Proposed legislation looks to build confidence in cloud computing

During a forum held at the Brookings Institution yesterday in Washington, D.C. Microsoft senior vice president and general council, Brad Smith, proposed federal legislation meant to address the emerging practice of computing over the Internet, also known as cloud computing. Smith and other forum participants stressed the need to raise privacy and security issues associated with cloud computing to a federal level – and the need to do it quickly.

During his opening remarks, Smith spoke about the benefits of cloud computing and the results of a recent survey conducted by the consulting and market research firm Penn Schoen and Berland Associates (PSB). “Cloud computing offers new benefits for almost every part of society,” Smith said. According to the PSB survey, 58 percent of consumers and 86 percent of senior business leaders are excited about the potential of cloud computing and a majority of respondents believe cloud computing has the potential to help make government more efficient and effective. But the PSB survey also found more than 75 percent of senior business leaders believe that safety, security, and privacy are top potential risks of cloud computing, and more than 90 percent of the general population and senior business leaders are concerned about the security and privacy of personal data.

To assuage these fears and to address other unknown factors, Smith proposed the “Cloud Computing Advancement Act” to promote innovation, protect consumers and provide government with the new tools needed to address the critical issues of data privacy and security. Smith identified areas where the government should modernize or amend existing legislation, where Congress should enact new legislation and ways the technology industry could impose its own set of best practices and guidelines.

Major legal questions need to be clarified, Smith and other forum participants said, including Fourth Amendment issues in addressing search and seizure of private information. As a first step, Smith advocated reforming the 1986 statute for protecting user privacy in electronic communications, the Electronic Communications Privacy Act (ECPA).

Fellow forum participant, Michael Nelson – a leading author and technologist – echoed the need for more transparency in how, when and why certain privacy controls are used. Jonathan Rochelle, Group Product Manager at Google, also urged incremental updates to existing legislation like ECPA. He cited current e-mail laws as being in need of updating, but he said wholesale change wasn’t needed in many cases.

Secondly, the Cloud Computing Advancement Act calls on Congress to allocate resources for the development of law enforcement tools to deter malicious hackers and deter instances of online-based crimes. Mr. Smith identified the Computer Fraud and Abuse Act (CFAA) as needing to be updated to account for the increased level of damage that could be done were a data center to be hacked.

For industry’s part, Smith introduced a concept based on financial and adverting self-regulation that he believed could guide the cloud computing community and help the government craft binding legislation. “We need new ‘truth in cloud computing’ principles,” he said, referring to the financial sector’s truth in lending practices, “so consumers and businesses have full knowledge of how their information will be accessed and used by service providers and how it will be stored.”

The “truth in cloud computing” principles, along with the proposed legislative tools, would begin to foster confidence in the cloud, unlocking the full potential of the technology. But the group also expressed a need for urgency, so a patchwork of laws did not emerge from other levels of government – state, local or international. Political and legal problems could arise in pre-empting state laws, the group said. And internationally, the forum agreed that the United States could help drive multi-lateral agreements or serve as a model driver of best practices.

The window of opportunity to set privacy, ownership and other standards was diminishing by the day, Mr. Nelson said. “We don’t have five or ten years,” to demonstrate how government should handle data access. “We must act quickly.”

But as industry moves forward with new technologies, and as more citizens begin using cloud computing, Congress has a central role to play in providing security and stability for consumers, Smith said.

“Just as I can buy a stronger door and better locks for my house, government still needs to provide a stronger police force and better laws to defend against emerging threats.”