February 4, 2010
Technology & Entrepreneurs Cloud Computing and the Law by Raymond J. Keating The previous two Technology & Entrepreneurs analyses (that can be read here and here) from SBE Council dealt with the issue of cloud computing. Given the opportunities that lie in this area for entrepreneurs, businesses and consumers, it is worth looking a bit closer at needs on the public policy front. In addition to the speech by Brad Smith, Microsoft general counsel, highlighted in the last Technology & Entrepreneurs piece, the software maker also issued a white paper - "Building Confidence in the Cloud: A Proposal for Industry and Government Action to Advance Cloud Computing" - that provided additional detail in key areas. First, the Electronic Communications Privacy Act has failed to keep up with technological change, especially given the impact of the Internet. The following is noted in the paper: • "For example, ECPA classifies all covered services under two definitions, "electronic communications services" and "remote computing services." This definitional question is critical, because how a service is classified under the law has a major impact on the process by which law enforcement can access customer data held by such services. Due to the transformative changes in computing and the Internet since 1986, however, these definitions are no longer sensible, or even intelligible-especially as they apply to providers of cloud services. As a result, cloud service providers (as well as law enforcement and the courts) are faced with the increasingly challenging task of determining which provisions of ECPA apply to any given online service. As another example, ECPA today extends greater privacy protections to emails stored for less than 180 days than emails stored for more than 180 days. These distinctions might have made some sense in 1986, when email services did not automatically retain messages for long periods of time. But that distinction no longer bears any relationship to reality-hosted email and other online services almost invariably store emails and other content for years, and users reasonably expect these communications to remain just as private on day 181 as on day 179." Second, the Computer Fraud and Abuse Act is a principal tool for law enforcement to fight digital crimes. Three measures are cited to beef up the law: • "Specifically, the CFAA should be amended to state that, for purposes of establishing the thresholds necessary to impose felony penalties (e.g., that the value of the information obtained exceeds $5,000 under § 1030(c)(2)(B), or that the value of information obtained through fraud was over $1,000 under § 1030(a)(4)), prosecutors can establish this value by multiplying a specified statutory amount (such as $500) by the number of violations, where each separate account accessed without authorization would amount to an additional violation." • "Congress needs to amend the CFAA's penalty provisions to ensure that the penalties for maliciously hacking into a single cloud datacenter correspond to the number of user accounts illegally accessed and are not subject to the same limits that apply to a person who hacks into a single PC (currently $250,000). Accordingly, the CFAA should be amended to make clear that a separate violation occurs for every individual or business whose information is accessed (i.e., $250,000 per user account illegally accessed)." • "Congress should amend the CFAA's civil action provision to make clear that cloud service providers have a private right of action against those who illegally access their datacenters or gain unauthorized access to the accounts of their customers." Third, there are substantial benefits to be derived from clarifying jurisdictional issues in the international realm when it comes to maintaining client privacy while allowing for government to exercise legitimate public safety and national security powers. The following is suggested in "Building Confidence in the Cloud": "One ambitious, but also the most effective, avenue for a solution would be for governments to seek a multilateral framework on these issues in the form of a treaty or similar international instrument. While this option would undoubtedly require significant diplomatic leadership and resources, it offers perhaps the best hope of addressing legitimate government needs in a coherent fashion while ensuring that business and consumer interests in privacy and freedom of expression are adequately met on a global scale." These are sound steps that would boost confidence in cloud computing by providing a firmer foundation upon which the private sector can build and flourish. As noted in the previous SBE Council Technology & Entrepreneurs piece, the agenda is clear: protect private information in much the same way as private property is protected; give government the ability to punish theft and other wrongdoing; and expand the ability of firms to serve and capitalize on opportunities in international markets. _______________ Raymond J. Keating serves as chief economist for the Small Business & Entrepreneurship Council.
|
