It has been one of the great unresolved debates of this decade: If data, from a legal perspective, should be subject to the laws and regulations of the country in which it was created, then should a cloud platform hosting data from multiple countries be partitioned? Compartmentalized? Segregated? Or should the infrastructure itself become divided and distributed among geographical territories? In recent months, it would appear that politicians and public officials are seeking to stake claims in territories they don’t quite comprehend.
“Germany has a claim to digital sovereignty,” stated that country’s minister for the economy, Peter Altmaier, in a speech last July. “That’s why it’s important to us that cloud solutions are not just created in the U.S.”
Turnkey Balkanization
A number of phrases have been used interchangeably in recent months, that are anything but. Their confusion with one another, whether intentionally or innocently, has yielded international consequences. The most daunting of these has been the onset of fault lines between the world’s IT trading blocs.
As a legal principle, data sovereignty refers to the application of laws and regulations to the protection of data, based on where it is generated and stored. In practice, it turns the concept of a data center’s location inside out, making a facility in one bloc subject to the laws of potentially all the others, based on claims that data created in a place belongs to the authorities governing that place.
Such claims, stated Altmaier, are to something he calls digital sovereignty. A policy paper his department produced last October introduced something it called Gaia-X [PDF], describing it as a project for Europe and its various cloud service providers to produce a “data infrastructure that ensures data sovereignty.” The English translation of the report, though, either innocently or shrewdly juxtaposes as many as three pairs of phrases:
Project GAIA-X makes provision for the federalised structuring of infrastructure services, especially cloud instances and edge instances, to transform them into a homogeneous, user-friendly system. The federated form of data infrastructure that results from this strengthens both the digital sovereignty of sources of demand for cloud services and also the scalability and the competitive position of European cloud-service providers.
A footnote in the report indicates that the German original uses a word that has been translated by others as either “sovereignty” or “autonomy.” There’s a distinct difference there, and the translators seem to prefer the former. But the excerpt above also juggles “federalized” and “federated.” The difference, as security engineers know all too well, is much greater than a single syllable. The former has implications that are far more disruptive than the latter.
At first, few stopped the general press from interpreting the unveiling of Gaia-X, by Altmaier and French Finance Minister Bruno Le Maire, as an effort to build an outright competitor to US cloud providers. In a press conference in late October, the two ministers jointly set a deadline of November 2020 for the construction of some kind of safe, regulated infrastructure for European data warehouses.
Initially, ministers proposed that Gaia-X accomplish this through the use of an as-yet-undevised infrastructure platform for pooling together storage resources — a kind of cloud of clouds. One possible analogue in the real world is VMware’s NSX Federation, which enables security policies to be shared and enforced among data centers that use NSX in their network virtualization infrastructure. Call this point on the scale “federated.”
Another analogue on the opposite end of the ideological spectrum officially launched in November: Russia’s so-called “sovereign Internet.” It’s a law that mandates internet service providers in Russia begin taking steps to implement an alternate, Russia-exclusive domain name system, so that it could be switched on at President Putin’s command — turnkey Balkanization.
That would be “federalized.”
‘To Build Something New’
So which is it, and which is it not? Advocates of the Gaia-X concept, true to form, are taking more than one tack in attempting to circumscribe it.
In a recent op-ed for Handelsblatt, Altmaier offered a clarification, defining Gaia-X as (in a translation by humans into English), “European, sovereign and networked data infrastructure.” This implies a somewhat, if not completely, technological underpinning for the system.
EuroCloud is an organization that certifies European service providers for compliance with EU laws. In his own op-ed last month, EuroCloud Deutschland Director Andreas Weiss explained, “The concerns of European industry are related to the data that is being collected — e.g. data from sensor systems, the Internet of Things (IoT), etc. — and the worry that they are unable to retain full control over their own data assets.” While Gaia-X’s original intent may have been “to establish a kind of virtual hyperscaler for cloud services,” he went on, the project quickly evolved into something else.
Wrote Weiss:
With a very strong focus on fair data sharing and easy access to cloud and edge services according to EU legislation, the intention is not to create systems parallel to the services already offered by incumbent international cloud service providers, but to build something new.
That something new, as Weiss went on to describe, was a kind of “European DNA” of best practices that would establish a “multi-stakeholder governance” system. This opens up the likelihood that Gaia-X may end up imposing a new set of data sharing and interfacing specifications for any data center that happens to host data originated in Europe — something in addition to the GDPR regulations that have already imposed challenges on data center operators in the US and elsewhere.
“Data sovereignty laws aren’t Balkanizing the cloud,” stated Marko Insights analyst Kurt Marko, in a note to Data Center Knowledge, “so much as creating added overhead for the dominant US operators, who have responded by adding European facilities and updating storage services to provide regional control over data placement.”
But even Weiss’s definition is too much about infrastructure, in the view of Fabian Schmidt, head of software engineering for Waldkirch, Germany-based sensor equipment maker SICK AG — the very industry that EuroCloud’s Weiss singled out. For his Homo Digitalis blog, Schmidt contends that the constitution of Gaia-X is actually more cultural and economic than technological.
It’s illusory to think that Europe could challenge the Amazons and Microsofts of our world in terms of cloud computing. They are Internet hyperscalers, comparable maybe to Things hyperscaler Volkswagen. For example, Volkswagen has perfected supply chains, modular design and manufacturing platforms. . . making it nearly impossible for competitors to enter the market. Therefore, building “the next AWS“ over a decade after the rise of cloud computing isn‘t a good idea, and this is why Gaia-X focuses on a meta level.
Thus like a pedestrian in an M.C. Escher lithograph, the explanation for what Gaia-X is not has come around full circle, to encompass exactly what its originator said that it is.
The Circle that Never Begins
If any country in the world knows what it’s like to be told something is not what it clearly is, it’s the United Kingdom. In recent days, voters there granted a clear mandate to Conservatives, led by Prime Minister Boris Johnson, to ratify a plan to leave the European Union next month. At that time, negotiations with the EU would begin that would determine the UK’s place in the EU’s “digital single market” — a territory that may or may not encompass Gaia-X.
For their part, the UK’s cloud providers may already be casting their vote for “not.”
Simon Hansford is the CEO of UKCloud, which provides data center services to the UK’s public sector. Perhaps smelling a rat, Hansford suggested in his own op-ed answering the EU’s creation of Gaia-X with a national cloud that the UK can call its own:
My vision is for an inclusive multi-vendor, multi-cloud service that creates a digital platform for innovation and collaboration within the UK. A digital platform based on technical, ethical, jurisdictional and regulatory standards that would be available for government and industry alike. A digital platform which would create a huge national capability by facilitating the sharing and analytics of data and intelligence. A UK National Capability that treats UK data as our National Asset.
Yet another potential turnkey data island. As Marko warned, the current US administration may like nothing more: “If the EU should impose more needlessly burdensome requirements on the US tech sector,” he told us, “don’t be surprised by some strong retaliation by the current administration, particularly in light of the recent Airbus decision affirming the EU’s unfair subsidies.”
Anyone who would like a preview of how data Balkanization affects consumers, Marko reminded us, should ask an Apple iCloud user about privacy policy changes last October. Users were recently notified that the media and documents they store on iCloud may now be subject to terms and conditions maintained by China-based ISP Guizhou. Each of these users may now need to explicitly exclude China from the list of permitted iCloud data regions.
Data center managers and service providers faced with having to connect to clouds that are irrevocably tied up with the rest of the world, must now have stuck in their heads Hal David’s lyrics of the one indelible song from the musical Lost Horizon:
The world is a circle without a beginning
And nobody knows where it really ends.
Everything depends on where you are
In the circle that never begins.
