Tech Warns Potential Cloud Rules Could Hurt US Competitiveness

President Joe Biden in October signed an executive order directing Commerce Secretary Gina Raimondo to draft regulations requiring reporting from cloud providers when foreign customers are training AI models that have potential uses in major cyberattacks. The regulations are intended to allow the government to better assess and track those threats. Rules would apply to companies offering cloud computing services for storage and networking, or infrastructure as a service (IaaS). Amazon, Google, Microsoft and IBM are dominant players in global IaaS markets.

Requiring the collection and storage of data on foreign customers increases international concerns about “unfettered U.S. government surveillance,” and it conflicts with EU privacy law, Microsoft commented.

Cloud service clients often ask how data is protected from U.S. government access, and they can easily opt for non-U.S. cloud providers, IBM commented: “This proposed rule could make an already difficult situation even worse.”

The French government’s AI Commission recently characterized “reliance on U.S. computing services as a threat to French sovereignty and strategic autonomy,” Amazon said. The French report says requirements contemplated in the EO allow the facilitation of “economic intelligence gathering” and create “privacy and trade secret protection concerns for European companies,” Amazon said. “By stoking privacy and security concerns and further undermining customer trust in U.S. providers, the reporting requirement risks shifting the development of the next generation of AI technology to Foreign Providers or on-premises infrastructure.”

Comments from consumer groups in support of the regulations were sparse. The Center for AI Policy said the proposed rules are a “useful and worthwhile step toward reducing catastrophic risk from advanced AI.”

The regulations conflict with existing U.S. statutes, specifically the Electronic Communications Privacy Act and its goal of balancing law enforcement needs with consumer protections from government surveillance, Google commented. Among the customer data that companies would need to share is information cloud providers wouldn’t be allowed to share under ECPA unless the government obtained a subpoena or warrant, said Google: “We urge the Department to clarify explicitly that no such data will be required to be disclosed except consistent with ECPA and other applicable U.S. laws.”

Foreign users, whether they represent governments, companies or schools, don’t want the U.S. government knowing "why and how they’re using cloud services,” the Information Technology and Innovation Foundation commented. “Their use could involve confidential and trade secret-protected information that U.S. IaaS cloud users don’t want IaaS companies sharing.” Sharing the information could compromise their cybersecurity practices, as well, said ITIF.

Telecom associations urged the Commerce Department to avoid overly broad definitions for cloud service providers that would sweep in companies not intended to be regulated under the new rules. USTelecom and CTA recommended the department exclude content delivery networks, proxy services and domain name resolution services. “Overly broad definitions can create uncertainty for businesses and potentially stifle innovation by imposing unnecessary regulatory burdens on services that were not intended to be covered,” USTelecom commented. CTA quoted CEO Gary Shapiro, who testified: “The cost of over-regulation [for small businesses and startups] means the difference between survival and failure.”

NCTA recommended excluding broadband services. Members are a “highly regulated segment of the communications sector with strict laws and guidelines that dictate the treatment of customer information, and how and with whom it can be shared,” NCTA commented. “To avoid conflicting compliance burdens in an already complex area of the law, NCTA members recommend excluding broadband services from the definition of “IaaS Product” in the IaaS rules.