Senator Amy Klobuchar [D-MN] introduced on September 19 a bill, S.3569, the “Cloud Computing Act of 2012”, which is “[a] bill to improve the enforcement of criminal and civil law with respect to cloud computing, and for other purposes.” Senator John Hoeven [R-ND] co-sponsored the bill, which has been referred to the Committee on Commerce, Science, and Transportation.
The Act would amend the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030, which criminalizes accessing a computer without authorization, or exceeding authorized access, to obtain information considered to be protected data or anything of value. It also criminalizes transmitting a program, information, code, or command that, as a result, causes damage to a protected computer.
Defining Cloud Computing
The Cloud Computing Act would make each instance of unauthorized access a separate offense when the protected computer is part of a cloud computing service. The Act defines ‘cloud computing service’ as:
“a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider.”
Isn’t the life of a cloud computing service customer great? The service is “convenient”, the access “on-demand” and all of this service involves “minimal management effort.” Where do I sign? I am writing this only half in jest, but if I ever were to represent a cloud computing service company sued under the Cloud Computing Act of 2012, I would make sure that the judge is convinced that my client runs an inconvenient service, whose access is spotty at best, and involves great management effort.
Defining what cloud computing is in a somewhat more neutral way is apparently a difficult exercise, and the author of the bill probably took inspiration from the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, which defined cloud computing in a paper published last May as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
How the Act Would Calculate Damages
Violating the CFAA is punishable under 18 USC § 1030(c)(2)(B)(iii) by a fine or imprisonment for not more than 5 years, or both, if the value of the information obtained exceeds $5,000. Under the Cloud Computing Act, the value of the loss of the use of a protected computer that is part of a cloud computing service, the value of the information obtained, and the value of the aggregated loss would be the greater of either the value of the loss of use, information, or aggregated loss to one or more persons, or the product of multiplying the number of cloud computing accounts accessed by $500.
Therefore, if the number of cloud computing accounts is at least 11, plaintiffs could prove the value of their losses met the threshold for punishment under the CFAA. This is welcome, as plaintiffs often fail to prove that they have suffered more than $5,000 in damages.
For instance, in In re Doubleclick Inc. Privacy Litigation (S.D.N.Y. 2001) plaintiffs claimed, inter alia, that by placing cookies on their computers, DoubleClick had violated the CFAA. Defendant did not contend that plaintiffs’ computers were not “protected” under the CFAA, nor that their access was unauthorized, but rather argued that their losses did not meet the $5,000 threshold set by the CFAA. Plaintiffs had claimed invasion of privacy, trespass to their personal property, and misappropriation of confidential data, but failed to prove that this represented a loss of more than $5,000.
Promoting Interoperability with Foreign Laws
The Act would also suggest that there should be work at the international level, including consultations between the United States and the European Union, in order to ensure that the Act is interoperable with foreign laws. This is certainly welcome, as data in the cloud often resides on servers located in foreign jurisdictions.
It would also direct the Secretary of State to conduct each year, for four years, a study on international cooperation regarding data privacy, retention, and security. The study would include recommendations for best practices.