Regulating The Cloud PDF Download

Cloud computing challenges existing regulatory paradigms in a variety of ways. This paper, which differentiates among cloud services, services hosted on cloud platforms and 'cloud-enhanced' services delivered with the aid of cloud-based storage, processing and other functions, seeks to identify and analyse challenges to existing regulation arising from the spread of cloud and cloud-hosted services and areas where new regulatory intervention may be necessary (especially to meet the competition and consumer protection obligations of telecommunications regulators). The paper further tries to distinguish between problems specific to the cloud (e.g. the IPR issues associated with content-matching for cloud-hosted content) and those that are simply more noticeable or less tractable there (e.g. issues of data location). The first part of the paper develops a framework for analysing these issues, taking into account i) cloud features (e.g. service, contractual and deployment models, B2B vs. B2C offerings); ii) specific mechanisms for creating or preventing citizen, consumer and competitive harm; and iii) regulatory mechanisms or relations (ex ante/ex post, rule- or principle-based, competition vs. utility). The regulatory issues can be divided among: a) bypass (where regulated activity escapes regulation by going 'via the cloud'); b) direct regulation (of cloud services); and c) indirect regulation (e.g. regulation of cloud-hosted services or use of telecom or direct cloud regulation to address issues arising in cloud-hosted or 'cloud-enhanced' services. The analysis identifies (for European telecom regulators) whether the issues require an extension of the existing mandate or duties and whether they are likely to be transitional (solved by market developments) or amenable to self- or co-regulation. This framework is populated by an inventory of issues and recommendations regarding such specific cases as customer mobility, data location and migration and the telecom regulatory implications of communications-as-a-service. The inventory of policy issues is divided between regulatory concerns arising from the statutory duties of telecoms regulators and implementation issues arising from the distributed and internationally peripatetic nature of the cloud. However, it raises more questions than it answers; while Section 4.2 indicates some areas where existing justifications for regulatory intervention can be applied to the cloud and Section 4.3 discusses how regulation may or may not work, it is useful to consider whether distributed and delocalised computing as a service calls for a reconsideration of the regulatory heritage of communications and/or broadcast content distribution. To partially address, this, the final section provides a prolegomena to an alternative theoretical analysis. It concentrates on economic regulation of cloud services, specifically cloud platform competition and neutrality. To the extent that computational services complement many forms of economic activity, it may be necessary to revise fundamental assumptions regarding market identification, quantification of market power and the appropriate locus of liability (whether regulatory or contractual). This is most obvious for location-based issues but applies as well to linkage between or potential conflict among different competition and consumer protection regulations. For instance, exclusive and transferable IPR protection for content or cloud-hosted applications may need to be recast in shared or networked cloud environments. It may be necessary to devise new forms of protection for economically-valuable personal, proprietary or private data, or at least to reconcile existing tensions between economic vs. fundamental rights and between individual and collective rights. As a final example, quality of service is important both to the efficiency of cloud service markets and to their contribution to the economy as a whole; the very different ways service and platform providers and different classes of users experience quality should engender new contract forms and mechanisms for matching parties and monitoring and enforcing contracts; but these have been slow to develop. The paper suggests extending the conventional two-sided markets approach (viewing public cloud providers as platforms) to differentiate e.g. situations where: • value is derived from a specific matching or relationship among individual users and service providers; • the value of participation for players on one side depends on an aggregate (e.g. distribution or number) of those on the other side or - eventually - the dynamic topology of their networked interaction; and • users and their demands and service providers and their outputs migrate from one platform to another - and where, in consequence, the layered network structure is critical to market structure and performance. This analysis can identify the implications of different deployment strategies, 'freemium' and pay-or-play models and predatory or collusive use of the cloud and cloud-based resources. Specifically, the value of engagement with (through) the cloud should be treated as a real option based on the totality of content and services available. From this, it is possible to derive the technical, allocational and innovation efficiency consequences or various market regimes and business models and to assess stakeholders' incentives to invest in shareable resources (including telecom infrastructures) and the platform operator or hosted developers' willingness to provide risk-management services (e.g. privacy as a service, processing of encrypted material). This naturally raises the issue of cloud neutrality as a generalisation of net or platform neutrality. While we remain convinced that the 'right kind' of differentiation is potentially valuable - or even essential to provision of certain services at particular stages of development - we feel that it is also valuable to consider the effects on cloud services of 'net neutrality' regulation binding on ISPs and the potential effects of more extensive 'cloud neutrality' regulation. This is a very broad topic; the discussion here is limited to quality of service discrimination (specifically latency) with reference to some promising specific application areas: algorithmic or high-frequency computer-based financial trading; supply chain data repositories; app ecosystems; and privacy of action and computational communication.