The recent Sovereign Cloud Summit, part of VMware Explore in Barcelona, raised a number of questions about data protection and cloud sovereignty, but as Bill Mew argues, the implications go far further than this.
Guest article by Bill Mew, Global Cyber Ambassador for the International Association for Risk and Crisis Communication (IARCC.org)
We all have a right to privacy. However, as members of society this privacy is limited. We need to share data with our doctors so that medical records are accurate and our treatment can be effective. We share identity information so that we can be issued with passports, driving licenses and other forms of identification. We also need to share information with the tax authority so that our contribution to society, taxation, can be calculated accurately. And there needs to be effective law enforcement, whereby under judicially supervised warrants, police are able to obtain evidence for investigation and possible prosecution. They also need to keep records of crimes and of criminals. These powers are limited to our own law enforcement authorities however. There are far more stringent limits on what foreign governments can obtain via international warrants. This is simply how societies work.
A great deal of the information that we share is personal and particularly sensitive and needs to be protected and not shared without our consent. Additional information that we share, when booking a flight or a hotel, should also be used, stored and shared by consent and limits applied for particular uses and the extent that it is shared.
Organizations also have secrets. Governments have confidential, secret and even top secret documents that require extra protection, and companies have intellectual property that they guard stringently.
The problem is that failures to either respect privacy and protect data are increasingly common as are attempts to steal data or conduct mass surveillance.
It is an unfortunate fact that the mass surveillance programs in the US, unveiled by Edward Snowden, not only lack the protections that other societies require (such as independent judicial supervision, means of appeal and redress, etc.) but they are extraterritorial in nature. The NSA in the US can seize data held by US tech firms, even if it is held outside the US, such as in their European data centers. It is for this reason that the data sharing agreements between the EU and US, called Privacy Shield, was overturned, that the US has been deemed to fail the data adequacy test for data sharing, and that supplementary measures are required (such as encryption) when either transferring personal data to the US or sharing it with a US tech firms, including the public cloud giants.
For years governments and concerned players in the EU and elsewhere have argued that sovereign clouds were required that could protect the sensitive information of citizens, companies and governments themselves from such extraterritorial intrusion. The cloud giants were well aware of these issues, but chose to dismiss them, but like an elephant in the room they were hard to ignore.
More recently in an effort to placate concerned clients, the cloud giants have launched serves of their own that they claim offer cloud sovereignty. While these include assurances on data residency and promises of higher levels of assurance, they ignore the extraterritorial legal provisions in the US that have yet to be repealed or reformed.
It is as if the elephant in the room has a trunk ‘cloud sovereignty’ and two large ears ‘data adequacy’ and ‘mass surveillance’. For years the giants have done their best to keep the elephant hidden. In launching sovereign cloud services of their own they are now acknowledging the fact that the elephant’s trunk exists, and in doing so they are endorsing the very real need for cloud sovereignty, but at the same time they are seeking to maintain that the rest of the elephant still does not exist. This is untenable, as Laurent Allard, VMware’s head of EMEA Sovereign Cloud explained at the Summit in Barcelona. Watch the replay here:
Elephant in the room
Pretending that only the trunk exists
Unfortunately there are no internationally agreed standards for cloud sovereignty. VMware, which provides technology to enable local cloud players to create true local sovereign clouds, has a checklist of 20 essential attributes, but these have yet to be incorporated into any formal industry standard.
Indeed VMware’s cloud platform also provides other advantages, such as full interoperability and portability that helps overcome the lock-in that is of concern to clients of the cloud giants.
Broader societal implications as AI starts to transform value creation
One of the reasons that the cloud giants are now recognising the issue of cloud sovereignty, having ignored it for so long, is the emergence of AI. This is going to exacerbate many of the issues that we have already faced - from privacy to value creation and taxation.
- Privacy: the operations of data aggregators have always been of concern and many have been challenged for poor data compliance - sharing or using data inappropriately, failing to protect it or refusing to remove it on request (the right to be forgotten). AI systems aggregate data on a vast scale and assimilate it in a way that makes tracking its use or enabling its removal impossible.
- Value creation: AI systems will enable a massive shift in value creation from humans to machines. While arguments continue in relation to the number of jobs that will be lost or created, it is accepted that AI will be transformational and that many people will be left behind in this revolution.
- Taxation: many of the jobs that will be lost are ones that pay wages and taxes, while the AI systems that will replace them don’t pay either. AI will lead to a massive shift in value creation from labor (people) to capital (machines) and systems of taxation will need to adapt to reflect this.
The problem of taxation has already been of concern during the cloud era and will become even greater in the era of AI. The UK government attempted to crack down on multinationals shifting profits overseas and evading tax by introducing a “Google tax”. Amazon’s main UK division paid no corporation tax at all in 2022 or 2023, and officials predicted that the “Google tax” would raise up to £400m a year, but recent figures show that revenues from the tax have slumped to zero, nor is it expected to raise any money in the years ahead either.
While taxation authorities have been frustrated in their efforts to tax the cloud giants, such will be the scale of the shift in value creation with AI, that it will be impossible for cash-strapped governments to ignore.
We are already seeing ‘private AI’ initiatives where sensitive data sets are mined or manipulated on sovereign clouds rather than public clouds to avoid compromising privacy. The problems with value creation and taxation will be harder to address.
There has also been a long running dispute between local tech players and the tech giants about the societal impact of the market domination by a handful of cloud giants - a debate that the giants have always portrayed as protectionism or anti-globalisation sentiment. However, if governments grow increasingly concerned about their ability to tax value creation and they fear that a key source of revenue is under threat, then we can expect them to sit up and take action. After all, the one thing that all governments care about is their income - taxation. Again - it’s how societies work!
Bill Mew, Global Cyber Ambassador for the International Association for Risk and Crisis Communication (IARCC.org)