According to both the USA Patriot Act and the Foreign Intelligence Surveillance Act (FISA), US agencies can access any data held by a US company, regardless of whether that data is stored outside the US.
This is a major headache for US tech companies because:
a) It damages consumer confidence, as customers will know their data is not safe with US companies.
b) It puts them in an impossible position with regards to international law, which requires that companies operating within a legal jurisdiction obey the data protection laws of that jurisdiction
This issue came to a head when the US government issued a warrant for emails relating to a drug investigation that were stored on Microsoft’s servers in Ireland. Microsoft refused to comply, and has since been embroiled in a long running legal battle with the US government over the issue.
The Cloud Act
The Clarifying Lawful Overseas Use of Data (CLOUD) Act aims to establish reciprocal agreements that allow the US government to access data stored overseas in exchange for allowing foreign governments to access data stored in the US. The bill was introduced by Senator Orrin Hatch (R-UT), who explained its purpose thus:
“We need a common sense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries’ differing privacy regimes. The CLOUD Act creates such a framework and will also help set a precedent for our allies as they deal with this problem, too.”
If no such agreement exists with a country and the demand for data breaches local privacy laws, then tech companies can quash the demand. This neatly solves headache b) for Microsoft, as it will allow the company to comply with demands for overseas data without breaking international law.
It is therefore unsurprising that Microsoft CEO Brad Smith has praised the legislation, and that multiple technology trade associations that lobby for Microsoft have signed a letter (.pdf) in its support:
“The bill would establish a clear statutory right for providers to challenge an order that would create a conflict of law with a qualifying foreign government — that is, a foreign government that has a reciprocal agreement with the U.S.”
Anyone who cares about digital privacy, however, should be very worried…
A dangerous expansion of government surveillance powers
The Cloud Act gives the US government and law enforcement bodies explicit powers to access “the contents of a wire or electronic communication and any record or other information” about a person regardless of where they live or where in the world that data is a stored.
In many ways this simply reiterates the current situation. Both the Foreign Intelligence Surveillance Act (FISA) and the USA Patriot Act require US companies to hand over data no matter where it is stored or who it belongs to.
This, in fact, what the entire Microsoft legal battle has been about – whether or not these laws give the US government the power to do this! The Cloud Act explicitly does, and thereby renders the upcoming Supreme Court decision moot (the new law is ambiguous about whether non-US companies can also be coerced).
In order to smooth this rather confrontational demand with foreign governments, the Cloud Act allows the President to enter reciprocal agreements with “qualifying” governments that would allow the US to access data stored in those countries without the need to comply with their privacy laws.
As the Electronic Frontier Foundation (EFF) points out, the standards of oversight for handing over data via these reciprocal agreements:
- do not meet US Forth Amendment warrant requirements
- do not require any foreign internal or judicial review procedures, and
- do not meet US domestic surveillance rules mandated by the Wiretap Act.
Indeed, the foreign country where the data is stored does not even to be notified when a company is required to hand over data stored there.
“The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation. This denial of privacy rights is unlike other U.S. privacy laws.”
The Cloud Act co-opts the upcoming Supreme Court ruling on the Microsoft case by explicitly granting the US government power to access data stored overseas, while at the same time providing a legal framework that allows it to do so without upsetting other countries.
This is a win for both the US and partner foreign governments, as it grants them to access vast troves of data that are currently off-bounds. It is also a win for US tech companies, as it allows them to comply with demands for such data without breaching international law (and power to refuse them when it does).
The end result is a large expansion of government surveillance powers with lower requirement and oversight standards than are currently required by US, international, and most local law. It is therefore a major lose for ordinary citizens everywhere, as digital privacy standards are further eroded.