The rising importance of cloud services and cloud service providers (CSPs) in society has caught the attention of policymakers and regulators seeking to reap the benefits of this new technology while managing attendant risks. The regulatory landscape of cloud computing is highly complex, owing to factors such as its rapidly increasing centrality to many societal and economic functions and continuous innovations in the technology involved. Understanding the many issues emerging from this context will be critical to responsibly unlocking the potential of cloud services for society.
To that end, this paper provides an overview of the many different policy issues related to the cloud that are either attracting or will soon attract attention from policymakers as well as advocates, consumers, and corporations. Principally, we highlight five baskets of policy and regulatory concerns pertaining to both CSPs and cloud services more broadly: security and robustness, resilience, consumer protection, prosperity and sustainability, and human and civil rights. In approaching these issues, we underscore the importance of taking into account the various perspectives through which different actors view cloud governance. In particular, we note four areas of focus and priority among these groups: those that examine the practices of individual CSPs, those that consider the features and implications of the cloud services market as a whole, those that focus on issues arising from dependence of individual and corporate consumers on cloud services, and finally those that look at the implications of government use of cloud services.
We emphasize the utility of such a multidimensional approach in capturing the scope, richness, and dynamism of the cloud phenomenon, and identifying the intersections and tensions between the various issues involved (especially given that these connections present potential challenges to the evolution of coherent policies and regulations). As the cloud affects ever larger swaths of human (and machine) interactions, we highlight the necessity of examining cloud policies and regulations from a global perspective to reflect the cloud’s global reach. This state of affairs naturally implies that governance structures and solutions will inevitably differ between and within countries and regions due to divergent values, interests, and priorities that affect attitudes toward the cloud. We state the need for harmonization or at minimum some compatibility and reconciliation mechanisms between these many governance regimes. In the absence of such efforts, it may become largely impossible to reap the benefits of the cloud for global growth, innovation, prosperity, and stability. As such, this survey strives to overcome the common tendency to examine cloud-related issues from myopic, nationalistic, and siloed perspectives, and instead advance a global and holistic outlook that incorporates the various issues involved in cloud policy and regulation.
INTRODUCTION
Cloud service providers (CSPs) have become an increasingly important part of modern society. They enable a variety of critically important activities, empower numerous applications, and have come to store and process more and more sensitive data. Their centrality is now apparent not only in the digital economy but also in more traditional economic sectors, and indeed as an essential component of daily life. These developments spark the interest and concern of policymakers and regulators across the globe who aim in their respective jurisdictions to comprehend these trends, and to strike a balance between harnessing the benefits of the cloud revolution and moderating its adverse effects. Toward that end, this paper provides an overview of the diverse policy issues in cloud computing either already attracting or otherwise meriting serious attention and scrutiny from state, federal, and foreign policymakers and regulators in the next few years.
We principally highlight two different kinds of cloud governance issues: (1) generic ones that have been present in other domains but are already or will in the foreseeable future become eminently applicable to the cloud as well; and (2) issues unique to cloud computing and CSPs that are becoming increasingly important as the industry expands, develops, and occupies a more central social, economic, and security role globally. It should be noted that this preliminary survey is intended for now solely as a tour d’horizon of the governance agenda. We do not aim to prognosticate, acknowledging that there is a great degree of uncertainty in each field we discuss. Furthermore, while we highlight the more contentious issues associated with cloud technology and its centrality, we do not presently suggest priorities (in importance or time frame) among the issues raised, nor do we propose recommendations for any specific set of cloud policy issues or regulations. Along the same lines, the survey is generic, not specific to any particular country or jurisdiction (although it does draw on examples for illustrative purposes).
Ariel (Eli) Levite
Levite was the principal deputy director general for policy at the Israeli Atomic Energy Commission from 2002 to 2007.
The issues discussed herein apply first and foremost to public cloud services that are accessible to any potential client of a CSP, as contrasted with private clouds dedicated to only one specific public or private organization. However, some of the governance issues inevitably also pertain (with some twists and turns) to the latter, especially for private clouds supporting government needs. Thus, we also recognize that governments' increased contracting with and dependence on cloud providers and their services will inform their general outlook toward cloud governance, and impact their policies and regulation in this domain far beyond the contractual arrangements they enter. Nevertheless, this delicate topic requires its own dedicated analysis, and so we do not examine it in detail in this paper.
For now, there is only a patchwork of policies and regulation pertaining to cloud services and CSPs; their maturity varies considerably across sectors and jurisdictions. In some localities and especially in certain domains, there already is existing legislation, for example concerning electronic communications or on handling sensitive personal information, that has been adapted to apply to cloud services, often imperfectly. In other cases, the challenges associated with cloud dependence have themselves only begun to be identified, and coherent policies or governance approaches have yet to emerge. A prime example concerns the data, processes, and especially applications hosted on the cloud or otherwise drawing on it. The platforms and programs that are based on or otherwise harness cloud services are thus far largely unregulated: determining who controls and regulates their use and on what basis, who decides what constitutes appropriate and inappropriate applications of user data, and how liability for cloud service setbacks (pertaining to availability, integrity, and confidentiality) ought to be adjudicated are just a few potential areas of importance here that have yet to be fully explored. This is just one of many emerging policy areas complicating governance efforts.
It is also important to note that much of the governance agenda concerning cloud services manifests not only vexing jurisdictional issues, but also differing perspectives between the various stakeholders and even outright conflicts of perspectives, values, and interests. The inherent tensions between different governance approaches necessitate careful consideration, prioritization, and balancing. We give some consideration to this added layer of complexity toward the end of this paper, and a follow-up publication will explore the issue in more detail.
Even without considering the tensions between them, the innumerable domestic, foreign, and international policymaking and regulatory authorities and standards-setting bodies with a pertinent say on cloud-related issues have prioritized certain areas over others. In some jurisdictions, privacy rights constitute the paramount concern; for others, systemic risk to the economy or specific sectors thereof is of utmost importance. And for still others, access by certain governmental authorities (but not others) to the data stored on the cloud, and the capacity to both track and censor it, as well as the discretion of CSPs to do these things on their own, are the most critical issues. Thus, while competent authorities will inevitably differ on the priority as well as modalities they assign to addressing these concerns, they will likely all become significant issues in at least one regulatory environment. This fragmentation and differentiation combined with the global reach and centrality of the cloud inevitably means that the harmonization of policies and regulations is bound to prove an especially critical issue on a national and especially international level. Failure to manage and reconcile differences could result in serious degradation of the potential benefits of cloud services.
