12.11

Policy in the Cloud: Part II — Issues Engaging Policy-Makers

By Chris Brantley and Glenn Tenney

 


 

(Ed. Note: This article is the second in a three-part series looking at the policy implications of Cloud Computing. Part one focused on recent Congressional hearings. Part three, to appear next month, will look specifically at related legislation pending in the 112th Congress.)

According to a recent survey by the Pew Research Center, 71% of IT experts believe that by 2020, most people will do their work with software and data residing in the “Cloud,” and that “most innovative work will be done in that domain, instead of designing applications that run on a PC operating system.” Cisco’s recent Global Cloud Index projects a 12-fold increase in global cloud computing traffic, from 130 exabytes of data to over 1.6 zettabytes by 2015.

The transition to the Cloud poses challenges and significant opportunities for resource-constrained governments at the federal, state and even local levels. The federal government, for example, currently owns and operates over 2000 data centers, but is working to leverage Cloud service providers so that it can close at least 800 centers by 2015. Earlier this year, now-departed White House CIO Vivek Kundra announced a “Cloud First” federal procurement strategy, along with a list of 78 Cloud projects to be undertaken by the 25 largest federal agencies. Planning ahead, the federal Office of Management and Budget is projecting that 25% of the federal IT budget will be devoted to Cloud migration over the next few years, which suggests $20 billion annually in new opportunities for contractors to provide cloud-related infrastructure, services and training to the U.S. government.

Against this high-stakes sea-change, policy-makers, planners, and prospective contractors are struggling with a wide array of legal and policy issues that are generated by the unique characteristics of Cloud Computing as they relate to an increasingly outdated legal and regulatory framework. The following is by no means an exhaustive summary of issues; it is offered to illustrate how this new application of computing technology is driving significant societal changes.

Physical Location and Access Issues

Jurisdictional issues affecting the Cloud are paramount. A number of countries have adopted laws governing where certain types of electronic information may be located, such as the European Union, which prohibits consumer data from being transferred to countries outside the EU without consent unless the data host can meet specific “safe harbor” requirements, a European law enacted in reaction to the extraterritorial application of the U.S. Patriot Act.

In the United States, many states, such as California, have laws that restrict contracting of various state-funded services to vendors located out-of-state, which is hampering the ability of state IT planners to utilize Cloud services. These restrictions are motivated by a variety of policy interests, from ensuring citizen access to data to protecting jobs to promoting in-state businesses with taxpayer dollars.

There are also a number of federal laws and associated regulations that can limit Cloud service options. For example, the U.S. Health Insurance Portability and Accountability Act (HIPAA) opened the doors to electronic health records but sets strict access and audit requirements on organizations handling personal health data in order to ensure patient access.

U.S. trade law is another area that poses location challenges for companies that sell Cloud-related goods and services to the U.S. government. The Trade Agreements Act of 1979 (TAA) prohibits government contractors from manufacturing products or setting up shop in countries that don’t have trade agreements with the United States. In a Cloud context, the law creates unanswered questions about whether the data hosting facility would have to be in a TAA-approved country and/or whether a contracting company located in a TAA-approved country could subcontract data center management to a company in another overseas location. To illustrate the policy dilemma, Afghanistan, Yemen and Somalia are TAA-designated countries, but India is not.

In October, the Government Accountability Office forced the General Services Administration to reopen a $2.5 federal Cloud computing contract based on a challenge by Technosource Information Systems of Annapolis, Md., and TrueTandem of Reston, Va., to GSA’s requirement that bidders locate their data centers in TAA-designated countries.  The GAO essentially concluded that the TAA only requires that bidding companies be incorporated in TAA-designated countries. Although forced to rebid the contract, GSA defended the geographic restriction to TAA-designated countries as a compromise between information security and free trade, arguing that the government has a need to know where its data resides and transits, as well as a need to assure access to the data. Those rationales resonate with many policy-makers and others, who are likely to seek clarification through the legislative process and/or in the courts.

The trade issue becomes particularly significant since other free trade commitments under regional and international trade agreements may also create a legal basis for challenges to geographic location requirements negotiated into federal procurement contracts.

The uncertainty about many of these regulatory requirements, combined with access concerns, has prompted several enterprise Cloud vendors to modify their offerings so that they can assure clients that their data is geographically accessible and inform them where it is physically located at all times.

Cloud computing can also raise issues in the context of U.S. controls over the export or reexport of software and technology regulated under the International Traffic in Arms Regulations (ITAR) and Office of Foreign Assets Control (OFAC) rules and regulations. Generally, U.S. Export Administration Regulations (EAR) make no distinction between export of physical items and electronic transmission of software or technology when defining what constitutes an “export.” Movement of software across U.S. borders in the Cloud, especially software containing restricted encryption source code, can trigger these U.S. export controls, creating legal obligations and potential liability for Cloud service providers and their customers.

Privacy, Security and the Cloud

Privacy and security concerns about personal or confidential business data in the Cloud have generated much of the interest and concern with Cloud-related law and policy to date. At the core of the discussion is a concern that under current laws, data stored in the Cloud is somehow less protected than in other contexts.

A number of complaints have been filed with the Federal Trade Commission and lawsuits initiated over Cloud-based social media sites like Classmates.Com, Facebook, Netflix and Google “Buzz” for deceptive practices and unauthorized sharing or release of personal data, such as film rental information or personal contact lists.

New types of legal claims are also emerging as Cloud Computing grows in popularity, including litigation against Cloud service providers for inadequate security or protection against cyber attacks resulting in the loss of user data, for personal damages resulting from sharing of data-mined information, improper dissemination of investment information on social networking sites in violation of securities laws, and participation in prohibited censorship or surveillance activities.

There is also a fundamental concern about the security of essential business and government information and processes maintained in the Cloud. Attacks on corporate and government information systems have been steadily increasing as the sophistication of the tools and techniques available to cyber criminals increases, and as more resources become accessible to attacks via the Internet. The U.S. Army has declared “cyberspace” a potential zone of conflict between nations and established a special military command to manage U.S. defenses in that area. Reports of security breaches, exposure of sensitive data, and even use of the Internet to access control systems and attack critical infrastructures are on the rise. Earlier this year, for example, the Department of Defense announced that a foreign intelligence service accessed 24,000 files related to weapons technology by hacking into the computer system of an unnamed defense contractor. Just three months later, the Department of Energy announced that sophisticated cyberattacks had been launched against several U.S. national laboratories with critical homeland security missions over the July 4th weekend, resulting in disruption of internet service and email.

In October, the Government Accountability Office released a report, accompanied by testimony to the House Subcommittee on Cybersecurity Infrastructure Protection and Security Technologies. In their report, GAO addressed information security concerns related to Cloud Computing. What the GAO found was that Cloud computing has both positive and negative security implications for federal agencies. Among the potential benefits are the use of automation to expedite the implementation of new security configurations on devices, the reduced need to carry data on removable media because of broad network access, and the lower cost of disaster recovery and data storage, which frees up resources for other security needs. On the other hand, GAO noted that the Cloud makes users dependent on the security practices and assurances of vendors. Surveyed federal agencies expressed concerns about limitations of their ability to conduct independent audits and assessments of security controls of cloud computing service providers.

One emerging security concern for government IT planners is the adequacy of background security investigations for service provider employees and the fear of an increased risk of wrongful activities by malicious insiders.

GAO also spotlighted risks of inadvertent releases of sensitive data that can affect users of “multitenancy” Cloud services, which partition client data with firewalls but operate using shared computing resources. Such releases could be deliberate or inadvertent, and result from technical glitches or poorly implemented authentication or authorization systems. For corporate clients and federal agencies, one way to manage this risk is by utilizing “private” Clouds.

Law Enforcement and the Cloud

Many of the privacy issues manifest in a law enforcement context and revolve around the legal protections against unreasonable search and seizure of data stored in a Cloud context. Congress is currently reviewing a proposed update to the Electronic Communications Privacy Act, key legislation which originally extended telephone wire-tapping restrictions and requirements to other modes of electronic communications such as emails, but which needs further updating to reflect advances in information technology such as the Cloud.

Under current law derived from the Fourth Amendment of the U.S. Constitution, law enforcement officials are generally required to obtain a search warrant from a judge, based on a showing of probable cause, before they can conduct a search and seize evidence from a home, private business or in other contexts where there is a reasonable expectation of privacy. The extent to which information in the Cloud carries a legal expectation of privacy is not well defined in current law. The Supreme Court has yet to decide how emails and other data stored online will be treated under Fourth Amendment doctrine, and only a few lower courts have addressed the issue, often with inconsistent reasoning and results. Cloud vendors may be uncertain whether and to what extent they are obligated to respond to access requests by law enforcement officials.

Privacy proponents stress that the reasonable expectation of privacy should not be diminished by the use of the Cloud. Many policy advocates argue that state and federal law should be "technologically neutral," meaning that search and seizure requirements would apply uniformly, regardless of the technology involved so that all forms of private communication are governed by the same rules of evidence gathering.

On the other hand, law enforcement officials assert that adding additional restrictions limiting law enforcement seizure and surveillance of data in the cloud would jeopardize public safety. In recent testimony before the House Constitution, Civil Rights and Civil Liberties Subcommittee, Thomas Hurbanek of the New York State Police computer crime unit described the challenge facing law enforcement, noting "we are rapidly moving to an environment where software applications run on virtual computers and servers that can instantly be deleted and restarted ... removing traces of data." He added, "data will also be stored outside of this country and not only in jurisdictions that have a friendly relationship with the United States."

The act of seizing data stored in the Cloud, such as business or tax records, also provides some technical challenges in a law enforcement context. It is not uncommon for law enforcement officials to take possession of the entire server array, which can disrupt the business and other concerns of other Cloud clients whose data also happened to be located on that server. Alternatively, in cases where law enforcement officials “clone” server data in order to obtain the evidence sought without disrupting the Cloud, they may also ultimately access information belonging to other clients outside the scope of the original investigation.

Intellectual Property (IP) and the Cloud

The basic concern for corporate business planners and their legal advisors is whether and under what circumstances to put valuable intellectual property, trade secrets or copyrighted material in a Cloud environment.

Lawyers have also posed a number of Cloud-related questions that remain unanswered to a significant degree. If you create IP using content, processes or hardware integral to the Cloud, is the Cloud vendor a partial owner of your IP? Does the resale or use of meta or log data collected by the vendor about your use of the cloud generate any IP rights in addition to privacy or security expectations? If you inadvertently access third-party data or other intellectual property through the Cloud, is there a duty to provide notice in order to limit potential liability? As a Cloud customer, do you share potential liability with the Cloud vendor for violations of intellectual property rights that you may unknowingly benefit from?

Cloud-based entertainment services, especially those involving streaming music, movies and other digital content, have raised some interesting questions of copyright that are already being challenged in the courts. In 2009, for example, the Federal Court of Appeals for the 2d Circuit ruled in Cartoon Network v. CSC Holdings that the buffering of copyrighted data in an RS-DVR’s RAM memory during transmission did not constitute a “fixed” copy in violation of the Copyright Act.

The Digital Millennium Copyright Act provides a safe harbor protection to online service providers from infringement liability for copyright violations if they adhere to certain guidelines and promptly block access or remove infringing materials from their systems upon notification. The scope of the DMCA safe harbor has been tested in several cases involving Cloud-based file-sharing services, most notably the Supreme Court’s decision in MGM v. Grokster. Last June, a Federal District Court in New York threw out a $1 billion lawsuit by Viacom against Google for copyright violations for files shared on YouTube, after concluding that Google’s practices qualified for the DMCA “safe harbor.”

Federal Budget Cutting and the Cloud

It is also important to understand the federal transition to the Cloud in the context of current budget politics centered on the growing federal budget deficit.

With federal agencies ramping up their budget requests for the migration to Cloud services, it is unclear whether Congress has the stomach to make the short-term investments necessary to achieve the long-term savings and benefits offered by the shift to Cloud-based government services.

Recently, the so-called congressional “Supercommittee” failed in its task to identify $1.2 billion in federal budget cuts, which will trigger a significant across-the-board sequestration of discretionary spending under current law unless amended. Although the Obama White House has made the Cloud migration a federal IT priority, it is not clear that Congress will see it the same way as they look to minimize the budgetary impacts of a sequestration on other federal functions such as defense, homeland security, agriculture, etc.

Global Competition and the Cloud

Cloud Computing presents tremendous business opportunities for U.S. companies to sell IT products and services globally.  Forrester Research has projected the global market for cloud services will grow to nearly $250 Billion by 2020.   As U.S. companies position themselves to compete for a share of that market, U.S. laws can hinder their efforts or put them at a competitive disadvantage. 

One such example is the U.S. Patriot Act, the law passed post-9/11 that was designed to help support the war on terror in part by giving U.S. intelligence agencies enhanced powers to gather data on suspected terrorists. The U.S. has used the Patriot Act powers in various ways, such as compelling foreign airlines to provide passenger information.    Now, non-U.S. Cloud competitors are using the Patriot Act to discourage foreign countries from signing on with U.S.-based cloud providers like Google and Microsoft.  The sales pitch asserts that use of U.S.-based cloud services makes your confidential business data accessible to U.S. intelligence agencies under the Patriot Act.

Conclusion

Cloud Computing, like all new technologies that are widely adopted, is socially disruptive. It is not only changing how we live and work, it is also creating legal ambiguities and raising policy questions that require a rebalancing of public interests. Over time, these issues will be resolved in the courts and by our legislatures with the passage of new laws. The speed and effectiveness of the solutions depend, to a significant degree, on how well informed the policy-makers are about the new technology and how it works. This simple fact suggests that technical professionals have an important role to play in actively engaging the policy process as advisors and advocates at all levels of government.

 

Comments on this story may be emailed directly to Today's Engineer or submitted through our online form.

 


Chris Brantley is IEEE-USA's managing director in Washington, D.C.

Glenn Tenney is a senior member of the IEEE and has been chair and vice-chair of the IEEE-USA Intellectual Property Committee.  He is a software and systems architecture designer, information security professional, and has been a consulting expert on several patent related law suits.



Copyright © 2011 IEEE