The 'Cloud Computing Act Of 2012'... Or How Internet Regulation Can Go Awry

from the paved-with-good-intentions dept

Fri, Oct 12th 2012 12:29pm — Eric Goldman

Sen. Amy Klobuchar has introduced a new bill, the "Cloud Computing Act of 2012" (S.3569), that purports to "improve the enforcement of criminal and civil law with respect to cloud computing." Given its introduction so close to the election, it's doubtful this bill will go anywhere. Still, it provides an excellent case study of how even well-meaning legislators can botch Internet regulation.

What the Bill Does

From its 1980s origins as a law restricting hacking into government computers, the Computer Fraud and Abuse Act (CFAA) has morphed into a general-purpose federal law against trespassing on anyone else's computers. With that breadth, the CFAA extends to a wide variety of activities, ranging from data scraping (see, e.g., EF Cultural Travel v. Explorica) to fake profiles (see, e.g., the Lori Drew prosecution related to Megan Meier's death) to ex-employees walking out the door with competitively sensitive information (see, e.g., US v. Nosal and WEC v. Miller).

The proposed bill's main substantive provisions attempt to give "cloud computing services" extra protections under the CFAA. First, the bill says that each unauthorized access of a cloud computing account counts as a separate CFAA offense. Second, the bill specifies a formula for computing losses in CFAA violations involving cloud computing services, setting a minimum floor of $500 loss per affected cloud computing account.

Problems with the Bill

The CFAA is Already a Mess. Good luck trying to read the CFAA's text. Constant amendments over the years have created spaghetti code. This bill adds only slightly to the CFAA's overall lack-of-tidiness, but every incremental amendment makes the CFAA more unwieldy.

The Definition of "Cloud Computing Service" is Incoherent. The bill seeks to protect cloud computing services, but what are those? Check out the bill's definition:

the term "cloud computing service" means a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.

What??? This sounds more like a vendor's sales pitch than a basis for criminal prosecution. We can reinforce the definition's weakness by trying to determine what isn't a cloud computing service. Every user-generated content website seems to qualify; but so should every online bank. In fact, this definition of cloud computing service probably becomes co-extensive with the Internet generally.

To be fair, the failed definition isn't totally the drafter's fault. I don't think it's possible to define "cloud computing service" precisely. Tip to legislators: if you can't clearly define your subject matter of your legislation, you're probably doing something wrong.

What's the Problem That Needs to Be Solved? I can't figure out how the proposed amendments address any problem we're seeing in the field. It's possible I've missed some relevant case, but I can't think of a single case I've seen where the CFAA underprotected a cloud computing service or this legislation would have changed the outcome. Seeking some clarity, I submitted a press inquiry to Sen. Klobuchar's office last week and got no response. So I have no idea what problem this bill purports to solve.

Implications

This bill exemplifies several ongoing problems with efforts to legislate the Internet:

1) Legislative grandstanding. It's flashy for legislators to tell their constituents that they are fighting hard to protect emerging technologies like "cloud computing." But legislators rarely understand cutting-edge technologies, and usually rapidly evolving technologies are poor candidates for legislative intervention. So legislators' efforts to push buzzword-laden legislation are often more for show than substance.

2) Regulatory exceptionalism. As I explain here, legislators keep creating new "exceptionalist" rules for subsets of the Internet ecosystem--online dating sites, social networks, cloud computing services, etc. We saw how well that worked in California's effort to ban employers from asking employees for social media login credentials. California so utterly failed at defining "social media" that it simply covered the entire Internet...and all non-networked electronic data too! Yet, legislators seemingly haven't learned from their colleagues' repeated failed efforts to precisely define the contours of some Internet subcommunity. The proposed CFAA amendment, and its gibberish definition of "cloud computing service," exemplifies this.

3) Code proliferation. For every problem, real or perceived, legislators think they can fix the problem with more regulatory code. But the manufacturing of new legal code exacts a toll of its own. This bill increases the CFAA's complexity with minimal or zero commensurate benefit. If Sen. Klobuchar or anyone else really wants to "fix" the CFAA, a good start would be to reduce the law's length, organize it better, and reduce its implications for users' ordinary Internet activity.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: amy klobuchar, cloud computing, privacy, regulations

27 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Titania Bonham-Smythe (profile), 12 Oct 2012 @ 12:36pm

This is a law that makes it illegal for the US government to delete legitimate user data on Megaupload?
[ link to this | view in chronology ]
- weneedhelp (profile), 12 Oct 2012 @ 12:41pm
  
  Re:
  Silly silly netizen, US laws dont apply to the US Government. Those are for the peasants.
  [ link to this | view in chronology ]
  - gary, 12 Oct 2012 @ 8:29pm
    
    Re: Re:
    All Netizens we are under attack it's time to unite regardless of where you are' if you have a vpn get involved whether it's CETA or some other change your settings the Internet is under attack don't wait for them to pick us off one at a time .
    [ link to this | view in chronology ]
BreadGod (profile), 12 Oct 2012 @ 12:43pm

As the old saying goes, the road to hell is paved with good intentions.
[ link to this | view in chronology ]
- Anonymous Coward, 13 Oct 2012 @ 4:03am
  
  Re:
  Or bribery. Is somebody bribing Klobuchar to do this? If we could figure out who is bribing her and why, then her actions might at least appear slightly more sane. They might be a lot less moral, too, but at least things could be more understandable.
  
  Maybe some member of the cloud computing industry is trying to get themselves some sort of government-protected status?
  [ link to this | view in chronology ]
weneedhelp (profile), 12 Oct 2012 @ 12:46pm

Clueless
The bill seeks to protect cloud computing services, but what are those? - All computers.

"reduce its implications for users' ordinary Internet activity." - They (she) have (has) no idea what that is. Hopefully they have kids over 11 to explain it to them.
[ link to this | view in chronology ]
weneedhelp (profile), 12 Oct 2012 @ 12:47pm

Clueless
The bill seeks to protect cloud computing services, but what are those? - All computers.

"reduce its implications for users' ordinary Internet activity." - They (she) have (has) no idea what that is. Hopefully they have kids over 11 to explain it to them.
[ link to this | view in chronology ]
- weneedhelp (profile), 12 Oct 2012 @ 12:48pm
  
  Re: Clueless
  Sorry for the double post.
  [ link to this | view in chronology ]
  - Hothmonster, 12 Oct 2012 @ 1:25pm
    
    Re: Re: Clueless
    Spamming an online comment board? I think you just violated the CFAA
    [ link to this | view in chronology ]
    - weneedhelp (profile), 12 Oct 2012 @ 2:13pm
      
      Re: Re: Re: Clueless
      Seems like they want to turn the simple act of turning on a computer to violate the (insert_idiotic_acronym_here)
      [ link to this | view in chronology ]
Anonymous Coward, 12 Oct 2012 @ 12:52pm

Access to a virtual machine must be a virtual crime with a virtual punishment unless a special law is enacted.
[ link to this | view in chronology ]
Eric, 12 Oct 2012 @ 12:54pm

I have the solution
As part of the difficulty with this law is identifying what cloud computing services actually are, the govt should set up an agency that all service providers will be required to register with. At this time they will clearly identify what services they offer (Social Networking, Cloud Computing, evil file sharing, etc...).

The service providers will then be granted a license to participate in this industry. If during their license period they choose to get involved in an additional service type, they will need to apply for these additional licenses.

These groups will have to re-register each year and of course pay a fee to help fund this new agency. If they cover multiple service areas a fee will be paid to each. Each service area will consist of government appointed experts to assist in any confusion a service provider has when trying to categorize itself.

If a fee is not paid in a timely manner the RIAA has the right to shut down your service. End of story.

I can't see anything wrong with my idea :)
[ link to this | view in chronology ]
- weneedhelp (profile), 12 Oct 2012 @ 12:58pm
  
  Re: I have the solution
  An easier solution would be just get rid of the AA's.
  
  You forgot your /sarc
  
  Marked funny anyway.
  [ link to this | view in chronology ]
Get off my cyber-lawn! (profile), 12 Oct 2012 @ 12:59pm

Cyber-Lawn's Rule of Law
ANY law longer than one, single-typed page (10 font) or which requires the reader to have a law degree or frontal lobotomy (sometimes these are interchangeable) to understand is fundamentally useless and will not be enforced.
[ link to this | view in chronology ]
Zachariah Serhus (profile), 12 Oct 2012 @ 1:09pm

Wrong answer
I'm sorry, what we were looking for was abolishment of force ie government. fixing the bill is a paradox. u can not fix that which was never working
[ link to this | view in chronology ]
dfed, 12 Oct 2012 @ 1:13pm

Congress learns from Oracle: Repackage the same bullshit and just add the word 'Cloud'
[ link to this | view in chronology ]
John Fenderson (profile), 12 Oct 2012 @ 1:24pm

In all fainess
"The cloud" is little more than meaningless marketing-speak anyway. It's hard to define something when it doesn't mean much to begin with.
[ link to this | view in chronology ]
Anonymous Coward, 12 Oct 2012 @ 1:44pm

Would this inroduction of the Cloud Computering Act of 2012 have anything to do with Megaupload by chance?
[ link to this | view in chronology ]
jupiterkansas (profile), 12 Oct 2012 @ 1:44pm

So basically these laws are like the constant patches that Microsoft applies to Windows, causing the program to become less and less reliable over time so that the only real fix is to wipe it all away and start fresh; with new code based on the same old code.

And republicans want the states to have more say, which is essentially creating multiple operating systems that all must somehow be compatible with each other.

Good thing you can't patent laws.
[ link to this | view in chronology ]
- weneedhelp (profile), 12 Oct 2012 @ 2:18pm
  
  Re:
  "And republicans want the states to have more say, which is essentially creating multiple operating systems that all must somehow be compatible with each other."
  
  Not to seem like I am endorsing a party, but the other end is to have a country wide or world wide governance and if you think its tough to protest/change laws now, imagine when we are under a world government. The little guy then will really be a spec of sand in the desert.
  
  I can learn multiple OS's and choose which is best for me.
  [ link to this | view in chronology ]
  - weneedhelp (profile), 12 Oct 2012 @ 2:19pm
    
    Re: Re:
    I support neither the republican, or democratic party.
    
    I am weneedhelp and I approve this message.
    [ link to this | view in chronology ]
  - jupiterkansas (profile), 12 Oct 2012 @ 2:41pm
    
    Re: Re:
    Well I shouldn't have mentioned a party - just how state laws compare to national laws.
    [ link to this | view in chronology ]
  - Gary, 12 Oct 2012 @ 8:50pm
    
    Re: Re:
    Again I say it's time to unite worldwide,no matter it's a worldwide problem.
    [ link to this | view in chronology ]
gorehound (profile), 12 Oct 2012 @ 2:56pm

I am staying away from any Clouds.I do not need a Storm in my life and that is what Cloud Computing is to me.
Like I really need to store my Data and Apps on some Server only to see it all taken down like what happened to all the legal users of MegaUpload.
I like my Desktop and my new VPN ! And I also like those various Forefox Plugins I use like better privacy,adblock,do not track,ghostery.............ETC.
[ link to this | view in chronology ]
Anonymous Coward, 13 Oct 2012 @ 5:14am

would it not be easier, more prudent and more sensible (sorry for using a swear word!) to scrap the lot and start again, using people that have the technical knowledge, the internet knowledge, think with their brains instead of their wallets and hopefully come up with a proper, working solution?
[ link to this | view in chronology ]
Daniel Lucraft, 14 Oct 2012 @ 11:44pm

Cloud computing definition
It actually seems quite reasonable to me. Whenever I get annoyed at the wide misuse of the term cloud computing, what I am thinking it should be restricted to is pretty much the definition given there. There is a difference between AWS and Gmail, and that definition pretty much captures that difference.

Why do you think that a UGC website qualifies under that, or a bank? I can't provision computing resources from YouTube, or my banks websites. (WordPress qualities, because I can rapidly roll out new copies of the "application" which is a type listed.)

If I try really hard, I can sort of imagine that as a user, a bank has to "provision" access to a computer (which is by definition configurable...) in order to service my request. But that's a long way from the plain reading which says I can provision configurable computing resources for myself to use.

Maybe it could be tightened up, to avoid maliciously wide interpretations, but for someone who isn't a lawyer (and is a developer), that definition is absolutely fine, and quite narrow compared to most uses of the term, which nowadays people seem to use for any website at all...
[ link to this | view in chronology ]
Ninja (profile), 15 Oct 2012 @ 6:30am

Narrow laws
I think that most of the problems with new legislation could be solved by narrowing down what is supposed to be regulated in any form and establishing review deadlines. By the time we have a set of laws that address a similar action (ie: murder) we can gather them together to reduce the number of scattered laws while maintaining the review deadlines.

It's like major international treaties. Why can't we have smaller, narrow and focused provisions to be signed and then gather then in a major treaty once it gets well tested and verified?

Surely my method have flaws but wouldn't it be better to narrow down the targets?
[ link to this | view in chronology ]