Report: Cloud computing means export laws need updating

Could some Americans be breaking export-control laws just by sending e-mail? That's one of many questions raised by the increase in cloud computing, according to a Brookings report released on Monday.

Regulators need to provide clear guidance to users of the cloud, said John Villasenor, senior fellow in governance studies and the Center for Technology Innovation at the Brookings Institution and a professor of electrical engineering at the University of California (Los Angeles).

"Regulators can ... play an important role in providing guidance and potentially in updating regulations to help American businesses benefit from cloud computing while also maintaining appropriate protections against the unauthorized export of sensitive software and technology," he wrote.

He said that the technology, which often crosses borders and features servers located in multiple countries, poses many challenges to export-control laws, which regulate what information and software can be shared overseas. And the uncertainty will only get worse as the market grows - Villasenor cites an April 2011 report from Forrester Research that shows the overall size of the cloud computing market will reach $40 billion in 2011 and grow to more than $240 billion in 2020.

"While the concept of the cloud is centered on the premise of removing the need to track the details of data movement among various destinations, export-control regulations are built largely around restrictions tied to those very movements," Villasenor wrote.

He cites a hypothetical example of a person opening an e-mail while traveling internationally, unaware that it contains information restricted by Export Administration Regulations. Currently, sending restricted information in a physical letter overseas can be a clear violation of export laws. What is less clear, Villasenor says, is what happens when restricted information is sent by e-mail and opened in another country. Neither the sender nor the recipient may have intended for the information to be sent overseas, but export laws could have been broken.

Or, for instance, a company could unknowingly host restricted software on servers overseas. Companies that are used to dealing with export-controlled information or software are usually well positioned to ensure that their businesses are in compliance. But a growing number of businesses and individuals need to consider export rules as they switch to cloud-based services, according to the report.

The report recommends that service providers offer users control over where their information or software is based. Companies and people that deal with restricted content also need to be aware of the issues of cloud computing and take steps to make sure they comply with export laws.

Congress will have to take a hard look at export-control laws, Villasenor said, because it looks as if the cloud is here to stay. Just last week, the Obama administration said it was closing 800 data centers by 2015 to cut $3 billion worth of duplication and inefficiency, moving much of the work to the cloud.

"A hands-off regulatory approach with respect to cloud computing would constitute a de facto weakening of U.S. export-control regulations, as cloud computing has created numerous new vectors for information movement," Villasenor wrote.

"However, if American companies are subject to overly conservative restrictions regarding cloud computing that greatly reduce their ability to benefit from its efficiencies, they will be less able to compete globally. While regulation is always an exercise in navigating tradeoffs, the tradeoffs at the intersection of cloud computing and export control are particularly nuanced."

Villasenor says that lawmakers could update export laws to support increased security in cloud computing and provide guidance to users of such services.