Emergence of Cloud Computing = Government Regulation Can’t Be Far Behind

by on January 22, 2010 · 3 comments

Brad Smith, Microsoft’s Senior Vice President and General Counsel addressed the Brookings Institution earlier this week calling for government to get involved to enhance the safety, security and privacy of the “Cloud.” (Here’s a transcript of his remarks)

Smith alluded to the fact that cloud computing is undergoing a powerful transformation and correctly pointed out that, even though millions of Americans are using cloud computing platforms today (and have been for years), a far majority of them have no real concept of what cloud computing actually is or does — and neither to most policymakers.

This speech was very well timed, given the current Google-China kerfuffle from the past couple of weeks. Essentially, who is in charge of the data in the cloud? How can we guarantee that best practices are being used by providers? And, what role will the federal government play in the regulation of this powerful emerging technology?

Without getting into too many specifics, Smith called for a Cloud Computing Advancement Act, which would promote innovation, protect consumers and provide the Executive Branch with new tools needed for a new technology area. Now, it seems that protecting consumers is the only one of those three points in which the government should play an active role. Legislating innovation seldom works how legislators foresee and giving any administration more tools for controlling the Internet has been met with some skepticism.

But there are modernizations that can take place within existing consumer protection laws, as Smith points out. One of the more interesting and valid examples Smith highlights is that many of the existing laws were written with the single PC in mind. A data thief breaks into a business’ or person’s computer and steals data — when caught the perpetrator may face only a single charge for each break-in. But when dealing with data centers that hold thousands of servers hosting potentially hundreds of thousands or millions of users’ data, the stakes need to be upped. Perpetrators of data center break ins should face charges for each user affected, or thereabouts.

Another point at which I will agree with Smith is his insistance that much of this new, or strengthened policy, be worked out on the federal level instead of having the states take the issue of cloud computing regulation on separately. It would be unfortunate if all 50 states jumped onto the regulatory bandwagon for a product that knows no boundaries.

The cloud computing platform is changing and growing extremely fast; it’s been a scant couple of years since the term really even took off. And government regulators will, as always, be forced to play catch-up (which most of the time is just fine). And as far as the transparency or, “truth in cloud computing” Smith wants among cloud providers, that may be tougher than he thinks; or it could be a veiled swipe at other providers who aren’t as transparent as Smith wants. He does suggest, lastly, that perhaps the cloud provider industry come together around a new self-regulatory code. This option should be first and foremost, before bringing in the FTC.

Nevertheless, it was an interesting speech because Microsoft, for all its ups and downs fighting for marketshare in the cloud, is now a major player in this discussion and perhaps this speech set the tone for the next year in how policy and cloud computing will collide.

For more on the issue of regulatory control and the Cloud, check out this piece by Holman Jenkins in today’s The Wall Street Journal.

  • http://www.guerilla-ciso.com/ rybolov

    Awww, come on, guys. If the government gets involved in looking at the security, their answer is going to be rules and audits which will effectively stifle innovation in the market–look at what it's done to IT innovation in just about every industry where IT security is regulated. You're shocking me by suddenly saying that the market is broken and citing google and china as an example when in my opinion, the market here worked.

    There is a community cloud security effort at self-regulation, have a look at http://www.cloudsecurityalliance.org/ and what Chris Hoff and Andy Ellis are doing with A6: it's an API to audit the cloud. http://www.scribd.com/doc/18515297/A6-API-Docum

  • http://www.guerilla-ciso.com/ rybolov

    Awww, come on, guys. If the government gets involved in looking at the security, their answer is going to be rules and audits which will effectively stifle innovation in the market–look at what it's done to IT innovation in just about every industry where IT security is regulated. You're shocking me by suddenly saying that the market is broken and citing google and china as an example when in my opinion, the market here worked.

    There is a community cloud security effort at self-regulation, have a look at http://www.cloudsecurityalliance.org/ and what Chris Hoff and Andy Ellis are doing with A6: it's an API to audit the cloud. http://www.scribd.com/doc/18515297/A6-API-Docum

  • http://jerrybrito.com Jerry Brito

    Every time I hear a service provider asking the government to regulate him (and his competitors) I get very suspicious.

Previous post:

Next post: