Expert Panel: ‘Cloud Computing’ Best Regulated by Market

Published August 1, 2009

Congress and federal regulators should be wary of interfering with the emerging trend of “cloud computing” and instead allow the market the freedom to react to any security and operational bugs, according to attendees at a conference hosted by Google.

Cloud computing, which replaces on-site servers with data centers in the “cloud” of the Internet, lowers costs for businesses and is also how many individual computer users store their data.

Access to such data storage was previously available only to businesses possessing the capital to build and maintain massive-capacity servers themselves, but an entire business model has sprung up in just the past two years to bring people and businesses to the “cloud.”

Urging Regulatory Restraint

Some panelists at the May Google-sponsored conference in Washington, DC warned the United States could lose its hard-earned position of global technological dominance if the federal government moves too quickly in regulating cloud computing.

Jeffrey F. Rayport, founder and chairman of Marketspace, a Cambridge, Massachusetts technology consulting firm, warned against taking a “Patriot Act” approach to growing security concerns about the cloud.

“[Any regulation] may have noble elements, but the simple fact is we are seeing [negative] things happen as a result of this type of legislation,” Rayport said at the conference. “Data traffic on the Internet is being routed around the United States.

“There are cloud providers looking for safer places to put data centers, one being Switzerland. Those government decisions have huge impacts on the unfolding of the cloud vision,” Rayport added.

Market Driving Change

Rayport and his Marketspace colleague, Andrew Heyward, outline their concerns in “Envisioning the Cloud: The Next Computing Paradigm.”

The authors recognize cloud computing is in the early stages of evolution and government intervention could do harm, especially if it prematurely sets standards and prevents companies from competing based on their distinctive systems.

“Private enterprise and consumer behavior are key drivers of cloud computing,” the report notes. “However, policymakers can play an important role in creating optimal conditions for the cloud to flourish …”

Jennifer Kerber, vice president of Arlington, Virginia-based Tech America, a group representing the technology industry, says government regulators would do best simply to sit back and observe—and not join the cloud revolution until the market works the bugs out.

“Government’s procurement policy, with its fixed-price procurement contracts, is not well adapted for managed and subscription services,” Kerber said.

Privacy Concerns

The Washington, DC-based Center for Democracy and Technology is concerned about privacy laws remaining relevant when a third party stores data in the cloud.

Jim Dempsey, the organization’s vice president for public policy, notes the federal Electronic Communications Privacy Act of 1986 makes a distinction between information held in “electronic storage” as opposed to “remote electronic storage.”

While information in electronic storage, such as on a personal computer, cannot be accessed without a probable cause warrant, that is not the case for remote storage, which requires only a subpoena.

“Privacy rights could still be protected with the right interpretation of the Fourth Amendment, but it would take years” for court decisions to establish that, Dempsey said.

Legal Questions

In an analysis for the World Privacy Forum of the implications of the Electronic Communications Privacy Act, Robert Gellman noted a customer of the cloud will likely not be aware when simple communication turns into “storage” and the user loses privacy rights. Furthermore, the information could be stored in another location, changing the legal jurisdiction.

Additional complications can be added by the terms of service. For instance, the cloud provider could have usage rights over the stored data that might be in conflict with the legal obligations of the user. Customers, Gellman says, need to be cognizant of any such terms.

Considering all these complications, Gellman says it’s best to let private security and usage contracts rule.

“A trustworthy legal environment in the cloud computing context is hard to achieve, and users can protect themselves by encryption or by contractual terms which specify the servers where data will be stored,” Gellman said.

Expensive Uncertainty

The uncertainty about protection of privacy rights has wider ramifications for the adoption of cloud computing. The cost savings that make cloud computing so attractive are diluted when uncertainty of future federal regulations prevents security innovations.

“[Government regulation could prevent] the opportunity to apply business practices … to automate the privacy process as part of basic IT application development,” said Bernard Golden, chief executive officer of HyperStratus, a technology consulting company based in San Carlos, California.

Kishore Jethanandani ([email protected]) writes from San Francisco.

For more information …

“Envisioning the Cloud: The Next Computing Paradigm,” Jeffrey F. Rayport and Andrew Heyward, Marketspace: