Mostly Cloudy: Why regulating social media could put Facebook in the cloud business


Facebook founder and CEO Mark Zuckerberg (Facebook Photo)

Is Facebook really thinking about becoming a cloud services provider?

The first slate of NFL games had just kicked off Sunday morning, and with little action in the early going I opened up Twitter. Usually, this is a terrible idea, but I stumbled upon an interesting discussion between Mike Issac of the The New York Times and Alex Stamos, former chief security officer at Facebook currently teaching about social media and information security at Stanford.

It was a relatively cordial conversation about topics including content moderation, the push and pull of how journalists cover topics like social media regulation, and how Facebook CEO Mark Zuckerberg can be his own worst enemy when trying to explain his company’s worldview. And then this tweet, written by a person who was part of Facebook’s inner circle for several years, jumped out at me:

I reached out to Stamos Monday in hopes of learning a bit more about his thinking here, but he didn’t respond. Five years is an eternity in technology, and many things would have to happen for this scenario to come to pass.

But, revenue mix aside, it’s not that farfetched. Here’s why.

Cloud-based compliance services are growing

New laws like Europe’s GDPR and California’s pending privacy law, coupled with the expectation that increased tech regulation will be on tap if the U.S. elects the Democratic presidential candidate next year, have set off a wave of investment in compliance startups that want to profit by helping other companies pass their tests.

Compliance might as well be a synonym for “root canal” inside most legal and financial departments: painful but necessary. Companies that want to offer tech services to regulated industries like healthcare, financial services, or government agencies need to establish that they followed designated procedures while building their software, and that’s getting harder and harder to do as software becomes more complex.

Alex Stamos, former Chief Security Officer at Facebook and current Stanford professor (Stanford Photo)

Cloud companies looking to do business with the federal government are very familiar with the FedRAMP compliance program, which has been around since 2011 and sets security standards above and beyond industry-standard practices. But even businesses that want to accept credit cards online have to deal with regulatory agencies, and the process of proving your product or service meets those standards can be labor-intensive.

If you’re an enterprise tech entrepreneur in 2019, you’re looking at ways to automate things that businesses find labor intensive. Just in the last year, I’ve spoken with three companies in the Pacific Northwest developing businesses around helping other companies entering new markets with limited experience around compliance:

  • Hyperproof, founded by Azuqua co-founder Craig Unger

  • Shujinko, founded by two engineers who helped Starbucks establish its compliance program

  • Antiam, a longtime security consulting company that is pivoting hard to compliance after prominent customer Amazon Web Services realized Antiam’s security automation technology could also automate compliance.

The idea behind these services is to automate the process of pulling compliance-related data into a tracking and verification system, rather than designating someone in the company as the Compliance Cop, who has to hound colleagues for compliance reports every so often and then pull all the data together. The complexity of this process grows along with the size of a business and the volume of regulation, and at a certain point manual approaches to compliance simply don’t scale.

All of the big vendors already offer some level of compliance services through their security operations, but there’s lots of room for new tools. Compliance can be a huge distraction for executives and managers, and companies are willing to pay for cloud services that let them focus on their core business.

And if the U.S. or European Union were to impose new regulations or change existing laws around content moderation or the amplification of disinformation over the next five years, a generation of user-generated content companies that built businesses around a hands-off legal approach to these issues will have a big problem.

Facebook’s internal infrastructure is top notch

It seems pretty safe to say that the vast majority of Facebook users don’t spend a lot of time thinking about how Facebook provides its services. But infrastructure nerds are well acquainted with Facebook’s work on data center construction and infrastructure design, expertise that is on par with (and sometimes ahead of) cloud giants like AWS, Microsoft, and Google.

The company opened its first data center in Prineville, Oregon, in 2011, and by the middle of next year will have 15 data centers located around the world, mostly in the U.S. As it built out that first data center, Facebook pioneered a number of efficient infrastructure design and building techniques that it would later share through the Open Compute Project.

The design for Facebook’s Singapore data center, scheduled to come online next year. (Facebook Photo)

Rumors of Facebook’s interest in cloud services have circulated for years within the cloud industry, given that it is among the few companies in the world that has world-class tech infrastructure talent combined with a steady stream of capital provided by the huge portion of the online advertising market it controls. Those rumors never really rose above the gossip mills, although during an earnings conference call last October Zuckerberg was asked about the possibility as a way of offsetting rising capital expenditures.

For a guy who has spent the last couple of years bobbing and weaving before Congressional hearings and the media, his answer was pretty direct:

The quick answer is that we're not planning on going into the cloud services -- we're not planning on doing that. We have to build out all this capacity to serve our community. It's a very computationally and resource intensive set of services that we provide and we need to build that out. We are very optimistic.

Operating a cloud service is not a simple matter of giving customers access to your data centers, and there’s a lot of work that Facebook would have to do to prepare its infrastructure for outsiders. And 15 data centers isn’t enough to service general-purpose cloud computing customers: AWS operates data centers in 69 regions around the world, with multiple data centers in many of those regions.

But if Facebook keeps spending nearly $4 billion a quarter on capital expenditures, over the next few years it could probably build enough infrastructure to service customers with a specific, pressing need.

Sweeping regulation will give Facebook a moat

Nearly all online advertising is controlled by two extremely wealthy companies that, having shaped the modern internet in their best interests thanks to years of federal regulatory indifference, are now starting to welcome federal regulation. That’s because thanks to their stockpiles of data and money, Facebook and Google are best equipped to quickly overcome the challenges posed by any new social-media or user-generated content regulation, and because the last thing they want is to be broken up by federal regulators.

Businesses hate regulation for the simplest of reasons: it costs them money. As noted above, complying with various regulations currently in place is already a complicated and costly endeavor, and budding ideas like data sovereignty laws could increase that cost in a whole different way.

Zuckerberg testifies before Congress in 2018. (C-SPAN screenshot)

Twitter, Pinterest, and a few others would probably be able to find their way on their own, but there are lots of other smaller companies that won’t have the resources to build compliance programs. That could force some out of business, and perhaps more damaging to the future of the social-media market, discourage new entrants put off by the cost of compliance.

But what if Facebook, after tough discussions with federal regulators threatening to break up the company, offered access to compliance-automation services hosted on its infrastructure and built specifically for the challenge of meeting new, more stringent regulations around user-generated content? Such a deal would avoid Zuckerberg’s worst nightmare, allay concerns about the anticompetitive market power that sweeping social-media regulation would have on new entrants, and could open up a new line of business for the company if the advertising market hits some bumps.

Cloud services are popular because more and more companies have realized that it makes sense to pay an expert for complex services that are much more expensive and difficult to build and operate themselves. Sure, there’s lots of companies adjacent to Facebook’s orbit that won’t want to hand their money and data over to a competitor, but lots of retail companies still use AWS despite Amazon’s rapacious retail operation.

Cloud-based compliance services are going to be a Big Thing, one way or another. Facebook will likely have to build an enormous compliance operation to handle even half of the proposals being kicked around across the planet, and it will develop unique insights into how to introduce compliance at companies that rely on user-generated content that other cloud giants and startups can’t easily duplicate.

It took years for the Big Three cloud companies to refine the ideas developed while building their own internal infrastructure as external cloud services. Facebook is a much younger company, but it has the money, expertise, and motivation to break into cloud services.