The CLOUD Act, or to give it full nomenclature, the Clarifying Lawful Overseas Use of Data Act, has been passed into law by POTUS 45. This little act has been touted as an update to the ECPA, or Electronic Communications Privacy Act, and ostensibly, this is the case. What is worrying, though, is the way that it has been signed into law as a part of the Omnibus Spending Bill, without the oversight that a base privacy law should have been given. It feels like it has been smuggled through.
This is an act that has been praised by technology companies. The below is an outtake from a joint letter from Apple, Google, Facebook, Microsoft, and Oath (the new name for Yahoo).
The new Clarifying Lawful Overseas Use of Data (CLOUD) Act reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data. Introduction of this bipartisan legislation is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer.
And vilified by privacy and civil rights organizations. This is an outtake of what the ACLU thinks of the law.
The CLOUD Act represents a major change in the law — and a major threat to our freedoms. Congress should not try to sneak it by the American people by hiding it inside of a giant spending bill. There has not been even one minute devoted to considering amendments to this proposal. Congress should robustly debate this bill and take steps to fix its many flaws, instead of trying to pull a fast one on the American people.
The Electronic Frontier Foundation also had a list of objections:
- Includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment.
- Fails to require foreign law enforcement to seek individualized and prior judicial review.
- Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
- Fails to place adequate limits on the category and severity of crimes for this type of agreement.
- Fails to require notice on any level – to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial orders, the bill allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
- The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation.
It seems that there are two sides to this story, and they are diametrically opposed. Why would the technology companies be on one side of the fence, and the civil rights organisations on the other? Especially considering Google’s mantra of “Do no Evil.” The wordings of legal documents often cause this type of result. Their intention is to be clear and leave little to no wriggle room for interpretation, but as you can see, the act has been read completely differently.
What Does It Mean?
What this article will attempt to do is open the curtain on the act and see what it actually means for you, the US citizen, and me, a noncitizen. Why would it affect me? Simple: this act is transnational in nature.
One of the main instruments for cross-border information sharing used to be management by a method called MLAT, or mutual legal assistance treaties. Via one of these treaties, two or more nation states would enter into an agreement on how they were willing to help each other with legal investigations. Each MLAT would have to undergo a Senate vote and receive a two-thirds majority to be activated. Now, any law-enforcement agency at any level—so theoretically a beat cop from the local police or a federal agent—can force a company to hand over data regardless of the location. Even more worrying, they can do this without the need for judicial oversight in the form of a warrant.
What is also interesting is that this is a two-way street. In a mannger similar to MLAT, nation states can enter into mutual agreements regarding the sharing of data; however, now, the authorisation is with the Secretary of State, the Attorney General, or POTUS. That’s right, the executive branch: no oversight by Congress, the Senate, or SCOTUS.
Now, if we look at this from the perspective of national security, this new law could possibly make US citizens more secure, as a MLAT would take up to ten months to become active, and in that time, any information could cease to be useful, as it might become outdated. This could be acceptable in theory. However, the lack of oversight is worrying. Also worrying is that the replacement MLAT is also bidirectional. The foreign governments’ law and secret services have exactly the same rights of access in the other direction.
This still does not answer the question of why the tech companies appear to approve of it. This position is particularly odd considering the fact that the US government and Microsoft are still partaking in legal action over a US demand for data stored in Microsoft’s Irish data centers.
There is currently a bit of an information war going on. Who owns the data, the individual identified in the information or the company that is storing the information? The US corporate position is on the side of less public privacy. The “If it is on our servers, it is our data, regardless of personal identifiers or the right to be forgotten” position. The rest of the world is being led by the EU, which, with its new GDPR regulations, believes that there is an inherent right to privacy and a right for things pertaining to individual citizens to be forgotten.
The US has wrapped the CLOUD Act up in a layer of national security bibble-babble. However, it is one of the biggest invasions of digital privacy that the US citizen, home or abroad, has ever had thrust upon them. This would not be that bad from the perspective of the rest of the world if it only affected US citizens, but the new concept of mutual agreements between nation states without any judicial or government oversight is a worrying move.
It is as yet unclear what the fallout of the CLOUD Act—or, in fact, the EU GDPR regulations—will be, but a few people will be getting richer, and that is not the common folk, but lawyers.