Cloud computing has opened up a new field of legal issues and uncertainties, which is why the Brookings Institute is hosting a panel discussion today about proposed legislation called the Cloud Computing Act of 2011. I spoke this morning with panelist Dan Reed, corporate VP of technology policy and strategy and leader of the eXtreme Computing Group at Microsoft, about his thoughts on the draft legislation, based on what he has seen of it.
Reed said the legislation aims to address two important issues: appropriate criminal penalties for cyberhacking of cloud services and providing legal clarity around transnational data storage and computing. Regarding criminal penalties, Reed thinks a big problem right now is that existing laws don’t adequately address the differences between hacking into a single computer versus launching a full-scale botnet attack. His understanding is that the CCA would change the law so that greater penalties would befall larger-scale attacks. However, the bill must be introduced and then make its way through both chambers of Congress, so it’s too early to tell how this will play out.
The draft CCA also addresses the issue of botnet and other attacks carried out using cloud computing services. Amazon EC2, for example, has been used to carry out numerous attacks and password-cracking endeavors. Reed believes that the legislation would empower service providers to take certain actions (presumably civil) in such situations.
As it relates to cloud computing across borders, Reed said the CCA is intended to open a frank discussion between the United States and other countries, particularly the Organisation for Economic Co-operation and Development (OECD) countries of Europe. The concept of determining which country has jurisdiction in litigation involving foreign parties and international business activity is handled differently in nearly every country, which makes litigation complex. That has now been exacerbated by the advent of the Internet and globally distributed servers. Reed acknowledges that the CCA can’t honestly expect to change the rules of international sovereignty, but it can provide operational standards so that all the parties and countries involved in a cloud computing transaction understand what laws will apply and how.
As we’ve reported previously (subscription required), the data-storage laws of specific countries and the European Union have already proved somewhat of a hindrance for American companies trying to operate their cloud businesses overseas. And although Microsoft certainly has a vested interest in more relaxed — or, at least, defined — laws, there is a greater good to be derived from the type of cooperation the CCA proposes. As Reed noted, the cloud’s inherent benefits of scalability and flexibility are hamstrung when they’re bounded by national borders, and there are many countries where no cloud infrastructure exists and likely never will. Users in these countries still need freedom to access cloud computing resources with a certain degree of legal certainty.
Ultimately, all attempts to push federal legislation and policy around cloud computing — the CCA is just one example (see, for example, the Digital Due Process coalition) — are about bringing decades-old code and viewpoints into the 21st century. As Reed explained, cloud services have expanded in scale and scope so fast that governments haven’t really had the time or expertise to keep up. At Structure 2011 next week, I’ll be leading a panel discussion with two esteemed legal professionals to discuss all of these efforts and their potential effects in greater detail.
Feature image courtesy of Flickr user Thorne Enterprises