On September 19, 2012, Senator Klobuchar introduced a bill titled “Cloud Computing Act of 2012” (the “Act”) that would amend the Computer Fraud and Abuse Act (“CFAA”). Essentially, the intent of the Act is to make it a criminal offense to access a server without authorization that is owned by a cloud provider. The Act defines a “cloud computing service” as “a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.” While others have criticized the Act for this definition alone, Senator Klobuchar used the definition of “cloud computing” that was developed by the National Institute of Standards and Technology, which is the generally accepted definition of “cloud computing.”
The problem with Senator Klobuchar’s bill is that it adds to the already confusing CFAA without adding any meaningful protection. The Act applies to a “protected computer” that is part of a “cloud computing service.” The term “protected computer” under the CFAA already has the broadest definition possible; namely, “a computer *** which is used in or affecting interstate . . . commerce or communication.” There is no distinction made as to the location of the computer or its connectivity to other computers. By this definition, every computer connected to the Internet is a “protected computer” because as it interacts with various websites, it is being used in interstate commerce.
Cloud computing is a delivery method for software. It is not, as the Act seems to suggest, a new type of computer that the CFAA failed to account for. It is back to the drawing board for Senator Klobuchar.