothing new, but a general conflict between global infrastructure construction and domestic governance. Critics argue that the U.S. government, through their “digital totalitarianism”, is severely damaging the global ecosystem and violating the most basic international agreements on data security and business relationships[xviii].
In the same way as the development of other technology, the heated debate around cloud services is not so much about technology innovation, but the legal and business framework around it. Technology progresses in such a rapid manner that social institutions and regulations have to be upgraded to catch up with security concerns and challenges to property rights. Hopefully one day, the online computing atlas will be less cloudy than it is in today’s environment.