the ethical cloud

On October 17th, I gave a talk at the inaugural east-cost multi-cloud conference, ESCAPE in Manhattan, organised and hosted by Cockroach Labs.

I wanted to deliver this talk for a number of reasons:

  • The tech industry isn’t talking about these issues as much as it should be.
  • There are very few tech conferences where this kind of talk would be encouraged.
  • I know next to nothing about the subject and there’s no greater kick up the arse to learn something than commit to speaking at a conference.

I work at Lush, a company that’s committed to having a positive impact on the world and its inhabitants.

In my talk, I covered the environmental, data privacy, and human impacts of cloud computing. Each of the 3 sections included information on what Lush are doing in this area (limited to stuff that’s relevant to the talk), along with suggestions to the attendees on what they could do.

In my opinion, this stuff is too easily ignored and too readily forgotten.

Environment

I opened my talk with the following question:

Who’s in the cloud?

Around 80% of hands went up. Not unsurprising for a cloud conference! I then asked the particpants to keep their hands up if they knew:

How much of your cloud provider’s energy is renewable?

Every single hand went down. No one knew how much of their cloud provider’s energy usage was green. This was validation that this talk needed to happen and threw into sharp focus, the fact that the environment can be an afterthought for all of us in the tech industry.

The Internet is likely to be the biggest thing we create as a species - Greenpeace

Greenpeace are doing a lot of great work in this area, they publish reports detailing the major cloud and managed service providers and their energy impacts. To me, this quote highlights the scale of the impact the cloud will have if we don’t help and push our providers to acheive 100% renewable energy soon.

As of 2019, cloud spending is around ~$200B. By 2022, that’s going to increase to around $1.3T, a six-fold increase to an industry that already uses 3% of our globally available power and produces as much emissions as the entire aviation industry.

To put some figures to this, global data centre power consumption is around 100B kWh. Amazingly, 30-40% of this consumption goes to cooling to them. Google are raising the temperature in their data centres to reduce the amount of power they use on cooling. The result? They now direct around just 10% of their total power consumption to cooling, saving energy and billions of dollars in the process.

Virginia

Virginia is a major state for data centres. Many of the world’s largest providers have a massive presence in the area. One provider in particular ramped up its operations by 60% in the past 2 years alone. All in a state whose available renewable energy represents just 4% of its total available energy, putting it 38th in the rankings for greenest state.

There are neighbouring states with better access to renewable energy!

Sadly, new fossil fuel infrastructure is being built to cater for this demand and it’s coming in the form of the 42” Atlantic Coast Pipeline, delivering massive amounts of gas to the power-hungry data centres. This represents a huge step backwards in our critically important need to be sustainable.

Our clouds need your help.

Employees from Amazon, Google, and Microsoft are campaigning for their clouds to act faster in going green and they need our help:

Like Lush, these groups all walked out on September 20th in support of the global climate crisis strikes and we need everyone to join us, show support, and tell the world that its biggest and most influencial companies have big concerns for the future of our planet.

The 3 big cloud providers publish reports that detail their aspirations for 100% renewable energy consumption (along with their progress) and while you should try to independently validate the claims being made, they make for interesting reads:

What Lush are doing
  • Being picky - a few years ago, we moved all of our workloads from one cloud provider to another (in 22 days, over Christmas, the team are incredible). One of the reasons we did this was to align ourselves with a cloud provider whose environmental ethics closely matched ours.
  • Asking our managed service providers to do the same - we don’t shy away from asking those who provide us with a managed service if they’d be prepared to switch clouds to join us. They might not be able to (and that’s OK) but we think it’s important to ask.
  • Minimising over-provisioning - we’ve taken a look at our infrastructure and where we’re being wasteful. The outcome of this, is a project to reduce our production estate by around one third; maximising our utilisation of the cloud and having the happy side-effect of saving us a lot of money in the process.
  • Redesigning our applications for efficiency - we’re committed to using best-in-class software to make sure that our applications run as efficiently as possible.
What you can do
  • Non-cloud users - consider moving into the cloud! There are massive efficiencies to being in the cloud due to the hardware available and the virtualisation technologies used. Even if your concerns aren’t for the environment, allow it to be a side-effect of the decisions you make.
  • Choose your provider carefully - some clouds appear to be in a period of growth-at-any-cost, which is resulting in a balooning demand for fossil fuels, while others are on a commit course to being greener.
  • Consider the consequencies of over-provisioning your estate - beyond simply looking at it from a cost perspective. Wherever you’re over-provisioning, there’s power (and money) being wasted.
  • Speak with your managed service providers - ask them to jump to a greener cloud. They might not be able/prepared to but hopefully it’ll start them thinking about the issue as well.
  • Optimise your cloud use - the 3 big cloud providers provide tools to help you get the best from their services, with suggestions like reducing instance sizes for workloads that never stress them:

 

Data privacy

I opened this segment up by asking a series of questions to gauge how much the audience knew about the implications of data privacy laws on their customers’ privacy:

Who’s familiar with the 4th amendment?

Around 5% of the audience were familiar with the 4th amendment, which centres around:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.

I then asked:

Who’s familiar with the Third Party Doctrine?

One hand remained in the air. Before giving this talk, I would have been among the vast majority of people with my hand in my lap. The Third Party Doctrine states that:

People who voluntarily give information to third parties such as banks, phone companies, Internet Service Providers, and email servers have no “reasonable expectation of privacy.”

There have been a number of court cases seeking to establish a legal precedent and they demonstrate how challenging this law can be to navigate:

In the case of Smith v. Maryland, Michael Lee Smith was deemed not to have a legitimate expectation of privacy because he’d shared the number he was calling with the phone company, simply by dialling it. His phone record was therefore available to be used against him during his prosecution.

Don’t forget that the doctrine also relates to Internet Service Providers and therefore the data we share with our cloud providers.

I then asked:

Who’s familiar with the CLOUD Act?

One hand again (a different one this time) and as with the last question, I would have been in the vast majority before reseaching for this talk.

CLOUD stands for Clarifying Lawful Overseas Use of Data and was signed into law by President Trump on March 23rd 2018 without being debated in congress. It:

Allows federal law enforcement to compel US-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the US or foreign soil.

With the CLOUD act, the legal protection of an individual’s right to privacy depends on an objection from a provider (some clouds will more readily object than others). There’s no direct mechanism for individuals to challenge an order under the CLOUD Act.

US courts can require production of data despite an objection, even where the laws of another nation would be violated.

Three can keep a secret if two of them are dead - Benjamin Franklin

House Bill 57

House Bill (HB) 57 was signed into law in Utah and states that:

A law enforcement agency may not obtain, without a search warrant issued by a court upon probably cause:

i. location, stored, or transmitted mobile data.
ii. data transmitted to a remote service provider.

Probable cause is key here and its remit of data covers our modern technology landscape, representing a great win for Utah and a big step in the right direction for data privacy.

So far it’s only Utah and I’ve not ventured too far down the rabbit hole with how National Security Letters (reseach them, they’re terrifying) would affect someone’s privacy in the face of an objection via HB57.

Encryption-at-rest

I then asked the audience:

Who relies on cloud-provided encryption-at-rest to protect their customers’ data?

Around 5% of people had their hands up this time. Which surprised me, given encryption-at-rest is a core part of data security in the cloud.

Most people will get encryption-at-rest for free from their cloud providers. It ensures that any data stored within the cloud will be encrypted before being persisted and adds a level of security to your data in the event that it is stolen.

Unfortunately for your data (and those in my audience who weren’t aware their data was being encrypted to start with), by default, encryption-at-rest will use a Data Encryption Key (DEK) that’s generated by the cloud provider. If a government requests data, it’ll be the data and the DEK that gets provided to them. Bye bye privacy!

Transparency reports

The 3 big cloud providers publish reports that detail the number of requests for data they’ve received from the goverment, along with the number of request they’ve responded to with customer data, or objected to:

What Lush are doing:
  • Keeping stored customer data to an absolute minimum - our user’s privacy is a primary concern for us. Their right to privacy always trumps our need to store their data and it has done so for so long that it’s part of our core work ethic.
  • Asking questions - we don’t have all of the answers. This is a legal minefield and we’re certainly not experts in navigating it! We’ve spoken with our cloud provider’s technical and legal teams to learn more.
  • Considering domiciling sensitive data in countries with stricter data protection laws - as with cloud providers, some countries will more readily hand over your data when asked. This site details the countries whose data privacy laws will best protect your privacy and the privacy of your customers.
  • Looking at user-generated DEKs and KEKs (Key Encryption Keys, keys that are used to encrypt your DEKs, providing another level of security and an ability to change or “rotate” your keys without having to re-encrypt your data) - ensures that any data handed over to a government will be unintelligible. It takes the fight for our customer’s privacy into our hands.
What can you do?
  • Don’t store what you don’t need - if you can give your customers a great experience without storing all of their information, don’t store all of their information!
  • Understand the legal minefield - speak with your cloud provider’s technical and legal teams if you have concerns; they’re there to help.
  • Be picky - some cloud providers will more readily protect your privacy and the privacy of your customers, so consider this before deciding on your cloud partner.
  • Take the fight into your own hands - generate your own DEKs and KEKs to add another level of protection to your data.

Human cost

I opened up my last segment with the following question:

Who is familiar with 3TGs?

No hands up. Again, I would have had no idea what this was before researching for my talk.

It stands for the 4 registered conflict minerals; tin (cassiterite), tantalum (coltan), tungsten (wolframite), and gold. A conflict mineral is any mineral whose mining proceeds fund violent armed groups.

Mining

One of the hardest hit nations for mineral mining and the conflict their proceeds generate is The Democratic Republic of the Congo (DRC). In the DRC alone:

  • 5.4m people have been killed since 1998 as a result of conflict funded by mineral mining.
  • 4.5m people have been displaced and 800k people have had to seek refuge in other nations as a result of conflict.

A mind-blowing $24T worth of minerals are estimated to remain in the ground in the DRC, which shows how desperate the need for fair treatment and safe working conditions for the artisinal miners, along with a carefully controlled supply chain to prevent mining proceeds from getting into the wrong hands is.

Production

China has some of the largest technology assembly facilities in the world and as of the time of writing, workers in these facilities can be subject to appalling conditions and exploitation.

A law exists within China that stipulates that a given percentage of a workforce must be permanently employed (as opposed to temporary or “labour dispatch”). Large companies outside of China are turning a blind eye to massive violations in this law which are reducing job stability for people working in these facilities. The law states that no more than 10% of a workforce can be labour dispatch employees. In reality, they make up 50% of some workforces.

Another law exists within China to prevent people from being forced to work too many hours of overtime in any given month. This too is being completely vioated, with some workers having to work 4 hours in overtime every day to keep up with the expectations on them. Well over twice the legal limit. Not only are the overtime limits being violated but the law also states how overtime must be paid. Sadly, people are being forced to work overtime on weekdays and weekends without pay.

Following a spate of suicides in one of the world’s largest assembly facilities, perhaps most famous and influential tech leader of the 21st century responded that the suicide rate in the facility was within the national average.

Should we as leaders in technology not be aspiring to give our people a safe and happy working environment by looking after their physical and mental wellbeing?

Post-production

Once a piece of hardware reaches end-of-life it becomes what’s commonly referred to as e-waste and needs to be recycled.

Unfortunately, recycling isn’t the fate for around 80% of e-waste, which is illegally traded or dumped. To put this into perspective, that’s 50M tonnes, the area of Manhattan, the weight of 126 Empire State Buildings, or all of the commercial aircraft we’ve ever built, dumped. Every year. And it’s worth a staggering $62B.

Worst of all, deadly amounts of mercury, lead, and beryllium are leaching into the air, soil, and groundwater in these e-waste dumps. Children are growing up being exposed to chemicals that will irriversibly affect their bodies. Agbobloshie in Ghana now ranks as the most polluted place in the world, beating even Chernobyl to the top spot.

Ghana’s imports of this toxic waste are set to double in 2020.

Closing the loop

It’s 13x cheaper to extract minerals from old hardware than it is to mine for new ones. And it generates 80% less emissions.

There are some amazing things happening to increase extraction efforts the world over but we’re just scratching the surface:

  • In 2015, Apple recycled around 1 tonne of gold worth $40M and around 1,300 tonnes of copper worth $6M.
  • People all over Japan gave up their unused phones. The gold, silver, and bronze from these devices was enough to create the medals for the 2020 olympics. In total, around 30k of gold, over 3 tonnes of silver, and over 2 tonnes of bronze were extracted, worth a collective $3M.
  • Websites like e-Stewards list recyclers who are committed to never exporting hazardous materials to developing countries.
What Lush are doing

We’re looking into building our own ethical tablet, considering the fair treatment and payment of everyone involved, be they producing the minerals or components, or assembling it. In doing so, we hope to:

  • Influence - we’re sharing our experiences and trying to lead by example.
  • Create transparency - or as much as we’re able to on the origins of materials and components, by visiting people in assembly facilities and e-waste dumps to see for ourselves.
  • Ask questions - we’re asking the kinds of questions that people have never been asked, simply because these things have never been a priority for other companies before.
  • Partner up - the more people actively working on this, the better.
What can you do?
  • Cloud users - ask your provider what they’re doing to to protect people across the whole production lifecycle. They’re too wealthy to not be accountable for this.
  • Hardware producers - pay your people fairly and give them safe and happy conditions to work in and others will be forced to do the same. Understand your supply chain - don’t rely on the goodwill of other companies. Go to see for yourself to understand the conditions that people of all ages are being forced to live and work in.
  • Hardware consumers - know where your products or components are coming from across the whole supply chain.
  • Close the loop - billions of dollars worth of minerals are dumped every year. There is more gold in 1 tonne of old phones than there is in 1 tonne of gold ore. Rather than mining for new minerals, we can recycle and reduce the amount of e-waste that gets dumped.

Closing

The Internet is growing. There are around 4.5B people online now, with around 1M new users every day. Collectively, we spend around 1.2B years online, that’s 100 days per person per year.

Despite what some world leaders would have you believe, the world is warming and desperately needs help before we run out of time and completely destroy our planet.

Whether it’s artisinal miners in the DRC, or people assembling hardware, people are truly suffering in ways that most of us can’t imagine. And it’s all because of our desire to grow the Internet and the businesses that hang from it.

It’s not just about securing the cheapest price. We can’t afford to blindly focus on cost while the decisions we make to extend our business reach damage the planet and the beings that inhabit it.

The is no higher-power shouldering our personal responsibility for the impact we’ll have. Unless we all act now, this is on us.

It’s our job to know and once we know, it’s our responsibility to act. - Lush