Digiworld Economic Journal, no. 85, 1st Q. 2012, p. 23. www.comstrat.org

Competition, Neutrality and Diversity in the Cloud

Andrea RENDA CEPS, LUISS Guido Carli and European University Institute

Abstract: The emergence of cloud computing is promising enormous benefits for small businesses, due to the dramatic reduction in IT costs caused by the service-oriented architecture. At the same time, the transition to a cloud ecosystem is more controversial for individual end users, as emerging business models can potentially affect both competition within and across layers, and the end-to-end nature of the Internet. The paper argues that policymakers should work on several fronts, including privacy, security and competition policy, before the transition to the cloud ecosystem can be seen as really conducive to a desirable outcomes for end users. Work in the direction of the inter-cloud architecture and a European partnership for cloud computing should thus be oriented towards an open, competitive environment, compatible with different levels of quality of service, and such that end users can still access a robust, best-effort Internet infrastructure, along with managed services with guaranteed QoS. Key words: cloud computing, electronic communications, neutrality, security, data protection, competition, business models.

n three decades of commercial exploitation, personal computing has gone through several generations of products, which led to a constant evolution of the customer experience. The first "offline" decade (from the mid-1980s to the mid-1990s) featured most evidently the emergence of

semi-open architectures that revolved around a de facto industry standard such as IBM processors and, later, Microsoft Windows coupled with the Intel processor (the so-called Wintel platform). All other layers of that architecture were mostly contestable, i.e. several firms competed to produce complementary products such as hardware and applications: this maximized the value of existing platforms by magnifying the impact of indirect network effects, thus making the platform very attractive for end users, while competing platforms were less attractive due to lack of a comparably large number of applications. The second decade (from the mid-1990s to the mid-2000s) saw the advent of the World Wide Web and the emergence of middleware, which became a platform for applications in competition with OS products. During the past decade, OS and middleware products became cross-platform and increasingly exploited the potential of the Internet, starting in particular from server-enabled office LANs. Today, we are

I

24 No. 85, 1st Q. 2012

increasingly witnessing the transition towards high-speed internet access, which gives end users the possibility of connecting to the Internet from multiple devices, exploiting various access forms (including wireless broadband). An increasing number of users are almost always online, and this creates new opportunities to introduce more efficient services, which reduce the costs of using the Internet both in terms of hardware and software.

Technology is making it possible to avoid buying or leasing hardware and downloading software and applications: these traditional transactions are being replaced by "everything as a service", which promises enormous advantages both for individuals and businesses. This is essentially the cloud era: an era in which personal devices become increasingly light, and users are able to lease software located in the cloud, as well as access their files that are stored somewhere in cyberspace, and managed by a cloud provider - put more simply, a limitless "office LAN" where the main server is not located downstairs, but potentially on the other side of the globe 1. A recent industry report defined a "cloud implementation" as "an elastic execution environment involving multiple stakeholders and providing a metered service at multiple granularities for a specified level of quality (of service)" 2.

The significant potential economic, social and environmental impact of this gradual transition is increasingly acknowledged among experts. A report by the Centre for Economics and Business Research (CEBR 2011) estimated that cloud computing will provide €736 billion of cumulative benefits to Europe's five largest economies between 2010 and 2015, creating 2.3 million net new jobs. By 2014, according to a study by the Gartner group (2009), the cloud industry will reach almost USD149 billion in revenues worldwide. The University of Milan (ETRO, 2011) forecasted, more conservatively, the creation of 1.5 million jobs over five years 3. In terms of

1 Cloud computing is a general purpose technology of the IT field which became widely available in the late 2000. VAQUERO et al. (2009) define it as "a large pool of easily usable and accessible virtualized resources (such as hardware, development platforms and/or services). These resources can be dynamically reconfigured to adjust to a variable load (scale), allowing also for an optimum resource utilization. This pool of resources is typically exploited by a pay-per-use model in which guarantees are offered by the Infrastructure Provider by means of customized Service Level Agreements" 2 The most widely used definition of cloud is that provided by the US National Institute for Standards and Technology (NIST) in 2009: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction". 3 See https://www.cdproject.net/en-US/Pages/HomePage.aspx.

Andrea RENDA 25

environmental impacts, a report by the London-based Carbon Disclosure Project estimated that blue-chip companies could achieve a 50% reduction of their carbon emissions by 2020 if they migrate their data storage operations to the cloud 4. At the same time however, some studies have highlighted a potential negative impact of cloud computing on employment; and a recent report by Greenpeace has placed emphasis on the significant impact that data centers exert on the environment, by reporting that they already account for 1.5-2% of global electricity consumption 5.

Figure 1 - The hype cycle for cloud computing, 2011

Source: GARTNER GROUP (July 2011)

Figure 1 shows Gartner's analysis of the "hype cycle" for cloud computing, showing how expectations will arise in combination with technological developments. According to Gartner, the evolution of cloud computing will raise inflated expectations over the next 2-5 years due to technological advancements and, after a period of disillusionment,

4 Interviews done by the Carbon Disclosure Project study's authors show that blue-chip companies in the UK plan to accelerate the adoption of cloud computing from 10% to almost 70% of their information technology by 2020. The study claims that these companies could benefit from billions in savings if they do. For example by 2020, large UK companies that use cloud computing could achieve annual energy savings of £1.2 billion (€1.39 billion) and carbon reductions equivalent to the annual emissions of over 4 million passenger vehicles, the study says. 5 See the Report "How dirty is your data?". http://www.greenpeace.org/austria/Global/austria/dokumente/Reports/konsum_CloudComputing_201104.pdf

26 No. 85, 1st Q. 2012

expectations will grow again along with the migration of most of our Internet-related activities to the cloud, which will create critical mass for advertising and ad-enabled business models.

The European Commission has not failed to spot the importance of cloud computing for the future of the EU economy. After including cloud computing in the main actions to be undertaken in the Digital Agenda for Europe, in January 2011 Vice President Neelie Kroes outlined three main areas for a EU strategy on cloud computing: (i) the legal framework, mostly related to data protection and privacy, as well as laws and other rules that have a bearing on the deployment of cloud computing in public and private organizations; (ii) the technical and commercial fundamentals, including security and availability of cloud services and standardization of interfaces; and (iii) the market, also encompassing the role of public procurement to stimulate the development of cloud-enabled solutions. In May 2011, the Commission launched a consultation on a European Strategy for Cloud Computing, which ran until August 31st. In launching the consultation, the Commission announced that it expected cloud services to generate revenues of almost €35 billion in Europe by 2014 6.

The main findings of the Commission's public consultation included the following 7:

- the legal framework on cloud computing, as it stands, is confusing. Citizens, industry and public administrations all have difficulty understanding their rights; - the public sector is not setting an adequate example; - cloud computing is global, and therefore needs an accompanying set of international agreements; - more research is needed to ensure the cloud meets user expectations.

To be sure, the current legal framework for data transfers and management appears very distant from the specific features of cloud computing. At the same time, the development of standards for risk management and security is far from the maturity that such a massive

6 European Commission's Vice President Kroes observed that "I am excited about the potential benefits of cloud computing to cut costs, improve services and open up new business opportunities. We need a well-defined cloud computing strategy to ensure that we make the best use of this potential. The input we are requesting from all interested parties is important to get it right". 7 http://ec.europa.eu/information_society/activities/cloudcomputing/docs/ccconsultationfinalreport.pdf

Andrea RENDA 27

migration of data and user behavior would require. Since the public consultation was closed, the idea of an EU cloud computing strategy seems to have evolved into a possible EU cloud computing partnership, in which industry stakeholders collaborate to speed up the deployment of an EU platform for cloud services to the benefits of businesses and consumers in the European Union. In the meeting of the World economic Forum at Davos (Switzerland) on 26 January 2012, Commissioner Kroes formally announced an initial investment of 10 million Euros for the creation of a European cloud partnership 8.

However, even after recent contributions from the industry, the contours and scope of the emerging partnership are far from being defined with precision. Currently, the issues that are more frequently under the spotlight in the field of cloud computing are mostly related to data privacy, governance and identity management; trust, security and certification; interoperability and data portability; and innovation and uptake 9. However, in recent public events members of the European Parliament have also highlighted the need to preserve adequate competition in emerging cloud services 10. More generally, a few commentators have highlighted the need to ensure that emerging business models in cloud computing do not end up altering the end-to-end architecture of the Internet, nor lead to discrimination of certain application or content, to the advantage of competing products or services. The need to ensure "cloud neutrality" has emerged in a fistful of recent publications (ODLYZKO, 2009; RENDA, 2010).

The present study provides a helicopter view of outstanding issues in the emergence of the cloud ecosystem, and is meant as a mostly descriptive/explorative exercise, though also aimed at drawing some policy recommendations. In particular, the paper explores the emerging issues from the standpoint of competition and innovation in the cloud. The section below briefly describes the emerging cloud architecture and clarifies basic taxonomies of cloud services, in a way that is purely functional to the content

8 She explained that in a first phase, the Partnership will develop common requirements for Cloud procurement, in particular by looking at standards, security and competition, while avoiding lock-in. In a second phase, the Partnership will be asked to develop "proof of concept" solutions for the common requirements. The third phase will be dedicated to the delivery of reference implementations. See SPEECH/12/38, "Setting up the European Cloud Partnership", 26 January 2012. 9 These are the four main areas explored by the Commission-industry Working Group that produced recommendations in November 2011. 10 See intervention of MEP Pilar del Castillo at the Internet Governance Forum in Nairobi, September 2011.

28 No. 85, 1st Q. 2012

of subsequent sections. In the following section, we illustrate emerging proposals for what concerns data protection, other legal and technical barriers, standardization and interoperability. Finally, we explore in depth the issue of competitive behavior in the cloud, and discuss the possible interaction/complementarity between the public cloud and the best effort internet.

���� The emerging (inter-)cloud architecture

Cloud architectures are conceived to be very simple for end users, but feature a very complex architecture "behind the curtains". As an example, Apple's iCloud allows the syncing of various devices with the cloud, such that the end user always enters the same environment regardless of the device used to connect to the network. Similar strategies are being pursued for the end user market by Google (Android) and Microsoft (Windows 8 and Azure). On the other hand, business offers focus mostly on the centralization of data management and access, and on the availability of applications and computing power on a per-use basis, which is expected to drastically reduce the cost of IT, especially for SMEs (ETRO, 2011).

Figure 2 shows the main elements revolving around the idea of a transition towards cloud computing. The most widely acknowledged taxonomies of cloud computing are those that relate to the basic cloud "modes" (i.e. Public, Private, Hybrid); and the main cloud "types" (i.e. Saas, AaaS, IaaS, PaaS).

For the purposes of this report, it is also very important to analyze cloud computing from the standpoint of its complementarity with the Internet ecosystem. Figure 3 shows the changing appearance of the standard "OSI 4-layer architecture" (infrastructure, logical layer, applications and content) under the transition to a cloud environment, where figure 2a shows the layered structure of the best-effort Internet and figure 2b shows a prototypical cloud architecture. As shown in the picture, cloud platforms are juxtaposed to the physical layer of the Internet, and govern the provision of a number of services in a dedicated environment, in which cloud providers process and, to some extent, control continuous data flows. Given the definition of "cloud implementation" given above, it is also clear that cloud providers must also guarantee a minimum quality of service (QoS) for the services they provide.

Andrea RENDA 29

Figure 2 - Main elements of a cloud system - a non- exhaustive view

Source: SCHUBERT et al. (2010)

Figure 3 - Internet v. the emerging cloud architect ure

(a) (b)

Source: own elaboration partly based on Cisco (2010)

30 No. 85, 1st Q. 2012

Against this background, this paper treats cloud computing as a "province" of the emerging Internet ecosystem, in which individuals and businesses seek cost-cutting and user-friendly solutions by switching to use of individual complementors or entire platforms "as a service" in exchange for a given quality of service.

Figure 4 reports a taxonomy of existing cloud vendors elaborated in 2009 by Peter Laird 11. This taxonomy is useful as it divides emerging roles according to the layer to which they belong in the OSI standard model. In the figure, public and private clouds are classified as "infrastructure", although it is clear that these infrastructures need a physical connectivity to be put to work. In conjunction with complementary technologies such as grid computing and virtualization, these types of cloud shape the environment in which data transfers will be organized, managed and monitored over time. Then, both business users platforms and developer platforms are emerging on top of private and public clouds, with dedicated (mostly open source) suites that facilitate the development of customized solutions for different categories of professional and non-professional users. A third layer is represented by storage and integration services, as well as a broad array of enabling services that include billing services, integration and assembling services, security services, and so on. Finally, application providers are increasingly looking at the cloud environment to develop their products, sometimes on a cross-cloud basis, but also on a cloud-specific basis. These vendors and providers are organized in various forms along currently emerging cloud platforms. All existing platforms are layered, and layers exhibit differing degrees of openness and interoperability. Accordingly, where a cloud platform's layer is fully open and interoperable, all the vendors active in that layer can potentially access that platform and offer services; to the contrary, if a given layer is kept proprietary by the cloud platform operator, then entering that layer to reach end users will be impossible for market players active in that layer.

HOFER & KARAGIANNIS (2011) describe the current business models in the cloud environment according to a number of different characteristics: (i) Service; (ii) License; (iii) User group; (iv) Payment; (v) Agreements; (vi) Security; and (vii) Openness, which includes supported Standards and OS, supported applications/frameworks, etc. From this standpoint, they classify the three major cloud platforms, Amazon EC2, Microsoft Azure and Google Apps, and draw an ad hoc tree path for each of them.

11 See http://peterlaird.blogspot.com/2008/09/visual-map-of-cloud-computingsaaspaas.html

Andrea RENDA 31

Figure 4 - Cloud vendor taxonomy

The different choices made by the cloud platform operators highlight different views of how successful cloud computing and, in general, Internet business models should look like. The current diversity of business models is, after all, good news in terms of competition, and might guarantee the "survival of the fittest", provided essential competitive safeguards are preserved in this environment. This is, of course, the portrait of a moving target, as business models are constantly evolving. As technology allows

32 No. 85, 1st Q. 2012

more complex uses, growing capacity and more "always on" interaction between providers and end users across the globe, more services and applications will reach the market.

���� Towards an inter-cloud model?

An interesting feature of the upcoming infrastructure populated by public clouds is the evolution towards a "cloud of clouds", which mirrors the "network of networks" that forms the current Internet model as we know it. In this upcoming "inter-cloud", open interfaces would govern the exchange and portability of data from one cloud to the other, with no switching costs, just like it occurs on the current Internet. If adequate open standards are deployed in this direction, then end users would not distinguish anymore between "provinces" of the cloud-enabled cyberspace: migration of data and traffic flows from one cloud to another would not be perceivable from the receiving end, and this would in principle enable access to all content, anytime, anywhere, from any device, and at enormously lower cost.

Figure 5 - The upcoming "InterCloud"

Source: NIST(2011), BERNSTEIN et al. (2009)

Andrea RENDA 33

Today, the Intercloud project is being studied internationally by IEEE, by the US NIST and by open cloud initiatives such as OCCI 12. In the Intercloud architecture, there will be Intercloud Exchanges (called "brokers" by the NIST) where clouds can interoperate, and there is an Intercloud Root, containing services such as Naming Authority, Trust Authority, Directory Services, and other "root" capabilities. All elements in the Intercloud topology contain some gateway capability analogous to an Internet Router, implementing Intercloud protocols in order to participate in Intercloud interoperability. These would be called Intercloud Gateways. Below, we will get back to the issue of business models from the standpoint of potential competition policy problems.

���� Security, privacy, interoperability

Perhaps the most important obstacle to the development of cloud computing in the EU is the inadequacy of the legal framework. At the same time, the more users rely on the cloud for the storage of their data and access to key hardware and software capabilities, the more important the resilience of the cloud ecosystem becomes. Disruption of a cloud service, theft of user data, violation of trade secrets and many other risks might be enhanced by the virtualization of activities realized by the cloud, if action is not undertaken to fix the legal framework and at the same time encourage the development of self and co-regulatory arrangements that help enhance security and guarantee data protection. Below, we explore emerging issues in a number of domains, including data privacy, governance and identity management, but also security, trust and certification. We then address the issues of interoperability, portability, reversibility and user lock-in.

Data privacy and governance

When it comes to data privacy, cloud computing seems to provide a new paradigm, which escapes the definitions and scope of application currently featured by EU legislation, and in particular by Directive 95/46 on data protection (the "privacy Directive"). The Directive is currently under revision, and one of the main areas that will be targeted by the review is indeed the

12 See http://occi-wg.org/

34 No. 85, 1st Q. 2012

application to cloud computing. The main issues that will have to be addressed are:

• Territoriality. The use of equipment located outside the EU potentially places cloud providers outside the EU jurisdiction, and thus outside the scope of the EU privacy directive. Recently, the EU Data Protection Supervisor Giovanni Buttarelli has advocated the replacement of this territoriality requirement with the concept of "targeted customers", which implies that the application of the Privacy Directive would be linked to the fact that the cloud provider, regardless of its location and the location of the equipment and data centers used, targets EU customers when offering its services.

• Data transfers outside the EEA. The Privacy Directive prohibits transfers of personal data to countries that do not ensure an adequate level of protection. This provision (Article 25 of the Directive) is conceived for point-to-point transfers, not for automated, continuous data transfers such as those that take place in the cloud environment. Absent of a revision, it might significantly inhibit the uptake of cloud services in Europe 13.

• Controllers, processors, or neither of the two? The EU Privacy Directive places most of the obligations on "data controllers". However, cloud providers cannot easily be considered as data controllers, and are rather identified as mere stewards of data, while it is end users that retain control of their data. While cloud computing providers are commonly considered processors or controllers, we further argue that many providers are not even 'processors', but simply provide resources for use by others. As reported by KUAN HON et al. (2011), IaaS, PaaS, and certain SaaS providers, who offer no more than utility infrastructure, will often not know whether information processed through their services is "personal data". They would thus be qualitatively distinct from services like social networking websites 14. The authors suggest that "such providers should be considered mere neutral intermediaries", and that "existing liability defences for certain providers under the EU Electronic Commerce Directive" should be used to help foster e-commerce, and should cease upon the provider having knowledge and control. Of course, the issue is very delicate, since depending on the relative regulatory treatment of controllers, processors, and mere stewards, the incentives to adopt different types of cloud services

13 See also BALBONI (2010). 14 See the debate on contributory infringement and vicarious liability that took place in the US starting with the Napster case (2001), and continuing with Grokster (2003, 2005).

Andrea RENDA 35

(IaaS, PaaS, SaaS) might change. Legal rules do matter in this respect, and are not indifferent for the future of cloud services.

• The "household exception". Currently the EU privacy directive (Article 3) does not apply to data processing for purely personal or household activity. To some extent, this provision could prove outdated when applied to the cloud environment, where services such as Dropbox or some Google Apps (e.g. Picasa) essentially store content for personal or household consumption purposes. As recently recalled by the European Data Protection Supervisor, there might be a need to fill this gap in the upcoming review of the Privacy Directive.

• Accountability, privacy and data protection "by design". There is currently a lively debate on the need to incorporate the principles of end-to-end accountability and privacy by design in the scope of the Privacy Directive 15. The European Commission and the European Parliament explicitly advocated this principle in the aftermath of the Digital Agenda, defining it as a technique through which privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal. The main arguments in favor of this solution are the difficulty of capturing responsibility for mismanagement of data on the basis of legal concepts of territoriality and data control. To the contrary, future legal systems should not be based on any concept of territorial use or processing of data: to the contrary, they should apply the rules regardless of where data are transferred. This calls for enhancing the responsibility of providers by requiring that they adopt certified privacy by design solutions. The EDPS itself recommended in 2010 that privacy by design be "explicitly included as a general binding principle into the existing data protection legal framework", since this "would compel its implementation by data controllers and ICT designers and manufacturers while offering more legitimacy to enforcement authorities to require its effective application in practice". Finally, the recent proposal by the European Commission to reform data protection legislation, adopted on January 25, 2012, proposes to introduce a "Data protection by design" principle under which the data controller would be obliged to design the

15 Privacy By Design is an approach first advocated by Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario. As she stated, "Privacy by Design asserts that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation." See Privacy by Design, Information & Privacy Commissioner of Ontario, http://www.privacybydesign.ca.

36 No. 85, 1st Q. 2012

organizational structure, technology and procedures in a way that meets the requirements of data protection 16.

• Certification of privacy by design schemes. The recent industry recommendations adopted in November 2011 called for the development of internationally recognized standards for certification of privacy-enhancing practices and models in cloud offers. However, these voluntary certification schemes should be monitored over time, especially in terms of their alignment with public policy goals.

���� Trust, security, certification

The problem of trust is one of the most heavily felt by businesses, and consistently ranks first in the countless surveys and polls that are conducted to identify future trends in cloud computing, as well as the existing level of uptake 17. The level of trust in the cloud is still limited, also due to the fact that the security arrangements and the availability of risk taxonomies in cloud computing are far from reaching a mature stage, let alone the development of an insurance market for the cloud. This, in turn, is heavily affected by the lack of certainty on the liability of cloud providers for security breaches, as well as on the possibility of redress for end users faced with a theft of identity or personal data. Accordingly, the issue of trust is intimately linked to that of achieving a clearer, more appropriate legal framework, as illustrated in the previous section.

Pending issues and action items that are often mentioned with trust and security include transparency, data security and infrastructure resilience; civil cause for action; and data breaches. Emerging action items at the EU level include extending to cloud providers the obligations imposed by the

16 See the Impact Assessment accompanying the documents "Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" and "Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data", SEC(2012)72 final, 25 January 2012, at pages 52 and 110. 17 http://webobjects.cdw.com/webobjects/media/pdf/Newsroom/CDW-Cloud-Tracking-Poll-Report-0511.pdf; http://www.enisa.europa.eu/media/news-items/wef-cloud-computing/at_download/file; http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-sme-survey.

Andrea RENDA 37

telecoms package on ISPs, which relate to the notification of data breaches to national regulatory authorities.

Most of the debate about security is indeed focused on the need for standards in risk assessment and management. Currently, public standards such as NIST 800- and ISO 2700x are used to signal compliance with basic assurance frameworks. At the EU level, ENISA provides an information assurance framework for the allocation of responsibility between customers and providers in terms of the lawfulness of the data and security breaches on the cloud. However, despite tremendous efforts in this field, there seems to be room for improving the availability of standards and best practices, in particular for what concerns the development of internationally adopted voluntary standards and certification schemes. Some developments in this field are already visible (see the CSA Control Matrix or the CAMM).

���� Portability, interoperability and user lock-in

One of the issues that are most frequently cited as creating obstacles to a rapid uptake of cloud computing among businesses and individuals is the lack of data portability and cloud interoperability, which might generate the problem of user lock-in: in other words, since it would be very difficult and costly to port personal and business data from a cloud to another cloud, users might end up locked into an unsatisfactory contractual relationship, with no real possibility to switch to competing offers.

The need to ensure seamless interoperability between public clouds is intimately related to the need for open standards that will realize the "federation of the clouds" or "Intercloud" in the years to come, mirroring the "network of networks" paradigm that has made the Internet possible. However, there seems to be a wide disagreement among commentators, policymakers and industry representatives as to whether interoperability should be developed over time through co-regulation or self-regulation, or whether it could be mandated by law already today. First, it is still unclear what interoperability and data portability mean, whether they require harmonization of cloud architectures and standards, or only the definition of common interfaces that would make data portability possible. Second, commentators diverge on whether interoperability or (in the short term) mere data portability should be mandated by law. And anyway, if public and open standards are needed, it remains to be seen who should (and could

38 No. 85, 1st Q. 2012

possibly) be in charge of developing them. On the other hand, as often happens in the IT sector, there is concern that mandatory interoperability at a very early stage of an industry's life might ultimately chill incentives to develop innovative cloud solutions. Or, if anything, such a policy decision might eventually tilt the balance in favor of less disruptive types of cloud services, such as SaaS, and away from more ambitious IaaS solutions, which possibly bear the greatest potential in terms of efficient use of IT resources. Finally, it is still unclear if mandatory or de facto interoperability would eliminate all switching costs, as lock-in would remain possible also by contractual means: for example, the launch of widespread 24-month subscriptions for Smartphones in many countries has exerted a significant impact on the provision included in the revised Telecoms package in the EU, according to which users should be able to switch provider in one working day. Should this be the case with the cloud, a "switching facility" might be provided, and compliance should be monitored extensively over time.

���� Competing in the clouds

Although the cloud market is still in its infancy, it is beyond any doubt that a massive migration to the cloud would determine a major revolution in the competitive environment that characterizes the current Internet ecosystem. The consequences for the competitive position of industry players could be significant, since most of the revenue generated by user behavior would further move up into the cloud layers, thus commoditizing lower layers such as the infrastructure and logical layers of the Internet. At the same time, cloud computing could exert an attractive power also for other existing platforms, for example by directly competing with, or complementing, traditional broadcasting technologies. All this will create a different business environment, in which regulators and competition authorities will have to ensure the creation of a level-playing field.

Looking at the features of emerging business models and their expected evolution over time, a number of issues are likely to emerge, which might be subject to specific views and recommendations for EU institutions and beyond. Importantly, it is still unclear whether the cloud ecosystem will end up hosting most of the content and applications consumed by end users. Should this be the case, then the problems related to application neutrality, media and pluralism that are currently referred to the Internet ecosystem will have to be re-formulated with a view to the emerging cloud architecture. A

Andrea RENDA 39

related issue is whether the evolution of cloud computing will eventually determine a shift in market power to higher layers of the value chain - i.e. whether the more content, applications and services migrate to the cloud, the more end user demand will be chiefly determined by what is available there, not on the general-purpose Internet. This is to some extent already happening with the emergence of Smartphones and tablets that embed WiFi and 3G/4G network capability, such as the iPhone, the iPad and Android-powered devices: the conditions of use and even pricing of subscriptions of these products that give access to the cloud are largely independent of the mobile operator, and are normally imposed by the cloud provider.

More generally, the evolution of application and content in the cloud will produce important consequences for the role of ISPs in the Internet ecosystem. Should the net neutrality logic succeed, they will be forced to act as mere conduits, or "dumb pipes", leading end users into the Internet and, from there, into the cloud. However, if the neutrality logic is aimed at preserving the possibility, for end users, to access any content and application from any device, then the same approach will have to be applied to cloud providers. Possible anticompetitive behaviors, which could emerge also in the cloud ecosystem, might include refusal to deal and/or grant interoperability (including blocking of applications and content); preferential or exclusivity agreements along the vertical value chain; vertical integration leading to discrimination of competitors at certain layers of the Internet/cloud ecosystem. More generally, the same practices that have been considered as potentially anticompetitive at the infrastructure and, most notably, logical layer of the Internet within the so-called "net neutrality" debate will become applicable to all other gatekeepers of the Internet and the cloud, including search providers and cloud providers (see RENDA, 2010 for an illustration).

The rationale for this application of competition policy tools in the cloud is straightforward. Should a cloud provider become dominant, then for application and content providers that serve the cloud environment there will be little or no choice when deciding where to reach end users: if they are not present or sufficiently visible on the dominant cloud environment, they will not be able to meet end users' eyeballs and they will eventually be forced to exit the relevant market. Accordingly, any behavior on the side of a dominant cloud provider that ends up discriminating between application and content providers might be construed as an infringement of Community competition law. The same applies, a fortiori, to refusal to deal, exactly as in the case of ISPs and net neutrality (RENDA, 2008, 2010). As of now, this debate has not fully evolved in the literature: however, this same lack of attention was observed also in the case of net neutrality, especially in Europe, where it

40 No. 85, 1st Q. 2012

took a few years before institutions and even industry players realized that the neutrality v. diversity debate was relevant also on this side of the Atlantic, and was not just a "west side story".

The cloud ecosystem can also be seen as a challenging novelty for application and content providers that are well established on the Internet and in the traditional media sector, and not just as a threat to ISPs. A number of issues will have to be addressed in this respect: as they are still in their infancy, I will limit myself to a brief discussion.

First, the emergence of the cloud is likely to affect broadcasters more than is actually realized, at least in the public debate. Should the cloud become the dominant infrastructure for the provision of premium content - as seems to be the case if one looks at current developments in music streaming and in the evolution of Youtube as a structured multi-channel TV - then broadcasters will have to compete to distribute their content in that environment, through dedicated channels that exploit managed services over the traditional IP infrastructure. In doing that, they might face almost insurmountable competition by OTT players, some of which have already become huge media companies with global reach, able to offer better click-through ratios for advertising and, in any event, in control of most of the online advertising sources and revenues.

At the same time, the transition from a "download" to a "streaming mode" in the cloud (see Apple's iCloud, Pandora/Facebook and Google Music among others) will likely lead to enhanced possibilities of control over the diffusion of content on the side of rights owners. This, too, creates important concerns from the standpoint of access to content and freedom to share content on the Internet. In previous papers, I have described the long-lasting war between control and architecture in cyberspace, which saw important chapters such as the Mp3.com, Napster, Grokster and Pirate Bay cases; laws such as the US DMCA (and currently discussed SOPA and PIPA), the French HADOPI and the Digital Economy Act in the UK; and the battle for the use of DRM which saw content providers increasingly challenged by new cybermediaries such as Apple. Against this background, the cloud ecosystem seems likely to witness a new attempt to modify the end-to-end architecture of the Internet to enhance control over the diffusion of content. The prototypical, DRM-enabled cloud environment developed by Apple with iTunes and now iCloud has already significantly constrained users' ability to share content with others. The fact that the new iTunes Match only enables

Andrea RENDA 41

download or streaming, but not uploads implies that we might be close to a new possible "end of end-to-end" scenario 18.

The most extreme version of this scenario is that of vertical integration, which is currently the worst perceived threat for broadcasters, i.e. a scenario in which ISPs provide their subscribers with both a best effort service and a managed service for the provision of applications and content, by acquiring rights directly from content producers and entirely bypassing broadcasters. Although these attempts might be inhibited by the inherently local/regional nature of ISPs, similar attempts might be made by champions of the application layer, who by their very nature hold an advantage over both ISPs and broadcasters to provide managed services that bring end users directly into the cloud. In this battle of the business models, vertical integration across the value chain might end up representing a threat to competition and interoperability: already now, concerns that competition between operating systems, middleware products, applications and content providers will be affected by these integrated business models are becoming widespread (e.g. in the case of Google's Chromebook).

In summary, more than being a revolution per se, cloud computing seems to be shifting the same old competitive dynamics of the traditional Internet into a new environment, in which the possibilities offered by the "code" - i.e. the technical architecture - seem more geared towards control over content, rather than the empowerment of end users through a real end-to-end environment; and more favorable to global application and content providers, as opposed to "almost-dumb" ISPs and "copyright-impaired" broadcasters. In all this, the real challenge for policymakers will be to restore the level playing field between all these industry players, to avoid distorting the competition for eyeballs that is currently developing in the cloud.

���� Concluding remarks

The cloud ecosystem promises much for small businesses in terms of massive cost-reductions in the use of IT resources. At the same time, this transition is proving more difficult and controversial when it comes to

18 I refer here to the paper written by LEMLEY & LESSIG (2001), which denounced the diffusion of Internet services that significantly departed from the end-to-end principle already at the end of the 1990s.

42 No. 85, 1st Q. 2012

securing Internet openness and freedom in the years to come. Several fronts are still open, and more should be opened and resolved before the legal and competitive framework for the transition towards cloud computing can be considered as complete and sufficiently secure in terms of the protection of the basic goals of cyber-policy at the international and EU level. This paper has argued that, beyond the oft-quoted security and privacy problems (which, anyway, still await suitable solutions), the cloud ecosystem is likely to re-propose a neutrality and competition problem, which policymakers at the national, EU and global level are unlikely to solve in the short term. While, on the one hand, antitrust tools are available to challenge any conduct by dominant cloud providers, which might hamper competition in neighboring markets, a more challenging tasks on the horizon will be to solve copyright and competition issues that are arising between mostly unregulated nomadic players that dominate the application and search layers, and ISPs and broadcasters at two opposite extremes of the Internet architecture. In this respect, the need for clear rules on the future inter-cloud architecture, on cloud interoperability and portability, on copyright protection and enforcement, on basic principles of openness and, not least, on pluralism will prove essential for an equilibrated development of the cloud, which does not fundamentally harm the end-to-end architecture of the Internet. This is the direction that this paper suggests for future efforts devoted by the European Commission towards a European multi-stakeholder partnership for cloud computing.

Andrea RENDA 43

References

BALBONI, P. (2010): "Data Protection and Data Security Issues Related to Cloud Computing in the EU"; Tilburg Law School Research Paper No. 022/2010. http://ssrn.com/abstract=1661437

BERNSTEIN, D., E. LUDVIGSON, K. SANKAR, S. DIAMOND & M. MORROW (2009): "Blueprint for the Intercloud - Protocols and Formats for Cloud Computing Interoperability", IEEE Computer Society, pp. 328-336.

CEBR (2011): "The Cloud Dividend Report: part Two".

CELESTI, A., F. TUSA, M. VILLARI & A. PULIAFITO (2010) "How to Enhance Cloud Architectures to Enable Cross-Federation", IEEE Computer Society, pp. 337-345.

ETRO, F.: - (2009): "The Economic Impact of Cloud Computing on Business Creation, Employment and Output in the E.U.", Review of Business and Economics, 54, 2, 179-208. - (2011): "The Economics of Cloud Computing", Intertic Report. http://www.intertic.org/Policy%20Papers/Report.pdf

EUROPEAN COMMISSION (2010) Communication, A comprehensive approach to personal data protection in the European Union: COM (2010) 605.

FARRELL J. & P. J. WEISER (2003): "Modularity, Vertical Integration, and Open Access Policies: Towards a Convergence of Antitrust and Regulation in the Internet Age", 17 HARV J L & TECH 85.

GARTNER GROUP (2009): "Forecast: Public Cloud Services, Worldwide and Regions, Industry Sectors, 2009-2014.

HAZLETT, T. (2009): "Modular Confines of Mobile Networks: are iPhones iPhony?". http://mason.gmu.edu/~thazlett/pubs/Hazlett_iPhony_ SSRN-id1533441.pdf

HÖFER, C.N. & G. KARAGIANNIS (2011): "Cloud computing services: taxonomy and comparison". J. Internet Services and Applications 2(2): 81-94.

HON, W. Kuan, C. MILLARD & I. Walden (2011): "The Problem of 'Personal Data' in Cloud Computing - What Information is Regulated? The Cloud of Unknowing, Part 1", Queen Mary School of Law Legal Studies Research Paper No. 75/2011, March 10.

LEMLEY, M. A. & L. LESSIG (2001): "The End of End-to-End: Preserving the Architecture of the Internet in the Broadband Era", UCLA Law Review, vol. 48, p. 925.

NIST (2011): Reference Architecture for Cloud Computing. http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_CC_Reference_Architecture_ v1_March_30_2011.pdf

44 No. 85, 1st Q. 2012

ODLYZKO, A. (2008): "Network Neutrality, Search Neutrality, and the Never- Ending Conflict between Efficiency and Fairness in Markets". http://ssrn.com/abstract=1095350.

RENDA, A.: - (2008): "I own the pipe, you call the tune", CEPS Policy Paper. - (2010): "Neutrality and diversity in the Internet ecosystem", CEPS Policy Paper. www.digitalforum.eu/browser_files.php?id=55 - (2011): Law and Economics in the RIA World, Intersentia.

SCHUBERT, L. (2010): The future of Cloud Computing, Report for the European Commission. http://cordis.europa.eu/fp7/ict/ssai/docs/cloud-report-final.pdf

VAQUERO, L. M., L. RODERO-MERINO, J. CÁCERES & M. LINDNER (2009): "A Break in the Clouds: Towards a Cloud Definition", ACM Sigcomm Computer Communication Review, vol. 31, Issue 1, pp. 50-55, January 2009.

WEISER, P. (2009): "Regulating Interoperability: Lessons from AT&T, Microsoft, and Beyond", Antitrust Law Journal, vol. 49.