Clouds Without Borders
This is one of those topics I was just intrigued with and felt compelled to blog about it because it’s not only very interesting but very important. What entities have the right to search or seize data based on its physical location? This is already a big issue in several contexts and will only become more complicated as the use of cloud computing continues to grow.
Let’s start by taking a step back and looking at the economics of free trade and protectionism:
Proponents of free trade argue that it results in the most equitable and efficient use of resources. If Japan has the lowest opportunity cost for rice, and the U.S. for corn, then each of those countries should specialize where they have a comparative advantage and purchase from others where they don’t. Harvard Economist Gregory Mankiw stated, “Few propositions command as much consensus among professional economists as that open world trade increases economic growth and raises living standards.” John Maynard Keynes was also convinced of the economic benefit of free trade writing that we should defer to the “wisdom of Adam Smith” in this manner.
However, there can be agendas that might be in conflict with free trade ranging from national security (i.e. a national supply of steel for the military) or other national or cultural interests in maintaining a specific industry at a specific level. Protectionist tariffs and other measures can be erected to protect national industries which are deemed “strategic” by whatever measure.
In the past, the jurisdiction of commerce was fairly simple to define with traditional physical products, but with cloud computing the “product” might be hosted (and stored) in Singapore, transmitted through Germany, and consumed in Switzerland. If there is an issue of national or international law, who has access to the data and at which points and terms? And do we have to start thinking about which countries that data routes through?
We’ve already seen this to some extent with not just China censoring the Internet, but also nations like Iran, North Korea and Cuba which have been trying to build their own “private Internets” to keep out external influences. This can work as a protectionist barrier against not just the economics of cloud computing but also free speech.
Law of Unintended Consequences
The issue is becoming a rather big one in the United States given the growth of cloud computing and the Patriot Act. Under the Patriot Act many potential cloud computing customers are either genuinely concerned by the issue or they are using it as a bargaining chip (or both). POLITICO explain the issue in a recent article:
The PATRIOT Act, which had key provisions extended by President Barack Obama in May, has become a flash point in sales of cloud computing services to governments in parts of Europe, Asia and elsewhere around the globe because of fears that under the law, providers can be compelled to hand over data to U.S. authorities.
To make matters worse it’s not just limited to data that is hosted within the United States. Microsoft recently admitted what was long suspected – that being a US based company they have to comply with the US and –if asked to – turnover data hosted in Europe to US authorities.
Regardless of to what extent these concerns are exaggerated for negotiating leverage versus being legitimate concerns one thing is certain – clarity is needed. At the very least it should be explained under exactly what circumstances (i.e. a FISA court approved warrant) a seizure could take place and more details on the process and recovery.
But going beyond the Patriot Act there are other issues that need to be worked out. We know that the value and potential of cloud computing is diminished when barriers against the free flow of data are raised, but might there be cases where some restrictions are warranted? As noted by Politico, the GSA recently tried to impose restrictions on where datacenters could be located. There’s probably some countries that we would not want to have a claim on government data in any circumstances and some data sets we might even want to keep within out borders. On the other hand, if we adopt too protectionist of a stance, other nations may follow suit, harming our global competitiveness.
Many are inclined to approach issues like this based on ideology first and ask questions later. But these are some very complex issues and balancing acts that require a deep and sincere analysis. Should governments require that government data stay within physical borders? Should strategic industries avoid using cloud services in nations that we have less than solid alliances with? Both governments and business need to think about where they host their data and applications and understand the potential legal situations.
We’re not trading physical commodities any more. We are offering computing services which can be stored in one country, transmitted through a second (or more), and accessed from a third. As cloud computing grows the potential for impact on not just economics but both free speech and security. We need to start thinking about these complex issues and lobbying our government(s) to get it right.
Fixing the Problem
Government typically is unable to react to fast-changing dynamic industries like cloud computing (and often times this might be a good thing) but cloud computing is a growing industry and the US shouldn’t be in a position where it is losing ground in cloud computing because the government failed to provide clarity and address the real market issues at play.
Cloud computing didn’t really exist when the Patriot Act was written and one can’t help but wonder how many of the 535 members (of the US Congress) have an understanding of cloud computing let alone this situation. The good news is that the executive branch appears to be taking action on some of the issues but will this be enough? In the long run, there probably needs to be action on the legislative fronts as well to find a clear and responsible approach to issues of national security that don’t umm…cloud or confuse the impact and adversely affect the cloud computing industry.
Just as there may be needs for court approved wiretaps for national security, it is not inconceivable that there would be a legitimate for this scope to be extended to email, social networking and more – much of which could be using cloud service providers.
This is no place for knee-jerk ideology as there’s complex issues that we need to get right. We need to engage with out lawmakers and lobby that our laws in this matter be clear and cloud-friendly and avoid protectionist stances in the absence of strong strategic agendas.
What you think? Comment below.