Taking Ethics to the Cloud
Just a decade ago, it would have been hard for all but the most tech-savvy to imagine the extent of cloud computing today . . . We believe cloud computing has the same potential to create profound new sustainability and ethical dilemmas. Addressing these dilemmas calls for an update on how we think about corporate responsibility.
Just a decade ago, it would have been hard for all but the
most tech-savvy to imagine the extent of cloud computing today. A complex
system of data centers worldwide that store, process, and deliver information
on demand over the internet, the cloud provides users with resources,
applications, and information that they previously would have stored locally.
The cloud—what some are calling “the factory of the 21st century”—is run by a
network of IT service companies, internet firms, and telecommunications
services providers, and it offers services to all of us: from banks and
retailers to individuals like you and me. It is both real—requiring traditional
inputs such as electricity—and virtual.
Throughout the history of corporate responsibility, a few
megatrends have redefined how we think about the ethics of business. The
outsourcing of manufacturing to places with low labor costs and lax regulations
led to a rise in consciousness about working conditions at supplier facilities.
The increasing number of people living at the “base of the pyramid” (the now
2.5 billion people who exist on less than US$2.50 per day) prompted companies to
address global poverty while advancing business interests.
We believe cloud computing has the same potential to create
profound new sustainability and ethical dilemmas. Addressing these dilemmas
calls for an update on how we think about corporate responsibility.
To be clear, cloud services make a positive contribution to
sustainability: The cloud encourages important clean-tech applications like
smart grids, and it also encourages consumers to use virtual services such as
video streaming to replace resource-heavy physical products. The cloud also
draws resources to where they are used most efficiently, and its jobs tend to
be cleaner and safer than those of more traditional industries.
What follows is an evaluation of how cloud computing will
affect two top sustainability issues of our time: climate change and human
Climate in the Cloud
the BSR Conference 2011, Autodesk CEO Carl Bass posed a question about the power of
what he called “infinite computing,” asking what we can do to harness the
unlimited amount of computing to help solve some of today’s most pressing
is no doubt that the expansive power of computing can help us address
sustainability challenges, but this technology also draws from the Earth’s
finite environmental stocks and biosphere. Data centers are already responsible
for 1 to 2 percent of global electricity use, a level
that doubled even during the economic slowdown between 2005 and 2010. There are
troubling signs that data center power use will continue to grow substantially.
Against this backdrop, there are several interconnected
issues related to the cloud’s impact on climate change: its swelling energy
footprint, the fact that location makes all the difference on the carbon
footprint, the cloak of secrecy around data center sites, and the challenge of
accounting for carbon when collaboration is so complex.
the first issue, regarding the data centers themselves, there have been
breakthroughs in energy efficiency, such as chiller-less servers and pods that
use low energy in harsh climates, and there will be more. But with global
energy consumption set to rise by around 40 percent by 2030—due to more affluent people
desiring more high-tech equipment, and applications growing hungrier for
energy—energy demand from data centers is likely to outstrip efficiency gains.
location is another challenge: If all else is equal, data center operators will
build facilities where the energy is cheap, and, usually, that means dirty. In
the United States, more than half of all top data centers rely on coal for
the majority of their energy needs, which means a lot of new data centers are
clustered in North Carolina and the Midwest.
Meanwhile, there is a tendency for operators to keep quiet
about where their sites are located, which runs against the good practice of
making carbon information transparent. Many companies keep certain site
locations, such as suppliers, under wraps for competitive reasons, and cloud
companies are even more secretive about data center locations due to often
legitimate concerns about security. Customers whose personal information is
stored at these data centers tend to appreciate this. Nevertheless,
transparency about local carbon impacts remains a key element of climate
responsibility, and companies will be under increasing pressure to disclose
more and, when they can’t disclose, to explain why.
the cloud’s value chain is more complex than what current accounting and
reporting systems can handle. Even the new Greenhouse Gas Protocol’s Scope 3 standard, the authoritative framework for
measuring carbon in value chains, offers little guidance. The difficulty lies
in the fact that the disparate collection of IT services companies, internet
firms, telecommunications, and services providers make it hard to create
accountability for carbon performance as a system.
These four challenges point to some new themes that will
soon be considered part of leading climate and corporate responsibility
practice for cloud-services providers:
- Location matters.
One of the greatest opportunities for cloud carbon reduction is with siting,
since energy makes up such a large share of a data center’s footprint, and the
carbon content of electricity is determined by the local grid’s portfolio. This
makes alignment among sustainability, operations, and real estate teams crucial
for managing carbon performance. Furthermore, those building data centers for
customers have a responsibility to educate clients about the carbon impacts and
risks that result from where they commission facilities to be built. They also
have an opportunity to strengthen relationships by offering better insights and
services to help customers get the most out of low-carbon siting.
- Companies have a role in
influencing electricity grids. Because data centers can be large
energy customers, an additional point of leverage for developers and operators
is to influence local policymakers and utilities to invest in more sustainable
energy sources. On first thought, this might seem radical. But savvy companies
already negotiate electricity prices with utilities and engage with local
governments on a range of policy issues, so this can be an extension of those
conversations. Also, power utilities are effectively key suppliers—if not the
key one—for energy-intense data centers, and the practice of engaging suppliers
on sustainability is a common frame of reference.
- Transparency will enhance
collaboration. Data center operators need to be
more proactive about advancing carbon transparency by reporting as much as they
can about carbon impacts through the Carbon Disclosure Project, and
communicating more earnestly about what can and cannot be disclosed. The more
information companies can provide, the more tools researchers, civil society,
and service providers will have to establish metrics and public policies that
improve incentives for investments in energy and carbon-efficient operations.
Human Dimension of the Cloud
How much the cloud affects human rights will depend on the range
of services it provides; there will be less risk associated with corporate
information than personal communications, for example. Some categories of
customers (such as civil society organizations) may have more reason to be
cautious than others (such as multinational corporations).
We believe cloud-services providers should consider their
human rights responsibility in two main dimensions: data center location and
their role as gatekeepers of information.
The first responsibility is to integrate human rights
factors into decisions about data center location. In addition to price and
local energy supply, a key factor in determining the ideal location for a data
center is the local jurisdictional context. While some countries have strong
privacy and security laws and practices, others do not, and this variation can
significantly affect the cloud’s impact on privacy, security, and freedom of
When it comes to siting data centers, companies are
understandably nervous about storing data in jurisdictions that may not respect
the rights of their users and customers. For this reason, they often choose to
locate data centers in places with favorable privacy laws, even if that means
storing the data in a country outside the users’ location. Yahoo, for example,
chose to locate its services targeted at the Vietnamese market in Singapore.
However, governments are becoming wise to this and can retaliate by requiring
that data be located in-country if the business is to be licensed to operate
The second responsibility of the cloud provider relates to
its role as the gatekeeper of user data when law enforcement comes knocking for
personal information. In theory, it is often the customer—the bank or the
retailer, for example, and not the cloud-services provider—that defines the
response to a law-enforcement demand. However, what really happens in a
law-enforcement context is shrouded in mystery, and there are various controls
and conditions that local government can require as part of the local license
to operate that could bypass the customer altogether and go straight to the
cloud-services provider. Additionally, and very importantly, when
cloud-services companies provide services such as email or file storage to an
individual customer, it is clearly the cloud-services company that defines the
response to the law-enforcement demand.
This places cloud-service providers in a difficult position:
In theory, they exist to provide virtual services to anyone, anywhere,
unrestricted by traditional geographical boundaries or physical presence. In
reality, the cloud is connected to the ground, and there is a very real ethical
question about where to locate its physical presence. And as more business
transactions take place in the cloud, cloud-services companies are caught
between protecting the rights of their users and abiding by the law-enforcement
demands of their regulators.
So what is a responsible company to
do? Consider three main ethical dimensions:
For both the users and providers of cloud services, it is important to have a
siting strategy that fully considers the legal and jurisdictional issues where
the data centers and network architecture are located.
- The role of law enforcement:
For the providers of cloud services, it is important to have a clear
understanding of how to manage law-enforcement relationships. This may mean
insisting on due process, challenging law-enforcement demands that may
jeopardize human rights, and promoting good governance and the rule of law. The
Network Initiative is a good example of a responsible
approach that supports greater interaction between companies and governments to
enforce laws that protect rights to privacy, security, and freedom of
- The importance of raising
awareness: The providers of cloud-based services—who are by
implication the experts in cloud issues—have a responsibility to provide advice
and guidance to users who know less about how the cloud affects privacy and
freedom of expression.
Changing Ethics of the Cloud
In our conversations with companies about cloud computing,
we’ve encountered objections to some of the views expressed here. We’ve heard
it argued that cloud-services companies have no business trying to influence
energy policy—that this is the purview of the energy industry. We’ve also heard
that cloud providers should stick to their core contribution of
“dematerializing” the economy and “enabling solutions.” And we’ve heard it
argued that cloud-services companies should avoid engaging in human rights, the
rule of law, and good governance in high-risk countries—that governments know
best, and the role of business should be simply to follow their laws.
But it’s important to remember the core definition of
corporate responsibility (as defined by the European Union, ISO26000, and many
others), which emphasizes the role of business in supporting sustainable
development. In this regard, cloud computing represents two shifts that are
highly relevant. First, its highly networked, decentralized structure blurs
jurisdictional lines, raising questions about accountability that effectively
have never been asked. Second, today’s version of cloud computing is an embryo
for what will be one of the most important industrial revolutions of the 21st
century. With significant infrastructure to be built for an industry whose
equipment is reinvented every two or three years, decisions made today will
establish the architecture, communities, and choices we will have to work with
As cloud computing takes hold and changes the profile
of business, so, too, will it change notions of business ethics and corporate
responsibility. There was once a time when business would argue that suppliers
should take sole responsibility for following labor and environmental laws, yet
today we see armies of auditors and labor-relations specialists going above and
beyond what is legally required. A similar transition will arise with cloud
computing, and activities deemed outside the scope of corporate responsibility
today—challenging unreasonable law-enforcement demands, meddling in energy
policy—will be mainstream tomorrow. Now is the time for today’s most innovative
companies to define what that looks like in practice.