Updated, 3/26/2018, 12:20pm PT: President Trump signed the omnibus spending bill after first threatening to veto it (for reasons unrelated to the CLOUD Act) on Friday.
EPIC, a digital rights organization, submitted an amicus brief in the related Microsoft vs. Ireland court case that's now being heard by the Supreme Court. EPIC believes that law enforcement access to data stored in foreign countries should be obtained under international consensus and comply with human rights norms. Many organizations have endorsed the Madrid Privacy Declaration, which would establish strong international privacy protections for personal data.
Original article, 3/23/2018, 8:30am PT:
After finally being able to renew and extend the Foreign Intelligence Surveillance Act (FISA), despite much criticism and controversy, Congress passed yet another warrantless surveillance law called the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) mere months later.
The bill, which was added to the omnibus spending bill at the last minute, without any debate, also received support from big technology companies such as Microsoft, Apple, Google, Facebook, and others. The bill is yet to be signed by President Trump.
What Is The CLOUD Act?
The CLOUD Act will allow foreign law enforcement to request data from American companies, even if the data is hosted on U.S. soil, without obtaining any judicial approval or warrant from a U.S. judge. It will also work in reverse, and it will essentially undo an Appeals Court's ruling in the U.S. that said that law enforcement can't get an American's data if it was stored on servers abroad.
It will also do away with the Mutual Legal Assistance Treaty (MLAT), which required foreign powers seeking data to jump through several hoops. First, they had to send a request to the U.S. Department of Justice (DOJ), then the DOJ had to get a judge’s approval, and then the foreign government would finally be able to get the data from the American tech company.
Why Big Tech Supports It
As the name suggests, the CLOUD Act seems to have been written on behalf of technology companies, because the law would presumably convince other nations that they don’t have to require American tech companies to store their data locally to be able to access their citizens’ data.
The data localization bills came about only after Edward Snowden showed the extent of the NSA's mass surveillance. That revelation gave many governments an excuse to require tech companies to build local data centers, presumably for national security purposes. However, some of the first governments to require it were China and Russia, which had at least as big an interest in more easily obtaining their own citizens’ data from foreign services as they had in ensuring that foreign services aren’t backdoored by American intelligence agencies.
The U.S. Congress seems to want to “fix” this situation by giving the foreign powers exactly what they wanted all along: easy access to their citizens' data with no judicial approval (or even any approval from the U.S. government) required. Democratic nations may still be able to require their law enforcement to at least get a warrant from their local judges before requesting someone’s data from a foreign service, but this will probably not be the case for less democratic ones.
Despite all of these issues and the fact that the original MLAT had much stronger human rights protections built into it, U.S. tech companies seem to be calling the CLOUD Act a “notable progress to protect consumers’ rights”, perhaps to disguise the fact that it’s really about potentially saving them billions of dollars by not having to build data centers in other countries.
Additionally, if the bill were so good for consumers' rights, then it wouldn't have to be added to the last pages of the must-pass spending bill at the last minute and without any debate in Congress.
Consequences Of The CLOUD Act
According to the EFF, the bill will:
- Enable foreign police to collect and wiretap people's communications from U.S. companies, without obtaining a U.S. warrant.
- Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.
- Allow the U.S. president to enter "executive agreements" that empower police in foreign nations that have weaker privacy laws than the United States to seize data in the United States while ignoring U.S. privacy laws.
- Allow foreign police to collect someone's data without notifying them about it.
- Empower U.S. police to grab any data, regardless if it's a U.S. person's or not, no matter where it is stored.
Tucked away in the omnibus spending bill is a provision that allows Trump, and any future president, to share Americans’ private emails and other information with countries he personally likes. That means he can strike deals with Russia or Turkey with nearly zero congressional involvement and no oversight by U.S. courts.
This bill contains only toothless provisions on human rights that Trump’s cronies can meet by merely checking a box. It is legislative malpractice that Congress, without a minute of Senate debate, is rushing through the CLOUD Act on this must-pass spending bill.
How The CLOUD Act Could Be Misused
As an example of how the law would work in practice and how it could be misused, the EFF said that British police could ask for chat messages between a British citizen and an American if they are investigating the British person. The British authorities would no longer have to notify the U.S. government about this request, as they were supposed to do with the MLAT, nor would they need to obtain judicial review.
Foreign countries are supposed to “minimize” the data they store on Americans, but they could also share it back with the U.S. government, and then that warrantlessly obtained data could be used against the U.S. person in courts. This would be possible because the data will technically come from a different government, and it wouldn't be the U.S. government that obtains it. This could be another way for law enforcement to bypass the Fourth Amendment in the United States.
There was already evidence of some back-and-forth sharing between intelligence agencies, in the sense that two countries agree to spy on each other’s populations and then share the data with each other, because they can’t legally spy on their own without too many restrictions. The CLOUD Act could further expand such operations, while also further legalizing this practice.
Additionally, as we’ve seen with FISA, some nations could use this sort of request as a backdoor search on Americans, too. For instance, if Russia were to target a high-profile American citizen, it could request data on Russians speaking to that American citizen, even if it has no interest in those particular Russians. This way, it could get the American citizen’s data without a warrant and without U.S. law enforcement even knowing about it, because the CLOUD Act allows foreign nations to go straight to the tech companies to request the data.
The CLOUD Act may save companies some money because they won’t have to relocate some of their data centers abroad (which was a problem created in the first place by the widespread surveillance of the American government). However, it will likely lead to many abuses by foreign nations, too, or even U.S. local law enforcement.
The CLOUD Act hasn’t been signed into law yet by President Trump. However, considering it’s been tacked onto the last few pages of the spending bill, chances are that its passing is now imminent, unless President Trump decides to veto the whole spending bill.