In a move that may surprise some, Microsoft is pushing for legislation on cloud computing that comes down firmly on the side of the consumer. Microsoft general counsel Brad Smith recently broached the topic in a speech at the Brookings Institute, calling for privacy protection and provider disclosure to be enshrined in law.
"The world really needs a safe and open cloud," Smith said.
Microsoft has since put forward a formal proposal for the Cloud Computing Advancement Act, which states that laws are needed to boost confidence in cloud computing. In his speech, Smith said that the rapid pace of technological change was making it hard for companies to be sure where they stood.
"Over the past two decades, technology has moved forward and the law has become increasingly antiquated as a result," he said.
He called for Congress to update the Electronic Communications Privacy Act, enacted in 1986, to ensure users could maintain a "reasonable standard of privacy" when storing personal and business information in the cloud.
He also said that the Fourth Amendment had been "thrown into doubt" in the online world and that people should feel as secure from snooping in the cloud as they do in their homes and businesses.
Smith said that after privacy comes protection from attackers. He wants 1984's Computer Fraud and Abuse Act updated to include stiffer penalties for attackers who steal data and attempt intrusion.
Give service providers policing power
He also called for a "private right of action" for cloud computing providers to go after hackers themselves, instead of having to report potential abuse to authorities and attempt legal remedies. Smith was not specific on what kinds of action Microsoft would consider justifiable against a potential cracker or data thief before alerting authorities to a potential breach.
Smith also requested a robust international agreement on data protection to make it easier for companies to share data across international borders. Currently, he said, the situation is so fraught with potential pitfalls and hazards that it encumbers global IT trade. He cited cases in Belgium, Brazil and Italy where courts had attempted to impose criminal judgments on U.S.-based service providers over data losses and similar outages.
That cuts both ways; current European Union privacy protections forbid the electronic storage of their citizens' personal information in the U.S. because American providers are subject to secret, invasive searches and seizures under the 2001 USA PATRIOT Act.
But what is Microsoft really pushing for? The software giant is better known for aggressively driving competitors out of business and protecting its illegal monopolies than for looking after the little guy. Redmond says it's trying to level the playing field for everyone, from end users of webmail services to software and Web services providers. But the proposal isn't much more than lip service, according to some.
Where's the meat, Microsoft?
"The one thing Microsoft is not going to champion is some sort of consequences," said Richard Goldberg, a Washington, D.C. lawyer who specializes in IT law. Goldberg, an expert on the potential legal pitfalls of cloud, said that Smith's call for privacy and transparency from cloud providers is nice but conspicuously lacks statutory penalties for providers who don't comply.
Goldberg pointed to HIPAA's cash penalties as an example. He said even modest incentives, like HIPAA's $100 per violation of user privacy, are enough to make healthcare providers watch their backs. There's none of that in Microsoft's legislative proposal.
Goldberg said that if Microsoft really wanted to see a law that would impact the industry, it would strictly define penalties on violators. What it really wants, said Goldberg, is to put a ground floor under cloud computing that starts with things it can already do.
"It's probably worth noting that if Microsoft really wants to do all this stuff, they can just do it," he said.
While not necessarily trivial, said Goldberg, Microsoft could enshrine consumer privacy and protection into its products and make that transparent to partners, vendors and users if it so desired.
Microsoft's call to legislate isn't necessarily a screwball idea, said Goldberg. The actions outlined by Smith are not necessarily bad for the public just because they would benefit the firm, but it's important to remember that Microsoft is ultimately interested in protecting itself from legal harm. The company also wants to look trustworthy, especially after its Sidekick debacle last fall, which lost millions of users' personal information from their phones in a monumental operations gaffe.
Goldberg said that smaller service providers are the ones most likely to be left out in the cold with legislation like this, since they may have a tough time coughing up for expensive security measures and making their operations more transparent.
"Smaller companies [may not] be able to provide the real transparency that Microsoft can do by just throwing money at it," he said.
He also added that it's an opportune time to talk about legislation, since it could well fly under the radar.
"You're not going to have some crazy debate about cloud, nobody knows what it is" on Capitol Hill, he said.
Goldberg has no faith that Microsoft's proposal will reach the books in its current state, but it's a good conversation starter, since it is practically inevitable that laws will be passed around cloud computing.
State laws already cover data breaches
Goldberg said that Microsoft's push was coming at the right time. Legislating the ever-growing frontier of remotely housed data and services is already a nightmare for big providers.
"As cloud computing gains popularity, [vendors] will become vast stores of sensitive information," he said. And because that information is often far from where it originated, there's already a headache-inducing forest of state laws to navigate.
"There are just a crazy amount of state laws on data breaches," said Goldberg, and most of them conflict in some way with other states' laws. He pointed to the TJ Maxx breach in Massachusetts, which rocked the retail world after some 68 million credit card numbers were stolen in 2006.
Massachusetts enacted the strictest privacy and disclosure laws in the nation (M.G.L. 93h and 201 CMR 17) and found the requirements so tough to fulfill that the state has repeatedly pushed back the compliance date. It's now set for May 1, which coincides with a new Federal Trade Commission "Red Flag Rule" that requires speedy disclosure of ID thefts and data breaches.
Goldberg thinks Microsoft may well come up smelling like roses by being so forward on the issue, especially since its interest and consumers' interest intersect here.
"Everyone's stepping into cloud, and everyone wants to be trusted, and it's not a bad deal to be the one to say we did it."
Carl Brooks is the Technology Writer at SearchCloudComputing.com. Contact him at firstname.lastname@example.org.