Cloud Computing Giants Turn on Each Other as FTC Enforcement Looms

Published on Jan 26, 2024

As the Federal Trade Commission looks to wrap up its in-depth probe into the cloud computing market, a report and subsequent possible enforcement represents a prime opportunity for the agency to make its mark on digital antitrust law.

Microsoft Azure is at particular risk of FTC scrutiny due to the platform’s restrictive software licensing, as well as sophisticated lobbying efforts by competitors. Amazon Web Services (AWS), far and away the largest cloud business in the world, is another likely target.

In any kind of intervention, the agency would likely draw on the Sherman Act, Section 5 of the FTC Act, or potentially a combination of both, academics and lawyers told The Capitol Forum.

Cloud competition broke into headlines most recently on January 11, when Amit Zavery, head of Google Cloud Platform (GCP), announced that the provider would cut some fees previously charged to users looking to migrate their data to another cloud provider.

“GCP’s move to eliminate data egress fees (not for all scenarios but at least for some) was likely in part a response to FTC and other agencies looking at this issue,” said Steven Weber, a professor emeritus at UC Berkeley who spoke at an FTC panel on cloud computing last spring. “It will put pressure on other hyperscale cloud providers to match the move.”

The FTC has had cloud computing in its sights ever since it launched a 6(b) study of the industry last March. 6(b) investigations entail wide-ranging requests for information (RFI) and indicate agency priorities. After reviewing RFI comments from experts and industry participants, the commission published a blog post in November identifying four categories of concerns.

“This is a typical course of action for the FTC,” said Manatt, Phelps & Phillips attorney Dylan Carson. “We’ve seen this—concern, study, then enforcement actions—time and time again.”

Depending on the legal underpinning, the case could either be relatively straightforward, or a more ambitious attempt to bolster the agency’s interpretation of its authority.

The FTC declined to comment. On Thursday, the agency announced a new 6(b) inquiry into partnerships between the three cloud giants and generative AI firms Anthropic and OpenAI.

Reached for comment for this article, a Google spokesperson pointed to Zavery’s announcement. An AWS spokesperson claimed that since 2021, “over 90% of our customers pay nothing for data transfers out of AWS.”

“In accordance with the European Data Act, for the small number of remaining customers, AWS will not charge eligible EU customers more than cost for data transfers out to support switching or in parallel use of other relevant providers,” the AWS spokesperson added. “Restrictive licensing practices remain a far bigger issue to customers who want the choice of working with their preferred cloud provider.”

A Microsoft spokesperson struck a conciliatory tone. “We’ve made significant changes to our licensing globally based on discussions with partners and customers, and we will continue to actively listen to them and to regulators in the US and around the world,” he told The Capitol Forum.

What would an FTC complaint look like? Sections 1 and 2 of the Sherman Act are foundational, time-tested FTC precedents, especially when it comes to tech firms. But the Sherman Act is a double-edged sword: while the FTC would have an easier time defending a Section 2 complaint in court, the well-accepted legal framework could limit the lawsuit’s reach.

In its blog post, the FTC described some concerns that experts said the Sherman Act might be unable to address. That’s where Section 5 of the FTC Act would come in.

“FTC Chair Khan has explained in two articles and a policy statement how broad the section 5 authority may be,” said Hannibal Travis, a law professor at Florida International University College of Law. In November 2022, the FTC published a statement asserting that Section 5 “reaches beyond the Sherman and Clayton Acts to encompass various types of unfair conduct.”

The agency “will probably seek to reinforce its broad interpretation of its inherent authority under Section 5 through judicial validation,” said Daryl Lim, a professor at Penn State Dickinson Law who writes about antitrust and IP law. “Victories primarily resting on Section 1 or 2 grounds are more likely, but if they hinge on the more traditional interpretations of the Sherman Act, they will yield significant but symbolically limited outcomes for those advocating a radical overhaul of antitrust legislation.”

A Sherman approach to cloud lock-in. From 20th century lawsuits against IBM (IBM) and Microsoft (MSFT) to 21st century interventions against Facebook (META), Google (GOOGL), and Amazon (AMZN), U.S. antitrust officials have used Section 2 of the Sherman Act to take on Big Tech.

The Sherman Act is particularly appropriate for cases involving ‘vendor lock-in,’ where tied or bundled products all but force customers to pay more than they could with another vendor. “There is a tradition of both DOJ and FTC challenging high-tech pricing policies that tend to make it excessively costly to switch providers,” said FIU Law’s Travis.

The first category of cloud competition concerns identified by the FTC—costly data transfer fees, discounts on bundled software, and restrictive licensing terms—would fit neatly into this Sherman Act tradition, according to Travis and other experts.

The FTC could cite precedent from the DOJ’s successful 1990s antitrust action against Microsoft, in which the firm agreed to stop “per-processor” licensing as part of a consent decree. The Supreme Court’s 1992 decision in Eastman Kodak, which outlawed certain vendor lock-in practices, could also be a boon for the agency. And the FTC is already challenging an Amazon tying arrangement in its landmark suit against the firm’s online marketplace, as The Capitol Forum previously reported.

That is not to say that a Section 2 cloud case would be easy, even one against Microsoft’s licensing. Cloud providers could invoke their own favorable precedent, such as the FTC’s 2020 failure to stop semiconductor company Qualcomm’s ‘no license, no chip’ policy.

Cloud market(s). To pursue a Sherman Act complaint, the FTC would delineate a “cognizable antitrust market” that a given cloud provider is monopolizing, according to Gary Reback, a lawyer at Carr & Ferrell who helped lead the 1990s lawsuit against Microsoft.

Microsoft would likely argue that this requirement shields it from scrutiny because, as the firm wrote in its comment to the FTC, “AWS has always been the market share leader in cloud computing services.”

When looking at the aggregate global cloud market, AWS indeed dominates, with a roughly 32% share compared to Azure’s 22%. GCP is the third-largest with around 11%, according to the Synergy Research Group.

But academics and lawyers said the cloud market is more like a collection of many markets, divided by region, industry, and position in the cloud computing ‘stack.’ (Programmers use the concept of a ‘stack’ to describe the interconnected layers of software that constitute the digital world.)

Microsoft’s critics contend that to catch up with AWS, Azure has trapped customers in its enterprise software cloud. “Certain legacy providers leverage their on-premises software monopolies to create cloud monopolies,” Google’s Zavery wrote on Friday. The pointed line probably refers not just to Microsoft, but also Oracle (ORCL), a smaller competitor that allegedly employs a similar lock-in strategy. Oracle sits at approximately 2% market share.

Steve DelBianco, president of NetChoice—an Amazon-backed advocacy group—echoed Zavery’s argument in an interview. “Long before having dominant share of cloud, Microsoft had a dominant share of office,” he said. “When you look at AWS or Google, none of them have an installed base of software licensing.”

Microsoft has indeed maintained an outsize influence in some sectors, especially in the top layer of the stack, also known as software-as-a-service (SaaS). SaaS encompasses the applications that users interact with directly, such as Zoom (ZM), Salesforce (CRM), and Slack.

While tech firms jealously guard market data, various estimates have pegged Office 365’s share of the productivity software market at anywhere from 50% to 87.5%, depending on market definition. One Google-backed study from 2021 found that Microsoft controls around 85% of the U.S. federal government office SaaS market. These submarkets could prove critical for antitrust enforcers building a case.

But Amazon also controls critical segments of the stack, mostly in the bottom layer, referred to as infrastructure-as-a-service (IaaS). There, AWS has 40% of the market, according to figures from research firm Gartner.

The government IaaS market is one area where Amazon has faced particular scrutiny. AWS was the first major cloud provider authorized to store sensitive but unclassified Department of Defense (DOD) data. The company leveraged that early foothold to expand into other parts of the government cloud: A 2022 investigation by The Capitol Forum found that nearly 40% of 35 states surveyed relied exclusively on AWS for their Medicaid agencies’ cloud services.

In 2021, Senator Mike Lee (R-UT) and Representative Ken Buck (R-CO) sent a letter to DOJ expressing concern that “Amazon may have attempted to monopolize one or more markets relating to government and/or commercial cloud computing services by improperly influencing the Joint Enterprise Defense Infrastructure [JEDI] procurement process.” The lawmakers said explicitly that AWS’s JEDI conduct may have violated Section 2 of the Sherman Act.

The Capitol Forum reported extensively on JEDI—the DOD’s abortive foray into cloud computing—and the revolving door between AWS and the Pentagon that could have improperly influenced the process. A LinkedIn search yields over 200 former DOD employees who now work at AWS.

Amazon also dominates in various non-governmental clouds. AWS CEO Adam Selipsky said in 2022 that “over 90% of cloud-oriented startups” operate on AWS, as advocacy group the Institute for Local Self-Reliance noted in their RFI comment.

Moreover, as in retail, AWS’s dual status as a cloud vendor and a marketplace facilitates sector-specific monopolism. Database developers like MongoDB and Elastic have accused AWS of stifling innovation in the open-source database space by repackaging their freely available code and selling it as an Amazon commercial product on the AWS marketplace.

In response, “a lot of the independent database providers are producing more restrictive licensing,” which impedes the flow of open-source innovation, said Gerald Berk, a University of Oregon professor who wrote a public comment to the FTC about the issue. “The FTC can not only protect smaller independents from platform power, but can also protect the viability of open source.”

“I know there are brewing private antitrust suits,” he added. “And there are lots of examples where private cases pushed the state to do public cases.”

Unsurprisingly, NetChoice’s DelBianco rejected the idea that AWS could draw FTC scrutiny. “There’s no shortage of competition in cloud,” he insisted. “The issue is that consumers can’t use the cloud of their choice.”

U.K. regulators disagree. Although a top CMA official did single out Microsoft in a press release, Ofcom, the U.K. communications regulator, expressed concern about anticompetitive practices of both AWS and Azure.

Egress fees evincing market power. Several professors suggested that the ability of Microsoft and Amazon to dominate the cloud with egress fees could itself demonstrate market power under Section 2 of the Sherman Act.

“A number of us have argued that if a company is engaging in practices that wouldn’t make sense in a competitive market, that’s proof of market power,” said Reback. “If a company has the ability to exclude competition, earlier FTC cases have suggested that might be enough.”

Whether that approach would work for the FTC “depends on how much of it they can prove,” he added. “If it’s not straightforward, it’ll be hard to show that the practices alone show market power.”

In Oracle’s June comment to the FTC, the company said Amazon “stands alone as the worst offender” when it comes to egress fees.

GCP’s partial elimination of egress fees followed months of scrutiny from European enforcers, and coincided with the implementation of the EU’s brand-new Data Act, which forbids “obstacles to effective switching” between cloud providers. The extent of GCP’s policy adjustment is unclear, though; the provider announced in late 2023 that some of the unaffected egress fees will increase in February.

The FTC has met with Google about the data transfer fees of its competitors, The Information recently reported.

In the U.S., data “portability has been an issue across industries,” especially healthcare and finance, according to Manatt’s Paul Luehr. Alongside FTC interest in cloud egress fees, the Consumer Financial Protection Bureau in October proposed a rule that would facilitate transfers of consumer data between banks.

Microsoft’s vulnerability. For technical and political reasons, Microsoft may be the lowest-hanging fruit when it comes to FTC enforcement in the cloud. First, some experts say that Azure has grown through acquisition to a greater degree than AWS. Second, U.K. regulators allege that Microsoft has made it financially unsustainable to use Microsoft software on a cloud other than Azure. Competitors like AWS also impede interoperability, but to a lesser extent.

A lawsuit against Microsoft’s licensing would fit under “conventional antitrust theory,” said John Lopatka, a Penn State Law professor who co-wrote a book about the 1990s Microsoft case.

Manatt’s Carson concurred. “I would think the licensing restrictions are a specific tangible consumer harm they can identify and quantify,” he said.

The FTC may also feel emboldened by activity across the pond. The European Commission is reportedly preparing a complaint over Microsoft’s bundling of video-conferencing app Teams and other business applications. And in early October, the U.K.’s Competition and Markets Authority (CMA) announced a cloud market investigation, to be concluded by April 2025. Following the announcement of the CMA probe, Microsoft reentered licensing negotiations with the Cloud Infrastructure Service Providers in Europe (CISPE), an Amazon-backed trade group, as The Capitol Forum reported last month.

Microsoft is unique in that it has drawn censure from not just regulators, but also other tech firms—especially Amazon and Google, which are helping bankroll an international campaign to cast Microsoft as cloud’s chief monopolist.

Last month, a CISPE spokesperson told The Capitol Forum that Amazon’s affiliation with the group shouldn’t “distract from the reality” that smaller cloud providers “suffer most from Microsoft’s discriminatory pricing.” For its part, Microsoft told the CMA that CISPE’s laser-focus on licensing “risks being a disproportionate distraction to CMA resources.”

“I do think that Microsoft is most at risk here with regard to licensing practices,” said Weber.

Section 5 and single points of failure. Experts said Section 5 would enable the FTC to regulate cloud practices that don’t fall squarely within the purview of Section 2. For example, the agency’s blog post discussed “single points of failure” and privacy breaches in the cloud, which the agency attributed to “widespread reliance” on a handful of cloud providers.

Some experts said the FTC could draw on Section 5’s ban on unfair or deceptive practices to address single point of failure issues. In essence, the agency could allege that cloud providers are misleading customers about the security of their services, or the ease with which customers can switch vendors.

The commission has formulated Section 5 as “a mixed consumer protection/spirit of the Sherman Act approach,” Travis said. “Traditional privacy scandals like Comcast, State Farm, and T-Mobile perhaps could have been prevented with better cloud vendors or better configured cloud services.”

“Single point of failure is essentially supply chain resiliency,” said Diana Moss, director of competition policy at the Progressive Policy Institute. “If you don’t have a lot of competition at a chokepoint in the supply chain, there is a higher probability it will fail.”

“I don’t think that is something the market will automatically fix,” she added.

Screenshot from Public Citizen’s RFI comment about cloud competition.

One example of single point of failure could be the financial services cloud market. A 2023 Treasury Department report found that cloud concentration may expose financial institutions to cybersecurity risks. Some of those institutions told Treasury there were “gaps in their ability to assess the resilience” of their clouds.

That said, Treasury could preclude the need for FTC enforcement if the department were to designate AWS and other centralized cloud providers as “systematically important financial market utilities” (SIFMUs). In November 2021, fourteen consumer advocacy groups called on bank regulators to do just that.

Even the Federal Reserve relies on AWS. In response to The Capitol Forum’s reporting last year that the Fed had tapped AWS for its FedNow instant payment service, Representative Nydia Velázquez (D-NY) said Treasury should step up cloud regulation.

In addressing cloud cybersecurity, the FTC would likely “reach for the unfairness prong, rather than the deception prong, of Section 5,” said Luehr.

Whether or not the FTC uses Section 5, experts said that a holistic analysis and approach is necessary to protect competition in this space. Berk said he hopes regulators understand that in the cloud, they are dealing with a new kind of market. “If the FTC and DOJ are only thinking in conventional ways about fees and standard kinds of monopolization strategies,” he said, “my sense is that they’re missing the forest for the trees.”