April 10, 2012

Just a decade ago, it would have been hard for all but the most tech-savvy to imagine the extent of cloud computing today. A complex system of data centers worldwide that store, process, and deliver information on demand over the internet, the cloud provides users with resources, applications, and information that they previously would have stored locally. The cloud—what some are calling “the factory of the 21st century”—is run by a network of IT service companies, internet firms, and telecommunications services providers, and it offers services to all of us: from banks and retailers to individuals like you and me. It is both real—requiring traditional inputs such as electricity—and virtual.

Throughout the history of corporate responsibility, a few megatrends have redefined how we think about the ethics of business. The outsourcing of manufacturing to places with low labor costs and lax regulations led to a rise in consciousness about working conditions at supplier facilities. The increasing number of people living at the “base of the pyramid” (the now 2.5 billion people who exist on less than US$2.50 per day) prompted companies to address global poverty while advancing business interests.

We believe cloud computing has the same potential to create profound new sustainability and ethical dilemmas. Addressing these dilemmas calls for an update on how we think about corporate responsibility.

To be clear, cloud services make a positive contribution to sustainability: The cloud encourages important clean-tech applications like smart grids, and it also encourages consumers to use virtual services such as video streaming to replace resource-heavy physical products. The cloud also draws resources to where they are used most efficiently, and its jobs tend to be cleaner and safer than those of more traditional industries.

What follows is an evaluation of how cloud computing will affect two top sustainability issues of our time: climate change and human rights.

The Climate in the Cloud

At the BSR Conference 2011, Autodesk CEO Carl Bass posed a question about the power of what he called “infinite computing,” asking what we can do to harness the unlimited amount of computing to help solve some of today’s most pressing problems.

There is no doubt that the expansive power of computing can help us address sustainability challenges, but this technology also draws from the Earth’s finite environmental stocks and biosphere. Data centers are already responsible for 1 to 2 percent of global electricity use, a level that doubled even during the economic slowdown between 2005 and 2010. There are troubling signs that data center power use will continue to grow substantially.

Against this backdrop, there are several interconnected issues related to the cloud’s impact on climate change: its swelling energy footprint, the fact that location makes all the difference on the carbon footprint, the cloak of secrecy around data center sites, and the challenge of accounting for carbon when collaboration is so complex.

On the first issue, regarding the data centers themselves, there have been breakthroughs in energy efficiency, such as chiller-less servers and pods that use low energy in harsh climates, and there will be more. But with global energy consumption set to rise by around 40 percent by 2030—due to more affluent people desiring more high-tech equipment, and applications growing hungrier for energy—energy demand from data centers is likely to outstrip efficiency gains.

 Facility location is another challenge: If all else is equal, data center operators will build facilities where the energy is cheap, and, usually, that means dirty. In the United States, more than half of all top data centers rely on coal for the majority of their energy needs, which means a lot of new data centers are clustered in North Carolina and the Midwest.

 Meanwhile, there is a tendency for operators to keep quiet about where their sites are located, which runs against the good practice of making carbon information transparent. Many companies keep certain site locations, such as suppliers, under wraps for competitive reasons, and cloud companies are even more secretive about data center locations due to often legitimate concerns about security. Customers whose personal information is stored at these data centers tend to appreciate this. Nevertheless, transparency about local carbon impacts remains a key element of climate responsibility, and companies will be under increasing pressure to disclose more and, when they can’t disclose, to explain why.

Finally, the cloud’s value chain is more complex than what current accounting and reporting systems can handle. Even the new Greenhouse Gas Protocol’s Scope 3 standard, the authoritative framework for measuring carbon in value chains, offers little guidance. The difficulty lies in the fact that the disparate collection of IT services companies, internet firms, telecommunications, and services providers make it hard to create accountability for carbon performance as a system.

 These four challenges point to some new themes that will soon be considered part of leading climate and corporate responsibility practice for cloud-services providers:

1. Location matters. One of the greatest opportunities for cloud carbon reduction is with siting, since energy makes up such a large share of a data center’s footprint, and the carbon content of electricity is determined by the local grid’s portfolio. This makes alignment among sustainability, operations, and real estate teams crucial for managing carbon performance. Furthermore, those building data centers for customers have a responsibility to educate clients about the carbon impacts and risks that result from where they commission facilities to be built. They also have an opportunity to strengthen relationships by offering better insights and services to help customers get the most out of low-carbon siting.
2. Companies have a role in influencing electricity grids. Because data centers can be large energy customers, an additional point of leverage for developers and operators is to influence local policymakers and utilities to invest in more sustainable energy sources. On first thought, this might seem radical. But savvy companies already negotiate electricity prices with utilities and engage with local governments on a range of policy issues, so this can be an extension of those conversations. Also, power utilities are effectively key suppliers—if not the key one—for energy-intense data centers, and the practice of engaging suppliers on sustainability is a common frame of reference.
3. Transparency will enhance collaboration. Data center operators need to be more proactive about advancing carbon transparency by reporting as much as they can about carbon impacts through the Carbon Disclosure Project, and communicating more earnestly about what can and cannot be disclosed. The more information companies can provide, the more tools researchers, civil society, and service providers will have to establish metrics and public policies that improve incentives for investments in energy and carbon-efficient operations. 

The Human Dimension of the Cloud

How much the cloud affects human rights will depend on the range of services it provides; there will be less risk associated with corporate information than personal communications, for example. Some categories of customers (such as civil society organizations) may have more reason to be cautious than others (such as multinational corporations).

We believe cloud-services providers should consider their human rights responsibility in two main dimensions: data center location and their role as gatekeepers of information.

The first responsibility is to integrate human rights factors into decisions about data center location. In addition to price and local energy supply, a key factor in determining the ideal location for a data center is the local jurisdictional context. While some countries have strong privacy and security laws and practices, others do not, and this variation can significantly affect the cloud’s impact on privacy, security, and freedom of expression.

When it comes to siting data centers, companies are understandably nervous about storing data in jurisdictions that may not respect the rights of their users and customers. For this reason, they often choose to locate data centers in places with favorable privacy laws, even if that means storing the data in a country outside the users’ location. Yahoo, for example, chose to locate its services targeted at the Vietnamese market in Singapore. However, governments are becoming wise to this and can retaliate by requiring that data be located in-country if the business is to be licensed to operate there.

The second responsibility of the cloud provider relates to its role as the gatekeeper of user data when law enforcement comes knocking for personal information. In theory, it is often the customer—the bank or the retailer, for example, and not the cloud-services provider—that defines the response to a law-enforcement demand. However, what really happens in a law-enforcement context is shrouded in mystery, and there are various controls and conditions that local government can require as part of the local license to operate that could bypass the customer altogether and go straight to the cloud-services provider. Additionally, and very importantly, when cloud-services companies provide services such as email or file storage to an individual customer, it is clearly the cloud-services company that defines the response to the law-enforcement demand.

This places cloud-service providers in a difficult position: In theory, they exist to provide virtual services to anyone, anywhere, unrestricted by traditional geographical boundaries or physical presence. In reality, the cloud is connected to the ground, and there is a very real ethical question about where to locate its physical presence. And as more business transactions take place in the cloud, cloud-services companies are caught between protecting the rights of their users and abiding by the law-enforcement demands of their regulators.

 So what is a responsible company to do? Consider three main ethical dimensions:

1. Location: For both the users and providers of cloud services, it is important to have a siting strategy that fully considers the legal and jurisdictional issues where the data centers and network architecture are located.
2. The role of law enforcement: For the providers of cloud services, it is important to have a clear understanding of how to manage law-enforcement relationships. This may mean insisting on due process, challenging law-enforcement demands that may jeopardize human rights, and promoting good governance and the rule of law. The Global Network Initiative is a good example of a responsible approach that supports greater interaction between companies and governments to enforce laws that protect rights to privacy, security, and freedom of expression.
3. The importance of raising awareness: The providers of cloud-based services—who are by implication the experts in cloud issues—have a responsibility to provide advice and guidance to users who know less about how the cloud affects privacy and freedom of expression.

The Changing Ethics of the Cloud

In our conversations with companies about cloud computing, we’ve encountered objections to some of the views expressed here. We’ve heard it argued that cloud-services companies have no business trying to influence energy policy—that this is the purview of the energy industry. We’ve also heard that cloud providers should stick to their core contribution of “dematerializing” the economy and “enabling solutions.” And we’ve heard it argued that cloud-services companies should avoid engaging in human rights, the rule of law, and good governance in high-risk countries—that governments know best, and the role of business should be simply to follow their laws.

But it’s important to remember the core definition of corporate responsibility (as defined by the European Union, ISO26000, and many others), which emphasizes the role of business in supporting sustainable development. In this regard, cloud computing represents two shifts that are highly relevant. First, its highly networked, decentralized structure blurs jurisdictional lines, raising questions about accountability that effectively have never been asked. Second, today’s version of cloud computing is an embryo for what will be one of the most important industrial revolutions of the 21st century. With significant infrastructure to be built for an industry whose equipment is reinvented every two or three years, decisions made today will establish the architecture, communities, and choices we will have to work with later.

http://www.bsr.org/en/our-insights/bsr-insight-article/taking-ethics-to-the-cloud