Signal president Meredith Whittaker says they had no choice but to use AWS, and that's a problem

Messaging service Signal may be unusual in its deployment of credible end-to-end encryption, but it shares a common availability vulnerability with many other internet services – dependence on Amazon Web Services (AWS).

Signal, like many other internet services, failed briefly during the sizable AWS outage that occurred on October 19 and 20. The cause, as AWS explained in its paragraph-starved post-mortem last week, was an error in AWS' automated DNS management system. And the loss of availability and productivity across the many AWS-dependent businesses has been estimated to have cost businesses more than a hundred billion dollars.

AWS has about a third of the global market share for cloud computing services, according to Synergy Research Group. 

But a former AWS employee who corresponded with The Register argues the figure is more like half of the cloud computing market because AWS runs backend services for notional rivals like IBM, Oracle, and Salesforce. A recent report from HG Insights puts the number of businesses using AWS at more than 4 million, with particular concentrations within media, retail, internet services, manufacturing, and education. Our insider tells us thousands of government agencies also depend on AWS, including some national security workloads.

Signal president Meredith Whittaker called attention to this massive dependency in a thread on the Mastodon social network, explaining how the concentration of power among cloud hyperscalers limits the options of services like Signal in terms of resiliency and network control.

Whittaker said that the concentration of power among cloud hyperscalers (AWS, Google, and Microsoft) is less widely understood than she expected, which bodes poorly for efforts to craft realistic strategies to change this dynamic.

She explained, "The question isn't 'why does Signal use AWS?' It's to look at the infrastructural requirements of any global, real-time, mass comms platform and ask how it is that we got to a place where there's no realistic alternative to AWS and the other hyperscalers."

The technical challenges for a service like Signal, Whittaker said, involve running a low-latency platform for instant communications that can carry millions of concurrent audio and video calls. That requires infrastructure around the globe – computing, storage, and edge nodes. And that infrastructure must be powered, monitored, and repaired.

"Such infrastructure costs billions and billions of dollars to provision and maintain, and it's highly depreciable," said Whittaker. "In the case of the hyperscalers, the staggering cost is cross-subsidized by other businesses–themselves also massive platforms with significant lock-in."

• Australia sues Microsoft for misleading M365 users about Copilot subscription options
• The perfect AWS storm has blown over, but the climate is only getting worse
• EU sovereignty plan accused of helping US cloud giants
• UN Cybercrime Treaty wins dozens of signatories, to go with its many critics

The result is that most companies, Signal included, can't afford to replicate AWS' global network of data centers and computing power. 

And even if Signal could afford to do so, she said, the talent to oversee global scale cloud computing is scarce.

"In short, the problem here is not that Signal 'chose' to run on AWS," said Whittaker. "The problem is the concentration of power in the infrastructure space that means there isn't really another choice: the entire stack, practically speaking, is owned by three to four players."

Whittaker said she hopes the recent AWS outage refocuses people's attention on the world's dependence on public cloud giants and encourages efforts to undo the concentration of power.

Europe, which has been thinking about the problem of data sovereignty more seriously since the Trump administration took over in January, has found that it's easier to talk about avoiding US tech giants than it is to actually do so. For example, the official EU Cloud Sovereignty Framework has come under fire from CISPE, a trade association of EU cloud providers, over concerns that the rules favor AWS, Microsoft Azure, and Google Cloud.

Plus, there's always the possibility that the Trump administration, in support of domestic economic advantage, could simply turn off the internet in Europe – whether that involves DNS meddling or directives to US tech giants to withhold service – to secure consent for its demands.

The internet is said – though this is disputed – to have emerged from efforts to design a network that could survive nuclear war, a scenario that rather optimistically assumes the health of those operating the network. But it has already been captured by cloud capital expenditures. ®