Sen. Amy Klobuchar (D-MN) introduced a new bill intended to “improve the enforcement of criminal and civil law with respect to cloud computing.”
The proposed “Cloud Computing Act of 2012” (S.3569) limits unlawful access to cloud computing services and calls for penalizing each individual breach. The bill also sets out a formula for losses, with a minimum loss of $500 per affected cloud computing account.
According to Eric Goldman, Professor of Law at Santa Clara University, the bill will not go far.
Goldman says, “Given its introduction so close to the election, it’s doubtful this bill will go anywhere. Still, it provides an excellent case study of how even well-meaning legislators can botch Internet regulation.”
History of Computer Fraud Legislation
Goldman reports that legal restrictions on hacking began in the 1980s with the Computer Fraud and Abuse Act (CFAA), which started as a protection for government computers and has since evolved into a general law against hacking into anyone’s computer.
“With that breadth,” Goldman says, “the CFAA extends to a wide variety of activities, ranging from data scraping (see, e.g., EF Cultural Travel v. Explorica) to fake profiles (see, e.g., the Lori Drew prosecution related to Megan Meier’s death) to ex-employees walking out the door with competitively sensitive information (see, e.g., US v. Nosal and WEC v. Miller).”
Problems with the Bill
Goldman cites two reasons that the bill may not pass, aside from its being proposed so close to a presidential election:
1. The CFAA is Already a Mess. Constant amendments over the years have turned the CFAA into “spaghetti code.” “This bill adds only slightly to the CFAA’s overall lack-of-tidiness, but every incremental amendment makes the CFAA more unwieldy,” Goldman says.
2. The Definition of “Cloud Computing Service” is Incoherent. “The bill seeks to protect cloud computing services, but what are those?” Goldman asks. Here is the bill’s definition: “the term ‘cloud computing service’ means a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.”
This definition seems very broad. Goldman says, “Every user-generated content website seems to qualify; but so should every online bank. In fact, this definition of cloud computing service probably becomes co-extensive with the Internet generally.”
Although this bill will probably not amount to much – at least not this time around – Goldman suggests that if anyone wants to improve the CFAA, instead of adding more unclear and complicated bills, it might be more effective to organize and trim the existing act.