Transparency and Clear Guidelines Can Help Regulators through the Fog
Cloud computing continues to grow and expand in use. But its inner workings -- the movement and properties of data within the cloud -- are opaque. Despite the existence of service level agreements, and some management tools (depending on the service model), there is often little scope for tenants, let alone end-users, to determine what happens inside a cloud service. The crucial next step in cloud evolution is transparency.
One of the essential attributes of a regulator is immunity to metaphor. ‘The cloud’, as a figurative representation of massive distributed server farms, is particularly potent. But cloud computing underpins a range of online services. For regulators, the cloud must be viewed at the granular, elemental scale: at the level of data and data flows. This is the level that impacts ‘tenants’ -- the industry term for those who contract with cloud providers -- as well as the end-users of cloud-hosted services and applications.
The reason the cloud is such a compelling proposition is that it brings great efficiency, through global availability and economies of scale. Regulation generally counters this efficiency: it is national or, at best, regional. So, what should a savvy cloud-regulator do?
Regulators must see through the cloud -- both the metaphorical one, and its physical manifestations. In particular, it would be of significant benefit to cloud tenants and end-users, as well as to cloud providers seeking effective and efficient regulatory and contractual compliance, if there were much greater transparency and control over the internal workings of what are currently opaque, ‘black-box’ cloud data flows.
Regulate in a way that reflects the nature of the Cloud
A cloud-hosted application typically involves a number of parties: cloud providers offering the infrastructure; tenants who use the provider's infrastructure to offer services/applications; and end-users who use those services/applications.
It is important that any regulation not only accounts for these relationships, but also reflects the fact that provider service models differ. In the case of ‘Infrastructure as a Service’ (IaaS), for example, providers offer the ‘machinery’ on which the tenants install their own software, databases, service functionality, etc. An IaaS tenant has some power to determine how data is managed. This is very different from ‘Software as a Service’ (SaaS) offerings, where the whole application/service stack is offered by the provider: think of a university email run by a large webmail provider. Here, the provider calls the shots, with any (technical) mechanisms for tenant customisation predetermined by the provider (and their software).
Given these differences, it is important to tailor regulatory approaches so that they are meaningfully directed at those who have effective control and access to data, whether they are the tenant and/or the provider. Regulation should be based on clear guidelines and examples on which parties can place reliance, rather than simply tarring all tenants or cloud service offerings with the same brush.
In particular, at one end of the spectrum there are services/applications that actively probe personal data. At the other are services that provide lower-level infrastructure, and which do not deal in personal data and/or cannot access (intelligible) data, due to encryption or other means. In between, there are also concerns about confidential information of a commercial or fiduciary nature. Regulatory oversight must properly account for these differences, meaningfully and actively protecting the fundamental rights of individuals, while reducing bureaucratic limits and encouraging innovation and competition where these rights are not engaged. In our view, the European data protection framework -- both current and revised -- is too blunt a tool to achieve these ends, through a combination of overreaching definitions and ineffective enforcement.
Drive transparency in Cloud offerings
Currently, the cloud tends to be opaque -- a ‘black-box’. Despite the existence of service level agreements, and some management tools (depending on the service model), there is often little scope for tenants, let alone end-users, to determine what happens inside a cloud service. This is a real concern: if tenants have data management obligations, then it is important for all parties to be able to ‘see into the cloud’, to make sure that the data is managed according to expectations and responsibilities.
It would be a significant improvement to have mechanisms in place that give tenants, and indeed end-users, fine-grained, nuanced control over data that is ‘out of their hands’. We are actively involved in research towards this.
The cloud is here to stay -- in fact, its use only continues to increase. Improving the transparency and visibility of cloud service offerings is essential for the market to evolve and thrive. It is a direction that deserves regulators' attention and clear support.
Dr Jatinder Singh is a Senior Research Associate at the Computer Laboratory, University of Cambridge. He works on issues of management control in distributed systems, particularly for cloud and IoT, and is involved in the Microsoft Cloud Computing Research Centre, which explores the tech-legal intersection of cloud computing.
Julia Powles is a lawyer and researcher at the Centre for Intellectual Property and Information Law, University of Cambridge, where she works on the law and politics of information-based assets, from data privacy to patent law.