Clouds behind the clouds

Aitor Ortiz

LL.M. in International Legal Studies, Georgetown University Law Center; MA in European Economic Studies, College of Europe. Former International Antitrust Consultant at the U.S. Federal Trade Commission and Associate lawyer at J&A Garrigues SLP. Contact: ao339@law.georgetown.edu.

Abstract

Cloud computing is revolutionizing the way that companies use IT services. The advantages of cloud computing for companies are numerous, from substantial cost reductions to global access to data. However, this new channel of communication brings a new antitrust risk: the exchange of sensitive information among competitors in the cloud. The features of cloud computing (e.g. data location) together with some IT techniques (e.g. encryption of information) may facilitate the creation of sophisticated systems to share information. These refined systems may even prevent antitrust authorities from finding evidence of the illicit conduct. This article shows how companies planning to engage in cartel activities may remain undetected by the competition authorities if they use an adequate technique. This article further discusses the tools available to competition authorities to detect and prevent this behavior, and it argues that some authorities are a priori better prepared than others to combat these ‘cloud cartels’. Finally, the last section of this article suggests new policies to deter the illegal use of cloud computing services.

1. Introduction

Cloud computing is seen by companies as a new technological tool which will enable them to save resources by dedicating time and money to their core business instead of updating and upgrading their current IT systems. It is fair to say that the recent flourishing of cloud computing services is demand driven rather than a new marketing strategy launched by private cloud providers (CPs). A recent study conducted in Germany shows that the number of companies willing to use cloud services in their businesses is rapidly increasing.1 The estimations for the next five years indicate a market expansion up to EUR 71 billion worldwide.2 In fact, it is surprising to read that the share of companies rating the use of cloud services as very positive is actually growing faster than the cloud usage rate itself.3

1 See Stefan Heng and Stefan Neitzel, Cloud computing Clear skies ahead, Deutsche Bank AG DB Research, March 1, 2012, at 16.
2 Id.
3 Id.

However, not everything in cloud computing services is bright and positive. The voices clamoring for more data protection, data security and legal certainty are numerous.4 Other professionals and scholars have directed their concerns to the foreseeable anticompetitive effects that cloud providers may cause in the market.5 For instance, the difficulties of migrating data to and from different clouds (data portability) and the interoperability problems between the clouds may produce lock-in effects at the cloud provider level.6 Another interesting report goes even further, suggesting that companies such as Amazon, Google, Cisco Systems, I.B.M., Microsoft, Oracle and other competitors will be in a position to run a cartel on the cloud business.7

These antitrust concerns have already been detected and hopefully addressed (or at least envisaged to be addressed) by the competent antitrust authorities. However, this article advances a new antitrust concern that does not affect the cloud market itself, but rather is facilitated by the existence of the cloud and its multiple applications. Two questions may summarize the purpose of this article: What would happen if competing firms start using cloud services as virtual storage of data to share information with illegitimate purposes?
And how are antitrust authorities going to detect this conduct and eventually seize this information?

In both the U.S. and in Europe the exchange of information between competitors that facilitates the formation of a cartel violates Sherman Act section 1 and Article 101 of the Treaty on the Functioning of the European Union (TFEU), respectively. However, antitrust authorities on both sides of the Atlantic may encounter tremendous difficulties in gathering evidence of illegal conduct if stored on a cloud, and, even if they do, they might not have jurisdiction to claim this data.

In this article I argue that cloud computing creates a new channel for companies to share information that might be used to engage (or remain) in a cartel and that competition authorities may lack the necessary tools to deter and investigate this conduct. In part two, I briefly explain the basis of cloud computing and its associated risks. Part three discusses the possibility for firms to store, share and delete information from a cloud without leaving any trace. These new alternatives will have a clear impact on the economic incentives of the firms when deciding which commercial behavior to adopt. In section four, I explain how the current technology may allow an Internet user to remain completely anonymous while sharing information with others on the cloud and how this technology, together with some regulatory/administrative burdens, may impede the antitrust authorities from conducting adequate investigations. Among other issues, absence of jurisdiction, identification of the cloud provider, encryption of information and rights of defense are some of the problems that antitrust watchdogs may face when gathering the evidence of an alleged cartel orchestrated ‘up on the cloud’. Section five suggests preliminary solutions to these new challenges such as regulatory, economic, technological and social measures. Part six concludes.

4 See for the U.S. the Preliminary FTC staff report, A proposed framework for Businesses and Policy makers, December 2010. Available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf and the Public Research Center ‘EPIC’ at http://epic.org/privacy/cloudcomputing/. For the European counterpart, see speech by the commissioner Neelie Kroes in Brussels, January 30, 2012 available at http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/40&format=HTML&aged=0&language=EN&guiLanguage=en
5 See Jasper P. Sluijs, Pierre Larouche, and Wolf Sauter, Cloud Computing in the EU policy Sphere, TILEC Discussion Paper, Tilburg University, August 2011 and New York Times, Here come the clouds cartels (March 16, 2012, 4.50 PM) available at http://bits.blogs.nytimes.com/2012/01/30/here-come-the-cloud-cartels/
6 See Sluijs, Larouche and Sauter, supra note 5, at 9.
7 See Here come the clouds cartels, supra note 5, at 1.

2. Clouds

2.1. Basic concepts of cloud computing

To identify the antitrust issues, I will first briefly describe what cloud computing is and what the different emerging markets for cloud computing services are. To begin with, there is no single definition of cloud computing; we might find rather complex definitions for IT experts and plain explanations for beginners.8 Therefore, I have selected the following two definitions of cloud computing to satisfy all readers:

“Cloud computing is a way of delivering shared, flexible and scalable IT services through non-firmly allocated IT resources over a network. Typical characteristics are real-time, metered delivery as a self-service on the basis of Internet technologies charged according to use. The IT services can cover applications, application development and operating platforms and basic infrastructure”.9
“Cloud computing provides flexible, location-independent access to computing resources that are quickly and seamlessly allocated or released in response to demand”.10

Cloud computing might be public, where several users share the cloud infrastructure with separate individual allocation of the data; private, customized to the customer’s requirements and with an exclusive use of the special cloud infrastructure; or hybrid, combining elements of both public and private clouds.11 The main cloud computing activities are normally categorized in three service models:

Infrastructure as a Service (IaaS): the CP provides basic IT infrastructure such as storage, network and computing capacity. Examples of this service are Rackspace, Amazon’s EC2 and S3.12 IaaS is the main service I will look at in this article since storage of information and exchange thereof is the only service that companies may require from a CP to run a cartel.

Platform as a Service (PaaS): the CP provides higher infrastructure-level services for the consumers. It helps developers to run applications and test them before coming out with the final version. Examples of this service are Google’s App Engine and Microsoft’s Windows Azure.13 This service may bring lock-in problems for customers if they are using proprietary language or tools provided by a single vendor, reducing portability to and from the cloud.

8 For an introduction to cloud computing see JUDITH HURWITZ, ROBIN BLOOR & MARCIA KAUFMAN, COMPUTING FOR DUMMIES HP SPECIAL EDITION (Wiley Publishing Inc., 2010).
9 See Stefan and Neitzel supra note 1, at 3.
10 See Kuan Hon, Christopher Millard and Ian Walden, The problem of ‘Personal Data’ in Cloud Computing – What Information is Regulated?, Queen Mary University of London, School of Law. Legal Study Research Paper No. 75/2011 at 6.
11 See Stefan and Neitzel supra note 1, at 3-4.
12 See Hon, Millard and Walden, supra note 10, at n. 30.
Software as a Service (SaaS): the CP provides an integrated service network based on the cloud infrastructure. It provides the highest level of functionality of the three models. Examples of this service are webmail services such as Yahoo! Mail and social networking sites such as Facebook.14

The main idea to keep in mind after this brief description is that companies may now rent space in a public or private cloud (at a cheaper cost than carrying out these activities by themselves) for almost any IT activity they wish, from storing data to running new applications and using software such as webmail, personnel database, accountability programs, etc. But as indicated above, the use of cloud computing may pose risks for both companies and individuals.

2.2. Problems related to cloud computing services

When a company seeks services from a CP, it should evaluate the conditions under which the CP is providing the service. Some elements like the (physical) location of the data, the number and identity of the cloud providers involved in the service, and the data retention and data protection policies must be carefully analyzed.15 Unfortunately for cloud users, CPs follow a model of mass customization establishing a general service agreement, leaving almost no room for negotiating the terms of the agreement with the CP.16 Next, I will outline some of the problems that might arise from a CP’s commercial policy. These problems will be further linked to the antitrust concerns suggested in this article.

2.2.1. Location of the data

The location of a CP’s server may determine the law applicable to the data stored in that server, and it is not unusual that the cloud provider excludes the actual location from the terms of the agreement.17 For instance, when a new client wants to contract with Amazon EC2, the company gives the client the choice to indicate in which region (s)he wants the content to be stored, but does not indicate where the information is stored if the customer fails to do so.18 Google’s App Engine includes a similar provision by which the customer may select the U.S. or Europe as a permanent place for the storage of the data, and if a selection is not made, the data is stored in the U.S. by default.19 Although this policy could become customary in the industry (or even imposed by regulation), smaller cloud providers may not be in a position to facilitate storage in different regions since they might be limited to building servers in countries where the infrastructure and the commodities are cheaper (e.g. Indonesia, India, Central America) and consequently they may prefer to hide this information from customers.

13 Id. at n. 31.
14 Id. at n. 32.
15 The main risk that individuals face when using cloud services concerns leakage of private data, and though it is a very hot topic in Europe and the U.S., it falls outside the scope of this article.
16 See Sluijs, Larouche and Sauter, supra note 5, at 9.
17 Robert Gellman, Privacy on the clouds: Risks to Privacy and Confidentiality from Cloud Computing. World Privacy Forum, February 23, 2009. Available at http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf
18 See Amazon Web Services Customer Agreement available at http://aws.amazon.com/agreement/ (last visit March 18, 2012, 5:00 PM)

From the CP’s perspective, the choice of one or another jurisdiction brings different obligations as regards data protection, regulatory compliance and data retention.
Accordingly, a company might decide to store its data in a specific location based, for instance, on the level of protection of trade secrets or the level of government intervention (e.g. limited discovery rules). From an antitrust point of view, the choice of Europe or the U.S. may not have important consequences since both the European Commission and its counterparts in the U.S. (the FTC and DOJ) collaborate closely with each other in sharing the necessary information to conclude an investigation.20 However, the outcome might be different if the information is stored in a less cooperative jurisdiction or in a jurisdiction not embedded with an antitrust culture (e.g. Indonesia, Belarus or Sudan). Consequently, the location of the data and its possible re-location have a clear impact on the CP, the customers and the antitrust authorities.

2.2.2. Different layers of cloud providers

As important as the location of the data is the identity and the number of cloud providers involved in storing the data. In many instances users have no idea who is delivering the service at the end of a long chain of sub-contractors.21 An example of this is found in DropBox, a CP that provides its services through Amazon’s IaaS infrastructure.22 Therefore, a company’s choice of data location may be jeopardized by the subcontracting arrangements of CPs if the company does not carry out adequate due diligence.

2.2.3. Data protection

Companies are very keen on securing the data they store on the cloud. A failure in a server may represent billions of dollars in losses for companies, and if the failure is systemic the consequences will have a macroeconomic magnitude. However, CPs do not normally take responsibility for any damage or loss on the data stored.
As an example, Amazon23 and Google24 state very clearly in their terms and conditions that they are not liable for any damage or loss of information occurring while using their services.

19 See Google Cloud Storage Terms of services available https://developers.google.com/storage/docs/terms (last visit March 18, 2012, 5:00 PM)
20 Rachel Brandenburger and Randy Tritell, Global antitrust policies: how wide is the gap?, Concurrence No. 12012 at 3-11. Available at http://www.ftc.gov/oia/speeches/RandolphTritellGrlobalAntitrust.pdf
21 See Stefan and Neitzel supra note 1, at 6.
22 See DropBox website available at https://www.dropbox.com/help/7 (last visit March 18, 2012, 5.20 PM)
23 AWS does not warrant that this site information, content, materials, products (including any software) or services […] are free of viruses or other harmful components. AWS will not be liable for any damages of any kind arising from the use of this site or from any information, content, materials, products (including software) or services included on or otherwise made available to you through this site, including, but not limited to direct, indirect, incidental, punitive, and consequential damages, unless otherwise specified in writing. Available at http://aws.amazon.com/terms/.

2.2.4. Data retention

Perhaps more important for our purposes than data protection is the data retention policy that CPs have to observe. For the time being, CPs are not obliged to keep customers’ records for an unlimited period of time. In fact, depending on the applicable law, they might not be obliged to retain data at all.
In Europe, the EU Directive on data retention establishes that European member states may impose an obligation on providers of publicly available electronic communication to retain limited information for a period from six months to two years with the only purpose of prosecuting serious crimes.25 In this regard, cloud providers could be obliged to keep only the necessary information to trace a source of a communication (such as an IP address) but in no way might they be compelled to retain and/or reveal the content of the communication.26 Regardless, it remains to be seen whether CPs are considered providers of publicly available electronic communication and if an antitrust investigation is deemed a serious crime. The new draft of the EU General Data Protection Regulation is far from providing a strict timeframe; it seems to invert the burden of proof, setting out that it is the controller (i.e. CP) who shall provide the individual the period for which the personal data will be stored.27

In the U.S., there are no similar data retention provisions. Therefore, CPs are not obliged to keep any information about their customers.28

In summary, users and CPs are required to negotiate the data retention policy that will govern the service agreement. Contrary to what we might think, corporations might not be interested in keeping their records for a long time; instead they demand that the data remain accessible for a certain time and afterwards be deleted permanently with no recoverable trace.29 This policy allows companies to comply with some regulatory obligations and to reduce the cost of ever-growing data, but as I will further explain this might also be the best way to keep evidence of illegal conduct away from regulators.

24 Subject to the universal terms, Google and its licensors disclaim all warranties in connection with the product and will not be liable for any damage or loss resulting from your use of the product. Available at http://tools.google.com/dlpage/res/cloudconnect/en-GB/eula_text.html?hl=en-in
25 See Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, Official Journal L105/54, 13.04.2006 at Article 6.
26 Id. at Article 5.
27 Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels 25.1.2012 COM (2012) 11 final, at Article 14.1.c.
28 The only requirement that the U.S. Congress has imposed on Internet Service Providers (ISPs) was introduced on May 25, 2011 by law 18 U.S.C. § 2701, forcing ISPs to save logs of all of their customers’ activities for 12 months to enhance the fight against child pornography. Available at http://www.gpo.gov/fdsys/pkg/BILLS-112hr1981rh/pdf/BILLS-112hr1981rh.pdf
29 Jun Li, Sharad Singhal, Ram Swaminathan, Alan H. Karp, Managing Data Retention Policies at Scale, HP Laboratories http://www.hpl.hp.com/techreports/2010/HPL-2010-203.pdf at 3

3. Cartels

3.1. Exchange of information on the cloud

Cloud computing is thought to be used for individual purposes, understood as each company contracting CP services for its own use. As shown above, private CPs guarantee customers an individual space protected from unwelcome guests. In order to ensure privacy and to enhance security in accessing the data, CPs provide passwords, passphrases and even the possibility to encrypt information (encryption keys).
However, nothing prevents a CEO or manager from voluntarily providing direct access to the company’s cloud to suppliers, customers or any other company. What is more, nothing prevents him from uploading detailed information about the company’s price list, production, salaries, etc. and granting access to its competitors and vice versa. As obvious as it seems, under U.S. and EU law this practice would violate the antitrust provisions laid down in the Sherman Act30 and the TFEU.31

3.2. Prohibition of the exchange of information

In the U.S., the exchange of information among competitors on prices, output or other competitively sensitive variables has long been recognized as a source of anticompetitive concerns that may violate Section 1 of the Sherman Act.32 The antitrust concern is that the information exchange may facilitate collusion among companies or a tacit coordination to lessen competition. The Supreme Court has held that sharing information among competitors, in itself, is not per se illegal, being normally examined under the “rule of reason”.33 Nonetheless, this exchange may serve as evidence of per se illegal conspiracy to fix prices.34 Alternatively, information exchanges concerning technology, know-how or intellectual property have been acknowledged by the courts and the antitrust agencies as essential to achieve the procompetitive benefits of R&D collaboration.35

30 15 U.S.C § 1.
31 Treaty on the Functioning of the European Union (TFEU), Official Journal of the European Union C83/47, 30.03.2010 at Article 101.
32 15 U.S.C § 1.
33 See United States v. Citizens & So. Nat’l Bank, 422 U.S. 86, 113 (1975) (“But the dissemination of price information is not itself a per se violation of the Sherman Act.”)
34 ABA Section of Antitrust Law, 1 Antitrust Law Developments 93 (6th ed. 2007) citing, inter alia, In Re Flat Glass Antitrust Litig., 385 F.3d 350, 368-69 (3rd Cir. 2004) cert. denied, 544 U.S. 948 (2005); Petroleum Products Antitrust Litigation, 906 F.2d 432, 445-50 (9th Cir. 1990).
35 See Maple Flooring Mfrs.’ Ass’n v. United States, 268 U.S. 563, 582-83 (1925) and FTC and U.S. Dep’t of Justice, Antitrust Guidelines for Collaborations Among Competitors (2000) at 15, available at http://www.ftc.gov/os/2000/04/ftcdojguidelines.pdf.

Determining which exchange of information is harming consumers is a case-by-case exercise. Elements like the nature and quantity of the information, how recent the data is, the parties’ intent, the industry structure and the frequency of the exchanges are assessed to conclude whether the data exchanged may facilitate collusion or coordination in the market to the detriment of consumers.36

Europe shares similar antitrust concerns to the U.S. The first sign of antitrust concerns shown by the European Commission about information exchange came with the Notice concerning Agreements, Decisions and Concerted Practices in the field of Co-operation between Enterprises.37 But it was in the early 1990s when the European Commission carried out a comprehensive assessment of the potential restrictive effects of an information exchange system,38 which was further endorsed by the General Court (then Court of First Instance) and the Court of Justice of the European Union (then European Court of Justice).39 The subtle differences with the U.S. approach became clearer with the new EU Guidelines on horizontal cooperation.40 Unlike U.S. law, the new EU guidelines foresee that the communication of information among competitors may constitute by itself an agreement or concerted practice with the object of fixing prices or quantities infringing Article 101 TFEU.41 Having said that, the European Commission also examines the information exchanged on a case-by-case basis, analyzing the type of information exchanged (strategic data), the features of the market (more or less transparent), the age of the data, frequency, etc. to determine the likely result in the market.42

For the sake of simplicity, in this article I will assume that the type of information exchanged between competitors on the cloud clearly facilitates collusion and that it would lead to a Sherman Act section 1 or Article 101 of the TFEU violation.

3.3. It is time to play: Setting up a cartel

Next, with the cards, the table, the croupier and the players in place, it is time to decide whether to play a risky hand. There is only one new rule in the game: everybody knows everybody’s hands except the croupier.

36 See Antitrust Guidelines for Collaborations Among Competitors (2000), supra note 35, at 15.
37 In [1968] OJ C075, p. 3. The 1968 Notice was replaced in 2001 by the Commission’s Guidelines on the applicability of Article 81 to horizontal co-operation agreements (see OJ C 3 of 06.01.2001, p. 2).
38 See Commission Decision, UK Agricultural Tractor Exchange, in [1992] OJ L 68/19.
39 See for the General Court, J. Deere vs. Commission, [1994] ECR II-957; Fiatagri and New Holland Ford vs. Commission, [1994] ECR II-905. See for the Court of Justice of the EU, J. Deere vs. Commission, [1998] ECR I-3111; New Holland Ford vs. Commission, [1998] ECR I-3175.
40 European Commission Communication: Guidelines on the Applicability of Article 101 of the Treaty on the Functioning of the European Union to Horizontal Co-operation Agreements ch. 2, 2011 O.J. (C. 11) 1 (Jan. 14, 2011), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2011:011:0001:0072:EN:PDF.
41 Id. at 59.
42 Id. at 86-94.

This scenario seeks to exemplify the new situation that cloud computing offers to companies that are willing to form or continue in a cartel.
Companies are well aware of the technical features of cloud computing: the feasibility of storing and erasing data from any point, over any network, using any device; relocation of data to different jurisdictions; absence of regulation (only limited requirements imposed on CPs as regards privacy in Europe) and great discretion to negotiate with the CP whether to retain the company’s data or not. With these alternatives in mind, companies may have more incentives – or be less constrained – to orchestrate a cartel on the cloud.

To date, cartels have had to use more rustic techniques to exchange relevant information or monitor the effective implementation of an unlawful agreement. Among others, members of a cartel have used inserts in the newspapers,43 telephone surveys and public press releases,44 regular meetings45 and in the last decade more advanced but equally traceable emails46 to invite others to collude. To a greater or lesser extent, all these techniques require regular contact (physical or not) between the members of the cartel to police the adequate implementation of the agreement, leaving evidence of the alleged conduct.

Cloud computing diminishes the risk of being caught. Cloud computing offers broad and ubiquitous network access, modifying the normal pattern followed until now to share information. Now the information does not circulate from one computer to another; it remains in virtual storage and any authorized person may have access to it. Cloud computing is also multi-tenant, which means that a cloud offers access and service to multiple users at the same time, unlike other means of communication (e.g. telephone).47 Therefore, it is possible for all members of a cartel to upload information at the same time, obtain access to the same document with the information needed (e.g. price) and delete the document before the antitrust authorities become aware.
In this regard, although cloud computing does not eliminate the need to establish a first contact among competitors to agree to engage in the anticompetitive behavior, it certainly facilitates the carrying out of all the communications and decisions on the cloud, where the information may be accessed and deleted permanently on a daily or weekly basis. Therefore, companies may deem this new channel of communication a more efficient (data available in real time) and less risky (no traceable evidence) method of running a cartel.

3.4. Refining the cartel

Storing information in a cloud may seem attractive for companies thinking about forming a cartel, but some of these companies may feel uncomfortable uploading detailed information about the company’s record in a commercial cloud for illegal purposes. After all, once the data is not in their exclusive custody, they may lose control over it and it might end up in the wrong hands.

43 In re Valassis Communications, Inc., F.T.C. No. C-4160 (April 19, 2006) (consent order), available at http://www.ftc.gov/os/caselist/0510008/0510008c4160ValassisDecisionandOrder.pdf.
44 In re Stone Container Corporation, F.T.C. No. C-3806, all relevant information available at http://www.ftc.gov/os/caselist/c3806.shtm.
45 In re Nat’l Ass’n of Music Merchants, Inc., F.T.C. No. C-4255 (March 4, 2009) (analysis to aid public comment), available at http://www.ftc.gov/os/caselist/0010203/090304nammanal.pdf.
46 European Commission Decision in the case COMP/C-3/37.990 Intel, Brussels 13.5.2009 available at http://ec.europa.eu/competition/antitrust/cases/dec_docs/37990/37990_3581_11.pdf
47 See Sluijs, Larouche and Sauter, supra note 5, at 5.

In the U.S., according to United States v. Miller48 and Smith v. Maryland,49 the personal records held by a third party might not have the same constitutional privacy protection as applies when an individual holds it.
Therefore, if this doctrine is applied to cloud computing (those cases concerned banking and telephone services), the FTC or DOJ would simply need to request a subpoena to obtain the information they need from a CP.50

In Europe, an antitrust investigation is administrative in nature. Therefore, there is no need, a priori, for judicial intervention to request the data wanted. The EC, pursuant to Articles 18 and 20 of Regulation 1/2003, may request from any undertaking the necessary information.51 Only under certain circumstances does the EC need prior authorization from a national judicial authority to inspect premises where it suspects there might be relevant information.52 In fact, one of these circumstances, as explained below, is when the EC seeks information in premises other than the company’s premises, such as those of the CP.

Notwithstanding the power of the agencies to access the data, the CP may also in some cases access the information stored, modify the contract at will or terminate the contract with very short notice.53 These uncertainties about ‘who’ will have access to ‘what’ data and under ‘which’ circumstances might push companies to design and create their own ad hoc cloud, exactly matching their needs, such as complete control over who has access to the data and the technical and other barriers raised to impede regulators from tracking the information.

Even though this possibility seems complex and only open to companies with large economic and IT resources, the truth is that almost any corporation, or in our case a group of companies, may afford to pay a technology broker to set up a cloud.
The role of this broker would basically be to install the server of the cloud in a selected country and to provide multiple authorizations (as many as companies or individuals), fake logins (to avoid any link between the person and the company involved) and the necessary tools to encrypt the information (so that an outsider who ever gets access to the data without the necessary code will have serious difficulties deciphering the message).

48 425 U.S. 435 (1976).
49 442 U.S. 735 (1979).
50 It is still unclear which characterization should be given to the storage of data on the cloud and the level of protection may vary accordingly. Under the Electronic Communication Privacy Act (ECPA) if an ‘electronic communication service’ holds a text message in ‘electronic storage’, then law enforcement requires a warrant to obtain access to it, but if a ‘remote computing service’ holds the same text on behalf of the subscriber, a subpoena is sufficient. See Privacy on the clouds, supra note 17, at 13.
51 COUNCIL REGULATION (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty, Official Journal L1/1, 4.1.2003.
52 Id. at Article 21.3.
53 As an example see Amazon’s terms and conditions, available at http://aws.amazon.com/agreement/

Consequently, an ad hoc cloud removes the few concerns that companies may have when deciding whether or not to run a cartel using cloud computing. No hard-copy evidence, electronic evidence very difficult to detect and in any event easy to delete, fake identities to make the identification of the companies more difficult, reduction of the risk of leakages by the CP for an unexpected change of policy or subpoena, high jurisdictional barriers if the data is located in a remote server and finally encrypted information may render the efforts made by the antitrust authorities useless.

Companies’ incentives may now be different thanks to cloud computing.
While it is difficult to think that companies will now massively engage in cartel activities relying on the ‘immunity’ that virtual storage can provide them, we should acknowledge that sharing information between competitors was never easier and less detectable. Regulation is still unclear and companies will have fewer incentives to betray the other members of the cartel if they know that the risk of being caught is minimal. As a result, in my opinion cloud computing has the potential to modify the outcome of a company’s prisoner’s dilemma of whether or not to engage in anticompetitive conduct.

4. Competition Authorities

4.1. Powers and limits

The role of the competition authorities in discovering this type of behavior on the cloud is essential, though the powers they have been given might not be sufficient to detect and collect the evidence to condemn the companies involved. Regulatory boundaries and limited investigative tools may play a decisive role in the success or failure of an antitrust investigation.

First, as indicated above, the location of the data and the ultimate owner of the data may pose significant barriers for competition authorities to access the data. As one cyber security expert asserted, the cloud is multijurisdictional and it is not possible to know what legal standard applies to the documents stored on the cloud unless it is linked to a physical location.54 In the U.S., the USA PATRIOT Act55 (Patriot Act) grants authority to the FBI (after obtaining a court order) to compel disclosure of records held by cloud providers.56 This mechanism would prevent a company from deleting incriminating evidence before the authorities have the opportunity to seize the data. However, even with the Patriot Act a subpoena is necessary, and U.S. courts cannot issue a subpoena to gather data located outside the U.S.
In Europe, the European Commission enjoys similar powers with the advantage of not depending on a subpoena or warrant to request the information, but again, this competence extends only to the territory of the 27 European member states.

It is implied from the above that cooperation among competition authorities is going to be extremely important in the upcoming years. There are already mechanisms in place between Europe and the U.S. to share information, and the current cooperation with other jurisdictions like Australia, Mexico, Japan, Brazil or South Africa invites the belief that achievement of this goal is likely. However, a mere commitment to cooperate is not enough; instead, a quick, diligent and efficient response from the authorities involved will be required if we want to avoid a continuous relocation of the data until it is ultimately erased and the investigation jeopardized. This goal – a quick response from all the competition authorities involved – might be particularly difficult to attain in those jurisdictions with fewer human and technical resources, which might potentially be the target of a technology broker setting up a cloud for cartel members. To remedy this problem, the International Competition Network (ICN),57 which currently counts 120 members and advocates for convergence in competition policies and fostering international cooperation, may provide a unique forum to discuss this issue and to draft a common framework or guidelines establishing the steps to be taken when a cloud investigation is initiated by one of its members.

54 Speech by Mark Rasch, Director, Cybersecurity and Privacy Consulting, CSC in the Seminar “Lawful Access to Data on the cloud” at Georgetown University Law Center, Washington D.C., March 20, 2012.
55 Public Law 107-56.
56 50 U.S.C. § 1861.
Second, besides data location and the necessity to collaborate, traditional dawn raids might not be enough to collect the data and alternatives may infringe upon the rights of defense. Should competition authorities still bother to seize computers from a company’s premises when all the documents might be stored on the cloud? Yes, they should definitely bother. Although a well run cartel on the cloud might leave almost no trace of the illegal activity, it is more than likely that middle or top managers without IT skills will leave traces of this behavior, from documents saved on the hard drive, to undeleted emails with attachments, to simply documents sent to the bin but not erased. But even if executives are careful, the information provided by the hash values embedded in documents and the IT forensic techniques available to the antitrust authorities will provide valuable information for the investigation.58 In addition, as some readers have probably already noticed, information on the cloud might be exchanged, encrypted and deleted, but there is a traceable IP address which will lead the competition agency to the electronic device where the information has been accessed that belongs to a person (even if fake logins are used). This might not be initially sufficient to discover the content of the information, but it will enable the competition authority to request the relevant information from the owner of this device and, if (s)he refuses to do so, most of the competition authorities are empowered to impose economic sanctions59 and even criminal sanctions.60

57 For more information see http://www.internationalcompetitionnetwork.org/
58 A hash value is a mathematical algorithm produced against digital information (a file, a physical disk) thereby creating a digital fingerprint for that information. It is by purpose a one-way algorithm and thus it is not possible to change digital evidence without changing the corresponding hash values. In other words, if the hash value of a file has (not) changed, the file itself has (not) changed. International Competition Network, Anti-Cartel Enforcement Manual, Chapter 3 Digital Evidence Gathering, March 2010, at page 2. Available at http://www.internationalcompetitionnetwork.org/uploads/library/doc627.pdf
59 For instance in Europe the EC, pursuant to Article 23.1 of Regulation 1/2003, may impose on undertakings fines of up to 1% of their turnover if they fail to provide the information requested. See COUNCIL REGULATION (EC) No 1/2003 of 16 December 2002, supra note 51, at Article 23.1.
60 In the United Kingdom, under Section 42 of the Competition Act 1998 it is a criminal offence punishable by a fine and imprisonment not to comply with a request of information. See Competition Act 1998 available at http://www.legislation.gov.uk/ukpga/1998/41 at 42.

The alternative to carrying out dawn-raids on a company’s premises is to go directly to the cloud provider (if known) and request the information that the alleged infringer has stored. As indicated above, this might be a feasible option depending upon where the data is stored, but even assuming that the agency has jurisdiction and the data has not been either relocated or deleted, there might still be some regulatory burdens to surmount and some rights of defense to respect. Seizure of indiscriminate amounts of data without prior notice to the company concerned and without granting the possibility to be present during the investigation might violate the rights of defense in both Europe and the U.S. In Europe, pursuant to Regulation 1/2003, the EC has to provide a written authorization specifying the subject matter and purpose of the investigation to the person responsible in the company before proceeding with the inspection.61 Since cloud computing is slightly different because the data is not on the premises of the company investigated but in the CP’s premises, according to Article 21 of Regulation 1/2003 the EC must issue a Decision, not simply a written authorization, and obtain a prior authorization from the national judicial authority to execute this decision.62 But even if the EC complies and notifies the company involved, the real problem is how the EC will ensure that the data provided by the CP is within and not beyond the scope of the investigation. How can the EC respect privileged information such as lawyer-client correspondence without granting the company the possibility to monitor which information the CP is providing? The failure to comply with these requirements, which may jeopardize the surprise effect of a dawn-raid, will most likely prevent the company from exercising its rights of defense, which in turn will render the evidence gathered by the EC useless for prosecuting the company.63

In the U.S., the Patriot Act gives more leeway to the FBI to collect certain information from third parties without compromising an ongoing investigation. Even if a subpoena is normally needed for these types of interventions, the CP will be very limited in its ability to reveal to its client that it received the order.64 Therefore, it is likely that the company investigated only gets notice of such investigation when the DOJ or FTC discloses the final report.

Nonetheless, in both jurisdictions, all these efforts to comply with the procedural rules may be in vain because of the retention policy established between the CP and the companies. In other words, if companies request the CP to permanently erase the information stored on a daily basis, by the time the antitrust authorities may suspect the existence of this data and proceed to seize it, it will be gone. As I suggested at the outset of this article, to alleviate this problem competition authorities may impose a regulatory obligation on CPs to create a back-up of certain clients’ data for a limited period of time.

In summary, competition authorities still have tools to fight cartels on the cloud, but it is crucial to boost cooperation and refine dawn-raids to minimize the opportunities for companies to delete or relocate the evidence.

61 See COUNCIL REGULATION (EC) No 1/2003 of 16 December 2002, supra note 51, at Article 20.3.
62 Id. at Article 21.3.
63 Yves Van Gerven, Bringing “Dawn Raids” to light. Regulation 1/2003: Inspections (“Dawn Raids”) and the rights of defense. Available at http://www.vvgb-law.eu/lawyers/yves-vangerven/Resources/VanGerven_Regulation1_2003InspectionsDawnRaids.pdf
64 50 U.S.C. § 1861(d)(1). According to this provision, the CP could only disclose the request made by the FBI to those persons to whom disclosure is necessary to comply with the order, but this would normally not include the CP’s client. The CP could also disclose to an attorney in order to obtain legal assistance and lastly to other persons authorized by the Director of the FBI.

4.2. Onion Routing: just when you thought it could not get worse

This name refers to a new technique that enables Internet users to remain completely anonymous when they operate on the net, including hiding information about the websites they have visited and the physical locations of users.65 Onion routing (OR) works as follows: messages are repeatedly encrypted and then sent through multiple network nodes called onion routers. Each onion router removes a layer of encryption to uncover routing instructions and sends the message to the next router where the activity repeats until the message reaches its final destination.66 OR is not very well known yet in the legal arena, but it might be incredibly troublesome for competition agencies to detect cartels when combined with cloud computing.
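The layering described above can be made concrete with a short sketch that records what each router is able to observe. This is an added example, not part of the original article and not Tor's code; the router names, the addresses and the SHA-256-based toy cipher are assumptions made for illustration (real onion routers use negotiated keys and authenticated ciphers).

```python
import hashlib
import secrets

# Constructed sample values (documentation address ranges, made-up names).
SENDER = "198.51.100.7"
DESTINATION = "storage.example"
ROUTE = ["entry", "middle", "exit"]
MESSAGE = b"constructed sample payload"


def _xor_stream(key, nonce, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def wrap_layer(key, next_hop, inner):
    """Encrypt one layer: routing instruction (next hop) followed by the inner onion."""
    hop = next_hop.encode()
    plain = bytes([len(hop)]) + hop + inner
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(key, nonce, plain)


def peel_layer(key, blob):
    """Remove one layer and return (next hop, remaining onion)."""
    nonce, body = blob[:16], blob[16:]
    plain = _xor_stream(key, nonce, body)
    hop_len = plain[0]
    return plain[1:1 + hop_len].decode(), plain[1 + hop_len:]


def build_onion(route, keys, destination, message):
    """Sender side: wrap the message once per router, innermost layer first."""
    onion, next_hop = message, destination
    for router in reversed(route):
        onion = wrap_layer(keys[router], next_hop, onion)
        next_hop = router
    return onion


def relay(route, keys, sender, onion):
    """Pass the onion along the route, logging what each router can see."""
    observations = []
    previous, blob = sender, onion
    for router in route:
        next_hop, blob = peel_layer(keys[router], blob)
        observations.append(
            {"router": router, "received_from": previous, "forwards_to": next_hop}
        )
        previous = router
    return observations, blob


def demo():
    keys = {router: secrets.token_bytes(32) for router in ROUTE}
    onion = build_onion(ROUTE, keys, DESTINATION, MESSAGE)
    return relay(ROUTE, keys, SENDER, onion)


if __name__ == "__main__":
    seen, delivered = demo()
    for row in seen:
        print(row)
    print("delivered:", delivered)
```

Only the entry router's record contains the sender's address and only the exit router's record contains the destination, so the logs of any single router do not connect the two.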
The aim of Tor Project, an OR provider, is to enhance privacy and security on the Internet. Among the positive applications of this technique are (i) the ability of users to prevent websites from tracking them, (ii) the possibility of publishing web sites and other services without revealing the location of the site, and (iii) the possibility for law enforcement to conduct web site surveillance without leaving government IP addresses in their web logs and to strengthen security during sting operations.67

On the other hand, the potential implications for antitrust investigations are obvious. By using this technique, companies wishing to form a cartel may find a way to break the only link that competition authorities could establish between the data stored on the cloud and the companies involved: the IP address of the device used to access the data. As I have mentioned before, if a cartel is well managed, companies will use a private ad hoc cloud, accessing it through a Tor email account containing encrypted information. If that occurs, antitrust authorities may find it practically impossible to ascertain who and where the sender and receiver are and what the content of the information exchanged is. Only a mistake by one of the members could facilitate a trace to begin an investigation.

One might think that the authorities could request the OR provider, for instance Tor, to provide the information necessary to ascertain who and where one of its users is located. Unfortunately, not even the founders of this technique are able to break the anonymity of its users, and they have asserted that if the U.S. government ever requests that they install a backdoor in their system, they will strongly – and legally – oppose it.68

65 An example of onion routing is EFE’s Tor, available at https://www.torproject.org/
66 See Privacy on the clouds, supra note 17, at 20.
67 https://www.torproject.org/about/overview.html.en
68 https://www.torproject.org/docs/faq.html.en

This technique, not widely used for the time being, adds a hurdle in an antitrust investigation and in my view it should be addressed not from a technological point of view, but rather by modifying the incentives for firms to come to the authorities with the evidence.

4.3. Consequences

Technology advances much faster than regulation and competition authorities do. Besides, competition authorities normally do not have the economic and personnel resources to invest in IT experts and to train their personnel in IT forensics. Therefore, the most adequate solution to address this problem is by offering more incentives for companies to betray a cartel.

For the time being, the most successful tool to create instability in a cartel has been a well-structured leniency program.69 However, even if its validity is not at stake here, leniency programs may become less efficient if companies have no reason to believe that a cartel member will blow the whistle. In this regard, it is worth remembering that in a cloud, evidence is destroyed on a regular basis, so cartel members may feel more reluctant to depart from the collusive agreement because the benefits of remaining are higher than the likelihood of being caught. Even if caught, the evidence presented by the whistle blower might refer to a shorter period of time than the actual duration of the cartel, limiting the amount of the fine that the company is facing and consequently diminishing its deterrent effect.

New policies such as amnesty plus70 and rewards schemes71 strengthened the efficiency of leniency programs. However, as suggested in the next section, antitrust authorities should add new measures to incentivize companies to terminate cartel agreements.

69 See Scott D. Hammond, The Evolution of Criminal Antitrust Enforcement Over the last two Decades, National Institute of White Collar Crime, February 25, 2010 available at http://www.justice.gov/atr/public/speeches/255515.htm and Neelie Kroes, Recent Developments in the European Commission’s campaign against Cartels, the 10th Annual Competition conference at the European Institute, Fiesole, Italy October 13, 2006, available at http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/06/595&format=HTML&aged=0&language=EN&guiLanguage=en
70 Amnesty Plus refers to benefits that prosecutors can offer to a cartel member who discloses previously undetected antitrust offenses involving a cartel different from the one that first brought that cartelist to the prosecutors' attention. See Thomas Barnett, Criminal Enforcement of Antitrust laws: the U.S. model, Fordham Competition Law Institute’s Annual Conference on International Antitrust Law and Policy, New York, September 14, 2006 available at http://www.justice.gov/atr/public/speeches/218336.htm. United Kingdom adopted a similar system called leniency plus available at http://www.oft.gov.uk/shared_oft/reports/comp_policy/oft803.pdf.
71 See D. Daniel Sokol, Detection and Compliance in Cartel Policy, CPI Antitrust Chronicle, September 2011. This article briefly explains the South Korean antitrust experience that in 2007 established a system by which individual informants of a cartel may be rewarded with up to $850 million if they provide valuable information that allows the agency to defeat the cartel. In 2008, United Kingdom also adopted a similar reward scheme. For more information about the UK reward scheme see http://www.oft.gov.uk/OFTwork/competition-act-and-cartels/cartels/rewards

5. Attempted Solutions To Deal With These Challenges

5.1. Technological Solutions

Coming up with an adequate technological solution to this problem exceeds the scope of this article.
Instead, I propose approaching this antitrust problem in a way that mirrors the approach adopted in other areas of law, particularly in white-collar crime. In the same way that artificial intelligence and smart systems detect fraudulent financial transactions that are subsequently reported to the authorities, it should also be possible to develop software to examine the access and data logs of cloud providers in order to flag anomalies in the sharing of information among different users or cloud clients. This software should be able to detect, for instance, when an ‘outsider’ is trying to get access to a different cloud than its own, when sensitive information like prices or output is exchanged, or even when a CP’s clients belonging to the same horizontal market are sharing information (regardless of the content thereof). This software, together with the appropriate investigative tools (i.e. discovery rules, request of information to third parties, IT forensic techniques), would allow antitrust authorities to use these systems to canvass documents and databases on the cloud to identify cartel activity and, likely, to engage in an undercover investigation.

5.2. Legal & Regulatory Solutions

Regulatory measures are probably the first idea that comes to the European regulator’s mind but the last in the minds of U.S. regulators. These types of measures are aimed at regulating the commercial relation between CPs and businesses to diminish the antitrust risk associated with cloud computing. Therefore, this category will include provisions to challenge data location, jurisdiction and data retention policy:

List of clients: By obliging CPs to regularly provide a list of clients to the antitrust authorities cartels might be deterred by two means. First, antitrust authorities will have a list of the companies using cloud services before conducting an investigation that will allow the agency to refine its searches or raids (i.e. not limiting the search to seize computers). Second, companies will be restrained from using cloud computing for illegal purposes if they fear intervention by the antitrust agency (i.e. in some jurisdictions the intervention will be conducted without prior notice).

Mandatory Back-up: Since companies might delete the information stored on the cloud at any time, CPs might be required to keep a back-up of a client’s data upon request of the antitrust authority, especially for those companies who demand a very short retention of the data. The authorities should not have access to the information retained by the CP unless they provide the necessary subpoena or court order. This measure seeks to avoid the loss of relevant information during the initial steps of an investigation or while processing the court order. Should the investigation lack merit or the court order not be granted, the back-up will be deleted permanently as requested by the company.

Limiting ability to relocate data: This is probably the most intrusive clause of the three and likely the most difficult to adopt. The terms of the CPs’ contracts should limit the capacity of the parties to choose the location of the data and even the possibility to relocate this data. One possibility is to require that the location of the data be the place of legal registration of one of the parties, and to permit its relocation upon notification to the competent authority. A waiver of jurisdiction in favor of a given authority might also be used to limit the capacity to relocate data.

5.3. Economic Solutions

The measures mentioned above mainly address the risks that may come along with commercial CPs, but they are not designed to tackle antitrust problems originating with ad hoc clouds. It is difficult to believe that members of a cartel who decide to set up a cloud for illegal purposes will comply with regulatory obligations.
Therefore, the next set of policy recommendations is intended to deter companies from engaging in cartels using cloud-computing resources by strengthening the stick and sweetening the carrot.

Aggravating circumstances: If antitrust authorities pursue more transparent clouds, they should include as an aggravating circumstance for the calculation of the fine the storage of data in a non-registered cloud provider or in a cloud that does not comply with the regulatory obligations foreseen above (see section 5.2). Antitrust authorities may grant an exception if there is a legitimate justification (i.e. the cloud is located in a territory with lower cost but the competent authority does not impose regulatory obligations) subject to the submission of evidence that the data stored is not used for illegal purposes. In this regard, the provision of hash numbers and IP addresses from the initial moment of uploading documents on the cloud may provide information to the authorities about who has accessed the data, what modifications have been made and which documents are no longer available.

Heavy fines for cartel cooperators: Fines should be imposed not only on members of a cartel but also on companies and individuals (i.e. technology brokers) who cooperate in setting up a cloud for illegal purposes. At this point, the U.S. and Europe differ widely. Whereas the U.S. would probably impose the same fine on the companies and the cooperator, in Europe, the EC once had the opportunity to sanction a company whose purpose was basically to assist companies in running their cartels, but it finally imposed a symbolic fine (EUR 1000) which obviously lacks any deterrence effect.72

72 Judgment of the GC (then CFI) of July 8, 2008, in the case T-99/04, AC-Treuhand v. Commission.

5.4. Social norms and conventions

Create a culture of competition: following the example of the FTC, antitrust agencies should consider the possibility of imposing Antitrust Compliance Programs for antitrust offenders.73 These programs are imposed as a result of a violation and not ex-ante, therefore the deterrent effect of these programs resides in two elements: the economic burden that it entails to comply with it and the unpleasant situation for companies to have an antitrust compliance officer who oversees the company in order to detect and report possible antitrust concerns that might arise in the course of regular business. However, by adopting these programs the problem of recidivism is sharply reduced because companies subject to them are continuously monitored, their opportunities to depart from competitive behavior are rather limited and because companies free of these programs but with an antitrust history might decide ex ante not to use cloud computing for these purposes.

73 The FTC has imposed in three cases Antitrust Compliance Programs on companies found guilty of violations of Section 5 of the Federal Trade Commission Act, as amended, 15 U.S.C. § 45. The three orders were imposed on Pool Corporation (Docket No. C-4345, adopted January 10, 2012), Transitions Optical, Inc. (Docket No. C-4289, adopted April 22, 2010) and NAMM (Docket No. C-4255 adopted April 8, 2009). These programs impose, inter alia, the following obligations on the companies: appointment of an Antitrust Compliance Officer, in-person antitrust training to Executive and Sales staff, distribution of the order to the company’s clients, publication of the content of the order on the company’s website and retention of documents to comply with further obligations.
More media coverage showing the ‘bad behavior’ of antitrust offenders: while this action is not specifically addressed to combat cartel activities using cloud computing, some articles show that the economic impact of a bad reputation for a corporation might be more devastating than a fine.74 Consequently, if antitrust violations gain some weight in the public media, companies and CPs will be more diligent in their businesses to ensure that they are not on the front page of a newspaper accusing them of depriving consumers of better prices and services.

Adoption of criminal sanctions: Even though this proposal appears at the very end of this article, the adoption of criminal sanctions could really mitigate an individual’s incentives to operate a cartel in a cloud. There is vast literature about the pros and cons of adopting criminal sanctions to obtain the optimal deterrent effect.75 However, it seems undeniable that those jurisdictions like the U.S. or U.K. where individuals can be imprisoned are in a better position to deter executives from uploading information in a cloud or accessing somebody else’s cloud than other jurisdictions like Europe where only companies might be fined. To articulate a refined cartel using cloud computing requires a continuous commitment from an individual to upload and exchange information, to share personal passwords, to use personal electronic devices and to adopt decisions the company might not be aware of even when conducting internal investigations and compliance programs. Therefore, it is important to allocate some risks to the individual to avoid companies’ arguments that the conduct was unknown by the board and it is the sole responsibility of the individual, because unlike traditional cartels, this time it might be true.

74 See Johan J. Graafland, Collusion, Reputation Damage and Interest in Codes of Conduct: The Case of a Dutch Construction Company, MPRA Paper No. 20281, January 27, 2010 available at http://mpra.ub.uni-muenchen.de/20281/1/MPRA_paper_20281.pdf and Pete Engardio and Michael Arndt, What Price Reputation? Many savvy companies are starting to realize that a good name can be their most important asset—and actually boost the stock price, BUS. WK., July 9, 2007 available at http://www.businessweek.com/print/magazine/content/
75 See, inter alia, OECD, Policy Roundtable Cartel Sanctions Against Individuals, January 10, 2005 available at http://www.oecd.org/dataoecd/61/46/34306028.pdf; Wouter P.J. Wils, Is criminalization of EU Competition law the Answer? European University Institute Robert Schuman Center for Advance Studies, 2006 EU Competition Law and Policy Workshop, available at http://www.eui.eu/RSCAS/Research/Competition/2006(pdf)/200610-COMPedWils.pdf and Cindy R. Alexander & Mark A. Cohen, The Causes of Corporate Crime: An Economic Perspective in PROSECUTORS IN THE BOARDROOM: USING CRIMINAL LAW TO REGULATE CORPORATE CONDUCT 33 (Anthony Barkow & Rachel Barkow eds., 2011)

6. Conclusion

Cloud computing is offering IT solutions for companies worldwide, but new technology is not exempt from problems. Some of the problems mentioned in this article (i.e. location of the data, data protection and data retention) are a result of the cloud infrastructure itself and of the business model chosen by the CPs. However, other problems might be brought by companies using cloud services for illegal purposes (i.e. sharing sensitive information with competitors). The sophistication in exchanging that information may reach levels never seen before, preventing antitrust authorities from finding evidence of the unlawful conduct. The technology nowadays allows Internet users, corporations included, to navigate the web anonymously, to exchange files without leaving any trace and to access information stored in a cloud anywhere at anytime.
To fight the collusive effects that are envisaged to occur, competition authorities across the globe will have to cooperate more closely than ever and foresee common procedures to react quickly every time that a competition agency requests assistance in compelling a CP or a third party to furnish the information needed. Notwithstanding this cooperation, the real challenge for the authorities will be to cope with the new technological developments having scarce resources and, sometimes, limited investigative tools to achieve satisfactory results. In this regard, it is worth noting that some jurisdictions are initially in a better position than others to deter and investigate cartels. For instance, in the U.S. the powers granted by the Patriot Act to the FBI to collect information from third parties (cloud providers) without notifying the concerned company are far more effective than the requests of information that the European Commission is authorized to convey. Similarly, the possibility of imposing criminal sanctions on individuals has a wider deterrent effect than pecuniary sanctions. Yet, irrespective of the investigative tools, the still unclear legal characterization of cloud providers may add administrative hurdles in an investigation, obliging the antitrust authorities to refine their investigations to avoid breaching the rights of defense of the company investigated.

To overcome these problems I suggest a combination of technological, regulatory and economic solutions that will deter companies from using clouds for the wrong purposes. By creating software that detects suspicious movements in a cloud, such as the exchange of prices between cloud users, and by imposing some data retention obligations on CPs it would be possible to eliminate most of the antitrust problems related to the cloud infrastructure and the CP business model. In addition to these measures, if competition authorities strengthen the stick for companies that exchange information on the cloud (i.e. higher fines, imposition of antitrust compliance programs and adoption of criminal sanctions) it is almost certain that companies will see cloud computing as it should be, a powerful technological tool that will help them to reduce costs, work more efficiently and compete more fiercely in the market to offer better prices and services to customers.
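The log-review software proposed in section 5.1 and the hash and IP records proposed in section 5.3 can be sketched together over a handful of access-log records. This is an added example, not part of the original article; the client names, the register of clients by market, the log fields and the addresses are constructed assumptions, and the sketch covers access patterns only, not the content of the documents.

```python
import hashlib
from collections import namedtuple

Event = namedtuple("Event", "time actor src_ip action owner obj digest")


def digest(content):
    """Hash value (digital fingerprint) of a document's bytes."""
    return hashlib.sha256(content).hexdigest()


# Constructed register of a CP's clients and their markets (hypothetical).
SECTOR = {"acme-steel": "steel", "borealis-steel": "steel", "cirrus-bakery": "bakery"}

# Constructed documents and access-log records; IPs are documentation ranges.
V1, V2, BROCHURE = b"Q2 prices v1", b"Q2 prices v2", b"brochure"
EVENTS = [
    Event("2012-03-01T08:00", "acme-steel", "203.0.113.10", "UPLOAD",
          "acme-steel", "brochure.pdf", digest(BROCHURE)),
    Event("2012-03-01T09:00", "acme-steel", "203.0.113.10", "UPLOAD",
          "acme-steel", "q2-prices.xlsx", digest(V1)),
    Event("2012-03-01T09:20", "borealis-steel", "198.51.100.23", "READ",
          "acme-steel", "q2-prices.xlsx", digest(V1)),
    Event("2012-03-02T08:05", "borealis-steel", "198.51.100.23", "MODIFY",
          "acme-steel", "q2-prices.xlsx", digest(V2)),
    Event("2012-03-02T10:00", "cirrus-bakery", "192.0.2.44", "READ",
          "acme-steel", "brochure.pdf", digest(BROCHURE)),
    Event("2012-03-03T23:59", "acme-steel", "203.0.113.10", "DELETE",
          "acme-steel", "q2-prices.xlsx", None),
]


def flag_sharing(events, sector):
    """Flag every access by a client to another client's storage area.

    Accesses between clients of the same horizontal market are marked
    separately, regardless of the content exchanged.
    """
    flags = []
    for e in sorted(events, key=lambda ev: ev.time):
        if e.actor == e.owner:
            continue
        same_market = (sector.get(e.actor) is not None
                       and sector.get(e.actor) == sector.get(e.owner))
        flags.append({
            "time": e.time, "actor": e.actor, "src_ip": e.src_ip,
            "action": e.action, "owner": e.owner, "object": e.obj,
            "reason": "same-market sharing" if same_market else "cross-tenant access",
        })
    return flags


def object_history(events):
    """Per document: who accessed it (with IP), whether its hash changed
    since the first upload, and whether it is no longer available."""
    history = {}
    for e in sorted(events, key=lambda ev: ev.time):
        h = history.setdefault((e.owner, e.obj), {
            "first_digest": None, "last_digest": None,
            "modified": False, "deleted": False, "accessed_by": set(),
        })
        h["accessed_by"].add((e.actor, e.src_ip))
        if e.action == "DELETE":
            h["deleted"] = True
            continue
        h["deleted"] = False
        if h["first_digest"] is None:
            h["first_digest"] = e.digest
        elif e.digest != h["last_digest"]:
            h["modified"] = True
        h["last_digest"] = e.digest
    return history


if __name__ == "__main__":
    for flag in flag_sharing(EVENTS, SECTOR):
        print(flag)
    for key, record in object_history(EVENTS).items():
        print(key, record["modified"], record["deleted"], sorted(record["accessed_by"]))
```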