In mid-March 2012, a German court took a first step toward judicial regulation of the cloud. A court in Hamburg ruled that the file-hosting site Rapidshare must proactively filter the content uploaded by its users. The ruling may well be the first of its kind. In America, for example, as long as sites that host content take down any uploads that infringe a copyright when they receive notice, they are under no obligation to filter content as it is added to the site. In contrast, the Rapidshare decision (which came as the result of a lawsuit by German booksellers) requires the site to filter out infringing content before it is posted to the Web.
The specter of court-imposed rules relating to the operation of cloud-based services raises a number of important issues as governments transition to more efficient cloud structures. First, and most obviously, to the extent that a federal or state government uses a public cloud service, its content could be subject to this or other types of private sector scanning to enforce a variety of laws. Plainly, that would be unacceptable to any government user charged with maintaining the confidentiality of government data. The result, if it becomes widespread, would be to restrict governments to the private cloud, thereby significantly limiting their efficiency.
Conversely, given the uncertainties that seem to attend the use of public clouds, we need to be cautious in how we proceed. It seems particularly precipitous for Congress to mandate some federal agencies (like the Department of Defense) to use commercial cloud services instead of in-house private clouds – yet that is precisely what it has done. How to square that mandate with, say, a cloud filtering requirement is a radically indeterminate issue.
But a second lesson from the Rapidshare case is a more fundamental one about the allocation of policy-making authority. The executive branches of governments think that they are responsible for setting cloud policy – perhaps with a helpful assist from the legislative branch. But as the Rapidshare case shows, cloud policy may well be set by the judicial branch. Content filtering may or may not be wise policy; it may or may not be an executive priority; and it may or may not be affordable or feasible. But it is now the law in Germany (at least until the appeal is heard) and that decision was made by a judge, not the German Minister of Interior or the Bundestag.
Nor is it a phenomenon limited to foreign courts. In America recently, a standard federal contracting dispute seemed to turn on critical cloud policy considerations. Microsoft won a bid to provide cloud services to the Department of Interior (DOI). Google sued, alleging, in part, that the DOI’s security requirements for cloud services were too onerous and favored Microsoft. When the Federal Claims Court indicated that it might agree with Google, the DOI agreed to withdraw the award. And so, federal government cloud security standards are now the fodder for litigation before the courts.
The lessons from these two episodes should be clear. It is not enough for the executive branch to set cloud policy. Those policy determinations must also be backed up with a statutory framework that grounds the policy in law. Only with a solid statutory grounding (and a good legal strategy) will we actually get the case law and cloud policy we need. The stakes here are sufficiently high that the vendors are virtually guaranteed to litigate – with or without legislative guidance.
And so, the task ahead is clear. Congress needs to work aggressively to develop a comprehensive set of cloud policies and laws – addressing not only security concerns, but also issues of contracting, content filtering, interoperability requirements and the like. Perhaps that effort will not be as “sexy” as the cybersecurity debate that is just in the offing, but it is equally critical.
And meanwhile, the administration needs to do more to pronounce broad strategies and policies. It needs to work hand-in-glove with Congress to develop a concrete set of legislative proposals and then do a far better job of defending those proposals in the courts. Without knowing the details, one can, of course, offer no opinion on the merits of the Google/Microsoft dispute – but one can be justly disturbed that it was a federal court setting government cloud security policy rather than the executive or legislative branches.
One final amusing note demonstrates the dangers of relying on the courts to make these sorts of judgments – they are not always very consistent or coherent. To filter content, you must, of course, review content. That poses privacy issues. And though the German court has ruled that content filtering is mandatory, a competing decision from an EU court suggests that filtering may well be prohibited by EU law as a privacy violation.
For anyone wishing to provide cloud services in Europe, these conflicting judgments are the worst of all possible worlds – emphasizing again the need for focused executive and legislative action.
Richard Falkenrath is the former New York City Police Department Deputy Commissioner for Counterterrorism (2006-2010) and Deputy Homeland Security Advisor to the President (2002-2004). He is currently a principal at The Chertoff Group, a global security advisory firm, which advises clients on cyber security including cloud computing.