How Does One Tax a Cloud?

In a world where the sky is the limit for technological possibilities, it is not surprising that the next frontier is the clouds—computing clouds, that is. Industry experts believe that cloud computing—a term used to define the latest innovation in web-hosted services—could revolutionize the information technology (IT) industry. Others are holding back their opinions while assessing the risks associated with migrating data into the “clouds.”

State revenue departments face the down-to-earth question of how to tax these clouds. Answering this perplexing question first requires an understanding of exactly what cloud computing is and how it works. This column provides an overview of cloud computing, highlights the benefits and risks surrounding it, and discusses how states are interpreting existing laws and designing new ones to capture the clouds within their tax bases.

What Is Cloud Computing?

Providers and purchasers of a cloud service often have a hard time defining exactly what they are selling or buying. Is it tangible personal property or a service? In an attempt to assist the industry and provide some consistency, the National Institute of Standards and Technology (NIST) has issued a draft definition in which cloud computing is a

model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. 1

Cloud Characteristics

The five essential characteristics of cloud computing, according to the NIST, are:

• On-demand self-service: “A consumer can unilaterally obtain computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.”
• Broad network access: “Cloud capabilities are available over a network and can be accessed through standard mechanisms that promote use by [multiple] client platforms (e.g., mobile phones, laptops, and PDAs [personal digital assistants]).”
• Resource pooling: One of the great strengths of cloud computing is that the provider is able to pool computing resources—“such as storage, processing, memory, network bandwidth, and virtual machines”—to serve multiple consumers with “different physical and virtual resources dynamically assigned and reassigned according to consumer demand.” The subscriber generally has no control over or knowledge of the exact location of the provided resources.
• Rapid elasticity: IT capabilities can be “rapidly and elastically provisioned, in some cases automatically,” according to the scale required. “To the consumer, the capabilities available . . . often appear to be unlimited and can be purchased in any quantity at any time.”
• Measured service: “Cloud systems automatically control and optimize resource use” by metering service appropriately by its type. Resource use is “monitored, controlled, and reported, providing transparency for both the provider and consumer of the service.” 2

An example demonstrates the power of these characteristics. In 2007, New York Times blogger Derek Gottfrid described how the newspaper converted 11 million scanned and archived documents stored as images into portable document format (PDF) files to make them available through its website’s search engine. 3 Rather than tackle the project in-house (an IT nightmare), the Times deployed 100 servers in the Amazon Web Services Elastic Compute Cloud (Amazon EC2) to convert data nonstop. Within 24 hours, all 11 million images were converted and stored on Amazon’s Simple Storage Service (Amazon S3) at a cost far less than if they had been converted in-house.

Other potential benefits for many companies over using internal IT resources include agility, location independence, scalability, and reliability. The cloud allows its customers to be more agile, since they no longer need to build an IT infrastructure or have as many IT professionals to tackle a project. Overall costs are greatly reduced, lowering barriers to entry. Location independence allows customers to access systems using a web browser anywhere and at any time, from whatever device they use to access the internet. The cloud is scalable on demand, meaning a customer no longer has to engineer its systems for peak load levels or maintain systems that are only 10–20% used in nonpeak hours. The cloud allows customers to enhance data security through centralizing it, to increase their security resources, and to improve reliability through the use of multiple redundant sites.

Service Models

The NIST defines cloud computing as using three service models:

Software as a Service (SaaS): This model allows “the consumer to use a provider’s applications running on a cloud infrastructure.” The applications can be accessed “from various client devices through a ‘thin’ client interface” such as web-based e-mail. “The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.” 4

Platform as a Service (PaaS): PaaS allows the consumer “to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.” 5

Infrastructure as a Service (IaaS): This model allows the consumer to obtain “processing, storage, networks, and other fundamental computing resources” and be “able to deploy and run” a range of software. “The consumer does not manage or control the underlying cloud infrastructure” but controls “operating systems, storage and deployed applications” and may have “limited control of select networking components (e.g., host firewalls).” 6

These three categories appeal to distinct user groups. Businesses that want complete control over data will migrate toward the IaaS model. Programmers, developers, and web designers will reach toward PaaS. Home or business users looking for low-cost alternatives to traditional software will gravitate to SaaS models.

Choosing an Infrastructure

The NIST sets out four cloud infrastructures:

Private cloud: Operated solely for an organization, a private cloud “may be managed by the organization or a third party and may exist on or off premises.” 7

Public cloud: The infrastructure is “made available to the general public or a large industry group and owned by an organization selling cloud services.” 8

Community cloud: A community cloud is “shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on or off premises.” 9 For example, a state government may set up a community cloud infrastructure for all its separate organizations to pool resources.

Hybrid cloud: This infrastructure combines “two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability” 10 (e.g., cloud “bursting,” or a dynamic redistribution of resources between clouds to handle surges in demand and balance loads).

As more companies consider the use of clouds, one of their first decisions is whether to use a private or a public cloud or a hybrid. According to a Harris Interactive survey of IT directors at large companies, security concerns are one of the leading barriers to the switch to cloud computing. 11 The survey found that 91% of the respondents were concerned about security in the public cloud, and 50% said security is the primary barrier to implementing a public cloud. Eighty-six percent felt that data are more secure in a private cloud, and 81% cited difficulty complying with regulatory policies in the public cloud as a factor in choosing between a private and a public cloud. 12

A major advantage of a private cloud is its greater security via dedicated resources under the control of one user. Private clouds often appeal to regulated entities that must certify that their information is protected under certain standards, such as those in the financial or medical industries. Private clouds also offer the highest level of customization to a customer’s needs. However, increased customization costs more than standardized public cloud options. Another advantage (or disadvantage, depending on one’s viewpoint) is that all decision making resides with the company setting up the private cloud. With a private cloud, the company does not have a provider to set up firewalls, make hardware choices, or reassign resources. It is the responsibility of the company’s IT department to efficiently automate its applications and resources. Further, the IT department also must guarantee unlimited computing power by setting up protocols that allow the company’s resources to be deployed most efficiently. With a public cloud, all this would be handled by the provider and would be seamless for the user.

Public clouds’ greatest advantages are their scalability and lower cost. However, because they consist of shared assets, providers can offer minimal customization, and the customer does not decide which resources are deployed and in what way. In addition, security depends on the provider. Therefore, the reliability of any public cloud provider must be evaluated thoroughly. To address this concern, many providers offer certifications of their security levels. However, turning over security of a company’s data to a third party often requires additional certification by a company’s auditors and/or applicable regulators.

Taxing the Cloud

Just as states are getting around to amending their statutes to address the taxation of digital products, technology has again evolved and left states racing to catch up. Cloud computing is predicated on borderless global networks. If the location of a cloud cannot be pinpointed, which state’s laws apply in taxing the cloud? If a state taxes at the point of use, what if services are free at the point of use? If tax is based on the location of the servers or the office of the cloud computing provider, will providers simply move to the lowest-tax jurisdiction? 13 How does a provider or purchaser avoid being taxed in two locations simultaneously when states apply different sourcing rules for sales and use tax purposes?

Though lagging behind, states indeed are chasing the clouds. As they update their statutes, some states are including language aimed at SaaS, a logical first step, as SaaS platforms, often referred to as application service providers, have been around the longest. For example, Washington State updated its statutes in 2009 to specifically tax SaaS providers for purposes of both sales and use tax and business and occupancy tax. 14

Other states are addressing the issue though private letter rulings. For example, the Missouri Department of Revenue (DOR) ruled that the sale of software hosted on out-of-state servers is not subject to sales tax when accessed from an in-state location. 15 In contrast, the New York Department of Taxation and Finance ruled that SaaS services hosted on out-of-state servers are subject to tax in New York if the related software is accessed from a New York location. The department also believes that SaaS software falls within the state’s definition of tangible personal property, the use of which occurs when accessed in New York, and that access constitutes a taxable “transfer of possession of the software, because the customers gain constructive possession of the software, and gain the ‘right to use, or control or direct the use’ of the software.” 16 However, the department has ruled that separately stated hosting services are exempt in New York if those services can be purchased separately from software licenses. 17

In Massachusetts, a state that generally taxes SaaS, a taxpayer’s online product that provided employment application collection and selection services through use of its software was deemed not subject to sales and use tax. The Massachusetts DOR reasoned that the taxpayer’s customer was purchasing the information, not the use of the software. 18 It should be noted that many states do not tax services, and cloud computing is often considered a service.

In addition to the increasing number of SaaS offerings available in the marketplace, IaaS and PaaS are enjoying unprecedented growth. Unfortunately, tax benefits and detriments are often overlooked or not given sufficient consideration until after a cloud infrastructure strategy has been implemented. As a result, a company can be blindsided by unintended tax assessments and a surprisingly expanded state tax footprint. In today’s economy, companies are facing increased pressure to cut costs, driving many companies to consider cloud computing infrastructures. This same economy is driving state revenue departments to look for new ways to expand their tax bases without technically enacting new taxes. As a result, many states are looking closely at the developing cloud computing industry as a new source of revenue. Therefore, an analysis of state tax consequences should be conducted by any company moving into the cloud space, preferably before implementing a strategy.

A major challenge in the taxation of cloud offerings is in the tax classification of cloud services themselves. Is the offering a taxable or nontaxable service? Is it a data processing or information service? Is it the sale or lease of tangible personal property? While a significant number of states have addressed cloud services from a SaaS point of view, very few states have addressed tax classification from an IaaS or PaaS standpoint, and very few states have updated their statutes and regulations to address this emerging use of technology.

Private vs. Public Clouds

Using a private or a public cloud can have different tax consequences. With a private cloud (whether on or off premises), specific IT assets are assigned to only one user. For an on-premises private cloud, this asset assignment does not create more tax issues than the ownership of general business assets within a state—the assets are owned by the company and are located on its property, thereby creating nexus in the location state. However, for a private cloud operated and located on a third party’s premises, the tax considerations are more complicated. For an off-premises private cloud, a purchaser must determine if the use of specifically assigned assets transforms what appears to be a service transaction—the purchase of computing power—into the lease of tangible personal property for sales and use tax purposes.

If a state classifies private cloud services as a lease of tangible personal property for sales and use tax purposes, there can be multiple tax ramifications. In many states, service transactions generally are not subject to sales and use taxes; however, the lease of tangible personal property is generally subject to tax. For example, Vermont recently issued a publication stating that computer memory is tangible personal property. 19 This language was quickly removed from the publication, most likely due to political pressure, but this demonstrates that states could begin to look at the hosting or maintenance of a website on a server as a taxable sale or lease of tangible personal property.

Of potentially greater consequence are the possible nexus implications of leasing tangible personal property in a state. Leased property in a state may create nexus for both income tax and sales and use tax in the state where the assets are located. Using a private cloud could create an income tax filing requirement and a sales and use tax collection responsibility for the company. The sales and use tax collection responsibility would apply to all the company’s transactions in the state, not just those dealing with acquiring private cloud computing services.

A few states have started to address the possible nexus consequences of using a private cloud within their borders. Texas recently updated its sales and use tax regulation that defines a retailer engaged in business in Texas. A significant amendment to this regulation provides that a retailer that owns or uses tangible personal property located in-state, including a computer server or software, is considered engaged in business within Texas and may be responsible for collecting and remitting Texas sales and use taxes. 20 In June 2011, the Texas comptroller issued a ruling providing that such activities were not subject to tax. However, this example demonstrates that states are beginning to look at these issues.

Before its removal of the hosting language from its publication, Vermont could have used the interpretation that computer memory is tangible personal property to expand its nexus position that the use of a server in Vermont is the use of tangible personal property, thereby creating nexus for income tax and sales and use tax. Washington State (home to several large high-technology companies) has taken the opposite approach to Vermont’s initial version of its publication and made clear by stating in its law and regulations that the Washington State DOR may not consider a person’s ownership of or rights in computer software, including master copies of software, digital goods, or digital codes, stored on servers located in the state, in determining whether the person has substantial nexus. 21

In addition to the classification complications and possible nexus issues involved with cloud transactions, taxpayers and states struggle with the difficulties of sourcing cloud transactions for both income and sales and use tax purposes. For off-premises private clouds offered by third parties, a provider first would need to determine how the transaction is classified for federal income tax purposes and then look to specific state statutes, regulations, cases, and rulings to determine how to source receipts arising from a cloud transaction. If the transaction is determined to be a lease of tangible personal property, receipts would be sourced for income and sales and use tax purposes based on the location of the servers. If the transaction is determined to be a taxable service for income tax purposes, receipts would be sourced on a cost-of-performance or market basis for income tax purposes, depending on the state’s apportionment formula. However, for sales and use tax purposes, receipts could be sourced either where the service is performed or where it is received, depending on the state. Unfortunately, with cloud computing, either location may be difficult or impossible to determine.

Further complicating the classification and sourcing issues facing cloud providers and purchasers is the increased use of the PaaS delivery model. In PaaS, the consumer is allowed to deploy onto the cloud infrastructure consumer-created or acquired applications created with programming languages and tools supported by the provider. Does providing these tools and infrastructure change the tax classification from a lease of tangible personal property to a service? It is unclear whether PaaS services meet the definition of a bundled service.

Cloud Tax Incentives and Other Location Considerations

Many states now offer credits and incentives to companies setting up physical facilities for providing cloud services in their states. A company setting up its own private on-premises cloud should be aware of these credits and incentives and negotiate with local jurisdictions before deciding on a location.

Types of Facilities

Here are some basic definitions of such facilities:

Server farm: While often used interchangeably with the term “data center,” a server farm houses numerous rack-mounted computer servers simultaneously running common operating systems and applications. A server farm often is referred to as a dark data center because it does not require human intervention in the computing process except for an occasional repair technician. Rack-mounted servers (commonly referred to in industry parlance as pizza box servers) can number in the hundreds of thousands at any given server farm. These allow computing work to be routed among available servers, reducing processing time and increasing efficiency.

Data center: A data center houses computer systems and related equipment, including the data library. Data entry and systems programming often occur in data centers, which have a control center that accepts work from and releases output to user departments. In contrast to server farms, data centers often have human operators working at consoles and providing other support services. The human aspect (or lack thereof) is just one consideration in the way states view taxes and possible incentives.

Dark data center: Dark data centers are a type of server farm. The name refers to a lights-out policy to save power except when equipment is being installed, removed, or repaired. With printers distributed throughout the center and tape and optical libraries that automatically mount the required cartridges, dark data centers require very limited human intervention. Cloud computing facilities generally are dark data centers.

Green data center: A green data center is constructed to run in as environmentally efficient a manner as possible, with all computer, electrical, and lighting systems as well as the building materials rated for maximum efficiency.

Telecom hotel: A telecom hotel is a building constructed or rebuilt to house a data center. Telecom hotels, also known as co-location centers or internet data centers, usually house hundreds to thousands of web servers for web-hosting organizations, large enterprises, and other service organizations.

Data center container: A data center container, usually a shipping container (like the ones on the back of trains), is a self-contained module that includes a series of rack-mounted servers along with its own lighting, air conditioning, humidification, and uninterrupted power supply systems. Containers are designed to be transported and deployed intact and allow the installation of a complete data center in a fraction of the time needed to build a new facility or refurbish one. Containers can be easily transported to locations as needed. Only electrical and network hookups are required.

Resource Needs

Tax professionals should also have a functional knowledge of the cloud’s natural resource needs to better advise their clients. Data centers and server farms need large amounts of land, power, and water. Server farms are massive, with some as large as football fields. These farms often hold 100,000 square feet of pure computing power in the form of racks of servers, perhaps up to 100,000 pizza box servers in a single building. Cheap real estate is a must; although the internet does not depend on location, the technology needs energy, water, and telecommunications infrastructure.

In its 2007 Report to Congress on Server and Data Center Energy Efficiency , 22 the Environmental Protection Agency estimated that servers and data centers consumed “about 61 billion kilowatt-hours (kWh) in 2006 (1.5 percent of total U.S. electricity consumption).” Due to these high energy needs, improved energy efficiency, as well as building in areas with lower energy costs, goes a long way toward reducing costs. The latter can mean real savings; a difference of just a few cents per kilowatt-hour can be significant.

Server farms and data centers also require many gallons of water to run water-cooled air-conditioning systems. The costs of cooling computers can rival the electricity costs for the computers themselves. A 15-megawatt data center can use up to 360,000 gallons of water a day, according to James Hamilton, a data center designer and researcher at Amazon.com. 23 Companies are looking for new ways to become more “green” with new water sources, and cities and states are offering cheap water, trying to become the next data center mecca. Recently, Milwaukee was trying to lure high-tech companies there by touting its cheap water. 24

Other key site selection criteria include these factors identified by an economic development consultant: 25

• Low potential risk from natural disasters and weather;
• Competitive property, corporate income, and sales tax structures;
• Competitive economic development incentives;
• Access to a qualified labor pool;
• Affordable, high-quality construction;
• Dependable telecommunications infrastructure; and
• Access to quality-of-life amenities.

The 2010 article ranks as the most potentially favorable states (in order) Utah, Idaho, Texas, Oregon, Colorado, Arizona, Nevada, Tennessee, Indiana, and New Mexico.

Taxes often play a larger role in decisions about where to locate server farms and data centers than in other industries. States that appear to be the frontrunners in a race to attract server farms and data centers through tax incentives include Alabama, Kentucky, New York, North Carolina, Oklahoma, Tennessee, and Virginia, despite the generally high costs of real estate and high taxes in some of these jurisdictions. In December 2007, the Washington State attorney general ruled that server farms and data centers would no longer be allowed to use a state sales tax break for manufacturers. Microsoft and Yahoo immediately halted construction of data centers in Quincy, Washington, while the state legislature debated whether to reinstate the exemption—one that Microsoft and Yahoo had relied on when deciding on their centers’ locations. Due to the incentive’s unpopularity, the legislative effort was abandoned, and Microsoft moved its data center functions to Texas. The legislature then bent to pressure from business groups and temporarily reinstated the sales tax exemption for purchases of computers, related installation costs, and eligible power infrastructure for eligible data centers that obtained a building permit between April 1, 2010, and June 30, 2011, among other qualifications. 26 However, the repeal of the tax benefits has slowed server farm and data center development in Washington. Compare that outcome with rival Oregon, which through generous tax incentives has attracted a $188 million Facebook data center. 27

However, such incentives are not always popular with voters. For example, the North Carolina Court of Appeals upheld a package of tax breaks granted to certain internet companies, including Google. 28 Those breaks, enacted in 2006, included sales and use tax exemptions for purchases of eligible internet data center equipment. A small group of taxpayers, acting in their capacities as individuals, sought a declaration that the incentives violated the exclusive emoluments, public purpose, fair and equitable taxation, and uniformity of taxation provisions of the state constitution. The trial, appeals, and state supreme courts all dismissed the claims for lack of standing.

How Tax Professionals Can Help

Cloud computing is poised to become one of the largest revolutions in this era for the IT industry. Client service professionals must be familiar with the basics of cloud computing to effectively discuss potential risks and benefits with their clients. From a business perspective, various internal control protections, including those required by the Sarbanes-Oxley Act 29 and the Health Insurance Portability and Accountability Act, 30 require varying levels of IT security and control. Accordingly, the use of cloud computing may have an adverse effect on a company’s IT control for business purposes.

From a tax perspective, client service professionals must stay informed about potential changes in state tax policies regarding the tax treatment of the various cloud computing platforms. Further, tax professionals need to inform their clients of cost-saving tax exemptions when client cloud computing providers are looking to expand operations. By being aware of the various tax issues surrounding the cloud, tax professionals and their clients will be better prepared to weather the storm of state taxation that is sure to come.

Footnotes

¹ Mell and Grance, The NIST Definition of Cloud Computing, National Institute of Standards and Technology Special Publication No. 800-145 (January 2011).

² Id.

³ Gottfrid, “Self-Service, Prorated Supercomputing Fun!” NYTimes.com (November 1, 2007).

⁴ Mell and Grance, NIST Definition of Cloud Computing.

⁵ Id.

⁶ Id.

⁷ Id.

⁸ Id.

⁹ Id.

¹⁰ Id.

¹¹ Eddy, “Adoption of Private Clouds Accelerating: Survey” Channel Insider (October 6, 2010).

¹² Id.

¹³ Longbottom, “Obstacles to Cloud Computing,” Information Management (November 5, 2008).

¹⁴ WA Rev. Code §§82.08.010(1)(a) and 82.12.020(1)(e).

¹⁵ MO Dep’t of Rev., Letter Ruling No. LR5753 (7/16/09).

¹⁶ NY Dep’t Tax. and Fin., TSB-A-09(33)S, quoting NY Comp. Codes R. & Regs., tit. 20, §526.7.

¹⁷ NY Dep’t Tax. and Fin., TSB-A-09(41)S (9/22/09).

¹⁸ MA Dep’t of Rev., Letter Ruling 11-4 (4/12/11).

¹⁹ VT Dep’t of Taxes, Technical Bulletin TB-54, Treatment of Computer Software and Services (9/13/10, rev’d 11/19/10, 4/11/11).

²⁰ 34 TX Admin. Code §3.286(a)(2)(E).

²¹ WA Rev. Code §82.04.067(2)(e); WA Admin. Code §458-20-19401(2)(g).

²² U.S. Environmental Protection Agency Energy Star Program, Report to Congress on Server and Data Center Energy Efficiency: Public Law 109-431 (August 2, 2007).

²³ Miller, “Data Centers Move to Cut Water Waste,” Data Center Knowledge (April 9, 2009).

²⁴ Miller, “Can Cheap Water Lure Data Center Projects?” Data Center Knowledge (December 15, 2009).

²⁵ Gigerich, “Key Factors Influencing Site Selection Decisions for Data Center Facilities,” Inside Indiana Business (November 9, 2010).

²⁶ Miller, “Washington State Revisits Data Center Tax Break,” Data Center Knowledge (February 1, 2010) ; WA Rev. Code §82.08.986(1), as amended by SB 6789.

²⁷ Holley, “Enterprise Zone Lured Facebook to Prineville,” The Bulletin (January 22, 2010).

²⁸ Munger v. North Carolina, 689 S.E.2d (N.C. Ct. App. 2010), aff’d, No. 130PA10 (N.C. 2/3/11).

²⁹ Sarbanes-Oxley Act of 2002, P.L. 107-204.

³⁰ Health Insurance Portability and Accountability Act of 1996, P.L. 104-191.

	EditorNotes
	Harlan Kwiatek is with Rubin Brown LLP in St. Louis, MO. Jennifer Jensen is with PricewaterhouseCoopers LLP in Washington, DC. Mr. Kwiatek is chair and Ms. Jensen is a member of the AICPA Tax Division’s State and Local Tax Technical Resource Panel. For more information about this article, contact Ms. Jensen at jennifer.jensen@us.pwc.com .