Legislating the Cloud.

October 14, 2011 By David
Grazed from Insurance News.  Author:  Kurt Schiller.

In January 2010, Microsoft’s senior vice president and general counsel Brad Smith made an unusual request. While speaking on a panel about cloud computing at the Brookings Institution, Smith stressed the growing importance of cloud computing to the audience of legislators and businesspeople. But what made Smith’s address unusual is that he was not calling for fewer regulations in an emerging market; Smith and Microsoft were calling for more…

Microsoft is not alone in asking for legislation that clarifies the specifics of cloud computing. Despite the general tendency of corporations to battle against more restrictions, more companies and organizations are calling for new laws that govern this emerging technology. The reason is simple: Existing communications laws cannot adequately govern the modern internet.

Problems in the Cloud

Many of the laws that define the legal details of the internet and telecommunications are now decades old. Some, such as 1986’s Electronic Communications Privacy Act, were drafted when most users still accessed the internet through company- or university-operated mainframes, and consumers didn’t have access to the internet at all.

Today, things are very different, of course. Any user with a PC and an internet connection can gain access to the full run of the internet in no time. And with cloud services taking the place of more local software applications, even a task as simple as sending an email message might involve a half-dozen computers scattered in different locations around the country or even around the world.

The result is that existing computer laws drafted in the days of mainframes fall short when applied to modern issues of technology law. Questions of jurisdiction and privacy quickly arise: If a user sends an email from New Jersey to a user in Ohio using a cloud service based in New York, the question of the email’s jurisdiction is better answered by a philosopher than a judge. If one of those users happens to be in another country, the result is a legal and jurisdictional quandary.

Blurring jurisdiction is quickly becoming a major problem with legal matters that involve cloud computing, according to Jorge Espinosa, an intellectual property lawyer with Espinosa Trueba, PL and author of cloud law blog LexNimbus. "In the 1990s, a lot of the services that were provided were still intra-territorial. They were within the United States from a U.S. perspective," he says. "So, yes, you still had privacy issues and security issues involving paying with credit cards and transferring e-mail. However, you knew that the data was located domestically, you knew that you had access to domestic law to seek remedies, and you didn’t have to worry about order restrictions or export controls."

However, cloud computing changed all that. "One of the aspects of the cloud is that data can reside anywhere in the world," says Espinosa. "It can shift across international boundaries. And oftentimes in negotiating agreements, some of the larger providers like Microsoft refuse to restrict to single-country service providers."

For John Blossom, lead analyst and president of Shore Communications, Inc., cloud security is generating plenty of user attention. "In a world where your data could be anywhere in the world at any time, the need for these types of laws becomes more important," he says. "There will always be ‘rogue states’ that will not comply with international standards for security and legal prosecution of data theft, but the majority of nations that stand to profit most from cloud computing are now moving rapidly to establish laws such as those proposed in the Cloud Computing Act [broad legislation that calls for reform in the way the law handles cloud computing security and privacy]."

Although some cloud providers agree to confine computing services to a single country, this is far from the norm, and Espinosa notes that it may be out of the reach of smaller organizations to demand such terms. And because certain types of protected information, such as healthcare data, place strict controls on their disclosure and use, entire industries may be reluctant or unable to make use of cloud computing services.

"Until such laws are in place, it will be far more difficult for major information repositories housing private data to take full advantage of cloud computing’s significant cost and service advantages," says Blossom. "Laws protecting the privacy of medical records such as HIPAA [Health Insurance Portability and Accountability Act], for example, will make many organizations hesitate to move toward cloud services until such standards are in place."

Espinosa says that another issue with cloud computing is a legal notion called privity, which "is a legal concept that says that I have a contractual relationship with you and that I have a right to take legal action against you for relief if you violate that contract," he says. "Well, oftentimes in a cloud context there are a couple of middlemen between you, the owner of the data, and the entity that is actually storing your data on a server somewhere."

If a legal situation arises due to the actions of a middleman, a business may not have the right to pursue legal action against the company or organization that is actually responsible for the loss or misuse of its data. If the organization responsible is outside the U.S., the question of local laws also comes into play, says Espinosa.

Espinosa notes that his own legal practice has been hindered in its attempt to use cloud technologies as a result of legal obligations. Because the firm could not get a guarantee from its cloud provider that storage would only take place within the U.S., it can only use the cloud solution in certain areas of the practice that don’t involve sensitive information.

"That makes the cloud service less valuable to us, but at the same time we fulfill our obligations to our clients," says Espinosa.

A Chilling Effect

The confusion over jurisdiction and policy specifics has made some companies wary of investing in cloud computing to a greater extent, according to John Clippinger of the Massachusetts Institute of Technology’s Media Lab. "There’s a lot of expectation that things are going to be happening and moving to the cloud, but I think there’s also a lot of reservation about what will be the governing legal regimes there, and what one can expect from different kinds of jurisdictions and what kind of policy of laws will prevail," he says. "There’s just a lot of unknowns there, I guess, that people are uncomfortable in investing in it until they get resolved."

Clippinger’s own work with cloud computing is over the issue of sharing and protecting personal information. "How do you develop and enforce different kinds of trust frameworks that provide compliant ways of meeting fair information practices in an interoperable environment? And that, to my mind, is one of the bigger issues that you’re going to have in all cloud platforms," he says.

Clippinger notes that different jurisdictions, even within the U.S., have different sets of laws about sharing and protecting personal information. "The question is," he says, "when you’re trying to run businesses across different jurisdictions, then what is going to be the prevailing set of principles? And in order to do that, I think you have to develop a different way of thinking about it that breaks with the traditional privacy/security model."

The National Strategy for Trusted Identities in Cyberspace (NSTIC) introduced one possible model – a proposal by the Obama administration that aims to simplify certain aspects of internet privacy by creating a trusted system of online identity that could be used by businesses and the government alike. Shared standards for identity and privacy such as NSTIC could allow freer movement of data to the cloud while ensuring that protected data, such as healthcare information, is handled in a uniform and reliable fashion.

An International Matter

Blossom compares today’s enterprise information resources in the cloud to "money in the bank." They can be "more securely managed in common repositories by security experts, more easily ‘put to work’ via data harvesting and aggregation services that can combine it with other information resources more readily, and more quickly translating their value into marketable advantages," he says. The global transparency required for corporate and state governance is also likely to push more information resources into the cloud, making it harder to cover up white-collar crimes. "Private enterprise computing services will focus increasingly on specialized ‘big data’ harvesting and analysis efforts," he says, "much as financial institutions do today for real-time securities markets analysis. …"

In April 2011, Sens. Amy Klobuchar, D-Minn., and Orrin Hatch, R-Utah, announced that they planned to introduce the Cloud Computing Act of 2011. Since the bill is still being drafted, specifics about its contents are difficult to ascertain. A draft of the bill was briefly leaked online but was quickly removed.

However, the senators have stated that the bill would address topics such as penalties for hacking cloud systems, and they encourage the U.S. to pursue international treaties covering cloud computing and data sharing. In many ways, the proposed bill seems to address many of the issues Microsoft’s Smith initially pinpointed in his January 2010 presentation, although the final nature of the bill remains to be seen. (A Microsoft spokesperson declined to comment for this article.)

Although Espinosa says he cannot say for certain since he hasn’t seen the text of the bill, he speculates that international treaties will likely be necessary to address the legal issues of cloud computing.

"A lot of our laws are out-of-date with how they handle everything from e-mail security to data transfers," says Espinosa. "However, when we’re talking about the cloud, I think we need to appreciate that national solutions are never going to be fully adequate. What I mean by that is that the only way you’re going to come up with a solution that adequately protects the growth and expansion of cloud computing is with a multinational approach."

But not all enterprises are rushing to the cloud. "In truth, it’s not clear that even with such laws many major enterprises will ever put all of their ‘crown jewels’ of data resources out in cloud computing services," says Blossom. "However, as security and legal standards improve, it is becoming an increasingly compelling proposition."

Espinosa speculates that the future of cloud computing legislation may take the form of an international treaty such as the World Intellectual Property Organization (WIPO) Copyright Treaty, a 1996 treaty that standardized international intellectual property law and led to the U.S.’s Digital Millennium Copyright Act.

"You’re going to have to have a group approach such as what we have with WIPO," says Espinosa. "Right now, if you want to challenge a URL used by somebody else, WIPO provides a streamlined process that whether you’re in Germany, the United Kingdom, or the United States you can do. And it’s simple, it works, and it’s efficient. But it only works because Germany, the United Kingdom, and the U.S. are all signed onto this approach. If each country had its own rules for how you challenge a URL in that jurisdiction, you’d have a mess."
