01.12
Policy and the Cloud: Part III – Congress Looks at Legislation
By Chris Brantley and
Glenn Tenney
(Ed. Note: This article is
the third in a three-part series looking at the
policy implications of Cloud Computing.
Part one
focused on recent Congressional hearings.
Part two
highlighted specific Cloud policy issues facing
Congress and federal regulators.)
As a myriad of policy issues
have emerged around Cloud Computing, in areas
ranging from privacy, security and law enforcement
powers to intellectual property and global
competition, a number of voices have called
for Congress to enact legislation to clear the
way for new legal and regulatory approaches.
In 2010, Microsoft Senior VP and
General Counsel Brad Smith told a group gathered
at the Brookings Institution that “In
order to make the cloud a success, those of us
in the industry need to pursue new initiatives
to address issues such as privacy and security.
At the same time the private sector cannot meet
all of these challenges alone. We need Congress
to modernize the laws, adapt them to the cloud,
and adopt new measures to protect privacy and
promote security.”
Kaspersky Lab CTO Nikolay Grebennikov took a
similar tack in an address at Infosecurity
Europe last Spring, noting that “it's not
currently a technical issue – it's mostly about
legislation and how cloud providers should
communicate with customers to provide this.
Currently I really believe that we need some
non-technical steps and actions to make it
work.”
The Cloud Computing Act
In April 2011,
Senator Amy Klobuchar
(D-Minn.) announced that she would be joining
Senator Orrin Hatch (R-NV) in introducing the
“Cloud Computing Act of 2011,” draft legislation
designed to encourage harmonization of online
security and cloud computing laws with other
nations, as well as providing new investigative
and enforcement authorities for individuals who
violate online privacy and security in the
Cloud.
In an
associated statement, Klobuchar explained “the
technology is moving ahead fast, and it’s
essential for our laws to keep pace with it.
This legislation will clarify the rules of the
road to make it safer and more convenient for
both consumers and companies to zoom along on
the information superhighway. It’s pro-consumer,
pro-business, and pro-innovation.”
A
rising star in the Senate, Klobuchar chairs the
Senate Subcommittee on Competitiveness,
Innovation, and Export Promotion and has a
reputation for being savvy on tech issues.
Senator Hatch is a member of the subcommittee,
as well as serving in other Senate leadership
posts.
Shortly after news of its imminent introduction
was released, however, plans for the bill were
put on hold to enable Klobuchar and Hatch to
seek additional feedback on key provisions from
various groups and forums. With Congress
currently focused on other cyber-legislation,
including the controversial Stop Online Piracy
Act (SOPA), it seems the Cloud Computing Act has
been put on the back burner indefinitely.
Other Legislation
Last June, Rep. Michael McCaul
of Texas introduced cybersecurity legislation
(H.R. 2096) that includes a narrow provision
that would require the Director of the National
Institute of Standards and Technology, in
collaboration with the federal Chief Information
Officers Council, to continue development and
implementation of a comprehensive strategy for
the use and adoption of cloud computing services
by the federal government.
The McCaul bill was reported by
the House Science, Space and Technology
Committee in October and is on hold, pending
House action. A companion bill in the Senate (S.
1152) introduced by Senator Robert Menendez of
Florida lacks a similar cloud computing strategy
provision and is still awaiting consideration by
the Senate Commerce, Science and Transportation
Committee.
Cloud issues related to privacy
and law enforcement are also touched on in
legislation introduced by Senator Patrick Leahy
(D-CT), dubbed the Electronic Communications
Privacy Amendments Act (S. 1011). Leahy’s bill
would update restrictions on disclosures, expand
warrant requirements for searches and seizures
of electronic information, and limit tracking of
geolocation information (i.e. establish a
privacy interest in protecting information about
your current “location”). Leahy’s bill was
introduced in May 2011 and referred to the
Senate Judiciary Committee, where it has seen no
action.
Non-Legislative Approaches
Not
everyone agrees, it seems, that legislation is
needed at the present time.
In
July 2011, the Software Industry Information
Association released a “Guide for Cloud
Computing for Policy-Makers,” which asserts there
“is no need for cloud-specific legislation or
regulations to provide for the safe and rapid
growth of cloud computing, and in fact, such
actions could impede the great potential of
cloud computing.”
Ari
Schwartz, a senior policy advisor at the
Commerce Department and member of the
Administration’s Internet Policy Task Force, has
publicly made the case for voluntary compliance
based on collective codes of conduct and best
practices related to security, privacy and other
cloud issues.
According to Schwartz, voluntary methods should
be explored before government takes a more
active role in legislating or regulating the
Cloud. To that end, the Internet Policy Task
Force is focused on the areas of privacy,
copyright, free-flow of information, and
cybersecurity and is working with business to
develop codes of conduct.
In a
similar vein, in December, the Federal Trade
Commission released a preliminary staff report
outlining a proposed framework for businesses
and policy-makers entitled “Protecting Consumer
Privacy in an Era of Rapid Change.”
Also
in December, in an address to the Second Annual
European Data Protection and Privacy Conference
on “Transatlantic Solutions for Data Privacy,”
Commerce Department General Counsel Cameron
Kerry told European policymakers that the Obama
Administration was pursuing a four-part
framework for advancing privacy protections. The
key components include the voluntary Consumer
Privacy Bill of Rights, plans for a
multi-stakeholder process designed to develop
legally enforceable codes of conduct, plans to
request legislation empowering the FTC and State
Attorneys General to enforce the Consumer
Privacy Bill of Rights, and a diplomatic
commitment to pursuing global interoperability
of privacy frameworks.
Closing Notes
With the Obama Administration
taking a deliberate approach focused on
voluntary codes of conduct, Congress divided
along partisan lines on a variety of issues, and
national elections looming in October, it seems
unlikely that cloud computing legislation will
be given any significant priority in 2012.
On the other hand, many of the
issues that need to be addressed are
non-partisan in nature and legislation could
move if bill sponsors can get the attention of
the leadership and avoid getting their bills
entangled in controversial issues.
In that vein, one interesting
development was the release this October of a
report by the GOP’s Cybersecurity Task Force,
comprised of 12 House Republicans, which
outlined a series of limited, near-term
“industry-friendly” recommendations for
cybersecurity legislation, emphasizing voluntary
standards rather than government regulation.
What seems likely is that key
issues will be addressed through bills focused
on specific issues, such as cybersecurity or
enforcement powers, rather than in a
comprehensive Cloud Computing bill.
For Further Reading:
Federal Trade Commission,
Protecting Consumer Privacy in an Era of Rapid
Change: A Proposed Framework for Businesses and
Policymakers, Preliminary FTC Staff Report
(December 2011), Available online at:
http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
Recommendations of the House
Republican Cybersecurity Task Force (October
2011). Available online at:
http://thornberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf
Software and Information
Industry Association, Guide to Cloud Computing
for Policy-Makers (2011). Available online at:
http://siia.net/index.php?option=com_docman&task=doc_download&gid=3040&Itemid=318
Chris Brantley is IEEE-USA's
managing director in Washington, D.C.
Glenn Tenney is a senior
member of the IEEE and has been chair and
vice-chair of the IEEE-USA Intellectual Property
Committee. He is a software and systems
architecture designer and information security
professional, and has been a consulting expert
on several patent-related lawsuits.