The Clarifying Overseas Use of Data (CLOUD) Act was signed into law on 23 March 2018. It piggybacked onto a 2,300-page budget bill authorizing $1.3 trillion in government spending. This was a very shabby move by the US government, as it bypassed any congressional debate on what is a far-reaching mass surveillance law with profound privacy implications.
What is the CLOUD Act?
The CLOUD Act aims to allow the US government to access data stored on overseas servers. In order to provide a legal framework for this at home, and to keep overseas governments where the data is stored sweet, it authorizes the President to enter into reciprocal agreements with other governments.
Or to put it another way: I’ll show you my data, if you show me yours. The legislation was introduced by Senator Orrin Hatch (R-UT), who explained its purpose thus:
“We need a common sense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries’ differing privacy regimes. The CLOUD Act creates such a framework and will also help set a precedent for our allies as they deal with this problem, too.”
If no such agreement exists between a country and the demand for data breaches local privacy laws, then tech companies can quash the demand.
It allows foreign governments to require US communications companies to provide them with real-time customers’ emails, text and phone communications, and to log their internet activity. They can also demand access to any existing such data.
All this without any kind of oversight from a judge or need to inform the target. As such, the CLOUD Act does not meet the warrant requirement specified by the Fourth Amendment.
US authorities will be able to do likewise for data stores overseas, no matter where it is stored or whether it belongs to a US citizen.
Foreign companies requesting data belonging to US citizens must abide by certain restrictions, but these protections do not seem to be extended to the US requesting data belonging to citizens of other countries (although this may depend on the exact terms of each reciprocal agreement).
Some background - United States v. Microsoft Corp
To understand the CLOUD Act is very useful to understand why it came about. Like all the big tech companies caught with their pants down by Edward Snowdon’s revelations that they fully cooperated with the NSA over spying on their customers, Microsoft has ever since been desperate to claw back public confidence.
Back in January 2014, Microsoft announced plans to allow non-US-citizens to store their data overseas:
“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.”
The implication was that this would protect data belonging to non-US citizens from being accessed by US intelligence services. As I noted with a somewhat raised eyebrow at the time, however,
“It should clearly understood that US companies are legally required under the Patriot Act to hand over information on their servers to US intelligence agencies, even if that information resides on servers outside the US. Basically, US agencies can access any data held by a US company, regardless of whether that data is stored outside the US, so it is unclear to us what benefits it will bring.”
The Foreign Intelligence Surveillance Act (FISA) similarly allows US agencies to access information stored in cloud databases located in the EU, but owned by US companies. All that US authorities need do is get a secret court to issue a secret surveillance order, which when presented to a US company they have no option but to comply with.
It therefore came as no surprise when almost immediately following its announcement, a US judge ordered Microsoft to hand over a customer’s emails, even though these were stored in Ireland. Interestingly, the FBI made the request under the 1986 Stored Communications Act, which many regard as obsolete in the modern digital age.
Were Microsoft to comply, it would have damaged already shaky consumer confidence, as customers would know their data was not safe with US companies. It would also have put Microsoft in an impossible position with regards to international law, which requires that companies operating within a legal jurisdiction obey the data protection laws of that jurisdiction
Backed into a corner, Microsoft fought back and became embroiled in a long-running legal battle with the US government over the issue.
After losing the last round of this prolonged contest, the government in June last year asked the Supreme Court to intervene. It agreed and began to hear oral arguments for the United States v. Microsoft Corp. case in February 2018.
The CLOUD Act, however, effectively renders any verdict the Supreme Court comes to moot. Whether it is simply a timely modernization of the outdated Stored Communications Act, or an act of deliberate sabotage against the upcoming Supreme Court decision is a matter for debate.
Microsoft, many US Cloud technology companies, and much of the mainstream media have welcomed the CLOUD Act, describing it a victory for privacy and international law.
“The CLOUD Act is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer.”
How the legislation can possibly be seen as a victory for privacy is baffling given that it widely expands both the US and foreign government’s warrantless surveillance capabilities.
Microsoft and the tech industry’s support, however, is more easily understood. It allows them to comply with data demands from the US and other governments without falling foul of international and local data protection laws.
The fact that the CLOUD Act will also inevitably result in many reciprocal arrangements with other governments also blunts concerns that US companies are uniquely hostile to privacy by ensuring that similar rules apply to most companies no matter where they are based.
The CLOUD Act therefore lets Microsoft off both hooks it was fighting the United States v. Microsoft Corp case over, and is a win for tech companies in general. What it is not a win for, however, is privacy and the digital rights of netizens everywhere.
The Cloud Act hugely expands the surveillance capabilities of the US government and its agencies by providing a framework for accessing private data belonging to anyone, no matter where in the world it is stored or if they are US citizens.
It can do this bypassing both US warrant requirement standards and, indeed, oversight rules in countries with reciprocal agreements.
It allows foreign governments’ to access data stored on US soil with very minimal judicial oversight. US citizens enjoy greater legal protections in this situation, but this is itself deeply problematical. It creates a two-tier system where the data of some people in the US is treated more inherently valuable than that of others. As the Electronic Frontier Foundation (EFF) explains:
“These privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation. This denial of privacy rights is unlike other U.S. privacy laws. For instance, the Stored Communications Act protects all members of the “public” from the unlawful disclosure of their personal communications.”
The law has come under further criticism for its lack of any mechanism for withdrawal from reciprocal arrangements once they have been made. This means that if diplomatic relations deteriorate, or if a country is discovered to have committed serious human rights abuses, it will still be able to access data stored on US servers.
This includes data belonging to dissidents and political opponents of what may be very repressive regimes. Indeed, such wide expansion of surveillance powers by the US government is likely to legitimize similar tactics by governments everywhere, and therefore to greatly increase government surveillance throughout the world.
In a statement the EFF said:
“Make no mistake—you spoke up. You emailed your representatives. You told them to protect privacy and to reject the CLOUD Act, including any efforts to attach it to must-pass spending bills. You did your part. It is Congressional leadership—negotiating behind closed doors—who failed.
Because of this failure, U.S. and foreign police will have new mechanisms to seize data across the globe. Because of this failure, your private emails, your online chats, your Facebook, Google, Flickr photos, your Snapchat videos, your private lives online, your moments shared digitally between only those you trust, will be open to foreign law enforcement without a warrant and with few restrictions on using and sharing your information. Because of this failure, U.S. laws will be bypassed on U.S. soil.”
Despite being widely lauded as a victory for privacy and “common sense,” the Cloud Act is anything but. It is a large expansion of government surveillance powers with lower requirement and oversight standards than are currently required by US, international, and most local law.
It is therefore a major loss for ordinary citizens everywhere, as digital privacy standards are further eroded.
The fact that the US government felt a need to sneak the legislation in on the back of an unrelated budget bill releasing a very large number of funds that the opposition Democrat Party has been demanding for ages, was a cynical move designed to quash any opposition to its provisions.
When such wide-ranging and profound changes are made to the privacy standards upheld by law, the public deserves a robust and fully-informed discussion to occur, in which its views are taken into account. In bypassing this fundamental democratic process, the US government has proved yet again that it is a shabby self-serving shadow of the institution it claims to be.
Image credit: By Sherry V Smith/Shutterstock.
Image credit: By Ivan Marc/Shutterstock.
Image credit: By Bob Venezia/Shutterstock.