Lawmakers have a talent for confusing issues and scaring people unnecessarily. The current example is the proposed Cloud Computing Act of 2012. As Professor Eric Goldman at the Santa Clara University School of Law says of the Act, “I have no idea what problem this bill purports to solve.”
The laws regarding criminal trespass in cyberspace are hopelessly out of date and need to be fixed. The problem is, law enforcement and Congress are pushing to update the laws to include cloud and mobile applications, but their poor understanding of new technologies only threatens to cause more problems.
A Lot Can Happen in 25 Years
The two most important pieces of cyberlaw, the Computer Fraud and Abuse Act and Electronic Communications Privacy Act (ECPA) were both passed in 1986. E-mail, instant messaging, cloud computing, cell phones, global positioning systems, and geolocation tracking are just some technologies that have became available since those laws went into effect. These laws were very prescient and forward looking in that they limited law enforcement access to electronic communications and associated data, including emerging wireless and Internet technologies. But the legislative aides who wrote the law in the 1980’s using typewriters and fax machines couldn’t possibly have anticipated all of the new technology of the Internet age.
For example, because of archaic language in the existing laws, any e-mail left on a server over 180 days is considered abandoned and can be accessed by law enforcement without a warrant. However, today storage has become so inexpensive that Internet providers commonly leave email and other communications on cloud-based servers indefinitely.
Beginning in March of 2010, a new and diverse coalition called Digital Due Process Coalition has brought a new focus to addressing the problem. That group includes influential companies such as Google, Internet activists like the Electronic Frontier Foundation (EFF), more traditional civil liberties groups as the ACLU, and even a number of conservative groups such as anti-tax crusader and small government libertarian Grover Norquist. The organization published a number of specific principles hoping for a clear, single standard for access to digital information in criminal investigations.
Unfortunately, proposed legislation above only muddles and complicates the law, and does not modernize it. According to the legislation, cloud computing is defined as, “a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service
That kind of definition is so vague and confusing as to be useless. As professor Goldman says, “What??? This sounds more like a vendor’s sales pitch than a basis for criminal prosecution.”
What Kind of Law Do We Need?
Cloud computing fundamentally streamlined the deployment of business software. That’s why all of our technology is built on the cloud. The problems in existing laws do not affect Nextpoint’s business, but it is important that lawmakers update the law to fix these outdated and arbitrary irregularities. The public is already too confused about what cloud computing is, the government shouldn’t be adding to it.
The Digital Due Process Coalition hopes to promote legislative updates that prohibit an Internet provider, cloud computing, or geolocation information service provider from voluntarily disclosing the contents of its customer’s email or other electronic communications to the government. However, exceptions would be made allowing for a delay in providing notice to the subject of a warrant if it could endanger national security.
That’s a sensible and workable law for collecting information in the modern age while protecting national security interests. So much misinformation exists about cloud platforms, that it’s time for Congress to forget trying to catch up with technology every 25 years, and instead simply treat all communications the same, without creating multiple standards and obscure definitions.
