The World Data War
Why cloud computing is a global war being fought on land
Cloud computing has always been a misleading term, given that much of it is on the ground and behind national borders. Chris Middleton and Stuart Lauchlan explain why this means that the US and Europe are at war over data.
You would be forgiven for believing that ‘the cloud’ is some benign fog of code, something global, idealistic and egalitarian, recognising no borders, blind to local politics, free to everyone, and joining all humanity together in a nirvana of shared knowledge. But it’s a long way from the truth.
For the users of enterprise cloud services the functionality may be as promised, but the term ‘cloud’ obscures a war about who owns what and where, and what advantages this gives them. This is a war that’s being fought on land, not in the air. It’s about infrastructure; it’s about where the hardware’s based; it’s about whose laws it’s governed by; and it’s about who owns the IP.
Make no mistake, sharing content, data and research is a good thing. When Sir Tim Berners-Lee invented the World Wide Web 25 years ago, he gave us a non-proprietary system so that knowledge could be shared. He made no money from it.
The core of that vision remains. Wikis, social platforms, open source and open data programmes have proliferated, as have Creative Commons licenses. People share their work for its own sake so that others can too.
But the reality of the enterprise cloud services sector is very different, despite vendors’ claims that it is inspired by the same ideals. It’s a cold war between the East and the West, and increasingly ‘the East’ means anyone East of America.
US industry dominance
The cloud services industry is dominated by US providers, be they globe-straddling platforms such as Google, evangelical pure-plays such as Salesforce.com or Amazon’s infrastructure business, lifestyle giants such as Apple, or born-again cloud enthusiasts, such as Oracle, Microsoft and IBM.
That dominance comes from US companies driving technology innovation, for which they should be applauded. Only SAP’s acquisition of SuccessFactors gives Europe comparable enterprise clout in the space.
But if the European Commission (EC) gets its way, all that could be set to change. The Commission wants to see the European Union step up to the mark and turn Europe into a hotbed of cloud services growth – a Europe that is “not just cloud-ready, but cloud-active,” according to Neelie Kroes, the Commissioner for Europe’s Digital Agenda.
She and her colleagues in Brussels have been working on a proposed EC cloud computing strategy, an overarching plan that would – according to its ambition – increase Europe’s chances of taking on the US, while also setting in play economic gains for the region.
In the wake of entrenched financial problems that brought Europe to the brink of collapse, cloud could provide a necessary boost, argues Kroes. “It could offer a huge lift to the European economy,” she says. “Most businesses using the cloud find they save 10 to 20 per cent of costs. That soon adds up.
“Cloud could revolutionise public services, with services that are more integrated, more effective, and at lower taxpayer cost. “That all leads to a huge economic benefit, totalling hundreds of millions of euros by 2020, plus millions of new European jobs.”
Kroes’ ambition can hardly be faulted: Europe needs positive voices at a time when few leaders have offered much in the way of vision. Except none of this promised transformation will happen unless the Commission gets directly involved, she claims.
The problem is that Kroes is a European politician attempting to use the US’ success in technology innovation as a stick to beat America with, while claiming that Europe should be able to innovate too. But the real question is why Europe has failed to capitalise on the work of innovators such as Berners-Lee.
The answer is that while European governments make the right noises about innovation, they need to foster a supportive investment culture where good ideas can flourish and become healthy businesses.
In the UK in particular, sectors such as financial services, oil/energy, pharmaceuticals, defence/aerospace and (astonishingly) tobacco are seen as the safe places for people to invest their cash – the ones that have always performed well in the past. Indeed, any ‘virgin investor’ is traditionally given a pep talk to this effect. Technology and digital media are high risk, they say. That culture needs to change, but changing it may take decades.
A handful of European companies have cracked the US market, but overall, Europe must accept the reality of a cloud computing market where America dominates.
Kroes believes that, without a supportive environment in place, a free market alone will not deliver a European cloud industry to match the US. “That will only happen if we get the policies right. Without the right policies, the economic benefits will be just a fraction [of the promised figures],” she warns.
Kroes has praised the advantages of the single US market and hopes that Europe can reciprocate with a single digital market of its own. “American [telecoms] operators can serve 300 million citizens while working under one set of rules,” she says, “whereas over here, we have a tangle of 27 different systems. And that’s a headache for operators who want to think big and compete globally.”
However, she believes the US market is closed to outsiders: “The result isn’t just unfair competition, it means less choice and a worse deal for Americans. Opening up would serve all of our interests.”
But Kroes does not want to be seen as anti-American. In fact, she foresees a future of increased US and European cooperation – albeit one powered by the same digital economy that she claims is being obstructed by US dominance.
She recently addressed the American Chamber of Commerce’s EU conference, saying: “The EU and the US are the world’s two largest economies, together representing over half the world’s GDP; and they are among the most open.
“Our trade relationship already amounts to €2 billion [£1.75 billion] a day, and sustains 15 million jobs. In 2012, US investments in Europe amounted to €200 billion [£132 billion] – US companies generating welcome jobs and earnings in Europe. But my message is simple: our relations can be more beneficial if we give priority to the digital economy.”
State of the union
In his 2013 State of the Union address, US President Barack Obama called for a free trade agreement between America and the European Union, to be enshrined as the Transatlantic Trade and Investment Partnership (TTIP). This would be the biggest trade pact of all time, creating a free trade bloc reaching from California to Romania and representing half of the world’s total economic output.
But Kroes still believes that Europe needs to pursue a more Europe-centric cloud strategy. The EC’s proposed strategy aims to tackle three areas:
• Standards and certification to put cloud users more in control of their own data.
• Safe and fair contracts to cover how data is used in the cloud, and liability issues.
• A European cloud partnership of officials to be appointed by the EC, which will shape and consolidate cloud procurement practice across Europe’s public sector.
The move comes at a time when some in the US have accused Europe of creating trade barriers to American businesses through its complex data protection and transfer regime – a claim undermined by the scale of US IT dominance worldwide and by the fact that the US market is even harder to crack.
What the US really means is that it finds the fragmented nature of Europe to be a barrier to the further expansion of its already-dominant technology sector, while rivals in Asia are growing fast within their internal markets and crossing into the West.
Red tape for freedom?
But is the Commission attempting to free the European market by tying it in red tape? “Clearly, our aim is not to over-regulate,” insists Kroes. “That would constrain innovation and stunt growth. On the contrary: we can boost innovation and stimulate demand.
“For example, we can make the market accessible and efficient for all. Currently, the situation is confusing. Service providers are normally not responsible for hosted content; those kinds of limits on liability are what make a lot of ecommerce possible.”
There is certainly a case to incentivise the development of a bigger cloud economy in Europe. In 2012, analyst firm Gartner warned that Europe is at least two years behind the US in its adoption of cloud computing, due to a range of factors – including Europe’s data protection regime. The UK is ahead of its European partners, said Gartner.
But slower adoption does not mean lower interest. “The bottom line is that the interest in cloud is as high in Europe as it is elsewhere in the world,” said Vice President and Gartner Fellow David Mitchell Smith, announcing the findings. “While inhibitors will slow down cloud adoption in Europe, they will not stop it – the potential benefits are too attractive, and the interest in its efficiency and agility are too strong to stall it for long.”
The implication is that, left to its own devices, cloud traction will build in Europe regardless – probably at the same pace as other technologies have crossed the Atlantic over the past 25 years.
But Kroes and her colleagues have evidence to the contrary. They cite research from analyst firm IDC, which finds that having the right European strategy in place could more than double the value of spending on public cloud services alone, from €5.2 billion (£28.3 billion) to €77.7billion (£62.8 billion) by 2020.
In IDC’s vision of the market, Europe faces a stark choice. If it takes a free-market approach to cloud adoption, it could generate a respectable €88 billion (£71 billion) in contributions to GDP by the end of this decade. But if the EU follows a proactive, interventionist policy, cloud could generate up to €250 billion (£202 billion) – nearly triple the amount.
That said, conservative politicians’ belief that Europe is engaged in ‘strangulation by regulation’ is echoed by other analysts. Gartner, for one, has expressed misgivings about Europe’s data transfer and protection rules, which reach further than the European buyer of cloud services.
At present, European rules require any cloud services provider to have a datacentre live in any country in which they operate. This is prohibitively expensive for smaller companies, hence the allegations of trade barriers from some US companies.
There is nothing in Kroes’ latest announcement to suggest that this will change. This is a puzzle, as in Spring 2012 she outlined a coherent vision of a single digital market in which datacentres could be hosted anywhere in Europe.
Under those proposals, cloud companies would have a one-stop shop of enforcement via the data protection authority of that supplier’s country base. So a company could offer services to several countries from a single European datacentre under the oversight of, for example, the Information Commissioner’s Office in the UK.
It was always unlikely that some countries, especially France and Germany – the most rigid adherents to tough data-hosting and transfer rules – would agree to their relaxation. However, the concept was sound and the Commission was keen.
For its immediate cloud strategy, the Commission proposes to set technical standards and model contracts for services, which will include obligations within data transfer and data protection rules. In other words, Brussels will legislate on how contract terms need to be worded to ensure that data location is addressed.
In the US, this is going down badly and there has been a warning shot from the trade body of US software providers, the Business Software Alliance (BSA), an active lobbyist in Brussels.
“In implementing the new strategy, policymakers need to align privacy and security rules so that data can flow across international borders,” says Thomas Boué, Director of Government Relations, EMEA, for the BSA. “Creating barriers to the free flow of data beyond Europe would impose inefficiencies and could cut off European companies from the fastest-growing cloud markets in Asia and elsewhere.”
Other US voices concur. “There is no need for special privacy, security, intellectual property or consumer protection rules that apply just to cloud computing,” says Mark MacCarthy, Vice President Public Policy at the Software and Information Industry Association (SIIA). The organisation is a major influencer of US ICT policy, in particular on cloud computing.
“Generalised rules – indeed, globally interoperable rules – are best suited to the global, borderless nature of cloud computing,” adds MacCarthy.
But this is where the US should get real. The idea of ‘the’ cloud being a global fog of idealistic code made for good marketing in the early days, but it was always a half-truth at best. There is not just one cloud (the internet), but thousands – public, private, hybrid and community – and most of them are based in stacks of US hardware, owned by US corporations, under US data protection rules (including the Patriot Act).
Meanwhile, revelations about the US’ PRISM surveillance programmes have pulled back the curtain on the domestic politics behind it all – the Wizard in the industry’s Oz.
“Our understanding of privacy is fundamentally changing in the digital age, so the rules we have for guarding it have to change too,” says Kroes. “I get frustrated when privacy is seen merely as an irritant. Like most Europeans, I see privacy as a fundamental right.”
The Data Bank of England
But is that view shared by every European government? In August 2013, The Guardian reported that the US had paid at least £100 million over the previous three years to the UK government’s information gathering service, GCHQ, to access UK intelligence. Leaked documents revealed that GCHQ had been ramping up its efforts to access data from UK citizens’ mobile phones and cloud apps.
Since then, there have been increasing signs that the UK government sees citizens’ data as a tradable commodity and that ‘the Data Bank of England’ – a phrase coined by Chris Middleton in 2012 when he was editor of Computing – is now open for business. In February 2014, for example, it was revealed that GCHQ’s ‘Optic Nerve’ programme had been used to spy on Yahoo customers via their own webcams.
All of this suggests that the UK and US governments believe that citizens no longer have a right to privacy, even in their own homes – a position without historical precedent and with no democratic mandate.
The extent of existing and planned programmes – such as the proposed sale of citizens’ NHS records to private companies – has little to do with catching terrorists, and everything to do with amassing and trading ‘the new gold’: data about every citizen.
Storms in the Safe Harbor
Viviane Reding, the European Commissioner for Justice, Fundamental Rights and Citizenship, added her voice to the criticism of the US’ role in spying on European citizens: “The Safe Harbor agreement may not be so safe after all. US data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbor Agreement.”
Given that the US Senate has already passed a bill approving the ongoing funding of PRISM, that’s not going to happen without a fight.
The PRISM revelations certainly have the potential to undermine confidence in US cloud services providers. A recent survey by the cloud Security Alliance (CSA) found that 10 per cent of the 207 officials it polled at non-US companies have already cancelled contracts with US providers as a direct result.
More than half of 456 representatives of companies in the US, Europe and Asia said that they are less likely to use US cloud service providers because of concerns over US government access to their data. Only three in 10 survey respondents said the PRISM revelations will have no impact at all on their use of US-based cloud services.
While the free exchange of ideas enabled by cloud services is democratic and desirable, the suspicion is that, by arguing for Europe’s barriers to fall, US software companies are really arguing for their own proprietary and financial interests.
The SIIA’s MacCarthy is undeterred and makes a fair point – one that tacitly accepts that ‘the’ cloud does not really exist: “A concern is the possible development of privacy rules just for the cloud. In reality, cloud computing is a variety of evolving business and technical developments that share only a rough similarity.”
UK voices in the storm
While some US concern can be dismissed as the airing of vested interests, the UK’s cloud Industry Forum (CIF) – which aims to set user-centric standards for the cloud market – is not enthusiastic about Kroes’ proposals either.
“National interests must not be limited by standards, but equally, any national approach to cloud should have a healthy and constructive approach to collaboration across borders,” says CIF chairman, Andy Burton.
“The key issues really centre on standards for interoperability and security, such as interoperation between different national or departmental clouds; data portability; data protection; and the conflict between European and national laws on data sovereignty and protection. These fundamentals must be resolved, both in the context of Europe, as well as in Europe’s wider relationship with other key markets – not least the US.”
Burton is concerned that the Commission’s strategy is based on a false assumption of a level playing field across Europe. “While, idealistically, the notion of intergovernmental collaboration on best practice may be logical – for example, among all the health services in Europe – such an approach assumes a green-field approach to process design,” he says.
“This presents serious legacy challenges to overcome before even beginning to tackle the more sensitive and very real issues of sustaining local culture and experience.”
It is also made difficult by the UK government’s increasingly decentralised approach to NHS IT, for example, which now favours highly localised solutions and partnerships.
So how is the UK doing in cloud adoption? The UK – following the lead taken by Obama’s ‘cloud first’ technology push in the US – has delivered on its long-promised G-cloud programme. First proposed under New Labour, the G-cloud is now seen as one of the major weapons in the Coalition’s bid to reform ICT procurement and to engage more SMEs.
It is widely acknowledged to have been a success, even across the floor of the House of Commons. Whitehall has also begun pushing its own ‘Digital by Default’ policy. In a sense, this is a large organisation – the UK government – creating its own private cloud, just as many businesses do.
But Kroes does not see things that way. She and her colleagues have dismissed the UK’s programmes as unfit for purpose. Indeed, she thinks they may even stifle the prospects of cloud adoption in Europe.
“We need to think European,” she says. “If we stick to a national approach with national rules, we will constrain the cloud to national borders. We shouldn’t limit our ambition like that. Only with a European approach can we find economies of scale, with benefits for cloud providers and consumers alike.”
As far as the UK Cabinet Office is concerned, Kroes is talking up a fight. “The old business models didn’t work,” says Liam Maxwell, UK Government CTO. “We also see that there are very strong interests working against this.
“The EC is offering to certify cloud services so that only certain companies can pass the bar of being able to host things in the cloud. We feel that is a tremendously retrograde step. It will enable the oligopoly that has driven IT for many years to police the cloud. Only they will have ‘certified’ cloud provision. Consequently, governments will sleepwalk into buying from them – not just here, but across the whole of Europe.”
In other words, Kroes’ plans may have the opposite effect to the one she imagines, by entrenching a small number of major vendors into the European supply chain, shutting out local competition. This may explain why some US suppliers have applauded her vision: there is a high chance they will benefit from it.
But whatever the outcome there is a long road to travel, because any agreed pan-European cloud strategy is years away – if, indeed, it is even possible in a Europe dominated by France and Germany, which both favour a national approach. The UK, meanwhile, is as semi-detached as ever, and – on cloud computing, at least – making better progress. TS
The Strategist says
Signal, not noise