 Thank you. Well, since Harry has the better hair and he has the portable mic, he got to discuss the glass half full. And I'm going to discuss, unfortunately, the glass half empty, because the glass half empty is talking about the practical considerations and potential speed bumps to getting from where we are to where we should be when it comes to open in the cloud. By the way, I actually took that picture. Those were clouds in Palm Springs. And they kind of look like spaceships to me. The first thing about cloud, and one of the ways we get in trouble is by the marketing hype about cloud is the newest thing on the planet. And we've never seen it before. Cloud is built on technologies that have existed since timeshare on computing. But what's new about it is some of the business models. And what's new about it is some of the way people are using it, especially individuals to individuals, which is something new, because that hadn't been the way it was used before. It had been, in many cases, the purview of business to business. So the real question that we have here is how can we leverage our existing knowledge and experience with regulation in order to not allow it to get into the way of how to think about these issues? When we think about, oh, you can't really see, but that's Verizzano. So when you think about envisioning the open cloud, it's a question of, how are we going to get from here to there? And in many ways, the vision is one that is the same as navigators who were going into waters that weren't very well-charted. So this is the path that we're following. I asked a friend of mine at the Internet Society to give me an idea of what he thought a definition of the open internet was. And this was his conceptual underpinning. And I think everyone here would have a variation of this concept, but the whole idea of highly distributed global communication working together, uniquely multi-stakeholder, et cetera. We are reminded by some of the hallmarks that Vice President Cruz gave us this morning, the essential nature of standard, the level and competitive playing field, the common language. It came to mind that perhaps she was, in some ways, referring to a digital Esperanto, not reinventing the wheel, which is tremendously important for practical considerations. And then the other concepts, finishing up with transparency, accessibility, and accountability, which are very important hallmarks. This was something that I had actually come up with at a recent, about two internet of things workshops ago, because we were trying to talk about the cloud in context with the internet of things and other issues. And as we talk about openness and we talk about the cloud, we have to think of, back to that kind of idea of, what is the global context? And it's that part of a technological continuum, data, people, objects and services, all interacting, implemented with collaborative methodologies, promoting credible ways to protect privacy and security in order to enhance confidence. And really, when you look at the open agenda, creativity as well. So that's really a gloss on top of perhaps what might be an open cloud manifesto. When you look at policy concepts in the open concept and in the cloud, you see a little bit of a translation. So you have the concept of transparency as very important on the open side, on the regulatory side, one of the issues that gets brought up a lot in relation to transparency or the provision of information is how do you protect privacy related to that? You have questions of I need to have access, the counterpart questions in the policy world are often how do you secure the information that's there. Interestingly, accountability is in the lexicon of both. Much more recently in the policy debate than previously. Within the last three years, accountability has caught on like a house on fire. So accountability is a big moniker in both, has been for quite a while on the open side, perhaps more recently the policy side, perhaps you can trace it back to Sarbanes-Oxley. In the open question, the question of participatory, how can I make sure everyone has the ability to participate in the policy side, the shorthand has become trust. How do you engender trust so that people want to participate? Portability realistically has started to have a direct correlation in the policy world but I'm also gonna say contract because a lot of the question is legal obligations and how you can move things constrained or not constrained by legal obligations. And then the highly distributed concept of open really hits a wall when you get to the policy world because what we have is whether it's the cloud or the internet, you have a set of technological paradigms and business models that operate on a basis that is global and that smacks into a world where laws are still local and jurisdiction is still provincial in many cases. So the question then becomes, how do you map these things together? And what I first wanna do is dispel what I've run into and this is not particular to the European Union, these are general policymaker myths. The first myth is we should never have called it the cloud because they keep on looking for the cloud and looking for the regulation and the standard that will handle the cloud. And the answer is the cloud is not the, it's many things and it requires many approaches and many disciplines. Again, we keep on hearing about the European cloud. There is a benefit to having a policy approach to cloud issues in Europe and that is a European policy approach to cloud. But the cloud itself will not have a jurisdictional definition. The cloud like the internet is again a broader concept. Some clouds may operate in Europe but you can't start a policy making paradigm with the idea of a jurisdictional restriction. Again, we've already dealt with the regulatory experience. I'm gonna get to the portability issue but a lot of the portability issue, they're taking the lesson of cell number portability and thinking the cloud portability is of the same nature when it's a much more complex issue at that point. One of the other myths is and this is where fear comes in. You speak to some policy makers about the cloud and you see them do this because they believe somehow that's where information has gone. There is this ether and the ether is full of your information and if you ask a company where is the information, they couldn't conceivably begin to give you any kind of answer. And the answer is, well, if we didn't know where your information is we wouldn't be able to retrieve it. We actually do know where your information is but the problem is now it may be in multiple places at the same time. That doesn't mean we don't know those places but that means we have increased the complexity of what is the way you think about these issues. The other concept is cloud is on demand therefore everyone gets their own contract to their own liking. And I think that may have gone into one of your quadrants is this isn't gonna work that well when you get into the lower right quadrant which is where a lot of these services are currently parked. And then granular individual control is often considered the holy grail and I just think about my dad sitting in front of the computer and the phone calls I get. And the granular information which was not even granular in his case was completely overwhelming which is why I talked about the need for new ways to mediate that information so that people can actually make usable control of the information as opposed to throwing every piece of information at them and hoping they can make a decision. I was recently in San Francisco actually two days ago at an APEC meeting, Asia Pacific Economic Cooperation. I didn't do my confession. I am not a programmer, I am a policy wonk so therefore I speak in international organization acronyms and I will try not to inflict any of them on you today. But there was a summit on innovation and the first speaker was Anise Chopra who's responsible for the data.gov and the big data open data stuff coming out of the US government and he talked about all the phenomenal examples of open government data and innovation and how it would really spur these things. The second keynote who followed him was a gentleman named Morris Chang who is apparently tremendously influential in technology in Taiwan who all he could talk about was digital IP rights because his company has suffered on that. And there's this creative tension of camps not even speaking to each other. You have all of the potential of innovation and someone who just wants to talk about how do I protect my trade secrets? And it's an either or game at the moment and that's the paradigm that we have to break because the either or game makes no sense. It's not an either or game, it's a game of trying to figure out how both can be optimized to get maximal benefit. So the same question happens with big data. Big data seems to be the opponent of privacy. It's not, they can work together but the bottom line is we don't know enough about aggregation, we don't know enough about anonymization and we don't know enough about the recombination of data to actually make sure that we are not taking unreasonable risks at times. Same thing happens when you're developing patient-centric care. There is no question that if you get more detailed information, longitudinal information and lifestyle information, you can improve disease identification, you can improve disease management and you can improve patient care. But how to do that in a way that is within the policy bounds of what is acceptable under privacy and a number of other issues is the question we have to face. Again, that's an optimization question, it shouldn't be a balancing one against the other question. Accountability and cost are the other questions. We're saying everyone wants to have a third party audit, you can't always have that. Regulation and innovation, sometimes regulation is in fact the enemy of innovation. And again, local and global we've seen those issues. The last one is an issue which has really started percolating more dramatically in the last couple of years where local requirements of security and localization of data for access for security purposes and concepts of indigenous innovation have actually started to run up against business flexibility and privacy. If every country in the world says you have to keep your data in my country, the cloud will not exactly be a very efficient thing to deploy. The next few slides I'm actually gonna run through really, really fast because the next few slides are really just familiar questions that we've seen in the context to ask them and I wanna kinda get to the conclusions because I think we all know them but this gives a little bit of context. Cause these are the questions that individuals and government privacy authorities and other regulators have been asking related to the cloud. Whereas the information who controls it, who has access has it being used. These can be answered in a lot of cases by transparency. A lot of these issues, better information about how this is happening allows you to make a more informed decision. On the back end you get these kinds of issues, a lot of them are contracting issues. The big issue on this one for open purposes is really some of the termination and lock in problem that can happen in the cloud. And in many cases, if you're looking at a provider and that provider is using open standards that allows you to move the data in a usable format, you've really prevented a lot of the lock in issue. But where the lock in occurs with and over time is you customize and you get used to a strategic partner. And that in and of itself is a different kind of lock in. It's not a lock in of adhesion if you will but it's a lock in of the time you've spent developing something. And I don't know that there's a way to fix that but that is one of the issues and clearly open standards is one of the key elements to preventing lock in. The legal concerns, I'm actually gonna in light of time in the fact that I wanna give people an opportunity to ask a couple of questions if they have any. Let's go to, these are the desirable characteristics you would look for in a cloud. So you wanna make sure that if the cloud, if you can trust the corporation who is the face of the cloud that they have the appropriate extended corporate controls, good security and privacy policies, some of the benefits you can sometimes get on a cloud platform is the kind of up to date and patch 24 by seven by 365. Oh, apparently I changed the number of days you need. There's a gap, you need 365, not 356. Tools and other things that are going there and then ecosystem accountability. And a lot of what we heard in the panels this morning a lot of what the big data was for, a lot of what the transparency was for was how you move to systems of accountability. Because accountability is not always just a government entity sitting on top of you having a regulation, accountability is also, how can I make a judgment? And this is the question where how do you understand the multiple sources of information, how do you trust? I mean, in many ways, people now are used to brands. So you may have a faith that a big company may have taken appropriate security precautions because you have a history with that company or some other idea and maybe you know that. But maybe a small provider who has no history has no similar benefit and they're just breaking into the market. And how do we give them leverage so that their reputation can be understood when their reputation doesn't yet exist? And these are the kinds of things that are inherent barriers to actually allowing people to actually get that information. And perhaps transparency of information is one of the ways of getting it. Perhaps new intermediaries like reputation engines. I mean, I think of eBay and how successful that community-based reputation engine is in terms of power sellers and buyers and how it helps to engender some level of trust and transactions that are happening between parties who don't know each other at a distance. From the contracting perspective, because that's always another big issue and everyone's always interested in, can I see the model contract that everyone should use? The answer is that's probably not gonna be a workable solution. There are certainly contracting elements that one should always be looking for. But I don't think we've fleshed out the business models to the extent yet where we know what the model contract would look like in any one situation. In the business-to-business space, you have an experience of people negotiating contracts and while they may be some inequalities of power, they are usually a little less dramatic than at the business-to-consumer or business-to-SME level. On the business-to-consumer level, if you're doing a mass offering, chances are you will not have much power to change any contract. You will have perhaps a power to use tools and choices offered to you related to that contract. And perhaps at this point in time, the best thing that can be done in that model is to make sure that what you're being told is true, correct, and representative so at least you can make an evaluation of the terms you've been given. Again, perhaps that's transparency with a small t in this room, but that would at least be a beginning to make sure that there's at least a truth and a comprehension is what is being told. The more interesting space is when you get the SME-to-SME or the C-to-C space. Because here you may have participants who have no experience in either consuming or offering the service. It may be a level playing field of no experience on either side. And that could potentially be the worst of all possible worlds. And this is the place where models actually could be useful because these are people who can't afford the teams who figure out the practices, who do compliance internally. These are the folks for whom some guidance is useful, not guidance that handcuffs their innovation, but guidance that allows them to see how to choose and make the right decisions. And again, this is not an issue unique to open, but this is one of the issues where you want that dynamism and entrepreneurship to come through and this is one of the places where you have to give some assistance. So with that, I wanted to give a concept that there are some different global perspectives when you get to cloud and it's all about perception. So for some people, this picture might remind them of a migrate painting. For others, it might remind you of the beginning of the Simpsons. But in either case, EU, the question really is, how does your cloud match up to my regulatory issues? And to give credit to Commissioner, to Vice President Cruz and her team who's doing this work, they are really trying to stretch the envelope on this and get away from that point of view to not just look at the glass half empty, but also the glass half full in the possibilities. In the US, it's a slice and dice of sector nature of cloud. It's all these things because the US has a much more differentiated approach when it comes to the law and looking at these things. And there are lots of different sectors and lots of different stripes. Asia, it's all a question when you seem to talk to Asian regulators of how soon can you get this up and they're not much into looking at hurdles. They're looking at how does this help the economy and how does this move forward? APEC as an organization wants to think about it some more. So in terms of some takeaway points, the cloud isn't unitary. Portability is really based on the ability to move data in useful form. It's really an open standards and API's issue. But cloud interoperability is the more complex issue because that goes to feature function. How do I move information and services from one cloud provider to another? That's a much more difficult thing than just cell number portability or moving data from point A to point B. And we have to make sure that the attempt to enhance interoperability doesn't force us into creating essentially vanilla. Everything looks the same and therefore you can have portability. But rather you wanna enhance product differentiation and you don't wanna limit innovation. I think Hal Varian talked about the differentiation as the difference between co-opetition and competition. Lastly, cloud technology is established as standards and that's great. And we already have standards that apply and new standards are developing and new and more interoperable standards are in discussion among many standards organizations. But it might be premature to come up with the model and the practice that deals with all of the way business is done on the cloud because that's still an exploding sector where we don't wanna constrain those ideas. And lastly again, I would stress the need for new intermediaries. And we might have a minute for one question if there is one, we've got one. Thanks. You rightly touched on jurisdiction in a number of cases and I think it's because I think it's a critical issue. Given that as you say, it's often not feasible, certainly not practical to say to keep to a particular jurisdiction. What does that mean in terms of governance and in terms of the people and in terms of democracy, in terms of power? Both in terms of, you know, it matters to me, it matters to me as a consumer, it matters to me as a business, it matters to me legally from a responsibility where the jurisdiction for that data is because I'm gonna be liable in different ways in different places. It also matters when you're talking about, when the chat from IBM was talking about the where, in the sense IBM is everywhere and nowhere, how you have any sort of governance, how I may be a voter in the UK, but actually if the UK, my vote means nothing in terms of jurisdiction, in terms of power, in terms of the ability to influence, what does that mean? How can you resolve these issues? Well, if I knew that, I'd have a really expensive consulting firm, but let me give you two answers of what is being worked on today. One answer is the concept of accountability as we know the European privacy laws predicated on the concept of adequacy. So I can only transfer my information to a location that has quote unquote adequate protection of information of which there are five beyond the European Union. Accountability is inherent in a number of documents from the OECD guidelines to Pipeta in Canada to the APEC framework. And there the concept is, and really inherent in the binding corporate rules that the EU has adopted also. The idea is obligation flows with the information. So therefore the conditions that were there in place when you collected, when information was collected from you, whether they were the promises the company made, whether they were the law in place at the time or the requirements of the law, those obligations follow the information when it has been moved at the behest of the company as opposed to at the behest of the customer. And you have to, and the other part of accountability is there's a proactive element of the need to be able to demonstrate your capacity to comply. So it may mean that if you move information to a country that doesn't have a system in their law that protects private information, you have to demonstrate that you have contracts in place and other mechanisms by which you can enforce those requirements on the information that is moved to the other country. So accountability is one of the ways that is looking at. The other concept that is moving is, I don't want you to understand this word in the standards context because it is not the standards context, but a lot of times Europeans love to talk about harmonization. And the problem with harmonization is it's a winner-take-all strategy because harmonization means you adopt my way of doing it and then we're harmonized. And what we've been talking about is interoperability so that you can understand what does your system do, what does my system do and how can we develop some equivalence so I can know if I have a concern about what it is that's happening. The last thing I'll say is when you said IBM is everywhere and nowhere, that's true but not true because they are, if you have a company that's intent on fraud and isn't really worried about their reputation because they're gonna change their name tomorrow, you're absolutely correct. But IBM is beholden to every regulator in every country they operate in and they're not walking away from their obligations. So the interesting thing about consumer complaints at the moment is the consumer has a no-wrong-door policy really because you don't have to go and complain for a lot of data issues, product issues, this may not always hold the case but you don't have to necessarily complain in the place where they're headquartered which would be still our mark, I guess. But you can go to your local data protection commissioner file a complaint and they have to deal with it in your jurisdiction. That doesn't deal with all the transparency and other issues inherent in your question but I think it's a little too fast and loose to say they're everywhere and nowhere because major companies do stand behind their footprints in foreign countries. What is difficult for consumers is, the difficulty for consumers is sometimes even understanding the information is there because there's such a lack of clarity as to what the back end looks like. No, we don't have a tree structure. But the only other point is to arbitrage different jurisdictions since in which they may be leading the line at all but they can still do it. Yeah. Okay. Thank you very much.