Microsoft Calls For Stronger Cloud Computing Laws

Microsoft called for modernising existing statutes and new federal laws on 19 Jan. to provide privacy, security and transparency for consumers, businesses and government migrating to cloud computing.

In addition to strengthened U.S. laws, Microsoft General Counsel Brad Smith said cloud computing regulations should be driven by commitments from other governments to ensure data sovereignty.

Delivering a keynote address at the Brookings Institute in Washington, Smith said while cloud computing is a major extension of existing computer models it has also become the next frontier beset with new obstacles and challenges.

“The PC revolution empowered individuals and democratised technology in new and profoundly important ways,” said Smith. “As we move to embrace the cloud, we should build on that success and preserve the personalisation of technology by making sure privacy rights are preserved, data security is strengthened and an international understanding is developed about the governance of data when it crosses national borders.”

Smith recommended that Congress pass a law that Smith called the Cloud Computing Advancement Act that would promote innovation, protect consumers and provide the White House with the new tools needed for a new technology era. “We need Congress and the administration to address three issues in particular — privacy, security and international sovereignty,” Smith added.

Smith also proposed Congress make improvements in the ECPA (Electronic Communications Privacy Act) to clearly define and provide stronger protections for consumers and businesses; modernisation of the CFAA (Computer Fraud and Abuse Act) so law enforcement has the tools it needs to go after malicious hackers and deter instances of online-based crimes; and truth-in-cloud-computing principles to ensure that consumers and businesses will know whether and how their information will be accessed and used by service providers and how it will be protected online.

“The rise of cloud computing should not lead to the demise of the privacy safeguards in the Bill of Rights,” Smith said. “The public needs prompt and thoughtful action to ensure that the rights of citizens and government are fairly balanced so that these rights remain protected.”

Smith noted that changes in technology have forced Congress into action before. In the 1980s, Congress approved the ECPA to provide Americans with statutory privacy protection for electronic and stored communication and clarifying when and how law enforcement can access such data. Passed before the Internet era, Smith said the ECPA was increasingly antiquated and should be updated to address data stored in the cloud.

Equally, Smith said the CFAA needs to be updated since the level of fines for hacking into a single PC is essentially the same as hacking into the cloud.

“This is because it’s often unclear how to place a specific monetary value on the theft of content such as documents, e-mails, or digital photos,” Smith said. “A better approach would be for Congress to give prosecutors the option of applying a specified statutory amount, such as $500, for each individual victim and then multiply this by the number of victims affected.

Smith also said Congress should strengthen the legal ability of cloud service providers to pursue their own civil claims against security violators.

“In some areas of the law, such as under the CAN-SPAM Act, it’s clear that service providers have a private right of action. Congress should amend the law to provide service providers with a similar private right of action for security attacks on the cloud,” Smith said.

On the eve of a major speech on global Internet freedom by Secretary of State Hilary Clinton, Smith made reference to Google’s current flap with the Chinese government over unauthorised intrusions on the cloud.

“As last week’s issues continue to illustrate, we should not take the benefits of technology for granted. We can’t afford to close our eyes to new obstacles we need to overcome. We need to build confidence in the cloud,” Smith said. “And that requires a new conversation about the opportunity — and need — for industry and government each to take new steps to move forward.”