Launch of Public RFI Signals FTC Scrutiny of Cloud Computing Industry

By: Steve Albertson, Tyler G. Newby, David Feder, Janie Yoo Miller, Susan Lee, Zachary Kalinowski

On March 22, 2023, the Federal Trade Commission (FTC) announced a request for information (RFI) seeking public comments on business practices in the cloud computing industry. The RFI focuses on three intertwined aspects of cloud computing: (1) market power and business practices affecting competition; (2) cybersecurity in the cloud; and (3) the risks of “single points of failure”—the idea that a single malfunction could debilitate a critical system. Underlying the FTC’s focus is its apparent concern that market consolidation in cloud computing could affect competition, data security and data availability.

The RFI closely follows the White House’s March 2, 2022, announcement of its National Cybersecurity Strategy, which, among other things, previewed potential regulation for cloud service providers (CSPs), including rules that would shift a greater portion of cybersecurity responsibility to CSPs. This initiative comes as regulators in the United States and abroad have stepped up scrutiny of the largest CSPs in recognition of the growing role of cloud computing in national and global economic infrastructures.

Identifying “Single Points of Failure”

The issues the FTC seeks to explore are embodied in a list of 20 detailed questions, half of which are focused on issues relating specifically to competitive dynamics in cloud services, with the remainder devoted to broad issues surrounding data security and potential industry shortcomings or vulnerabilities. Given the increasingly important role played by the cloud in government and business, the RFI reflects concerns about large cloud infrastructure providers becoming “single points of failure” that can cause serious and cascading economic and security harms.

These concerns track closely with well-known critiques by FTC Chair Lina Khan of what she regards as dangerously high levels of market concentration in many areas of the economy, particularly with respect to markets in which “Big Tech” companies are among a small number of leading players. According to these critiques, vital industries can become “brittle” in the face of challenging circumstances—precisely because market consolidation and concentration mean that there are fewer incentives for key industry players to invest in product improvements and resilience. The cloud computing RFI is among numerous steps taken by Khan in her tenure at the FTC to ramp up scrutiny of industries perceived to be overly concentrated, and to find and deter anticompetitive practices that can lead to—or entrench—market power.

Examining Competitive Practices

The competition portion of the RFI explores the market dynamics of cloud computing before moving on to discuss practices used by cloud providers to “enhance or secure their position” and incentives offered to cloud customers such as “linking, tying or bundling” their cloud services with other services offered by the cloud providers. This line of inquiry evinces a suspicion that large CSPs may employ self-preferential tactics and contractual methods that deter customers from switching to competing CSPs or that could otherwise make it harder for other providers to compete. This includes questions exploring the extent to which customers may feel locked in to a particular CSP’s vertically integrated suite of offerings across the cloud stack. The questions also seek to understand whether customers of large CSPs are able to negotiate contracts, or whether there is instead a bargaining power imbalance that may force customers to accept “take-it-or-leave-it” terms demanded by the providers.

The FTC initiative tracks similar efforts in other jurisdictions. For example, last year the European Commission launched a probe of Microsoft for alleged anticompetitive practices in cloud computing in relation to the company’s licensing deals, responding to complaints from European cloud providers. The complaints centered on bundling issues such as the Azure Hybrid Benefit program, which used discounts to incentivize customers to run Windows Server in Azure instead of on a competitor’s cloud infrastructure. Microsoft responded by revising its licensing deals to allow customers to use their licenses on any European cloud provider and to purchase licenses for the virtual environment without obligation to also purchase physical hardware. The FTC also cites inquiries into cloud computing by authorities in the United Kingdom, France, South Korea, the Netherlands and Japan.

Additionally, in line with the FTC’s continuing interest in emerging technology issues, the RFI includes a question focused on artificial intelligence (AI) and its dependence on cloud-based services, and conversely, the effect of AI on competition between CSPs “today and into the future.”

Security Concerns

In announcing the RFI, the FTC cited the National Security Agency’s conclusion that “misconfiguration of cloud resources remains the most prevalent cloud vulnerability,” which can be exploited by bad actors. As such, the RFI’s questions address a range of issues, from the extent to which CSPs compete on security-related criteria to concerns about “how responsibility for securing customers’ personal information should be shared between cloud providers and their users.” The questions probe the kinds of security-related information CSPs share with their customers and the extent to which providers take responsibility for breaches of customer data.

Should the RFI lead to rulemaking, CSPs should be prepared to demonstrate how their systems protect consumer data through network resiliency features with appropriate and well-tested fail-safe technology and network redundancy. Current and future cloud users should track the RFI process, which solicits input from a broad range of stakeholders, and any resulting rulemaking to assess the suitability of cloud services for their business needs and whether additional customer-imposed security measures are appropriate.

Key Takeaways

  • The deadline for providing feedback to the FTC’s questions is May 22, 2023.
  • The agency encourages participation in the RFI process by a range of stakeholders, including “users of cloud services, academics, civil society groups, industry participants and more.”
  • The FTC may use the responses to focus further investigations. The RFI also signals the FTC may use the rulemaking process in ways that could have broad and far-reaching effects that will be felt in the technology sector and beyond.
    • Potential rules in this area could be aimed both at competitive practices in the industry and at industry practices around protection of consumer data.
    • Should the FTC undertake rulemaking activity, stakeholders will have additional opportunities to provide feedback specific to the proposed rules.
  • CSPs and other businesses focused on the cloud may wish to use the FTC’s RFI process as an opportunity to educate the FTC on market facts important to their respective points of view, which can help guide any subsequent actions by the FTC.

If you have questions about the implications of the FTC’s cloud computing initiative, or if you or your company are considering submitting responses to the RFI, Fenwick’s antitrust and cybersecurity teams are standing by to assist.

