Proposed “Cloud Computing Act of 2012″

Sen. Amy Klobuchar has introduced a new bill, the “Cloud Computing Act of 2012” (S.3569), that purports to “improve the enforcement of criminal and civil law with respect to cloud computing.”

The Cloud Computing Act seeks to amend 18 USC 1030 by purporting:

  • It is a separate offense to have unauthorized access (including exceeding the authorized access) to a cloud computing account, or even conspiring to have unauthorized access.
  • Defining “cloud computing account” as “information stored on a cloud computing service that requires a password or similar information to access and is attributable to an individual”
  • Defining “cloud computing service” as a service that “enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.”
  • The losses are (1) the value of the loss of use, information, or aggregated loss to 1 or more persons; or (2) the product obtained by multiplying the number of cloud computing accounts accessed by $500.”

As a reminder, 18 USC 1030, a person who acts or conspires to act in violation of the Act is to be

  • (1) fined or imprisoned for not more than 10 years or both, when the conviction does not occur after another offense under the section; or
  • (2) fined or imprisoned for not more than 20 years or both, when the conviction occurs after another offense

 

The problems with this proposed bill are alarming due to the vagueness of the definitions.  In employment, I can see this Act (if it goes through) being used against employees.

For example, say if your authorized access is limited to “work” use.  If an employee uses the computer network to go to a social network, how would this pan out?  The employee, in this case, uses a password to get into the network of the employer.

Or say that authorized access is limited to using email for work purposes only.  What if the employee sends a personal email or an email to an attorney using the work email?  The email account is, after all, protected by a password and it is in the alleged protected network of the employer.

Or say that authorized access is limited to accessing the email at work.  Yet, the employee and other employees, and say even management, use their smartphones to keep up with work.

I can see potential issues in employment law, where the situation does not arise out of the purported intent of the Act.  None of these cases involve a person getting into a network or service to steal information.  None of these cases involve a disgruntled employee accessing information they are not supposed to have access to.

It is my guess that if the Act gets through, there will be a need for a lot of updates on employee policies, manuals, and trainings.

About these ads

3 Comments

Filed under Pending Legislation, technology

3 responses to “Proposed “Cloud Computing Act of 2012″

  1. Very great post. I simply stumbled upon your weblog and wished to mention that I have truly enjoyed surfing around your
    weblog posts. After all I will be subscribing to your rss
    feed and I hope you write again soon!

  2. Thank you! I’m glad you have enjoyed my posts :)

  3. dorado

    This is interesting and somewhat frightening. Wouldn’t it allow law enforcement agencies to use network usage in the same way many large employers/copyright holders can?

    Many such employers almost never enforce their contracts preventing employees from checking social networks, reading email, or surfing the web as almost all employees do at some point. When they want to fire someone for other reasons (personal or otherwise), it creates a very easy way to fire someone without benefits (IMHO).

    Copyright holders like the RCAA sue people for tens of thousands of dollars for downloading single records, even though they aren’t suing 99.99% of the other people that do it much more often.

    Similarly, won’t this allow law enforcement agencies to start convicting people of doing things they don’t even realize are illegal because they can’t find evidence for other crimes?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s