Amid the many crises and political shenanigans going on in Washington this week, quietly, covertly, and without fanfare, privacy suffered a major blow. While the public was distracted by all things Facebook/Cambridge Analytica, Trump and a possible porn star fling, the Cloud Act, surreptitiously snuck into a $1.2 trillion, 2300 page budget bill, was passed into law.
This should give all reasonable-minded people (never mind privacy aficionados) cause for concern. In hindsight, Cloud ActTo be sure, law enforcement types of all stripes are hailing the law’s enactment. For starters, CLOUD clarifies the guidelines for law enforcement to see emails and other related communications stored on the internet, and doesn’t preclude the long arm of the law from stretching overseas if that’s where the information is stored.
“Now law enforcement won’t be blocked from accessing someone’s Outlook account, for example, just because Microsoft happens to store the user’s email on servers in Ireland,” news sources reported. But wait - as alarming as this development is far- it pales in comparison to the other provision in the law. In what the Electronic Frontier Foundation (EFF) calls “far-reaching” and “privacy-upending,” the CLOUD Act will also allow the transfer of private data from domestic servers in the US upon request by investigators in other countries - thereby emboldening the global surveillance state.
In the past few weeks, I have written several articles on this issue, as the CLOUD Act is at the heart of a dispute about which the U.S. Supreme Court has been hearing oral arguments in the U.S. v. Microsoft case. It seemed to be wishing that Congress would run with the ball and update the antiquated 1986 law that underpinned the legal action. I may not have stated my case exactly the way I wanted, or my article was misinterpreted. I was merely hoping that the Supreme Court wouldn’t have to rely on an arcane law promulgated before there was a cloud.
I naively thought that Congress was the body to update the three-decades-old statute, thoughtfully debate the pros and cons, weigh their merits, and bring it to an up or down vote. I wasn’t campaigning for this outcome, which was tacked onto a 2300-page bill as an afterthought. It deserved consideration as a standalone item with important implications.
The dangers to privacy that this law presents are apparent. Foreign governments will be enabled and empowered to abuse private data stored in the US without warrants or prior review by a judge. Not only that, governments who are friendly and maybe even human rights sensitive today, might not be so tomorrow. Yet there is no language to prevent their continued access to personal data in that eventuality. And the law purports to “protect public safety and combat serious crime, including terrorism.” Possibly hypocritically, it ends up actually empowering bad actor States.
Just as appalling, foreign police can now collect personal data without notifying the individual. There are other equally odious provisions, which all add up to what appears to be a sell-out of its citizens to foreign governments - good and bad, friend or foe. Why then, are US companies like Microsoft so quick to hail the CLOUD Act? This, for example, from Microsoft’s president and chief legal officer, Brad Smith. Endorsing it, he called the bill “a strong statute and a good compromise,” that “gives tech companies like Microsoft the ability to stand up for the privacy rights of our customers around the world.”
This is a head-scratcher, since not too long ago, Smith maintained that “information stored in the cloud should have the same protections as paper stored in your desk.” Call me stupid, but I don’t see this as a win for privacy-minded folks. He also pointed out, as I did, that to refer to an outdated 1986 law, which didn’t seem to have any semblance of relevance in today’s digital world, would be wrong. Time will only tell whether any benefits accruing to the likes of Microsoft won’t be undermined by an avalanche of foreign governments looking to take unfair advantage of the CLOUD Act’s largesse and loopholes.
Image credit: By Valery Brozhinsky/Shutterstock.