ASIS&T, Meet the Authors Series: Regulating the Cloud, September 14, 2016.
The contributors consider such topics as the economic implications of the cloud's shifting of computing resources from ownership to rental; the capacity of regulation to promote reliability while preserving innovation; the applicability of contract theory to enforce service guarantees; the differing approaches to privacy taken by United States and the European Union in the post-Snowden era; the delocalization or geographic dispersal of the archive; and the cloud-based virtual representations of our body in electronic health data.
Chapter 1 --- Joe Weinman: Cloud Strategy and Economics
Cloud computing is fascinating and disruptive as a technology and IT operations model, but this chapter covers the cloud in terms of its impact on business strategy and economics. Cloud computing can enable a variety of "digital disciplines" that can enable competitive advantage: information excellence, solution leadership, collective intimacy, and accelerated innovation. From an economic perspective, clouds generate value through statistical multiplexing, geographic dispersion, pay-per-use pricing, and reduced provisioning intervals, which may be rigorously quantified through statistics, calculus, trigonometry, and system dynamics analysis and also viewed through the lens behavioral economics. Such an analysis can inform policy.
Chapter 2 --- Marjory S. Blumenthal: Finding Security in the Clouds
The growing importance of cloud computing has heightened the importance of cloud security. At the same time, the Snowden revelations and the accompanying calls for localization have made cloud policy debates increasingly international in scope. Unfortunately, cloud providers lack strong incentives to enhance security, have been reluctant to partner with government to develop solutions, and are concerned that being classified as critical infrastructure will subject them to heightened regulatory burdens. Although regulatory efforts to date have focused on voluntarism in order to preserve incentives for innovation, government oversight of the cloud has become increasingly regulatory in nature, focusing largely on risk management. The growing social importance of the cloud is placing pressure on cloud providers to accede to vulnerability assessments and reporting despite their ambivalence about government involvement in cybersecurity and critical infrastructure protection.
Chapter 3 --- William Lehr: Reliability and the Internet Cloud
The Internet is evolving from a best-effort, unregulated, data transport network overlaid on the legacy telephone network (or PSTN) into the global platform (the new PSTN) for a much more complex array of computing, storage and data transport services (the Internet Cloud). Policymakers confront numerous questions in crafting an appropriate market-based regulatory framework to protect the public interest with respect to the Internet's new role as essential socio-economic infrastructure. This chapter discusses the technical, business, and policy trends driving this transition, with special focus on the complex challenge of ensuring reliability in the Internet cloud.
Chapter 4 --- Christopher S. Yoo: Cloud Computing, Contractibility, and Network Architecture
The emergence of the cloud is heightening the demands on the network in terms of bandwidth, ubiquity, reliability, latency, and route control. Unfortunately, the current architecture was not designed to offer full support for all of these services or to permit money to flow through it. Instead of modifying or adding specific services, the architecture could redesigned to make Internet services contractible by making the relevant information associated with these services both observable and verifiable. Indeed, several on-going research programs are exploring such strategies, including the NSF's NEBULA, eXpressive Internet Architecture (XIA), ChoiceNet, and the IEEE's Intercloud projects.
Chapter 5 --- Andrea Renda: Cloud Privacy in the US and the EU
This chapter reviews the legal framework for data protection in the US and the EU and the attempts made in both jurisdictions to adapt the framework to the challenges posed by cloud computing and the evolving IT ecosystem. The two legal systems have developed widely diverging approaches to the protection of privacy. On the one hand, the US relies on a patchwork of laws (including the Electronic Communications Privacy Act, the PATRIOT Act and the FISAA and many sectoral laws) and the enforcement activity of the Federal Trade Commission under Section 5 of the FTC Act. In the EU, privacy is considered as a fundamental right, and is protected through comprehensive, cross-sectoral legislation (the Data Protection Directive, currently being updated and transformed into a Regulation). The emergence of cloud computing poses challenges for both legal systems: what seems likely is that the US will keep under-protecting privacy in the name of efficient commercial transactions (with great responsibility placed on the FTC to monitor abuses of bargaining power and other deceptive/abusive practices); whereas in the EU cloud services might end up trapped into an over-formalistic legal framework, which leaves little room for trade-offs between privacy and welfare-enhancing customized service for data subjects. The chapter discusses also the future of transatlantic data transfer, with the EU-US Safe Harbour and the Binding Corporate Rules currently being re-discussed in the aftermath of the "Datagate" scandal.
Chapter 6 --- Jonathan Cave, Neil Robinson, Svitlana Kobzar, Helen Rebecca Schindler: Understanding Regulatory and Consumer Interest in the Cloud
This Chapter presents two frameworks to help understand the range of concerns relative to consumer harm articulated at national and European level in the context of cloud computing. These concerns have been in the crosshairs of European telecommunications policy-makers since cloud computing became a prevalent issue for telecommunications regulation around 2007.
Chapter 7 --- Luciana Duranti: Digital Records and Archives in the Commercial Cloud
Commercial cloud computing is increasingly attractive to records creators and preservers, but raises several challenges that need to be resolved before a policy choice can be made. This chapter addresses the key issues of jurisdiction and trustworthiness as they relate to records and archives stored in a commercial cloud environment, and suggests ways of addressing them.
Chapter 8 --- Lothar Determann and David Nimmer: Software Copyright's Oracle from the Cloud
Clouds are on the horizon for software copyrights. The open source movement has been active to turn copyright into "copyleft." Courts around the world are reshaping the first sale doctrine. Software manufacturers flee from distribution to service models, into the Cloud. A perfect storm for software copyrights is brewing. The Cloud promises to enable software publishers to place their code outside the framework of copyright exhaustion under the first sale doctrine and the "distribution trigger" in open source code license terms. Users' inability, in the Cloud context, to directly access the underlying software threatens to exert various side effects, notably affecting software interoperability. New kids on the block lose the ability to reverse-engineer hosted software. Established platform providers gain the ability to prevent interoperability, based on laws prohibiting interference with computers and technical protection measures. These developments risk upsetting the delicate balance between exclusive rights for copyright owners and access rights for the public, a balance that courts and legislatures have carefully established over the years, in order to foster creativity and innovation. With unprecedented pressure on traditional distribution models, how will copyright law cope? This Chapter illuminates the immediate path ahead, presents possible answers, and asks more questions.
Chapter 9 --- Nicolas Bauch: Bodies in the Cloud: A Geography of Electronic Health Data
This chapter takes a geographical perspective on a medical biotechnology known as Wireless Body Area Network (WBAN). WBANs generate, transmit, store, and retrieve information about the biological functioning of patients from any location, allowing doctors to watch their symptoms from computer screens at different locations. The chapter asks what happens to the body when millions of data points are collected from it, and are stored in data center facilities that are increasingly altering urban and rural landscapes. The chapter builds from an ontology based in object relations (e.g. bodies and material, digital information) to propose a different ontology based in extensibility. The political project is potentially vast. When data centers and the landscapes in which they are situated become pieces of the body itself, they must be given greater care and protection by the law.
Conclusion --- Sandra Braman: The State of Cloud Computing Policy