Microsoft's top legal official yesterday called on the US Congress to create new laws that would give data stored in the cloud the same protections as data stored on a PC. He also called for tougher penalties for hackers who access data centers, citing significant damage that's often done in such attacks.
Brad Smith, senior vice president and general counsel at Microsoft, told an audience at a Brookings Institution forum here today that laws now protecting electronic data were written in the early days of PCs. "We need Congress to modernize the laws and adapt them to the cloud," he said.
While many consumers have adopted cloud computing by subscribing to e-mail services like Google Gmail, to social networks like Facebook and to Microsoft's increasing online services offerings, enterprises have been somewhat cautious about moving corporate data to hosted systems due to legal and security concerns both here and abroad. Those fears have been causing problem for IT vendors, forcing some to provide significant protections to large users.
The city of City of Los Angeles' move to implement Google Apps is one example of how cloud providers must tweak contracts to win business.
The city's $US7.2 million agreement with Google to move 30,000 employees to Google Apps included an unlimited damages provision that makes the Google legally responsible for the release of data in violation of a non-disclosure agreement.
Moreover, the contract signed last October obligates Google to keep the city's data physically located in the United States. The contract allows the city to audit the data to ensure compliance.
Smith outlined a number of changes to the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act that he says are needed to clearly extend privacy rights to data stored in the cloud and to boost penalties for hacking data centers.
Providers of cloud computing products, meanwhile, are also hoping for an international accord that would ensure similar rules to data regardless of whether it is stored on servers in India, France or Brazil.
"Are we going to end up with a Tower of Babel version of the cloud where there are different rules in different countries?" said Darrell West, vice president and director of governance studies, the Brookings Institution, who led a panel discussion on the topic.
"We need a free trade agreement for data and information,' said Smith.
Michael Nelson, a visiting professor at Georgetown University, offered a stark warning about the future if Congress fails to act. "We are going to see the cloud as something that is controlled by two or three companies," he said.
He called for creating a cloud environment built on open source technology and open standards so users can take something from one cloud and combine it with another. "We don't want to be locked into one company's solution," he said.
Users of cloud services will need to know what is happening to their data, Nelson added. Cloud providers will not only have to ensure data is safe, but "we are going to have to show them why it is safe," he said, and that will mean having technology that can show customers when their data is accessed.
Jonathan Rochelle, a group product manager at Google, said there is nothing special about the privacy and security risks in the cloud, but those risk are "more transparent, more collective and more open. "
Users can keep their data on their PCs, but "while it feels more comfortable, the same way the money under your mattress feels more comfortable, it may not be the best way to manage your information,' said Rochelle.