Cloud computing vendors need to band together to create rules on privacy and security or face the prospect of having the U.S. Congress pass regulations, Microsoft General Counsel Brad Smith said Wednesday.
During a speech at the Brookings Institution, a Washington, D.C., think tank, Smith called for new “truth-in-cloud-computing” principles that would let consumers and businesses know how their information will be accessed by service providers and how it will be stored online.
“These principles should ensure that there is transparency over how data is protected,” he said. “Simply put, it should not be enough for service providers simply to say that their services are private and secure,” Smith added. “There needs to be some transparency about why this is the case.”
Cloud providers should maintain a comprehensive security program and should disclose whether their security efforts meet security standards, Smith said. Customers should know how they can reclaim their documents and data, he added.
Cloud computing vendors could create a self-regulatory code, or they could face regulation from Congress, Smith said. Action from Congress is “likely,” he said. If regulation happens, Microsoft would prefer it on the national, rather than state level, he said.
“Simply put, it should not be enough for service providers simply to say that their services are private and secure,” Smith added. “There needs to be some transparency about why this is the case.”
Smith also called for the U.S. government to work with other nations on an agreement that would allow cloud providers to operate without having to comply with laws in every country they have customers. The U.S. and other countries should establish a multilateral “free trade zone” for data packets, he said.
A handful of other governments have already tried to gain access to data stored in the U.S., he said.
“Where different laws conflict, a decision to comply with a lawful demand for user data in one jurisdiction may place a provider at risk of violating laws elsewhere,” he said. “This also makes it more difficult to provide consumers with accurate information about when and how their personal information might be accessed by law enforcement.”
Microsoft also supports efforts to update privacy protection laws to deal with online activities, and it wants changes to computer crime laws that would make it easier for prosecutors to charge cybercriminals, Smith said. In some cases, it’s difficult for prosecutors now to place monetary values on stolen documents, e-mail or digital photos, he said.
One way of dealing with this problem would be a change in the law that would fix the value of such items for each victim, then allow prosecutors to multiply that amount by the number of victims to determine charges, Smith said.
Smith also called for Congress to allow cloud providers greater latitude to pursue civil lawsuits against attacks, and he called for larger fines for attackers that break into data centers. In most cases, the fines for breaking into a data center are the same as for attacking a single computer, he said.
Smith didn’t directly address critics who say that cloud computing locks customers into one vendor, but he noted that a recent survey commissioned by Microsoft found that 75 percent of senior business leaders said safety, security and privacy are the top potential risks of cloud computing. More than 90 percent of the general population and business leaders would be concerns about the security and privacy of their own data in a cloud computing environment, according to the survey, by Penn Schoen & Berland.
But cloud computing, although not well understood by the general public, offers great potential benefits, Smith added.
“Cloud computing, properly implemented, provides users with greater flexibility, portability and choice in their computing options,” he said. “You can rely on the cloud for as little or as much of your computing needs — and keep as much data and computing functions locally on site — as you want.”