The modern world of cloud computing, where data can move seamlessly across most borders, presents challenges for law enforcement agencies and tech companies working with laws designed for a different era. A new law designed to address these international issues that has the support of both parties is pending before Congress, but privacy advocates and others are worried this solution will create an entirely new set of problems.
The CLOUD (Clarifying Lawful Overseas Use of Data) Act was introduced by Utah Senator Orrin Hatch and Georgia Representative Doug Collins in early February, and it seeks to change the way U.S. law enforcement agencies go about getting data from tech companies that is stored outside the U.S., as well as how foreign governments conduct their own investigations seeking data from U.S. tech companies. It has the support of both the Department of Justice and Microsoft, which are awaiting the decision of the Supreme Court on a case that involves many of the same issues, as well as the broader tech industry.
However, privacy advocates such as Neema Singh Guliani of the American Civil Liberties Union are concerned about how the proposed law gives a great deal of leeway to the executive branch when it comes to determining which countries are allowed to subpoena U.S. tech companies, removing a judicial review. And those concerns are growing this week after Gizmodo reported Thursday that the Senate is likely to tack the CLOUD Act onto the much larger spending bill scheduled for next week that will need to pass to avoid shutting down the government.
“I think the CLOUD Act and some of the proposals in it, are one of the more consequential pieces of legislation I’ve seen,” said Guliani, legislative counsel with the ACLU, in an interview with GeekWire. “This is a big change, and a big shift in the way things are done.”
Seeing through the cloud
The CLOUD Act is designed to streamline the process through which law enforcement organizations — both foreign and domestic — obtain the personal data of users on U.S.-based tech services. The idea is to encourage countries to sign mutual legal assistance treaties with the U.S. that set out rules for how such requests are processed, and to clarify that data belonging to U.S. citizens is subject to a lawful warrant even if it is stored overseas, one of the key issues in the Microsoft-DOJ case argued earlier this year.
It does this by removing a few steps in the process. Right now, foreign governments that are conducting investigations on their citizens and want to access data stored by a U.S.-based tech company must have a mutual assistance treaty with the U.S. on the books and then submit a request to the Department of Justice, which must also get sign-off from a U.S. judge before it is passed on to the tech company.
Under the proposed law, that judicial review will be removed, and the executive branch’s only responsibility will be to negotiate the treaties with foreign governments. Foreign governments would then submit requests directly to tech companies, which would still have the ability to fight a request if they deemed it unlawful or excessive.
Microsoft and other big tech companies think this is the best way to go.
“The CLOUD Act creates both the incentive and the framework for governments to sit down and negotiate modern bi-lateral agreements that will define how law enforcement agencies can access data across borders to investigate crimes,” Microsoft President and Chief Legal Officer Brad Smith said in a blog post entitled “A problem Congress should solve” the day his company argued its case before the Supreme Court. “It ensures these agreements have appropriate protections for privacy and human rights and gives the technology companies that host customer data new statutory rights to stand up for the privacy rights of their customers around the world.”
Some supporters of the bill think it will stave off the data-localization movements that have been gathering steam in the post-Snowden era. Cloud companies are freaked out about the extremely expensive possibility that without a new procedure for handling these requests, foreign countries could simply declare that all data generated by their citizens be stored within their borders, making it subject to their laws. After all, if the U.S. wants to declare that it can obtain data on its citizens stored in a foreign country like Ireland, as the DOJ argued before the Supreme Court, it’s harder to argue that the U.S. government should be able to closely review applications for such data when placed by other countries seeking data stored inside the U.S.
Data localization laws would put a sizable dent in the operating margins of cloud tech companies, and would also present new technical challenges. One of the big advantages of cloud computing stems from the fact that data can be stored wherever efficiency dictates it should be, and adding new gates into the connection between tech companies and their users could hurt performance and reliability.
Making the world a better place?
However, the last couple of years haven’t really been banner ones for mass surveillance efforts by law enforcement agencies and big platform tech companies. Distrust of both organizations is probably at an all-time high, thanks to the Snowden revelations and the growing alarm at the amount of personal data generated on services like Facebook, Google, and other social media and internet companies that use cloud computing services.
Critics of the CLOUD Act are concerned that it allows the executive branch of the U.S. government way too much power to decide which countries it will share information with, and how, at a time when a sizable portion of the country is wary of the motives of the current executive branch. There is language in the bill that says the executive branch can only negotiate treaties with countries that adhere to human rights agreements, or demonstrate respect for due process when it comes to seeking information on their citizens, but there is no specific definition or remedy for how to determine if a country’s laws really offer things like “protection from arbitrary and unlawful interference with privacy,” as one section of the bill states.
For example, take a country like Turkey, Guliani said. A few years ago, Turkey might have been considered a country with good-enough respect for human rights, but things have changed very quickly in Turkey, and treaties are hard to rip up once they’ve been signed. The bill would also allow countries that inadvertently collect intelligence on U.S. citizens while investigating their own citizens — following laws that may or may not be consistent with U.S. law — to turn that data over to the U.S. government, without any kind of warrant process, she said.
Guliani and others believe this bill exposes individuals to abuse by law-enforcement agencies and also puts an undue burden on smaller tech companies to respond directly to requests from foreign governments. Companies like Microsoft, Amazon, and Google can throw lawyers around with the best of them, but startups operating moderately popular services don’t necessarily have the same legal budgets to draw upon should they be confronted with a request for user data they believe to be excessive.
And what happens when a foreign government pressures a tech company to either give up user data or face business consequences in that country? Most tech companies at least talk the talk of being forces for good in the world, but they are massive corporations, and massive corporations tend to wind up doing things that are in the best interest of the massive corporation.
We’re voting on what?
As is fashionable in Washington, D.C., in 2018, it’s quite likely the CLOUD Act will come to a vote without any hearings or public discussions about the merits of the bill, should it get attached to the omnibus bill scheduled for a vote next week. The usual chaos surrounding the possibility of a government shutdown and the general circus that has enveloped our modern edition of Congress suggests there will be little time to discuss a bill that could have wide-ranging ramifications for tech companies, their users, and surveillance efforts around the world.
But supporters of the bill argue that without quick passage of the CLOUD Act, foreign countries will simply abandon the current system of funneling requests through the DOJ in favor of data localization laws that might well provide fewer privacy protections than the meager ones laid out in the bill.
“In short, the United States has a time-limited moment to use its current, but perhaps fleeting, leverage as the holder of so much of the world’s data to set privacy-protective standards that foreign governments can be pushed to meet,” wrote Jennifer Daskal and Peter Swire in Lawfare this week. “Once foreign governments implement data localization mandates or find alternative ways to bypass the U.S. system, the U.S. leverage will be lost.”
Washington has never really been able to keep up with the pace of change in Silicon Valley, which has amassed immense power over the past few decades in part because few legislators actually understand how technology works. Perhaps the passage of the CLOUD Act could offer forward-thinking regulators an opportunity: if we’re going to remove one layer of government review of cases involving the transfer of sensitive personal data from massive tech companies to foreign governments, perhaps it is time to regulate those massive tech companies with a stronger hand.