On September 19, 2012, Senators Amy Klobuchar (D-MN) and John Hoeven (R-ND) introduced the “Cloud Computing Act of 2012.” The bill is a bipartisan effort to amend the Computer Fraud and Abuse Act (“CFAA”). If the bill passes, it would purportedly provide greater civil and criminal protections under the CFAA against unlawful computer activities related to cloud computing than currently exist. The introduction of the bill was delayed until this year after Senator Orrin Hatch (R-Utah) withdrew his support for the original bill in mid-2011.
Cloud computing was defined in the previous press statement involving Klobuchar’s bill as the “use of remote data centers to take over the task of computing from the personal computer.” Social media websites commonly use such cloud computing, and more recently, businesses have increasingly used it to raise productivity and lower IT costs.
Under the terms of the proposed legislation, federal agencies would be required to publish periodic reports about their progress in shifting computer infrastructures toward cloud computing. Additionally, federal agencies would have to comply with the Office of Management and Budget’s (“OMB”) Federal Cloud Computing Strategy, and submit periodic reports to the OMB and the Office of Electronic Government and Information Technology about their compliance efforts. These reports would also require a “three year forecast of the plans of the agency relating to the procurement of cloud computing services and support relating to such services.”
The bill defines “cloud computing service” as “a service that enables convenient on demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.” This definition comports with the National Institute of Standards and Technology’s definition of the term. Similarly, a cloud computing account is defined as “information stored on a cloud computing service that requires a password or similar information to access and is attributable to an individual.” Under this definition, a single user can have multiple cloud computing accounts.
Passage of the bill would amend the CFAA to provide an additional, separate offense or claim for unauthorized access of a cloud computing account. Essentially, accessing a cloud computing account without authorization or in excess of authorization would become a criminal offense as well as a basis for civil liability. Specifically, under the bill, “if the protected computer is part of a cloud computing service, each instance of unauthorized access of a cloud computing account, access in excess of authorization of a cloud computing account, or attempt or conspiracy to access a cloud computing account without authorization or in excess of authorization shall constitute a separate offense.”
According to a press statement, Klobuchar previously indicated that under the existing terms of the CFAA, if a cloud service has millions of individual accounts, and a hacker were to take a few dollars from each, the hacker cannot be prosecuted for a felony because the law addresses the individual attacks, and not the aggregate effect. According to the press statement, such security breaches can cost the public up to $1 trillion annually.
The bill provides for presumed loss. Specifically, it provides “[i]f an offense under this section involves a protected computer that is part of a cloud computing service, the value of the loss of the use of the protected computer for purposes of subsection (a)(4), the value of the information obtained for purposes of subsection (c)(2)(B)(iii), and the value of the aggregated loss for purposes of subsection (c)(4)(A)(i)(I) shall be the greater of–(1) the value of the loss of use, information, or aggregated loss to 1 or more persons; or (2) the product obtained by multiplying the number of cloud computing accounts accessed by $500.”
Critics of the bill argue that it defines cloud computing too broadly. Legal critics have called the bill’s definition of cloud computing incoherent and “co-extensive with the Internet generally.” The Cloud Computing Act of 2012 applies to a protected computer that acts as part of a cloud computing service. The phrase “protected computer” is defined broadly by the CFAA to include any computer “used in or affecting interstate . . . commerce or communication.” Critics argue that under this definition, every computer connected to the internet would constitute a “protected computer” since such computers can be used to access websites involved in interstate commerce.
The bill has also been criticized for its failure to add “meaningful protection” to the already confusing CFAA. Opponents suggest it is unclear “what problem this bill purports to solve” and question whether there have been cases where “the CFAA underprotected a cloud computing service or this legislation would have changed the outcome.” They argue the bill simply increases the CFAA’s complexity without much benefit, and the proper fix for the CFAA would be to “reduce the law’s length, organize it better, and reduce its implications for user’s ordinary Internet activity.” Others argue that the proper approach is to allow for voluntary methods, rather than legislation.
The bill, presently in committee, has a long road to travel in order to become law. We will continue to keep you apprised of future developments with this bill, as well as other legislation pertaining to the CFAA.