Cloud computing has emerged and grown significantly over the recent decades – from its infancy in 2004, to a $576 billion industry in 2023. FTC’s Office of Technology, Bureau of Competition, and Bureau of Consumer Protection worked together to examine four specific areas of cloud computing through a Request for Information (RFI) and a public panel of cloud computing experts. These areas included competition, single points of failure, security, and AI.
The FTC received 102 public comments from a range of stakeholder groups, including industry participants, academia, and civil society groups. All comments are posted on the RFI’s public docket. Below we highlight key themes that emerged in both the RFI responses and panel – and pose a few forward-looking questions.
The majority of comments addressed issues related to competition, with the following themes most frequently mentioned.
Software Licensing Practices. Many commenters pointed to certain software licensing practices as a source of concern. For instance, some submissions argued that certain cloud providers have practices related to licensing software that limit the ability to use certain software in other cloud infrastructure providers’ environments, particularly when a company is moving existing on-premises workloads to the cloud.
Egress Fees. A number of submissions raised concerns about the fees paid by cloud customers to transfer their data out of (and within) certain cloud environments. According to some commenters, these egress fees could have the effect of discouraging customers from using multiple cloud providers or switching from one provider to another.
Minimum Spend Contracts. Some RFI submissions argued that certain provisions in cloud computing contracts incentivize customers to consolidate their use of cloud services to just one cloud provider. For instance, minimum spend contracts typically involve a cloud provider discounting its services in return for an agreed upon committed spend. Some commenters argued that these types of provisions act as a lock-in mechanism, and that customers are pushed to use just one cloud provider for all the services the customer needs - even if other providers offer certain superior services.
Single Points of Failure
A number of submissions raised concerns about the widespread reliance on a small number of cloud providers – arguing that outages, or other issues that degrade the service of a cloud provider, could have a cascading impact on the economy or specific sectors. Such degradations could be the result of an issue inadvertently introduced by a cloud provider, or the result of a targeted attack. Another submission addressed how the resiliency of cloud systems depends on the implementation details of a cloud provider’s offerings, and a cloud customer’s use of those offerings.
Panelists and RFI submissions noted that cloud services can provide a higher baseline level of security than on-premises options, and that cloud services offer a range of sophisticated security options and tooling. This is especially important for small businesses and startups that can access more robust security options by using cloud services. However, a number of commenters argued there is a great deal of room for improvement in cloud security; that default security configurations could be better;and that the “shared responsibility” model for cloud security often lacks clarity, which can lead to situations where neither the cloud provider nor the cloud customer implements necessary safeguards.
Generative AI and Cloud
The relationship between generative AI and cloud computing was another area of focus among RFI submissions and participants in the cloud computing panel. Generative AI products are heavily reliant on cloud providers. Some argue that cloud credits as a form of investment — in which investors provide money that can only be spent on their cloud services — could lead to vendor lock-in. The FTC is paying close attention to the development of generative AI markets, and recently wrote on the topic of generative AI and potential competition concerns.
The Cloud RFI and panel shined a light on the business practices of cloud computing providers. Looking ahead, here are areas of on-going interest and inquiry.
Are there signs that cloud markets are functioning less than fully competitively, and that certain business practices are inhibiting competition?
Are cloud providers incentivized enough by competition to create systems that are sufficiently secure?
Will competition alone create resilient systems, or is government intervention needed to avoid single points of failure? What policy options are available to improve resiliency and avoid single points of failure?
How will cloud providers respond to a limited supply of specialized AI chips? How will markets for these chips develop given their importance to rapidly developing AI markets, and the growing demand for specialized AI chips?
Thank you to staff from across the Office of Technology, the Bureau of Competition, and the Bureau of Consumer Protection who collaborated on this effort (in alphabetical order): Krisha Cerilli, Mark Eichorn, Patricia Galvan, Alex Gaynor, Hillary Greene, Elisa Jillson, Nick Jones, Kevin Moriarty, Stephanie T. Nguyen, Dan Principato, and Kelly Signs.