Cloud Governance European Commission
28 September 2011 - A Workshop on in Nairobi,Kenya
September 28, 2011 - 16:30PM
The following is the output of the real-time captioning taken during the Sixth Meeting of the IGF, in Nairobi, Kenya. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> THE MODERATOR: So, good evening, good afternoon, sorry. It's a pleasure for me to welcome you to this workshop on cloud governance. This has been a joint, I would say, idea and effort by two European institutions to put in place this exercise. We're very happy to welcome you. I'm your improvised moderator today. I was not supposed to be here but for some reason I do. So I hope that I will do my job properly.
I would like to before presenting tow to you the various panelists that are going to intervene on these very challenging issues on the clouds which raises as much hopes and opportunities as fears and doubts.
I would like to welcome also two members ‑‑ two additional members of the European Parliament here present. They want to, of course, take the floor.
The idea is to give five minutes toy panelist to intervene. While the idea is to get from them some ‑‑ some thoughts and some, I would say, suggestion about what in their view is the main challenges ‑‑ the main challenge. 1, 2, eventually. And if possible, give us an attempt of priority actions that could be associated to those challenges.
Following those presentation, as I say, I repeat, no more than five minutes to save the cloud.
I would ask the audience to ask a question, of course, to ask a question, but also to make eventually statements on what they think the challenges are, reaction to the intervention from the panelists, and questions.
So, our first panelist today is.
>> KATARZYHA SZYMIELEWICZ: Executive Director of her foundation. She will explain to you a bit better the scope and the objective of this foundation.
We'll have to follow, Megan Richards. She was my boss. So I have to behave. But for the ‑‑ for once, I'm controlling her (laugh).
We have beside Megan, Pilar del Castillo. She's an Honorable Member of the European Parliament. She is the mother of the digital agenda in the European Parliament. She has been very helpful in helping the ‑‑ all the institutions to get this project through.
We have Andrea Renda.
Jeremy Malcolm just joined us. We were worried to have the consumer view represented because we have two important business organizations represented by the representative of Microsoft, as well as Patrick Ryan from Google.
So I would ‑‑ maybe ladies first, give the floor to Katarzyha Szymielewicz. Thank you very much.
>> KATARZYHA SZYMIELEWICZ: I'm surprised that I get the floor first. Usually it is the opposite. Thank you very much.
My organization (laugh) ‑‑ my organization deals in the human rights area. We try to defend human rights in the context of modern technologies. We take a lot of interest in privacy. Freedom of expression, right to information. And so on. We work both in Poland and at the eLevel, so sometimes we have the pleasure of meeting European Commission and convincing them to look at privacy and freedom even more seriously.
So surprisingly I will tell you about the threats and risks related to the cloud. I don't think there is a need in that room to introduce cloud‑computing as such and say that vast amounts of our data, including very sensitive data, move extensively into the cloud, which is obviously great. For business purposes it's great, for the users for the comfort of the life and the mobility. But it does pose new risks. And I would like to look at two aspects in my short time.
The first one is privacy risks that result from the cloud in itself and how the cloud providers operate. And the second aspect is the risk that results from the government obtaining access to the cloud and the issue of data sovereignty.
So problems in the cloud. What main problems we have identified as a civil society organization.
First that you know is that we ‑‑ we do trust a lot of data to entities that are commercial. Incentives of cloud providers are commercial incentives which we have to bear in mind. That essentially means that our data might be used for ‑‑ well, there is incentive, okay, so to say that our data will be used for other purposes than user normally imagines. I'm thinking especially about profiling and the risk of creating details, profiles of individuals that might be used to generate more income to generate advertising and so on, and so forth.
It's a very worrying phenomenon mostly because many people do not know about it. It is a foreign idea. What happens behind the screen so to say.
So‑called free services that we often pay for with our privacy. And there is no ‑‑ well, possibility for the user to object changes in terms of the service even if the changes are significant.
The only way forward we have is to leave the service which obviously we can do, but then comes another issue, which is data ownership and data portability. To what extent the service enables us to take the data and go somewhere else, especially if the data includes our conversations, interactions with other users, things are getting very complicated.
So that's a serious thing to be addressed. And I'm sure we will talk about that later.
Then, of course, data security is obviously, sure, an issue we cannot ignore. Data security decreases in the cloud for many reasons. One being that a cloud provider is not a monolith. Do we trust its employees, do we trust the contractors, do we trust the whole entity, how much we know about the entity, do we know how many entities are involved in providing the actual cloud we use?
I think all these questions are often left without answers and the users might feel that the security of the data is threatened. Another aspect which we hear a lot obviously is of course attacks from hackers and other malicious sources that want to take control over our data.
This is as we see not something we can prevent, I mean even the best security systems tend to have holes which tend to get used by some other people.
So the more data is in storage in a place, the higher the risk. This is another issue to be considered maybe with leaving data with the user and having some other models of storing data not making it so centralized. So that's something I would like to discuss at later point.
Finally, there is bolder aspect of cloud‑computing. More and more, it is actually getting ubiquitous that data is getting sent somewhere else. We don't know where physically the data is being processed. Obviously, companies can outsource to other countries. Thinking about European countries, we also talk about sending data to third countries which might be cheaper but not always for the same standards of data protection. We have the concept of safe harbor with the U.S. but the concept seems to be very flawed and is just commercial agreement which does not offer a real guarantee of protection. Users might not have the same rights in the other state because they are not citizens. So we have many implications of this cross border aspect.
Okay. Finished. I can finish. Okay. So then very briefly, the other aspect is the government access if we store data in the cloud which is in different country, we also face the issue of governmental access, talking about we are not supposed to name countries but there is a country famous for war on terror and security loss which also has a law which enables unauthorized access to non‑citizen data. It is an issue. We have to address it because it is a data sovereignty issue. Thank you.
>> THE MODERATOR: Yes, it works. Megan? Thank you.
>> MEGAN RICHARDS: Thank you very much. I won't speak for very long because I think it's more interesting to hear some of the questions and ideas from the audience as well, and, of course, from the other panelists but I would like to start by explaining a little bit where we are in the European Commission on developing European cloud strategy which we expect to have finalized by the end of next year.
By its definition I think cloud‑computing has many advantages for growth, for development, for SMEs, for users, you probably all know what those many advantages par.
And with all new technologies and new manners and means of using ‑‑ you can't hear. How about that? I moved the mic to me. For all those reasons, this is an area where we have great potential for growth, but also like every other new technology or new activity, other risks.
But many of the risks and many of the problems that have been identified, I think are also advantages or should be turned around into advantages for new types of providers, providers who can guarantee security, providers who can guarantee data protection for that particular jurisdiction, governments who want to ensure that their countries are cloud‑friendly will, I'm sure, be less invasive in terms of taking data from users, et cetera, and there are many many advantages and cloud in some ways even though it has special character risks and special requirements has many of the similar problems or issues that arise in other areas that we use on the Internet.
So you know, I'm sure, about many of those.
So what are we doing in the European Commission about this?
We have in good IGF fashion developed a multistakeholder consultation. We are consulting broadly and widely on what are the issues that are of particular interest in Europe for ensuring that Europe is both cloud‑friendly and cloud‑active. We want to make sure that there's as level a playing field as is possible for providers, we want to make sure that users of cloud in Europe have the right guarantees and interests that they have anywhere else.
And to do this, we have launched a public consultation which closed on the 31st of August, when we got 538 responses to this.
We've done an initial analysis of this review.
We have had a special need team between the commissioner whom you may have seen speak yesterday at the opening session and some of the senior industrial representatives, and those were from around the world.
And that group of senior industrial interested parties, let's say, both from the provider side and from the user side have identified four main areas where they are continuing to work and coming up with some recommendations.
And we will continue our consultations with SMEs, consumer interest groups, et cetera, et cetera.
So I hope that in reaching out and getting these responses from as many participants and as many interested parties as we can, we will be able to by the end of next year come up with something that is quite solid. And, of course, I can't forget that we also discuss very much with the European Parliament and the member states as well on these issues. So I don't want to spend too much more type, except to add that in the context of cloud‑computing, of course, the international element is extremely important, and I think an area that we mustn't forget, which has international implications, too, is standardization.
And as I speak, there is a meeting going on right now between two of the main standardization organizations, one in Europe and one in America, to discuss specifically where are the areas that need greater, better, improved standardization on cloud services.
So that's another element that ‑‑ of the many, many, that have to be covered in cloud that I wanted to mention. Thanks.
>> THE MODERATOR: Thank you very much, Megan. I give the floor to Pilar.
>> PILAR DEL CASTILLO: I can use that. Well, thank you very much. I am also to be very brief, because, you know, we have always the risk in dealing with cloud‑computing that each of us, we can go through the same catalogue of problems, so to say. And then we review everything that the protections, security, privacy, and, you know, so on, so on, so on.
So I have to pick up to make an option. I have to make some choice. I have to pick up some aspect and I want to do that.
And for me, one thing that has to be especially taking into account is anything related to a competitive cloud market, a market in which we have real competition, which is an open market, and then a freedom of choice of the users.
Similarly important, we really to have a strong cloud market. And in doing that, I think one of the aspect that we should look more for is all things related to portability.
We cannot be ‑‑ in many countries at least as if we ‑‑ as we were in the past. That in the mobile sector, portability was a problem for users, and they have really ‑‑ they were punished many times, in terms of cost, in terms of time, in terms of travels, and so on, and so on.
And so I think from the very beginning since we are now in that starting point, portability in the cloud market, so to say, it is extremely important. And that's affect to all kind of user paragraph it affects public types, and at the present moment when they are in the cloud, it affects University, affects to ‑‑ well, I would say to anyone that take all the advantages that cloud offer to them in terms of costs benefit.
But you can't have many benefits unless cost ‑‑ but you will really ‑‑ you know, take advantage of all the opportunities that the cloud‑computing cannot only offer to you, if you are a kind of prisoner of, you know, the offer ‑‑ well, of the cloud you are, so to say.
So I think when we are talking about portability we immediately talking about standardization.
And we have to deal with this. Standards is one of the aspect which can really hamper more the possibility of having such an open market.
We don't address the problem of standardization, and I am not a technician at that sense. So I just put in ‑‑ you know, the concept, and the consequences there.
Then we ‑‑ is going to be more difficult if not impossible to really have such a flexible and quick system in which anyone can change or make another option if he is not happy with the service of the ‑‑ of his or her cloud provider.
So I will say that these ‑‑ you know, for me, one of the aspect we should be in part of the core or the problems when we are now facing that. That means some kind of international agreement on standardization should be put into place.
I am aware that when we are thinking of standardization we have to be careful in order not to hamper innovation in the field of the ICTs. We cannot really close the possibilities of new development in technology in the sector, in taking to account this at the same time we need a kind of common standards that make possible, among other things, you know, it's not only that factor, but that really boosts for having a competitive and open market in the cloud scenario or in the cloud environment.
So, that is ... Thank you.
>> THE MODERATOR: Thank you very much. I'm giving now the floor to Andrea.
>> ANDREA RENDA: Thank you. Thank you also to the organizers of these sessions for inviting me here. It's a great pleasure to be able to share my thoughts on cloud governance together with all of you and hear what the other panelists and the audience will have to say about this.
I confess that I've been struggling a little bit with the idea of finding one main challenge for cloud‑computing. I have been thinking about a lot of things with the overall instruction that each panelist has been given before this workshop. And I thought of course, a lot of people say privacy, and for me it's not the main challenge, because it comes as an ingredient ‑‑ a more sustainable let's say architecture for cloud‑computing.
Security, perhaps ‑‑ well, there's a lot of diverging views, there's a lot of people that actually think security would increase with a transition to more massive use of cloud‑computing.
It could see ‑‑ it could be something like increased need for mustn't mum quality of service to guarantee stability and resilience of the services provided through the cloud. And this is part of also in my opinion of the cocktail that we actually need to ‑‑ when we look at the cloud.
It could be certainly interoperability but this looks mostly the application layer of the cloud. So what I think we actually need is to look at the governance of the cloud and the potential policy approaches towards the cloud in a layered way. So we have to look at the whole value chain to see if we actually have in place the right dynamics, not necessarily the right policies, there might be no policy at all. The right dynamics in the market that would lead to an emergence of a real cloud‑computing environment.
That is an enhanced environment on top of the one we already have, because we already live in the age of cloud‑computing to a large extent.
And the layered approach means that we look at all the layers, and the layers of what ‑‑ well, I'm Italian but I will quote the UK regulator in this respect, what he has defined as the lasagna model of telecommunications which means moving from the spaghetti model where each network was reaching each user to a system where all the different technologies reach and bring the users on the same Internet environment.
And we actually living in a situation where there is a transition towards what could be called the cloud lasagna or a cloud Moussaka or in terms of wherever when we need to support Greece. So whatever a layered environment where every layer is an essential ingredient for the working of the step. Very simple example. There's no cloud environment, there's no really resilient and perfectly working cloud environment without a high‑speed infrastructure that is also a stale one. Right? And currently not only Europe but almost everywhere around the world the infrastructure endowments is not sufficient for a massive transition to cloud‑computing would require. This is also something I throw on the table because I think before we reach the cloud‑computing era as has been evoked several times we need to provide the right incentives for those to deploy the infrastructure to invest in it. There has been a long battle for net neutral will the and I think there is more emerging consensus that some degree of traffic management can take place provided there are basic rights and key principles that are respected.
And now if you think about cloud‑computing and the fact that platform as a service, for example, infrastructure is a service it would lead to requirement of minimum quality service then it becomes very difficult to imagine it coupled with cloud‑computing. There is a more important issue here is the fact that we risk the creation of an environment where a number of players would invest money to create a high‑speed infrastructure but it would be other players that would mostly monetize and would mostly reply those benefits is the ones that provide cloud services and these are mostly application layer champions. But we do have potential policy problems, the application layers, some have been mentioned, for example, interoperability or the possibility that some IT giant becomes dominant in the provision of cloud services and starts discriminating against other services.
This is not necessarily something that will happen. I believe that there are very authoritative speakers here that probably have some ideas in this respect. But if this happens how do we make sure that access to all applications is still ‑‑ is still protected? Now, I don't want to get back to the Microsoft case a long time ago because I would reopen the wounds that perhaps one of my speakers doesn't want to look at (laugh) but indeed we have rules that mandate when a player becomes dominant, then there's mandatory basically compulsory licensing and mandatory open access in this respect. And these are embedded in our competition rules.
So in the application layer, we know that there is a sort of ghost of potential mandatory openness that might emerge even wholesale access obligations that might emerge if we don't take it from the right angle.
We have the problems of privacy and security that go into because of lack of time. All this wrapping up, I think that we need to reconsider and we also needed to reconsider before, I think, we need to reconsider our policy approach to this environment in a way that is more layered and it's more smart in the sense of smart regulation.
What I see is that regulators are increasingly caught between a rock and a hard place in this respect, because when you look at the lower layers, issues become so technical that normally regulators and public policymakers not able to be timely and speedy enough, and they will increasingly rely on self‑regulation or co‑regulation with technical agreement between players.
Now if move into higher layers and from local you become more global, national regulators or even new regulators are not sufficient ‑‑ don't have a sufficient coverage and competence and this requires increasingly international cooperation. So what I would probably like to see, and this is my concluding before the chairman becomes nervous, what I would like to see perhaps in the future is a bit more emphasis on multistakeholder or perhaps technical agreements between the different players at the lower layers, and global standards for privacy and global standards for security, and even a ‑‑ an insurance market for security related issues on the cloud at the higher layers. I don't know if it's possible, but I leave it to the audience and the other panelists. Thank you.
>> THE MODERATOR: Thank you, Andrea, for this attempt of gross gastronomic translation on the cloud. I'm sure the French would find the (French word) wording for that and it will have the Commission to translate in all the languages. The action plan.
I will give the floor to Jeremy.
>> JEREMY MALCOLM: My name is Jeremy Malcolm. I'm with Global Consumer Groups. The cloud is a real boon. Consumers benefit the ability to access their music, photos, documents from any device, wherever they are. But one of the first on the panel explained the risks to go along with that and some of the other panelists have also underlined those risks, and certainly I agree with almost everything the other panelists have said so far and so I won't have to talk about that and I won't have to talk about the need for standardization because that's been covered.
So what I will talk about in instead is the need to perhaps generate some soft law norms to cover consumers' interests in relation to cloud‑computing. And that's really what we're all about at the IGF soft power soft law. I think that when you're talking about something like cloud‑computing, which crosses national borders, it's a bit silly to rely only on national laws ‑‑ because, you know, when you travel, you want to be covered by a common set of principles, no matter where you are.
So one of the soft law documents that we are very concerned with in the consumer movement is known as the United Nations guidelines on consumer protection.
Some of you may or may not have heard of this. It was first passed by consensus of the General Assembly in 1985. So it's just celebrated its 25th anniversary. And it was amended once in 1999 to cover sustainable consumption.
But the other paragraphs of the existing guidelines, on traditional consumer issues such as product safety, labeling, information, consumer education, and as you can understand, Internet related issues are missing from the code because it hasn't been updated for so long.
So what we're proposing as Consumers International is that the United Nations guidelines should be amended to bring it up‑to‑date to include some issues that are relevant to consumers in the information society.
And so we have embarked on a process to suggest some amendments.
We began this internal Working Group of consumers international members who took a few months to do a sort of draft provisions. We then took that to an open meeting in Hong Kong earlier this year. And Saturday around in some small table groups, and went over the amendments with a fine‑toothed comb. And we ended up improving them, removing some, adding some others.
And that then went to a public comment period, which took three months and has just ended, in fact, last month.
So if you're interested in what we came up with, you can have a look on our website at a2knetwork.org/guidelines. But there are two particular sets of amendments to the guidelines that are very relevant to cloud‑computing. And I have asked for one of those to be put up on the screen. I'm not sure if that's been possible or not. Let's just wait a minute or two. I could just read them out, but that's going to be a last resort. Is it going to be possible to working on that. Okay. Well, what I ‑‑ what I will do is not start with that one, I'll start with the other one, because as I said, there are two provisions, so let's start with the other one.
The other one that we're not going to see on the screen is about what happens when things go wrong. So it says, and I hope you'll excuse me if I do just read it. It says business and governments should apply data minimization practices and use effective and updated technology to protect confidential personal data against up I wasn't rised use. Those affected by any personal data breach must be promptly notified of the details of the breach and of the available means of redress. The content of consumers' communications online must not be intercepted by governments or third parties without a valid court order.
So as you can see, this principle, it's not going to be a law, it's going to be a guideline for governments to follow, but this particular one is about what happens when things go wrong, what happens when computers ‑‑ consumers' information on the cloud is leaked. So the correct response is to cooperate, to give full disclosure to consumers, and to ‑‑ not to try and hush things up.
Should I go ahead and ‑‑ let's, okay, while they're still (laugh) while they're still working on that, I should say that these guidelines have been relatively ‑‑ the earlier set of guidelines that are already in place have been quite influential, and a number of countries have based their consumer laws around these guidelines. So although we don't want to have a binding instrument, this does have the potential to be very persuasive, let's say.
So given that there is some trouble in bringing up the other provision yeah, let me just read it. Because it will come up on the screen anyway. That will be the end. Governments and industries should support use and contribute to the development of open and interoperable standards for works supplied to or hosted for consumers in digital formats. Suppliers who provide a service to host such works online, other than a content streaming service, should also provide the means for consumers to extract those works from online storage by that supplier using open formats and protocols.
So that's quite a different provision which says, look, if you're hosting my information online, except as a streaming service, but if it's a service like a cloud service that I'm supposed to be able to access I should be able to extract that information in open formats and protocols. So we think if these two provisions were to find their way into a software instrument that would be a beneficial standard that both industry and governments around the world could have reference to when trying to design their national cloud‑computing policies.
Thank you very much.
>> THE MODERATOR: Thank you, Jeremy, and curious later in the intervention if there would be any representative of any member state who would tell us how this is possible to get into the sort of soft laws and inputs of this ‑‑ this kind. Because it's very important also to understand how this consideration can be translated into the reality of the policy making.
I'm giving the floor to Nasser. Thank you.
>> NASSER KETTANI: So, thank you for the opportunity, and, you know, to have the private sector part tabled especially, you know, with cloud providers. So I was thinking about what would be the challenge, the one thing that we need to pick up, which is very difficult, as everybody said.
And I was talking to, you know, when I received the invitation to speak to the topic, I was saying, you know everybody will talk to data software and security and privacy. So ‑‑ so what is ‑‑ what is the one thing that I would pick up? And I ‑‑ and I come up to realize that I think the ‑‑ the most challenging thing around cloud governance is actually cloud governance itself.
Because it's, I believe, is a very difficult topic to deal with.
And just to ‑‑ want to elaborate on that in ‑‑ because I agree with so many things that have been said, not everything, but so many thing that have been said.
So, I think I'm now going back into the, you know, the advantage of the ‑‑ of cloud. I think we ‑‑ a lot of people have ‑‑ you know, know, I just want to mention 1 or 2 which fundamentally are ‑‑ which I believe are fundamentally important, which ‑‑ which are around the ‑‑ the opportunities for more innovation and growth and more job creations yet to come. I believe we haven't yet tapped into the opportunities and the innovations that cloud‑computing is enabling today. And yet cloud has not ‑‑ it's not something new. Right? The concepts have been here for a while. I mean, I was amazed by your example, Patrick, this morning, when ‑‑ when you mentioned that we ‑‑ you know, when we started using Internet, I had, you know, an email service from CompuServe, 20 ‑‑ or five years ago, and these problems has been there since 25 years ago, nothing is new really, in fact paragraph and ‑‑ but the reality is now it's exacerbated, you know, with the scale and the ‑‑ the amount of ‑‑ of data, et cetera.
So ‑‑ so, in a sense, everybody is actually ‑‑ whether it's a government, whether it's a consumer, we had it's an Enterprise, every time we deal with these things, in fact, we are making trade‑offs, we have to do trade‑offs, as a user, as a consumer, when I go online and use an email service for free or anything, what I do is I do ‑‑ I know I'm making trade‑offs, right? On certain things. I get this for free but on the other hand I know or I should now and I want know, and I'm asking my vendors to tell me everything about what they do with my data. So I want to be ‑‑ you know, I want to be in control. I want to know all the privacy policies and certainly all security policies around that. So ‑‑ and then there is on the other extreme governments and organizations, customers, they also want to ‑‑ some sort of ‑‑ they are making trade‑offs, because, you know, some ‑‑ some government entities or some government organizations might say, you know what? I can ‑‑ the costs ‑‑ you know, or the value, in fact, that I'm getting from that service does outpace the cost I have to go to pay for it. And so I can make that trade‑off, knowing that ‑‑ and having enough transparency on certain things, again, as you mentioned, around, you know, the issues around, you know, data sovereignty and privacy and security and so forth.
And the other thing I want to keep in mind ‑‑ us to keep in mind is there are countries around the world that can really, really leap frog in terms of how they can leverage cloud‑computing today, and go to, you know, a next ‑‑ a next level of productivity and a next level of innovation, and so as the, themselves think about cloud policies they need to think about, you know, the trade‑offs on their fronts and what the benefits are for them as you know they go there.
So ‑‑ so for me I know it's what I fundamentally believe is we are in a nation from a transformation perspective we are in a paradigm shift. And the kinds of things that we can do with cloud is ‑‑ with cloud is amazing. I was yesterday having dinner with the ‑‑ with the ‑‑ and a innovator, I'm not sure he's here. And he's done an amazing job. You are there. And he's done an amazing job thinking about, you know, using, you know, cloud‑computing in destructive ways and what he's done is actually ‑‑ I know he can speak better than I do, but basically using sensors in cows, capturing a lot of, you know, immense data about, you know, cows' health and then being able to thanks to cloud technology, being able to deliver information about their health, about so many of things. You know, to the farmers so they can act, you know, in real time.
And that has nothing ‑‑ has not been possible in the past. And these kind of innovations I would like us to think that this is the future. And as we build cloud governance, regardless of what we do, we feed to keep in mind that these are the things that we really need to be thinking about and enabling these innovations, and not preventing them, because I know that he has gone through a lot of policy and privacy challenges in a sense, and we would not want that. We would want to protect that soft and enable ‑‑ and having policies that enable that. So the reason I selected this theme is ‑‑ of saying the biggest challenge of cloud governance is actually cloud governance itself is because we want to make sure that we are making trade‑offs. I mean, just to pick on the standardization aspect I spent years and years on standardization and I know what time it takes to be the standard. Right? It's going to take three, four, five years to be the standard. The reality is technology is going even faster, right? And how can we build standards today in a field that we just don't know? We just don't understand all the implications.
So ‑‑ so I leave it there, with this, you know, with this thought, that, yes, we need cloud governance. We need to protect, you know, consumers, we need to protect governments, et cetera, but at the same time let's make sure that we build flexible frameworks that enable, you know, innovators to keep innovator, small ones, and, of course, the large ones. Thank you.
>> THE MODERATOR: Thank you very much. I give the floor to our last panelist, Patrick.
>> PATRICK S. RYAN: Thank you very much. My name is Patrick Ryan, I'm Policy Counsel, Open Internet, for Google. One of the products that I work on is cloud‑computing, and I'm very excited to be here today. Thank you very much for inviting private sector. I'm very happy to share the panel for a second time with a colleague from Microsoft. And this is a great opportunity to discuss things that are very important to us.
Cloud is obviously a great opportunity. One of the things that a lot of people forget is that the cloud is the Internet. There is, you know, some distinction that people are trying to make in a lot of ways, it's a marketing distinction these days about the cloud, but the cloud is the Internet.
Nasser mentioned that he had a CompuServe account 25 years ago and I'm sure at some point everybody here had a, you know, perhaps a Hotmail account, you know, in the 1990s, which was ‑‑ which was, again, just a ‑‑ nothing more than a cloud ‑‑ cloud based service and you can do many of the things, you know, with Microsoft Hotmail that you can do with any of the other cloud services that are available today.
This really isn't that new of a concept. It's just interacting on the Internet with a new word.
One of the biggest challenges that I see is this sort of concern that people have. And it's a legitimate concern, but it's one that I think can be aired through education.
And that is this question of where data is. There's a lot of familiarity that people have with their old computers. The computers that they have with all of their data on their hard drives, Enterprises that have mainframes in their, you know, in their offices. It's something you can kick, you can feel, you can touch it. And the cloud is a little bit different because you know you can't go visit the data centers, you can't see where the cloud is. You can't see where the Internet is. And that makes people nervous.
Nicholas Carr wrote an excellent book a few years ago that made an analogy about the ‑‑ and he looked at the ‑‑ the movements from private electric systems to the public electrical grid. And I think there's a very interesting story there. Right? There were a lot of industries that were far more comfortable with having their own power plants right next to them in order to be able to maintain manufacturing integrity.
And then as the power plant ‑‑ the public power plants worldwide started to gain momentum, you know, there was some resistance, but ultimately a switch over to the public power plant. Made a lot of people feel uncomfortable because again these industries had a lot of comfort and they had people and staff that maintained their local grids.
It's an interesting are the so of European analogy that occurs to me. I received my PhD in Luven which is a small University town in Belgium, and I just have a very special place in my heart for Belgium, but one of the fascinating things that I always noticed that when I would fly into Belgium at night at the whole ‑‑ you can always tell when you're flying into Belgium because the whole country is lit at night of the right? And you know, why is that lit? Well, because there was a policy you know back in the day where the European countries felt that we each needed to have our own power plants and so Belgium built its own nuclear power facility to power, you know, very small, wonderfully, beautiful, I love it, country of 10 million people. Right. Now, does that make sense? In order to use that excess power because you can't you know use all the power at night. It's nuclear, you can't exactly turn it off so Belgium built street lights along all of the free ways throughout the entire country. Wonderful thing, it contributes to public safety. Not the most efficient use of energy, right? And that's in many ways the way the cloud is today. You know, it's this ‑‑ it's this recognition that, you know, you can do a lot more by embracing a broader grid.
There's a lot of discussion here today, and I'm really excited about it, about the soft law. And these standards for operability and openness. There's a lot of opportunities here for policymakers in that regard. And I really applaud the work that civil society and the European Union is doing with this.
It's not something I'd anticipated talking about, but it really is at the heart of what Google believes in.
Google ‑‑ it wasn't that long ago that Google was a company in a garage. Right? We were built on the idea of openness and ‑‑ and data portability. And we wouldn't be able to have our services be adopted by others if there wasn't a certain amount of portability available.
It's ‑‑ it's such a core philosophy for the company that we have sort of an organization within the organization called the data liberation front. And if you look up the website it's dataliberation.org and it has a fist with a chain, it doesn't look Googly at all. But the principle behind it is to make sure that every product within the Google product line has a data portability option so that users can take their data with them. They have a product called Google takeout so you can take your data with you any time. The philosophy is that we want users to love us, but we don't want you to be locked in. And if ‑‑ if you're ever frustrated with us, there's opportunities to take it. And it's a major organization, every time a product is launched it needs to pass the data ‑‑ the data liberation test in order to make sure that it is portable.
Those rules are wonderful things, and ‑‑ and can certainly enable an ecosystem and enable the next Google of tomorrow hopefully from Europe.
That's it. I have one other just question that I think might be worth discussing since we're talking about standards. I'm very interested in the development of standards and security standards, you know, particularly, in ‑‑ in some of the work that's happening in Europe with ANISA. There's some development of standards with CAM is standard and ANISA has a checklist. In parallel we talked about IS. 0 and the 27,001 standards, lots of opportunities for independent third‑party tests that can be applied. I'd be very interested in any discussion, if it takes us there, about how those may play a role in the future because we're listening and are very interested in that as well. Thank you.
>> THE MODERATOR: Thank you very much. I think you were lucky because my corner died. But I invite everybody to ‑‑ to ask a question or to make any ‑‑ any relevant statement. I would take maybe the first question here.
>> THE PARTICIPANT: I'm the guy behind the cloud story. I've got another concern though when I was listening to the opening statements, so‑to‑speak. There's a big focus on creating a competitive cloud market. But the focus seems to be on the larger corporations that are actually driving the cloud itself like Google, Microsoft, Amazon, Salesforce and whatnot.
Typically, for me, as a small, medium size business, the cloud gives me the opportunity to actually be competitive with the bigger firms in the same space. And without the cloud I would not have been able to do so. Right? So if I am doing a bid on the project, I used to lose to big guy because they are offering a full redundant data center storage to host the application for their customer.
I would not be able to do that as a small, medium business, the cloud actually gives me that opportunity. So in all the regulations and all the corporate binding and all the stuff you're going to think of and policies that we need to have in place I hope you also consider the smaller guy who's actually benefiting big time from the whole cloud initiative.
>> THE MODERATOR: Anybody from the panel that wants to.
>> THE PANELIST: Well, when I started speaking I said how important it was for grown, how important it was for small and medium enterprises et cetera, so in the European context, I can't yeah, yeah, you can't hear me. Sorry. In the European context at least this is one of the elements that we're looking at, particularly, I mean, I said, too, that we want to make sure that cloud providers and cloud users have the best possible circumstances and the best possible market. So you ‑‑ you may be able to use a provider that suits you in one particular country that covers, I don't know, maybe your particular interest is security. And your provider will provide you with security because this is the most important thing. If you lose your house or your data it will be a disaster. Someone else may be more interested in data protection. I mean, there are many different possibilities, and I think the ‑‑ the potential for growth in cloud provision, as well as, of course, by definition, cloud use, is exponential. And if I can ‑‑ since I got the floor like this just a clarification on standards. When I said how important standardization is, and, of course, in the international context I wasn't implying, I hope that wasn't understood that we'll just standardize everything relating to cloud. That would be first, impossible, second, unrealistic, third, it would stop everything (laugh) point‑blank, we would never get any further because it would take us I've years, 20 years probably to do everything. But there are certain elements and areas where standardization can lead us to a level playing field to improve things. So I didn't speak the whole five minutes at the beginning so.
>> THE MODERATOR: Thank you very much. I wanted anyway to come back to the standardization issue, we are talking about it but I think in a very broad sense and maybe if we come back to delay the approach and today I was mentioning we can maybe identify where the needs for standardization can apply but Andrea wanted to.
>> ANDREA RENDA: Of course, there's always a bit of ‑‑ suspicion when you talk about standards, top down standard advocates rather than a bottom‑up. Well, actually well deserved (laugh) but in the ‑‑ of course, there are two ways of seeing things. On the SMEs I perfectly agree. Nobody's denying ‑‑ perhaps, we went all the other extreme, we didn't emphasize enough the benefits that the cloud would be, everybody took them for granted. We started looking at the challenges.
What I think is important is not to confuse the outstanding opportunities that the cloud platforms provide for SMEs also in terms of not just new ideas but also reducing the cost of using IT equipment, for example. And on the other hand, the overall competition that is emerging between platform ‑‑ cloud platform operators, platform providers, meaning, for example, to make ‑‑ to keep it short, a lot of SMEs have been able to develop applications for the iPhone, iTunes over all Apple platform. This doesn't mean that the Apple platform is the most open and interoperable in the world. Okay. That's just to clarify. Thanks.
>> THE MODERATOR: Is there a reaction on this topic, in particular?
>> THE PARTICIPANT: No, I think ‑‑ again, I don't want to seem, you know, against standards, I just wanted to make the point that they take time and say ‑‑ there is an amazing work going on right now, you know ‑‑ you know, across the ‑‑ you know, ISO, and, you know, the NIS, and European Commission, ITO, to dig into the use cases, understand what needs to be standardized, and I think that's the fundamental, if we go through that path and first understand what is needed what are the use cases, scenarios, and we can standardize there what needs to be standardized, that's the best way to do it.
>> PILAR DEL CASTILLO: I mention the aspect of portability and competition, because I think it's essential. I mean, it's very clear that we can get a lot of benefits from the SMEs to yourself or, you know, this is a huge benefit which many of my colleagues said here, but I think we need the standards that we really need for making the interoperability a reality and making the portability a reality. If we don't get that then there will be in the market a restraint for benefits of all users, and then that was my point. And in that sense, I know that. I mean, standardization can really hamper innovation. You close and you are inflexible but then you have to really focus on where, in order to get more competition in that market.
>> THE MODERATOR: Thank you.
>> THE PARTICIPANT: So one of the biggest issues that I encountered in that whole cow story is the lack of data regulation. So I ran into issues where there are countries, member states in the EU that say: Anything you store that lives inside the borders of my country need to be stored on hardware within the borders of my country.
So, and therefore, it's impossible, almost, to do stuff that I did with the cows.
And if you go knocking on the door and go how is this regulated? Nobody seems to know. So what do you do? Do you go to every member state and figure it out yourself? Awake the sleeping dog or are you just going to do it.
So instead of looking at the bigger picture, I think there are issues at hand that are currently not dealt with by the EU as such. And so data regulation I think or freedom from data travel, data sharing so‑to‑speak would be very beneficial.
>> THE MODERATOR: Thank you very much. I think we have a question here.
>> THE PARTICIPANT: Thank you very much. Ian Fish BCS, the charter institute for IT in the UK.
Sorry to move us away from what we've just been talking about because it's fascinating, but I want to take us back to what Nasser was saying about his wanting to know ‑‑ his trade‑off remarks.
And there are two things that I'd like ‑‑ two points I'd like to comment ‑‑ the panel to comment on.
He had basically said he wants to know what all the aspects of the other side of the bargain he's making when he puts his data online are. And there was an implication there that you could actually know this. And there has been some suggestions recently, this is not the case because of aggregation and time, that the other side of the bargain, you actually don't know what it is, because it can go on aggregating information for sometime and even of the a you've left an organization in some cases as has been shown recently or you've left your side of the bargain.
And the second point is that he wants to know what all the aspects of the other side of the bargain s but I was in another panel thus morning, where a tweet came in from a young user, somebody interested enough to be tweeting on this particular issue, and said: Life's too short to look at terms of service, privacy, things and such like. Now, I'm sure that's not just him or her. I'm sure there's an awful lot of people like that. So I'd just like some comment on that. Thank you.
>> THE MODERATOR: I don't know who wants to start? Reacting on this? Maybe an institutional reaction or a business reaction.
>> THE PANELIST: Okay this is a very complicated issue, and I consider myself a recovering Telecom lawyer. So I'm probably not the best to talk about the values of contracts and terms of service and, you know, I'm hoping that I don't ever have to negotiate anymore contracts or ‑‑ or to draft them of that kind.
There have been studies that were ‑‑ that were done, and I don't of the exact figures on hand, that say that, you know, if the average user, I'm going to just make this up, because it's, I think, close, that if the average user had actually read all of the terms of service for the number of websites that they use within a given year it would take them two years of straight reading, that's a lot of reading and they wouldn't have understood it. Right. So I believe you're absolutely right. There's a problem that needs to be fixed. And it's a ‑‑ I think that's a great topic for another workshop.
>> THE PANELIST: And one of the issues that has come up in the public consultation and of course primarily with the consultation with industry is exactly the issues of liability and contract provisions.
And, of course, no one is suggesting that it should be a standard contract for cloud provision, but there are many common interests interests and areas where we know that generalized contractual ideas or generalized contractual provisions or a consumers guide to ‑‑ or something like that would be very helpful. So it's certainly one of the things that we're looking at which we are now expecting in the EU is a huge debate. When you say about the customer and the cloud entity relationship, I would say we can never leave that for negotiation between these parties. I mean the imbalance is clear here much so what we really need is some strong principles that cannot be circumvented with consent. So meaning I agree to very long terms and conditions no matter I read them or not, which might change the other day, but we need principles like data minimization, like accountability, proportionality, so all this old‑fashioned talk, but unfortunately there is no other way forward I believe rather than state or powerful entity limiting what cloud providers can do with the data when you ask about privacy I guess that's more for me, yes, provocative question, of course we do not know how the users will constantly he have zoo privacy in the next generation or how they conceive it now. But from our perspective the problem is awareness and education. I do not think that users know enough what happens with their data and what the implications are. So maybe by talking privacy is not important to us, they just mean things like: I have nothing to hide. But this is not the main issue. The main issue is the manipulation and the balance of power that can happen may happen in the market if we leave our data without any protection.
So I will be careful with these statements just because people don't ‑‑ might not understand the full picture.
>> THE MODERATOR: Thank you, first Nasser. Then Andrea.
>> NASSER KETTANI: I'm not, you know, a lawyer, I'm a technologist but I, you know, kind of the limits of technology and policy.
We have set some principles in our company around these issues. One is we decided that we are not going to leave this discussion around privacy to the engineers. This is a discussion that is taking place by our privacy experts, and what we have done is we have built something that we call privacy by design, which is basically as we build the products, we think privacy from the ‑‑ from the ground up, for each and every one every product that we ship in the markets, and it goes today across‑the‑board where people think about it. Let me just give you an example. Because that shows that even in cases where we don't ‑‑ where people won't think about privacy we actually think about it when we bring privacy experts, when we did connect which a lot of people have seen that disclaimer where people can do justice. And you think why should we have a privacy issue in connect? A lot of technology around face recognition and because we have thought privacy by design from the beginning, we put our experts in place, and we have ‑‑ get the engineers think about how they actually address the problem by, you know, encrypting the, you know, the images, et cetera so that nobody can use that. And we solve some of the problems there. So there is ‑‑ in order to address this problem the first is that it should be commitment and conviction, that this is a problem, and we need to protect customer data whether it's consumers or Enterprise, because I mean there are different ‑‑ and then you build it from the engineering ground up, I think that's one way of addressing that. And the third thing is about how transparent we are about it and transparency is not just by saying, you know, read this, you know, 20 page of contract which basically, you know, is the same thing as an insurance contract because that's another aspect. Banking or insurance or credits, nobody reads them and we don't know what we sign up for. I'm what we need to be doing is to make the distinction very clear, very simple, straightforward, for people to understand. So there's clarity and simplicity as well that needs to take place from our ‑‑ from our angle as this is the way we look into it.
>> THE PARTICIPANT: Thank you.
>> THE MODERATOR: Andrea.
>> ANDREA RENDA: They're interesting questions because I think it's also good example on how certain things can be approached and the relationship with end‑users.
And I think in ‑‑ in this respect we do have like 40 years at least of literature on academic literature on behavioral economics that tells us how to approach that. Cyberspace is the typical environment where it creates a poverty of attention. We cannot expect that the end‑user actually reads through everything as in the real world. So what I think is quite important in this respect is that simple tools that are sort of proxies for what is the compliance with basic standards ‑‑ basic principles are developed perhaps by the industry, for example, other forms of nudging people into more privacy compliant applications or softwares.
Another typical application of this approach, which is grounded in behavorial economics even in new economics to some respect is to switch out from opt out mechanisms into opt in mechanisms where the end‑users actually have to make an informed choice before they actually decide to adhere to a specific scheme of ‑‑ or specific treatment of data before they decide to enter this trade‑off.
I believe this is perhaps an uneasy path for those that live with organization of data. It is, perhaps, more of a Garn fee for the end‑users overall.
>> THE MODERATOR: Thank you, Andrea. I will take two questions from the floor ‑‑ three questions from the floor. The first would be from senator that I welcome here.
>> THE PARTICIPANT: What do you think about the relation between skilled economy and the market regulation?
>> THE PANELIST: It is very simple. Cloud has more problem and not less problem than the classic period of computer. Net neutral will the is the indication.
>> THE MODERATOR: I suppose that the question is about the balance between regulation and self‑regulation. What is the balance? Anybody?
>> THE PANELIST: Like all balances it's delicate. Let's start with that basic principle.
And I think that in an area that is developing so quickly and as many of you know, much better than I, as soon as you start establishing rules that are too restrictive or too limiting, you stop the development.
I'm still convinced that innovators and developers and the youth of today is so ‑‑ what's the word? Innovative I guess and so quick that even if we establish a bunch of silly rules they will find 20 ways to come around them and dwell new technological solutions. But that's not the point.
I think that we are in many areas, particularly in the European Commission and of course, with the Parliament and member states, more and more wary of imposing regulatory provisions that are going to limit development and stop new paths.
On the other hand, there are certain basic rights and requirements that have to be established and that's where we usually draw the line.
With respect to self‑regulation and co‑regulation, of course there are many, many areas where these are extremely useful. I use one from my own area, for example, in the privacy impact assessment for radio frequency ID.
Which has been for the moment extremely useful. We're going to talk a little bit tomorrow about Internet of things and add for workshop tomorrow.
I mean, these are areas where self‑regulation and ecoregulation can really be very useful. And the cloud, of course, is another one.
>> THE PANELIST: Yes, this is an area that I think is a very good question and deserves a lot more study. It's something we've spent a lot of time on and in fact this is one of the focus messages that Google has for the IGF this year and that's, you know, figuring out what the value is of the Internet economy.
Cloud is the Internet. Right? It's one service on the Internet. And we've spent a lot of time recently working with consulting groups to determine what is the value of the Internet to an economy. And in fact, we have a website Google.com/events, it is on the back of my card. We've published the studies that we have so far in this field. There is about 13 or 14 studies, most of them are in Europe. And we've looked at, you know, the ‑‑ the different types of policies and impacts that the Internet ‑‑ different types of regulation could have on the Internet economy.
On the higher end are the companies like the ‑‑ are countries like the United Kingdom and the Nordic countries which, you know, have highly regulated sectors in many ‑‑ in many ways but in the case of the Internet are very hands‑off relative to other country inside Europe.
And we can, you know, see relatively the impact and the projected growth over the next five years of those economies.
Those are studies that are relatively new. And with thing they can they're very powerful tools for policymakers in order to look at and apple lies. I'd be happy to follow up with you on that afterwards.
>> THE MODERATOR: Thank you very much. There is a gentleman here who wanted to ask a question.
>> THE PARTICIPANT: In fact, I was hesitating to ask the question. I am a lawyer from the African Registry. And when our friend from Google said he is no longer in practice, no longer looks at contract, but I still do. I still earn my living from that. When I said the point about looking at the cloud‑computing service contract, do we consider it still as a formal, classical IT service contract? Some people have raised the imbalance in terms of liabilities we tend to offer and those who buy the offer. In balancing terms of obligations. If we continue looking at it from the classical sort of license side from Oracle, from all those providers, of course, the end‑user is always ‑‑ he just opts in. He has no choice.
But of the level of the EU has there been any sort of study done or reflection done to try and get the shift from the classical IT sort of service contract to ‑‑ because it is a special service, it's not just putting something on your record but there are more things to it. When we look at availability of services, who says that tomorrow if the service providers' ISB fails who bears liability to my client down the line.
Tomorrow if I get ‑‑ I buy something in ‑‑ in the old days we are buying software we get a CD. I now I have a license. What do I get when I buy now? A pass through thing? Nothing more than that. I believe there is something to protect the end‑user to allow us to grow, we need to build confidence in those who want the service and I think there must be some studies, I don't know if there are up to now, but we have got to relook, revisit this contract so that it becomes a per se cloud‑computing contract instead of going by analogy to look at it from the other perspective. Thank you.
>> THE MODERATOR: Thank you very much. I would keep the answer of maybe two panelists because we have still four questions. Who wants to react very quickly?
>> MEGAN RICHARDS: Well, I think you asked in the context of the EU, if I'll not mistaken, is that what you said? Well, anyway (laugh) now that I've got the floor, but it's ‑‑ one of the issues that has been looked at and it's been raised by industry, it's been raised by consumer groups, it's certainly an issue that's absolutely essential, liability and contract provisions so I don't have the answer that, yes, X is what it should say or whether it should necessarily be opt in or opt out. But these are certainly the issues that we're looking at.
>> THE PARTICIPANT: I think your question is correct, meaning there's a ‑‑ although the EU is famous for having regulated always everything on earth.
>> THE PANELIST: A consumer policy has been a very long one and thorough one in the mid‑'70s and over the '90s, when it comes to click wrap contracts that has not been fully tackled at the EU level.