Home / Blogs

The Proposed "Cloud Computing Act of 2012," and How Internet Regulation Can Go Awry

Eric Goldman

Sen. Amy Klobuchar has introduced a new bill, the "Cloud Computing Act of 2012” (S.3569), that purports to "improve the enforcement of criminal and civil law with respect to cloud computing." Given its introduction so close to the election, it's doubtful this bill will go anywhere. Still, it provides an excellent case study of how even well-meaning legislators can botch Internet regulation.

What the Bill Does

From its 1980s origins as a law restricting hacking into government computers, the Computer Fraud and Abuse Act (CFAA) has morphed into a general-purpose federal law against trespassing on anyone else's computers. With that breadth, the CFAA extends to a wide variety of activities, ranging from data scraping (see, e.g., EF Cultural Travel v. Explorica) to fake profiles (see, e.g., the Lori Drew prosecution related to Megan Meier's death) to ex-employees walking out the door with competitively sensitive information (see, e.g., US v. Nosal and WEC v. Miller).

The proposed bill's main substantive provisions attempt to give "cloud computing services" extra protections under the CFAA. First, the bill says that each unauthorized access of a cloud computing account counts as a separate CFAA offense. Second, the bill specifies a formula for computing losses in CFAA violations involving cloud computing services, setting a minimum floor of $500 loss per affected cloud computing account.

Problems with the Bill

The CFAA is Already a Mess. Good luck trying to read the CFAA's text. Constant amendments over the years have created spaghetti code. This bill adds only slightly to the CFAA's overall lack-of-tidiness, but every incremental amendment makes the CFAA more unwieldy.

The Definition of "Cloud Computing Service" is Incoherent. The bill seeks to protect cloud computing services, but what are those? Check out the bill's definition:

the term "cloud computing service" means a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.

What??? This sounds more like a vendor's sales pitch than a basis for criminal prosecution. We can reinforce the definition's weakness by trying to determine what isn't a cloud computing service. Every user-generated content website seems to qualify; but so should every online bank. In fact, this definition of cloud computing service probably becomes co-extensive with the Internet generally.

To be fair, the failed definition isn't totally the drafter's fault. I don't think it's possible to define "cloud computing service" precisely. Tip to legislators: if you can't clearly define your subject matter of your legislation, you're probably doing something wrong.

What's the Problem That Needs to Be Solved? I can't figure out how the proposed amendments address any problem we're seeing in the field. It's possible I've missed some relevant case, but I can't think of a single case I've seen where the CFAA underprotected a cloud computing service or this legislation would have changed the outcome. Seeking some clarity, I submitted a press inquiry to Sen. Klobuchar's office last week and got no response. So I have no idea what problem this bill purports to solve.


This bill exemplifies several ongoing problems with efforts to legislate the Internet:

1) Legislative grandstanding. It's flashy for legislators to tell their constituents that they are fighting hard to protect emerging technologies like "cloud computing." But legislators rarely understand cutting-edge technologies, and usually rapidly evolving technologies are poor candidates for legislative intervention. So legislators' efforts to push buzzword-laden legislation are often more for show than substance.

2) Regulatory exceptionalism. As I explain here, legislators keep creating new "exceptionalist" rules for subsets of the Internet ecosystem — online dating sites, social networks, cloud computing services, etc. We saw how well that worked in California's effort to ban employers from asking employees for social media login credentials. California so utterly failed at defining "social media" that it simply covered the entire Internet...and all non-networked electronic data too! Yet, legislators seemingly haven't learned from their colleagues' repeated failed efforts to precisely define the contours of some Internet subcommunity. The proposed CFAA amendment, and its gibberish definition of "cloud computing service," exemplifies this.

3) Code proliferation. For every problem, real or perceived, legislators think they can fix the problem with more regulatory code. But the manufacturing of new legal code exacts a toll of its own. This bill increases the CFAA's complexity with minimal or zero commensurate benefit. If Sen. Klobuchar or anyone else really wants to "fix" the CFAA, a good start would be to reduce the law's length, organize it better, and reduce its implications for users' ordinary Internet activity.

By Eric Goldman, Professor, Santa Clara University School of Law. More blog posts from Eric Goldman can also be read here.

Related topics: Cloud Computing, Internet Governance, Law, Policy & Regulation


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper


Sponsored by Verisign

Mobile Internet

Sponsored by Afilias Mobile & Web Services

IP Addressing

Sponsored by Avenue4 LLC

DNS Security

Sponsored by Afilias

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Leading Internet Associations Strengthen Cooperation

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Michele Neylon Appointed Chair Elect of i2Coalition

2016 U.S. Election: An Internet Forecast

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

i2Coalition to Host First Ever Smarter Internet Forum

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

What Holds Firms Back from Choosing Cloud-Based External DNS?

Dyn Weighs In On Whois

Season's Greetings - 2015 End of Year Message from DotConnectAfrica

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

"The Market Has No Morality" Sophia Bekele Speaks on Business Ethics and Accountability

Dyn Evolves Internet Performance Space with Launch of Internet Intelligence

Dyn Comments on ICG Proposal for IANA Transition

Hybrid Cloud Proves Clouds Are Worthy of Email Infrastructure

Verisign OpenHybrid for Corero and Amazon Web Services Now Available

DotConnectAfrica on "CONNECTing the Dots: Options for Future Action" at UNESCO, Paris

IBCA Presentation to ICANN GAC on Protection of Geographic Names in New gTLDs

Season's Greetings - 2014 End of Year Message from DotConnectAfrica