EI Workshop 122: Putting your trust in the clouds: Why trust matters to the open Internet

Sixth Annual Meeting of the Internet Governance Forum
27 -30 September 2011
United Nations Office in Nairobi, Nairobi, Kenya

September 28, 2011 - 09:00AM

***

The following is the output of the real-time captioning taken during the Sixth Meeting of the IGF, in Nairobi, Kenya. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.

***

   >> PATRICK RYAN:  Okay.  Terrific.  We'll go ahead and get started.  We're hoping to have one other panelist here.  The road from the hotel out to the complex here was a little bit congested this morning so I'll bet Katitza has been hung up but will come join us shortly. 

       Let's go ahead and get started.  Thank you very much for joining our panel, 122, "Putting Your Trust in the Clouds:  Why Trust Matters to the Open Internet."  My name is Patrick Ryan.  I'm Policy Counsel for Open Internet Google.  I joined Google about eight months ago and focus on various different issues related to Open Internet and data flows. 

       The project I'm most closely affiliated representing is the Google Cloud Computing service offering.  And in that context I work very closely with Marc Crandall who is on old Googler, been around Google for, what, five years, and is with me on the Trust team of Google in order to help talk about what Cloud Computing is and to get the word out.

       Before I joined Google, I was a lawyer in private practice.  I consider myself a recovering telecom lawyer so please don't hold it against me.  And I split my time as well teaching at the University of Colorado-Boulder.  And I'll briefly introduce my panel and we'll dive right in. 

       To my right is Vicki Nash with the Oxford Internet Institute.  She's Director of graduate studies and works on a number of things including free flow data, including a project that involves research of risk and harm. 

       To Vicki's right is Nasser Kettani, who is with Microsoft.  And he's the regional technology Director for Microsoft and expert on Cloud Computing.  I can't say enough how happy I am to have a representative here from Microsoft on this panel.  A lot of times people talk about these issues as being one company versus the other and that's absolutely not the case.  We are all in this together.  Particularly when it comes to trust and issues like transactional data flows. 

       So Nasser, thank you for accepting the invitation to join. 

       To Nasser's right is Cynthia Wong.  Cynthia is the international -- the Director of CDT's product on global Internet freedom.  And Cynthia is a graduate of the University of Texas, as am I.  So we share an allegiance to a very unusual school in Austin, Texas, that has wonderful live music.  It is the live music capital of the world.  I know a lot of people -- have whatever opinion you may about the state of Texas.  Austin is awesome. 

       And Cynthia does a lot of really good work in protecting users rights.  CDT is just one of the best standup organisations for making sure the consumers are protected in an Open Internet.  And we're very pleased to have her on this panel. 

       And finally, Nii Quaynor is here.  He is down on the far end.  Dr. Quaynor is with Ghana Dot Com Limited and, boy, has an unbelievable CV.  I wouldn't even know where to start.  He started at Dartmouth and has a PhD as well from SUNY Stony Brook.  And he teaches at the University of Cape Coast in Ghana as the Director for the African region for ICANN.  Certainly a figure many people here in the area will recognize.  And we're honoured to have Dr. Quaynor on our panel. 

       Katitza Rodriguez with the Electronic Frontier Foundation will hopefully join us a little bit shortly so I'll just give her a brief introduction in advance.

Katitza is the international rights Director and she's originally from Lima, Peru, but works in the United States. 

       So let's dive in.  We titled this panel "Trust in the Clouds."  And we talk about it a lot in the trust of concept of Cloud Computing.  We're not alone at Google when we talk about trust.  One of the pioneers of this concept is Microsoft with the Trustworthy Computing initiative started several years ago we think it's a good model a good framework for discussing some of these issues. 

       It's a complicated one because trust is something that develops over time.  And it's not anything that has any complete -- there is no complete answer in many ways to what is fully trusted what is not trusted it's not a binary concept. 

       What is Cloud Computing?  It's always important, even with audiences that are as sophisticated as this one at the Internet Governance Forum to just ask that question, what Cloud Computing is. 

       And a lot of people are starting to talk about it, particularly in the press, that cloud is this brand-new thing it's a whole new evolution it's a revolution in fact it's changing the way people are doing business online in fact Cloud Computing is as old as computing itself.  And it's also as old as the Internet itself. 

       So let me ask:  Who here remembers America Online, CompuServe, Prodigy?  Did anybody use those services?  Is that Katitza?  No.  I thought maybe. 

       Okay.  That's all Cloud Computing.  Right?  You are interacting with a host of servers on the Web using cloud-based services to send and receive e-mail.  Now when you open up your browser you can make different formatting changes to your e-mails you can change the font and orient it in different ways.  In the office context for office type services what you might think of as Microsoft Word all you are doing is editing data on a page.  It's very similar to that. 

       So the Cloud Computing concepts that we're talking about today are no different than the Cloud Computing that we have been using through web-based e-mail ever since the inception of the Internet and in fact the computing if you go back to the 1950s when the original researchers were thinking about how computers would work, Herbert Grosch one of the leading thinkers of the time in the 1950s.  He was an engineer with IBM.  And his theory was that computers would cost -- would be very expensive.  And they would in fact be the square -- the computing power would be the square of its cost.  In other words in order to have a computer that's going to cost four times as much to have a computer that's twice as fast.  He got the cost model wrong. 

       We learned later that Moore's law is in fact the computing norm but Herbert Grosch postulated and this was a law known as Grosch's law that held reign for almost 30 years that the entire world would run off of same 25 mainframe computers and everybody would dial into that and use that computing power as a centralized source. 

       And everybody would in fact access them from dumb terminals so the idea wasn't totally crazy. 

       The French Minitel system from the 1970s up through today really, it really hasn't had a lot of traction since the Internet took off but the French Minitel was based on that same model.  Centralized in this case.  Country run.  Telephone run Cloud Computing services.  And people would get terminals that had no processing power per se on the terminal and they would access the cloud and interact with it. 

       So the cloud is not new.  We're doing new things on the cloud just like we are doing new things with computers and new things with the Internet but the concept is as old as computing itself. 

       One of the things we hear a lot when we talk about Cloud Computing and the risks around Cloud Computing is one of the errors we see people make one of the logical errors of analysis is what we call in academia the nirvana fallacy and that's comparing something to perfection and it's very difficult to compare something to perfection.  So Cloud Computing is new.  Even though it's not new it's perceived now as new. 

       And the tendency is for academics and for Civil Society and for governments and for users the whole gamut to compare it to this nirvana so Cloud Computing is this new thing but look at all of the problems and when you're comparing it to something that's an ideal, it's very difficult to sort of come out with a good score.  Right?  When you compare with something perfect, it doesn't do well. 

       This is what I tell my wife.  You can't compare me to Matthew McConaughey I don't know if he's the nirvana but my wife certainly thinks so. 

       So it's a lot better as a framework and as a comparative point perspective to compare Cloud Computing we think to what you have today in the computing ecosystem.  The types of computing systems we use today and to see how cloud does things differently and how there are risks but how the risks are different.  And in many ways improved over the risk set that we had before.  Just some interesting statistics about data and the safety of data. 

       1 out of 10 computers will be stolen within the first 12 months of purchase and when a computer is stolen even if the data is encrypted on it, that data is lost.  So that's a loss of data.  And certainly a security breach in many ways 66% of thumbdrive owners lose them and 60% that a thumbdrive is lost it contains private corporate data of some kind on them now I say this and I absolutely love the Council of Europe and all of the work that the Council of Europe has done but I want to take one minute to put a little dig because the Council of Europe was nice enough to give us all thumb drives yesterday in our -- in the workshop that we had.  And it says right on here the data protection right on the thumbdrive. 

       So statistically 60% if we're just looking at statistics from the Forrester study if anybody uses these 60% of them will be lost with some form of personal data on them.  So this is a vis age of the old -- visage of the old system because in Cloud Computing you're not storing data on the hard drive to some extent you're not storing it on thumb drives you're putting it in the clouds so the trade all of are the security issues that happen with storing things in the cloud.  But the benefits of not having loose thumb drives having data on hard drives, that type of thing. 

       And there are also tremendous value and benefits of Cloud Computing for small businesses and for users. 

       As Forrester study that we completed showed 80% of the money spent for a typical small-medium sized enterprise on their infrastructure is kept just keeping the lights on feeding the computer with power, maintaining the connections to the Internet, downloading software of various different kinds and then downloading the patches and updates and just keeping that up to speed and wouldn't it be great if those companies could instead invest rather in IT computing invest in what it is they do best stick to their knitting if they are in the production of sweaters to produce sweaters rather than to produce IT systems in order to sell their sweaters online there's a lot of opportunity and promise for Cloud Computing 70% of the Y Combinator startups which is a new type of startup in Silicon Valley use Cloud Computing using devices very similar to this is a cloud based computer it has no hard drive 16 gigabytes of space no programmes on it whatsoever and you're up and running for 4 or $500 in the Developing World opportunities are great access is the problem but we'll solve that but to the extent there is access to the Internet boy it's possible to have a $200 computer that go out to the masses and tap the power of the cloud so turning to some of the thorny issues we'll talk about for many governments trust means control and there are a lot of attempts to control the data and control the flow of data in ways that governments don't do today.

       And there are certain -- around the world we're seeing lots of laws that are being passed that try to cage the cloud to try to treat the cloud as if it's a separate part of the interpret that makes it difficult to use the European example which has some of the most advanced and respected privacy laws.  Privacy is a human right in Europe and there are a number of groups including the Council of Europe and others that do a great job of protecting users rights and interests and really thinking about how -- you know thinking about all of the risks and harms and doing their best to protect them.  But as a consequence of some of those very good important rights that are being protected places like Kenya have difficulty in trading data with Europe.  Because in order for European data to go outside of Europe, it has to be certified through an adequacy determination it's a very sophisticated complicated legal set of analysis and the long and short of it is that countries like Kenya aren't able to legally exchange data on the cloud with Europe because they are not deemed adequate.

And that's unfortunate.  And we're hoping that in the future we can work throughways to develop frameworks in order to address that concern so that countries like Kenya and other places in the Developing World can tap into this wonderful resource. 

       So restrictions on transnational data flows.  That enable cloud services is an important topic and one that I hope we'll ferret out today the second question and that's another one of trust.  How do we as companies and how can we do better talking about trust issues?  Being more transparent.  Being better educators to the public about how our services are handled and how your data is kept safe. 

       I'm hoping today that we'll have an opportunity to talk about that and to inspire a dialogue on things that Google, Microsoft, other companies in this space can do better in order to develop that trust that could be so elusive so with that introduction we'll go ahead and go down the panel. 

       Nasser, why don't we start with you first.

   >> NASSER KETTANI: Thank you, thanks, Patrick and thanks for the introduction and really thank you for the opportunity.  So I'm -- as you said in the introduction I'm a technologist.  And my work is really at the frontier of technology and policy.  But I'm not a policy expert.  I'm not a lawyer.  But I -- it's interesting because as technology has evolved, we are seeing more of the impact of technology and in policy and policy and technology it's very fascinating to see these changes.  And this is happening. 

       The -- you know, there are two really big things that we're seeing, macroeconomic things that we're seeing.  One is as you said more people connected, more services, more businesses connected, et cetera. 

       On the other side from a trust perspective, we see the threat landscape really has evolved.  And is evolving and will be evolving you know as we go.  And that's -- and no matter -- and I just want to make sure that we are clear about it, this nirvana thing.  It's really -- I like it.  Because no matter what we do, as an industry, as governments.  No matter what we do, there will be people out there that are always trying to hack into systems to find failures to do whatever they can.  Because they see value for them in terms of, you know, money and all sort of things to do.  So that's just a fact of life that we have to deal with. 

       And because we have that we shouldn't just say okay let's put our data in our computers because in fact it's more unsafe than just putting it in the cloud.  So just I think that's an important thing. 

       And as Patrick is saying, there are legal things and policies, et cetera.  But from you know the Private Sector perspective and as service providers I think there are a few things we need to be thinking about. 

       First thing for us as a company we are very committed to security, to data protection, to protecting data, customer data.  Whether it's consumers or businesses, et cetera.  It's a very fundamental commitment for us. 

       And commitment starts with firstly thinking.  And adopting certain best practices and the way we actually address the problem. 

       And as Patrick was saying, we started an initiative called TwC, Trustworthy Computing, back almost ten years ago.  It was in 2002.  And the whole concept behind it was about how do we improve on security, privacy, reliability, and business practices as we deliver products to market and a company.  And of course we have done a lot on that front.  And we continue to do that. 

       So I want to touch on three different things that we're doing in the cloud.  Because as the industry moves into the cloud.  As consumers of cloud -- as consumer is consumer of cloud and Government is consumer of cloud and I agree it's not a new thing but the reality is given the power that we have today in terms of networks and data centre capacity and computing and all of those sort of things, cloud is enabling some very sophisticated innovations that we haven't thought about in the past.  And certainly as we speak to it today, we don't even think about the next generation innovations because there are smart guys out there that are thinking through very amazing things that they can do today with cloud that we're that were not possible before so there are three things as we move into cloud as we build products.

       One is building security and privacy as a founding principle as we deliver products.  And this is from Day 1.  And I'll give some few examples there. 

       The second thing is -- so the first one is how we build general technology, how we build products and services. 

       The second thing is how we -- about how we run them.  In the past if you think about it we built products such as Office we give it to customers and they have to run it.  Today it's changing for us.  Although we started years back providing cloud services with things like Hotmail and Xbox and so forth but there's a change for us we also have to put processes in place in terms of how we run the services.  So one is build.  Second is run. 

       And the third is how do we plan for the unexpected because no matter what we do, there will be issues.  And we need to be prepared to respond to those things quickly.  So these are the three things that for us are important as we migrate that. 

       So on the first one which is how do we build security, how do we build privacy by design into every single product that we do. 

       Just to give you a few examples from a framework perspective.  One is we developed something called SDL which is security development lifecycle and security development lifecycle is a methodology, it's a framework, for you building security from the design up to as we deliver the product.  And today no product whatsoever leaves and gets sign-off from our leadership team until it has gone through the SDL process. 

       So every engineer in the company is going through that from a training, from an implementation, et cetera.  And we also have provided SDL as a framework for others to use.  There are a lot of companies today that are using SD L we're even promoting that to the ISO community.  And we would like to see more people actually using that as a framework to develop more security development lifecycle. 

       The other thing is privacy by design.  I'll just give you two examples.  Because we believe that, again, from a privacy perspective we need, from an engineer point of view we need to make sure we educate our developers to put privacy as the builder product and not as an after the thought.  I'll give you two examples of that just to make the point.  Xbox LIVE and Kinect.  You probably heard about Kinect which is this censer you can use with Xbox to play and you can think about why do we need to think about privacy there?  And the reality is there's a lot of face recognition technologies there very sophisticated that's actually built into the camera.  And if we didn't work with the product teams and our experts from the privacy perspective and our lawyers from Day 1 to think about the privacy issues with that, they would have shipped product where there's a lot of privacy issues as far as face recognition and what we have done is we have worked with them to do everything we can to actually make sure that the data that goes from the -- that censor to the live services et cetera nobody can use them in fact they are very encrypted they are put in a way that it's not used by people to do all sort of things they would love to do so that's how we think about it.

It's really Day 1 about how we build a product.  And I think this is also a way whereas we think about the product development, as we think about engineering, we fit in part of this. 

       And the second example is our Windows phone the new operating system.  It's the same thing we could have done it in much -- various ways.  But we've put in place privacy as part of the design of our product.  So you have control in effect as a users of what do you want for example on organizational issues whether you want to share that information, whether applications can use them or not, so forth and so on.  I don't want to go into detail but if you take examples of how as we build technology we think about that through the lifecycle from Day 1 up to the testing and the delivery. 

       And we're transparent with our customers on that.  So that's on the build. 

       On the run, we are building very sophisticated data centres as you can think about.  As our friends from Google I mean these are very sophisticated data centres.  And of course we run you know our customers data and processes there.  And even on that front and we have built very sophisticated security and privacy processes in place.  So it's not just by building the building.  It has very different layers of security. 

       It has very different layers of processes.  Who has access to the data?  Our engineers.  Who has access to the data?  What data do they have access to?  When do they have access to it? 

       So there's lots of things we have built as we run the services, et cetera. 

       And the last piece is about for us, you know, really thinking about how do we react when there's a problem?  Because it always happens, right?  And also on that we have put in place the processes and the tools and education and everything to make sure that if anything happens we're actually able to respond to that and make sure that we fix it.  We communicate.  We are transparent. 

       So that's the -- that's kind of the framework as an industry we're doing.  But the fundamental piece for that is beside everything that we're doing there are two points I want to make. 

       One is no company can solve this problem of security and privacy alone.  I think it has to be a dialogue across the Private Sector, NGOs and Government in order to be -- you know to have an open dialogue about these issues and really work through you know making the cloud and this environment more safe and trustworthy.  So that's No. 1.  And we are very committed to that.  And the second thing is really about the fact that this is for us the most fundamental part is about how we are transparent about what we are doing.  It's about how we are talking to customers about the choices they have.  How do we run our processes?  How do we run our services?  How we develop our products. 

       And they have a very clear view and as they decide to use our services, we really are clear about how we handle their data.  Which data are we capturing?  When are we transmitting the data?  How are we making the data secure, et cetera?  That's a fundamental belief for us.  We need to make sure that we are as much transparent as we can. 

       And the last thing I want to make from a general kind of policy making, et cetera, this is a -- although I genuinely agree with you, Patrick it's still a nation environment.  And you know putting so much regulation and policy out there without really understanding really all of the implications is -- I believe is -- has to have kind of a flexible way of thinking about it.  Because the last thing that we want to do is actually preventing those innovators from coming and building some very sophisticated things that we haven't thought about yet.  And I have seen an example yesterday where I've just -- I was reading on the net the case of a very small company who has developed cows in the cloud, which is a very interesting application where they put sensors on cows and they capture billions of data.  And they use that for all sort of things, including health of cows and all of this stuff.

And they run into so many privacy issues they haven't thought about it.  And it's like no. 

       So we should be careful about as an industry and also as regulators how do we think about these things in order to build flexible policies that protect people, protect users, protect customers.  But also free the place for innovators.  Thank you very much. 

   >> PATRICK RYAN:  Thank you, Nasser.  Let's go on to Cynthia and just looking at the clock just to manage our time a little bit, let's try to keep our -- if we can our comments to about five minutes each.  We'll wrap up about quarter to the hour approximately then and I'm sure there's going to be lots of questions here from the audience and welcome, Katitza I'm glad to have you I also introduced you so you've been well anticipated Cynthia.

   >> CYNTHIA WONG:  Yes and thank you for Patrick and Google for having me on this panel this morning just to echo what my colleagues have already mentioned already I think the way that Cloud Computing services are beginning to scale and the way that users are beginning to adopt them presents incredible opportunities for both innovators and for user themselves but with these opportunities are I think a number of challenges that all of us stakeholders will have to begin to grapple with and I'll focus mostly on the legal and policy side because that's my background. 

       One of the main things we're seeing is that some of the traditional legal frameworks around privacy have not really mapped particularly well considering some of the specific unique aspects where Cloud Computing is moving and these unique aspects include the fact that there's a lot of redundancy in the cloud so when you put data in the cloud there are actually duplicate copies of your data and they are stored all over the world.  Also in order to get the benefits of Cloud Computing, data and applications do need to flow fairly fluidly around the world.  Among data centres based on very real-time needs and available resources.  And finally, again, in order to really benefit from efficiencies in the cloud, data centres really need to be -- need to be created in multiple locations around the world.  Although I would say there might be some pragmatic limits to where you might put a data centre.

But the fact is to really benefit from the cloud that there need to be data centres located in a number of different locations.  And finally I think one of the biggest challenges is that even for cloud operators themselves, it may actually be quite difficult for them to even know where a given dataset or piece of information is actually stored at any given time in the cloud because of the way that clouds are often implemented from a technical perspective. 

       So given these new aspects of Cloud Computing, how national laws like privacy laws have been applied to them creates a lot of interesting new challenges. 

       For cloud operators who may operate data centres around the world and may be subject possibly to the jurisdiction of many different countries, it's often unclear what national laws apply and what duties they might have under those national laws from a privacy perspective. 

       And these laws might include things like data protection laws, data retention requirements, requirements to retain data for a certain amount of time.  And laws that govern law enforcement access to data and what protections should be applied to data that they might store or process. 

       In the law enforcement context especially, I think that old notions of when governments can legitimately assert jurisdiction in order to gain access to user data simply really don't map well to some of the new realities of the cloud. 

       Different governments often take different positions as to when they can legitimately assert jurisdiction based on rule of law and due process norms, things that -- governments often look at things like physical location of servers, whether a company does business in the country, whether they have employees there.  But even things like the nationality of a user whose data the company might have in their cloud or the nationality of a victim or some other person of interest.  So governments are starting to assert ways that aren't really coherent between governments according to older notions of jurisdiction. 

       To add further complication to this in some cases you can imagine very easily how a company could be subject to very conflicting laws.  Right?  So you can imagine where a data retention law of one country might actually be in direct conflict with the data protection law of another country who may require a maximum retention period for data even as the same data might be replicated and stored at any given time in both countries. 

       And so the result I think is that many called operators are in a very untenable position of trying to figuring out what their duties are and what their obligations are under various national laws and trying to craft policies that are coherent about when and how to respond to law enforcement access while still trying to protect the privacy of their users when a lot of governments are asserting jurisdiction in very conflicting ways. 

       I'll also say there's a lot of risk for companies who themselves are consumers of cloud services.  Just as with cloud operators, it might be difficult for these companies to know where their data is located in the world.  And who might have access to it.  And I think importantly, it's difficult for some of these companies to then give meaningful notice or make meaningful promises to their users about how they might be obligated by governments to hand over data or to use or redistribute their data. 

       And finally and certainly not least and one of the things I wanted to emphasize strongly is that these jurisdictional challenges and these legal challenges raise issues for citizens that might undermine their trust in cloud and in using cloud services. 

       In the legal environment I've described users might have very little understanding of what protections do apply when law enforcement outside their country -- even in their country --

       (Audio lost).

   >> CYNTHIA WONG:  Users have a meaningful understanding of their risk associated with their use of cloud and I think this certain environment it all leaves users with little agency and little I think ability to control I think.  I think there's kind of a loss of control here which can undermine trust. 

       So I've spent five minutes now laying out problems without offering solutions.  I'm going to stop there and maybe save some of the more constructive comments for later.

   >> PATRICK RYAN:  Thank you, Cynthia those are very important issues to raise.  Let's turn it over to Nii now.  And Nii, if you can take the microphone for a few minutes. 

   >> NII QUAYNOR:  Thank you very much.  I will be speaking from the perspective of an operator.  I operate a cloud service.  I'm located in Ghana.  And I was fortunate to have been one of the engineers that pioneered Internet to Ghana in West Africa.  And have since moved into a new organisation, Ghana Dot Com principally looking at applications and content and those softer side of the issues. 

       The organisation, I'm going to share it's issues with you it's an ICANN accredited register it's mostly looking at enabling cloud activity if you look at it that way meaning hosting people who want to do cloud applications because they happen to have written programmes that provides different kinds of cloud services. 

       Of course in our case, we do work in the area of eCommerce, as well. 

       So for example, one can go to a Sahara.net which is a service.  And find a name of their preference.  And then take options for hosting types that they want to do.  And then they can throw in their various programmes, whether it is para PHPO (phonetic), what have you.  And proceed from there. 

       And the same environment we provide ishka.net (phonetic) where people can go to a bank and deposit money in their accounts and then they can proceed to do the normal eCommerce with it. 

       We also then operate on NCS  cloud service.  And as you might have observed, every cloud tends to distinguish itself by some kind of application. 

       In our case it's an archival application.  Meaning that it's not so much for the huge enterprises but for the medium to large scale enterprises with a rampant loss of documentation and so on, we found it very effective to introduce an archival solution whereby a person can index some material, any type of object, whether it's a video or text or image or whatever.  But you can index it.  And therefore making it searchable we thought was a very good solution.  And that is at NCS cloud. 

       Now, this whole debate seems like a recurring theme, a strong one, because I remember the same debates during my college days very long ago.  And it was between multi-programming and time sharing at that time.  You know people were safer seeing their code go through in a multi-programme environment because they felt comfortable with the partitioning.  But with cloud sharing they were very not sure.  I see the same thing being played also now.  But even then we passed a stage where people wanted to have the box with them and everything on it so they can touch it, feel it, and so on.  But eventually they let go and started to use some level of outsourcing for these things meaning here the issues the ones who controlled the software, et cetera, staff et cetera were things that were concerning people. 

       We face the same thing.  Do you host in your country or do you host outside?  I mean that's being a regular debate.  And only the speed of access sometimes is the differentiator.  Of course jurisdiction is always an issue because the net doesn't really see those kind of barriers.  You have to layer some things on it to discover territory. 

       So I'm not surprised that this debate is continuing. 

       Now, my observation is that actually Africa has adopted a cloud.  but individually.  Meaning that every one of us have a Gmail account.  We always use social networks.  And we even do our banking. 

       If you can trust a global -- if I can trust a global bank with my money then I don't understand the trust issue.  I think it's just a question of time.  People are learning about it.  And as they learn about it, okay, you might say as you share your transparent activities and so on.  But that's not it actually.  They are just new to them in terms of their thinking. 

       And so that slows down the adoption. 

       But in Africa here, individuals have no issue.  They trust their secrets with Gmail or Hotmail for that matter.  So I don't see that as the off cycle.  I don't think the issue is trust.  I think the issue is time for people to assimilate things and for them to become comfortable with it and for them to begin to adopt it.  Enterprises and governments are behaving a little differently.  They seem to be slow.  But it's because of maybe the newness is coming too quickly. 

       What I've noticed these organisations are doing is they are building intra cloud.  The same as they are building intranet they are using the same cloud tools within their private networks.  And I'm sure Microsoft has sold a lot of cloud tools to enterprises.  I think you understand where I'm coming from. 

       So I believe ultimately the time for people to feel comfortable with it will be a major method of deciding.  However, cost always becomes the scheme.  The reason why many Africans adopt the cloud is because the prices are reasonable to them.  A lot of them are free.  So as we get cloud services that have very competitive prices, I'm sure that many people will adopt it beyond the individuals. 

       Enterprises will change as the terrestrial costs become higher than the international costs.  Meaning that with the cables that are under sea, the international costs are dropping.  And as they begin to approach the costs for the internal terrestrial links, it doesn't matter where your data is.  So many people will then begin to shift towards the Cloud Computing.  I think that's enough from me for now.  Thank you very much.

   >> PATRICK RYAN:  Great, thank you very much.  We have two more speakers.  Let's go ahead with Katitza and then we'll wrap up with Vicki. 

   >> KATITZA RODRIGUEZ:  Thank you.  Well, I'm from the Electronic Frontier Foundation we are a not-for-profit grassroots membership funded organisation with more than 14,000 members in 67 countries.  Well, today we talk about the cloud.  I will have my recommendations at the end.  But I would also do a brief outline of the legal and policy changes for the online user experience.  So what cloud means.  Definition differs but it's more basic for the core meaning of in the cloud is simply in another party's hand. 

       As old-fashioned telephony, putting our communication in the hands of others, leading to early problems with wiretapping, cloud based communication such as e-mail does so, as well.  But cloud based communications typically base -- base the storage of the content into third parties not just communication and the cloud goes well beyond communications.  In other words it involves a storage of pictures, among other things that the various speakers have been explaining. 

       So there are different threats that can be ambition.  But due to time limitations I will focus on one of your core concerns, the way in which law enforcement or national security agents can access data held by third parties in the cloud. 

       Traditionally the law in liberal democracies have provided strong protections against Government intrusion through information that you store your line personally in your house -- that you store offline in your office or office.  Governments need to obtain a search warrant based upon reasonable grounds before they can access is that data. 

       However, this is not the case if the data is stored with Cloud Computing providers and third parties.  In the U.S. data stored by third parties such as Cloud Computing providers have a lower threshold of privacy protection.  In some jurisdictions there's also the possibility that the cloud provider will comply voluntarily with requests for data.  And a warrant will not be needed at all. 

       We need to find a way to ensure online storage is treated as an extension of our own home or office and afforded the same level of protection. 

       (Audio lost).

   >> KATITZA RODRIGUEZ:  And often without their knowledge.  Certain intelligence laws go even farther than law enforcement by providing sweeping powers to intelligence agencies.  The U.S. Patriot Act allows the U.S. Government to allow disclosure of any data located anywhere in the world if the company operates in the United States.  Microsoft and Google both recently admitted that under the long arm of the U.S. Patriot Act the U.S. Government could access European based cloud data where very few legal standards are in place.  The national security letter's power which was branded by the U.S. Patriot Act allows the FBI to secretly demand subscriber information about ordinary citizens private communications and Internet activity without any meaningful oversight of prior judicial review. 

       Recipients of the national security letters are subject to an order that forbid from either revealing the letter's existence to their family members much less the public. 

       What leads to that is the threat of the national security letters existed beforehand, doc orders and all, the use of these letters became much more prevalent after the Patriot Act which made them easier to get.  Other countries such as South Korea are apparently willing to use extraordinary online interception methods to prevent citizens for seeking cyber asylum by committing data to the clouds. 

       While the U.S. Patriot Act and similar national security powers pose serious threats to the methods that are delivered in the cloud the threats to cross borders to be delivered is even more serious.  Many countries do not threat non-citizens privacy -- do not treat with the same respect with the off domestic citizens where national security investigations are an issue this is a problem as cloud subscribers receive the clouds as an extension of their home or office computer they do not expect their data to lose it's domestic level of protection. 

       The U.S. foreign intelligence services for example grants extraordinary interception powers to national security agencies investigating non-U.S. persons. 

       It is not even clear that non-U.S. people can rely on U.S. constitutional protections designed for such powers.  Other countries have introduced similar powers in Canada the National Defense Act and CSIS grants the national security extensive powers for Canadians.  Foreign investigations have historically investitive executive and it's anti-territorialism act they may intercept information of communication.  As cloud services will often be based in foreign jurisdictions, these type of asymmetric protections pose real threats to the cloud.  Civil concerns aside all of this can lead to the erosion of user tracks in the cloud services if it's discovered the data is being restored in a location where there are lower privacy standards. 

       This was a case in Canada, for example. 

       Following the public outcry of a provisional Government's plan to restore the storage of domestic health records in the United States where they would be -- where they would be subject to the U.S. Patriot Act powers.  As a result of the public -- of this outcry, the provisional Government in question was pressured into withdrawing it's outsourcing plans.  And the Canadian Federal Government was compelled to adopt risk assessment policies that prevent storage of sensitive private citizens data in the following country where that identity cannot be assured other governments have responded to such concerns as well.  The Dutch Government recently considered excluding the U.S. based cloud providers from Government contract by -- due to the Patriot Act exposure.  The Government has temporarily backed off from it's stance.  It is committed to resolving what it deems a conflict of legislation that both U.S.

laws in direct opposition with Dutch privacy protections. 

       U.S. cloud storage providers wishing to enter the Canadian market will often broach the Canadian centres so as not to remove themselves from consideration from certain Government storage contracts.  German belief having non-U.S. service based providers have a competitive advantage in the marketplace and they are asking governments regulation to create a safe from the Patriot Act certification process to help customers recognize which service may or may not be free from potential U.S. state private eyes. 

       Civil Society's concern with all of the state powers that are invasive of privacy Cloud Computing presents a specially compelling case.  People use cloud service as proxies for activity that would normally occur in their homes or on their personal computers. 

       Within their control, that's it.  Their expectations are transparent to the cloud but in reality their information is not only in the hands of a third party but subject to foreign laws but there is no easy solution to this issue some systems of data severity where the domestic intercept laws and rights are based not on where the data is located or where the company holding is based.  But rather on the users expectation would be very difficult to implement.  Indeed it runs contradict to the assumptions in the U.S. Canadian and UK systems the foreign nationals deserve lower privacy protections. 

       Comparable privacy protections laws such as those in the European Union are another possibility but this may deprive local residents of services based in other countries that are not willing to create distant domestic servers out of reach of U.S. or other foreign Government surveillance power. 

       The picture is complicated further by the process of long arm laws of some governments and content hosting practices.  Content hosting the reality of this is it is not always clear precisely where your cloud data might be.  This is especially true for larger providers as they can hold servers and storage of user data with multiple residencies it might be challenge for a company operating under such a model to say with any clarity precisely where a given users data is physically located at any given time. 

       Sometimes a cloud service now where the majority of their servers are located we will notify the consumers.  Amazon for example will tell consumers that the Cloud Computing servers are located in certain places it's simple to know that Amazon provides this customer information primarily because it can be inferenced business decisions made by it's commercial customers.  Maybe the other cloud providers choose not to inform the customers that the data will be stored in a foreign jurisdiction at all while a few jurisdictions such as Canada Alberta Providence have adopted clear legal obligations to notify customers of this type of outsourcing.  This does not appear to be the rule or the standard. 

       And finally, further complicating -- further complicating this any attempt to ensure by one country to ensure it's citizens a level of protection against unreasonable foreign Government surveillance is the tendency of some countries to impose their laws beyond the territorial limits for example U.S. courts will on occasions for international companies with local assets in the states to produce customer's data even if it's stored in a far-away legislation. 

       I see I'm short on time but let me quickly conclude by mentioning some possible solutions. 

       If only companies want to ensure that users trust that not become a barrier to adoption there are a number of steps they can take to increase trust.  They can undertake through their users contracts and terms of service to notify users as soon as is practically and legally possible that the Government has accessed or requested access to their data. 

       If disclosure requests are subject to unreasonable gag orders, cloud service companies should undertake to fight such gag orders incurred. 

       They should also contractually commit to not providing any user data to Government agents voluntarily.  That is unless required to by law. 

       There are known risks associated with local Government laws, what those might be.  They should additionally public a status such as Google report highlighting how many requests they are getting for customers data and from which governments. 

       These reports should include all demands that can be disclosed under the law. 

       Finally policies governing data sharing with local law enforcement agents should be made public.  Thank you. 

   >> PATRICK RYAN:  Great.  Thank you and on that happy note let's go ahead and hand the microphone over to Vicki to wrap us up.

   >> DR. VICKI NASH:  I feel like I should tell a joke to maybe everybody laugh.  I'm getting more and more depressed here. 

       So I think I thought I would approach this from the perspective of some OI research really looking at what trust is. 

       We have done a lot of work over the years looking at trust in the Internet generally and one of the things we've discovered, it's not very ground breaking but it's the idea that really the Internet and the related technologies on it we broadly tell them to be experienced technologies which means on the whole people tend not to trust things they haven't tried but once they try them they work out pretty fast that they can trust them. 

       Obviously in this context I think this is -- this is something quite sort of interesting here because as we've said Cloud Computing is actually not new and actually it's really just an extension of some of the same principles we've been operating on for quite a few years here. 

       On the other hand the term Cloud Computing is new.  And my suspicion would be that if you asked ordinary users what Cloud Computing was a lot of them wouldn't know a lot of them wouldn't know whether they are already using them and therefore this issue of how you build trust in a service which many people are already using I think is really quite complex. 

       Thinking about how we might frame that, I think you did a good job at the beginning, Patrick, to sort of set up sort of some of the risks and opportunities again any technology always brings new risks and opportunities and I think together with NASA the discussion of the sort of potential for privacy by design being introduced here technical fixes to social problems is very encouraging.  Obviously there are other risks still.  What happens if your cloud provider goes bust who owns the data, where does it go living in a very small village with frequent power outages I would like to say the power is better in Nairobi rather than Oxford if my data is stored in a cloud I don't have Internet connection then I'm stuffed there are things with every technology advances but one thing we can't do is solve the legislative and policy issues surrounding this Cynthia I hope you'll talk more about your solutions and it's great to hear about some of the EFF's ideas here I'll let you talk about it because you're the expert but I want to briefly talk about the three levels if you like so business users, individual users and perhaps legislative framework to see if there are any suggestions we can make here which is perhaps based on common sense in terms of taking this forward so just thinking about individual users first of all now as I've said already our research tends to show that certainly with individual users people tend to trust things more the more they use a technology.

       Now what does that mean in this context?  For those of us that are sort of trying to provide these lovely new services should we actually go out and start telling people about Cloud Computing or does that risk alarm people I genuinely don't know the answer for that and I think there's enough people in the room here for that.  Transparency points are very key obviously we want people to take more control of their data we also know on the whole it's very hard to do that how many people do actually read contracts terms of service so on I think this area was so complex that we'll move behind contracts and find language that's easy to see where people to see where the data is stored with a particular provider and they will be able to make very easy decisions.  On the other hand we also known Ian Brown has done great research on privacy that privacy is very much contextual we decide to give up data depending on the potential benefits it may well be that people become aware of the complexities here but just decide that the benefits of Cloud Computing are too great and they are at least willing for their own data to make these decisions.

 

       However, it seems to me it gets more complicated when we start using at business users, businesses who are very often taking data from their consumers from their users and putting them in the cloud because there obviously the decisions they have to make are really going to affect all of their consumers. 

       Now there was a survey last year and I haven't looked at the original data so I don't know how well drawn up the survey was but it was by the Ponemon Institute it was Symantec who did the report 1  in 10 companies using Cloud Computing have any sort of vetting procedures for determining how adequate the security terms are and the sort of potential legal weaknesses of any arrangement might be one area as a business users these services could do more is look at their staff training their internal procedures for outsourcing these kinds of services to make sure they meet the sort of adequacy standards that people like Google and Microsoft are trying to do. 

       Similarly I've mentioned already the scope of privacy by design that's great because sort of the bigger companies -- for the bigger companies there has to be a debate here about the increasing world of encryption most ordinary users don't understand if I were to buy Cloud Computing services I'll encrypt all of my data how will I understand that how will I use it I think there has to be an understanding of privacy design what that means just for business users to be able to talk to their clients for the big providers and finally last point because I know we're really sort of running short of time here just thinking about the legislative framework.  I mean the interesting thing from all perspectives here is everybody is very attached to the rights that their states grant them so in Europe yes we have the Data Protection Directive, which we know is very restrictive but we are quite attached to that on a whole in the U.S. obviously the constitutional rights First Amendment they are attached to those we prefer the legislative frameworks of which we operate but this is a clear case we'll have to get used to dealing with legislative frameworks and finding if you like what the commonalties are between them I like the blog on the Microsoft -- sorry the blog post or Microsoft post pointing out that the data is not likely to be approached by Government purposes actually in the UK we have repo (phonetic) to determine whether a child is eligible for a school so at this point I would rather entrust my data to the U.S. than the UK on the legislative point the only thing I think we can say is going forward quite clearly there will have to be some degree of movement towards some sets of common principles to govern this sort of thing just thinking about the European context Christian Millard has asked that we might look at the idea of sensitive or personal data and move away from particular sorts of information about individuals to some sort of categorization to consider is there much risk of this data identifying people and what would happen if we did identify those people for example if we can store this in a very secure way and it's encrypted the fact it's personal sets of data might not matter so much.

       Anyway, so I think we need to look at these three different levels if we are going to think about improving trust in the cloud really at the end of the day we're not going to provide you with any answers today but this is exactly the sort of issue that the IGF needs to be debating because it affects all of us NGOs companies individuals and I look forward to getting answers from this great group.

   >> PATRICK RYAN:  Is that's great we're going to turn to questions now I hope everybody can already see from the makeup of this panel this is something that we're looking very seriously at and we really wanted to get all of the issues out into the open we're not trying to give any particular marketing spin a lot of these things are close to everybody's hearts we're running close to time so I'll suggest we do this we take about five questions at a time I'll take notes and we'll look at the panel and sort of coordinate some quick responses to those questions by groupings and then we'll go back for another round of questions.  So let's go ahead. 

   (Standing by for audio).

   >> PATRICK RYAN:  Thank you.  Good question.  Let's take another couple.  Thank you. 

   >> I very much agree with what Vicki was saying.  And I would particularly like to address this question to Google and Microsoft. 

       I very much appreciate what you're doing on security by design and privacy by design.  I come from the British Computer Society and our 70,000 members are very keen that the major corporations should have the default setting for starting anything being high privacy and high security.  That is under users control to make their own decision about how much they want to open that up.  Could you tell me if you agree with that?  Thank you. 

   >> My name is Eduardo Anthony from the centre from freedom of expression and access to information at Plymouth university School of Law in Argentina.  A couple of questions one from Katitza and the other is to all on the panel. 

       I like what Mr. Kettani said that no company can solve the problem of security and privacy alone.  I really think on that that this is a necessity to have a multi-stakeholder combination of proposals and dialogue to solve the problem.  But I understood that many of the concerns in the panel were related to how law enforcement agencies can access to arrive at an information that is in the cloud.  And that problem is going directly to -- not a new problem which is a jurisdictional problem.  What is the law that should be applied?  And what is the judge that is going to deal with the case?  And Katitza, if I understood correctly, put the burden to fight against these bad law enforcement legislations in the -- in the Private Sector.  You said that the cloud companies should fight those orders when they are not reasonable.  My question is:

Don't you think that this could be possible for big companies but not for small companies?  And if that is the case, what you are pushing is the concentration of the market.  In big companies that would be able to fight these gag orders. 

       And again putting the burden in the shoulders of the users, just working in a transparency policy in the Private Sector, I don't think that this is very useful.  Because the users usually we read the agreements and we click that we agree without many understandings of what we are doing. 

       And so my idea is that we really need what we say is harmonization or some sort of harmonization of principles.  And I'm not sure if the countries are going to do internally these things. 

       So the question is:  Is there a moment to start thinking in an international treaty, in an international agreement, to harmonize these kind of principles that not -- that will not permit the law enforcement agencies to get without reasonable -- in a reasonable way they can get the information in the cloud.  Thank you. 

   >> PATRICK RYAN:  Great.  Thank you.  Let's take one more question and then we'll answer.  In the back.   

   >> (Off microphone).

   >> PATRICK RYAN:  Great.  Thank you we're going to take one last question from one of our remote participants and then we'll go ahead and group these and answer them.

   >> Okay we have a question from the Vanuata hub and the question is how much access do people have to your private data and how secure is the data from third parties? 

   >> Maybe I should take over chairing and you can sit in my space to answer these questions. 

   >> PATRICK RYAN:  Let's go ahead and group some of these questions I'm going to look at the first question that Chris had asked related to the Patriot Act and sort of a lot of the issues that we have which are very American in many ways and whenever people are concerned about Government access to the cloud it's usually the American system that's pointed at and feared.  When we go around and answer this question I'll ask all of our panelists to be very con advice and quick in our answers so we can see if we get one more question round in and Cynthia if you don't mind I'll have you try to tackle the issue to this question about how you're looking at as an organisation to the Patriot Act compared with other types of laws around the world. 

   >> CYNTHIA WONG:  I'm going to defer that answer to Katitza because I'm not an expert in the world all I'll say is there's what exists in U.S. law and there's what exists in U.S. practice there's a lot of bad case law in jurisdiction when it comes to the cloud but it's actually unclear what the actual practice is and I think one of the challenges is a lot of countries looking at what we have on the books in the U.S. get very scared understandably and very upset about that.  And maybe reacting in ways that may be unnecessary because the U.S. Government may not actually be exercising that power so I think there's a need to shed a lot of transparency on the way that the U.S. Government is actually exercising it's power under Bank of Nova Scotia and the Patriot Act to see what's actually happening.

   >> PATRICK RYAN:  So Katitza when you answer that question I would also like you to please add if you would a response to the inquiry about this level playing field big companies like Google and most of the could potentially implement the types of recommendations that you have.  But what about the next Google in the garage of a Kenyan entrepreneur? 

   >> KATITZA RODRIGUEZ:  Thank you.  Okay.  First I think that the first question that Chris made is more directed to the business sector than Civil Society because we have the same concerns that they, too, have raised.  So maybe someone from the business sector can reply.  I think it's more about your business practice rather than us as a legal matter.  I think that's how he put the question forward. 

       But I will go to reply to Eduardo's question.  I didn't finish on the recommendations because I speak Spanish and I try to speak slowly so people understand me.  And I know I will run out of time.  So I saved some of my recommendations for later. 

       So -- but in one of the issues we are working, it's also the centralization of cloud providers.  We believe that there are also movements and projects trying to ready centralize computer services cloud providers but ensuring that people have useful decentralized options nowadays we often feel these projects have a lot of challenges to deal with because for example it's easy for a big corporation to use their infrastructure to do distributed backups of data which help to increase reliability. 

       However, the privacy -- no the centralization advocates, especially we met a few of them in the last computer club are arguing the combination of encryption with Peer-2-Peer architectures will get greater reliability.  For example, you could store copies of your data ultimately on friends or maybe a stranger's computer if it's encrypted properly to ensure it's not readable to them. 

       There are still a few challenges and this is a new area but the technical community, the hackers, the security researchers are working towards that path, the centralization of the infrastructure. 

       However we also understand as Civil Society that many users use those services.  And those companies that have the power and capacity to challenge those.  And we think it's good business practices because it also creates transparency on what those law enforcement practices are because as Civil Society we have little mechanisms to know exactly what's going on.  And how we can make pressure on them if we don't know what's going on? 

       So I think they are not as good and we are not promoting concentration we are just working in different fronts and different venues as it is.  Am the other suggestion the use of encryption although it may not work in all of the systems, it all depends if it's storage or sharing document but encryption is also another mechanism if it's in the hand of the end user to protect the data. 

       And I just want to reply the last question of someone make about the data.  One company -- if one company can read the data. 

       So cloud providers that are targeting the end users could have HTTPS and many companies if for instance Google has HTTPS by default so third parties outside Google cannot know what you're doing inside your cloud provider but it needs to be understood the company they will not be reading your data but they have the capacity to read your data, the person who is actually hosting the cloud service provider.  So there are two different things.  I just tried to clarify that.

   >> PATRICK RYAN:  Great thank you Nasser I'm going to try to group the last two questions for you if that's okay.  They are the two hardest.  No I'm just kidding.  I think we've had a number of hard ones but this one I think is one that you alluded to earlier and you are in your introduction about the privacy controls and about the design systems. 

       One of our -- one of our questioners asked about the default settings and how do companies in this space look at that.  And if you can address that question.  And perhaps together address which I think is related some of the concerns raised by the questioner about putting data -- you know Government data for example for African governments in the cloud and how that is secured. 

   >> NASSER KETTANI: These are all valued questions.  On the privacy settings or default settings, I think the -- it's a very general concept which is -- we which need to understand.  And the way we actually think about it is we think about it in specific context. 

       So we can take you know the concept of default settings and apply it everywhere, et cetera.  So the way we think about it is by including that as part of our privacy by design. 

       So every you know -- every service or every product that we build and as we think through privacy by design as I said from the beginning, then we put in context you know the issue of the default settings and we address that in that sense instead of you know taking that broadly as you know as a major thing. 

       But I think one thing that was mentioned which is I believe is extremely important besides the default settings, I think the most important thing is the clarity of the privacy policies of our services and our service providers. 

       I think the last thing that we want to do is to make those things unreadable and like insurance contracts.  I mean nobody reads an insurance contract ever.  I've signed many and I never read them.  And I know that in many cases I've just signed you know a check to so many things.  I think on the very fundamental fact of private policies I think as vendors we should be extremely transparent, extremely clear.  Provide the most clear and simple terms that people can understand. 

       Just to give you an example again on those, when I think about the way we do that in our products, on the phone for example, the privacy are part of the -- you don't have to connect to the Internet to go and access data and it gets to be really complicated.  It's there.  It's part of the application.  You know it's clear, it's accessible, et cetera. 

       So that's the way we think about it.  Very simple.  Very clear.  Very accessible.  Et cetera, et cetera.  Rather than a general concept of default settings.  But we agree to the principles.  We just would want to put them in context -- we wouldn't want to put them in context of every service, et cetera. 

       On the issue of Government data or is this just pure Government data or, you know, general data -- I just want to make sure.

   >> PATRICK RYAN:  As I understood the question one of the great opportunities of the cloud is the savings and the amount of money that governments can save by moving their data to the clouds.  And you know in the case of an African provider or an African Government where there really aren't a lot of data centres.  There are obviously some.  I'm sure Nii would have a service that's wonderful and could service all of your needs. 

       But you know in those cases, you know, how do we guarantee the security and sovereignty of Government data which has a certain amount of sensitivity.

   >> NASSER KETTANI: I think the real way of doing it -- again I'm a technologist so I'm not addressing it from a policy perspective.  The way I look into it is first of all ask the question of any customer.  And ask him:  Do you think that your security policies and practices today are more sophisticated than what Microsoft has put in place in our data centre or Google.  Just ask that question.  And do you think that your data is safer in your data centre than in our data centre?  Okay.  That's just from a technology perspective think about that.  And respond to that question first.  And the reality is, as companies -- because we know what that problem is.  And we know what that issue is, we have invested billions and billions of dollars on security issues to make sure that we provide the highest level of security ever in any data centre.

And I know Microsoft is doing that.  I know Google is doing that and I know other vendors are doing that and that's the fundamental belief for us in terms of how we do it. 

       And I don't think frankly speaking any Government can afford that kind of you know investment, et cetera.  And that level. 

       But the reality is, you know, governments have always their issue about -- which is not more of a security issue but more of a trust but goes back to the discussion of Patriot Act who has access to my data are you going to provide the data to others and so forth.  I think the one way to look at it to address it let's look at it from a risk management perspective and the other way to look at it is saying this is the reason we have alternative solutions is you might say you might think of certain data that can go to a public cloud that's okay because it's not as sensitive as you think about it, it's okay to move it to a public cloud there might be very sensitive data things you don't want to get out of your country and it's okay to build data centres for that matter to address that problem and still you can benefit from cloud services and applications that can go and leverage your data, leverage data outside and still benefit from cloud.

So cloud is not -- and this is where -- cloud is not only about storage.  Cloud, it's -- it can be services that can provide it but still storage is somewhere else in your data centres and you can have mixed scenarios.  So from that angle I look into it as various scenarios and think about what you really can move to the cloud.  And it's okay.  And think about what you can leave.  But still you know you have to pay -- pay a price for that and you're ready to pay a price for that and a premium price to host it to manage it to secure it, et cetera.  That's the way I actually look at it from a technology perspective. 

   >> PATRICK RYAN:  Okay.  Thank you.  I think Cynthia had one final word and we are out of time so I'll let Cynthia wrap it up and have the last word.  Did you have something?

   >> Can you answer my question does Google provide Europeans with access to U.S. persons data in the same way that you provide Americans with access under the act and equivalents.

   >> MARK CRANDALL:  I can help address that question I'm Marc Crandall I'm also from Google I was counsel for Gmail for a number of years and I can tell you that obviously we have to look at these things on a case-by-case basis we have an entire team that are dedicated -- this touches upon what we talked about earlier we have an entire team dedicated to reviewing third party data requests which we do get of course and we review them not only to review the letter of the law but also to make sure that the requests comply with the spirit of the law and we have to take a very conservative approach.  One nice thing is that as a larger cloud provider we're in a good position to be able to review these requests and push back on them when necessary.  But obviously we have to be very conservative and as the custodian of user data we need to make sure that we take this responsibility very seriously.

But as far as individual questions like you may have had again we have to review it on a case-by-case basis we receive requests from everywhere we have to make sure we comply with all relevant laws which is very hard which is one reason why forums like this is so important which is not only what can we do down the road five years from now but it's also we have to be pragmatic we have to look for a solution we work with now because we do deal with this right away.  And so I'm glad we're doing something like this. 

   >> PATRICK RYAN:  Again I'm --

   >> NASSER KETTANI:  Can I add something on that again I'm not an expert lawyer but this has not -- I mean I'm not saying we're pushing back at that law.  I think we all have problems with you know -- and it's a very fundamental problem.  But this problem in general is not related to cloud.  Any airline company operating in the U.S. has that problem.  Any company that has presence in the U.S. has the problem of that.  So it has nothing to do with whether you're doing cloud or not.  Air France, if they receive the request from the Government they have to provide the data and comply with the law.  It's not because they do or do not do cloud the point I'm trying to make here it's not like there's something new and then the Patriot Act applies to it and doesn't apply to other things this is something to keep in mind this is a problem to be addressed to the whole industry not just cloud providers and this is why it's not just Microsoft -- as I said, everybody has to address that problem whether it's in governments and all of the industry on that front.

But the fundamental thing is we have to abide by the law and we want to be as sensitive as conservative as transparent as we can to address that problem you know as vendors. 

   >> NII QUAYNOR:  I just wanted to comment on the question on whether all of the IT assets from Africa will migrate out and the observation is that as a cloud provider in Ghana, I don't keep everything in Ghana.  I do the same as my counterparts do I do the same as all over the world including those in Ghana so everything is the same as everybody else and nothing really is going out any more than before. 

       With respect to power to the user and so on, I believe we have to do more education about the certificates and keys and so on and so forth.  But that's not really above the normal user.  Meaning within a reasonable time we can build a confidence in doing that.  I believe that governments will maintain two types of clouds as I suggested.  I know the Government of Ghana is building significant data centres.  But they are also including having a private cloud.  But I know they also use public cloud.  Thank you. 

   >> KATITZA RODRIGUEZ:  Just one last comment, Patrick I want to add one additional level from the complexity from a user perspective if for instance activists in a regime or maybe in a country with records of less standards they might start relying on a cloud where the jurisdiction is outside, outside the country.  What we have seen from law enforcement and sorry -- for law enforcement from those countries is they are trying to stop the communications of those cloud providers in order to get the communications because they say they can not access the data that's hosted in the U.S. for instance.  This is also particular challenges recently in the news was a case of South Korea which is calling all of the users who are using Gmail or services outside South Korea that they are getting cyber asylum.  That they are putting -- because they are introducing all of those services outside that country.

But in some way it's protecting them from law enforcement at a national level. 

       So --

   >> PATRICK RYAN:  We're going to have to wrap up, Katitza.  Thank you all very much.  And I'm sure we're all available for any other further questions.  It's been a wonderful session.  Thank you for coming. 

 

(Session ended at 10:37)

 

 

***