Controversial CLOUD Act Sneaked into Omnibus – Governments No Longer Need Warrant to Access Your Data
While the media was focused on the United States avoiding a government shutdown, the $1.3 trillion budget spending bill that was passed by the House of Representatives also included the controversial CLOUD Act - Clarifying Lawful Overseas Use of Data Act. This legislation enables domestic and foreign law enforcement to access user data without a search warrant or strong probable cause.
The legislation passed by the US Congress last night is part of the massive spending bill and it expands law enforcement's access to data held overseas. As companies store data across international borders on servers located everywhere from Europe to Asia to the United States, governments have been pushing for a law that could be used to request data kept outside national borders. One case that attracted attention was Microsoft's fight with the US government, when law enforcement demanded that the company hand over data stored in Ireland without going through the MLAT (mutual legal assistance treaty) process.
Those who support the CLOUD Act suggest that MLAT is no longer sustainable as it depends on one country abiding by another country’s court system. For all the local crimes, the proponents argue, foreign countries cannot be brought in or even pushed to deliver data on time.
Privacy advocates and nonprofit groups, however, have opposed the bill for its overreaching clauses. The Act enables an attorney general to unilaterally enter into agreements with foreign countries, bypassing court protections. It also enables law enforcement and tech companies to avoid notifying the user or the local government when a data request is sent, which means there is close to no oversight.
"Because of failures by some lawmakers to review and markup legislation in a responsible manner, the dangerous cross-border data bill the CLOUD Act was just approved by the House of Representatives in a 256-167 vote for a massive omnibus spending bill." - Electronic Frontier Foundation.
EFF said that representatives were handed a 2,232-page bill at 8PM to review and approve for a floor vote by the next morning. As always, legislation that hurts user privacy was added in the final pages as an afterthought. The CLOUD Act has never been reviewed by any committee in either the House or the Senate, nor has it received a hearing.
"It was robbed of a stand-alone floor vote because Congressional leadership decided, behind closed doors, to attach this un-vetted, unrelated data bill to the $1.3 trillion government spending bill," EFF wrote. "Congress has a professional responsibility to listen to the American people’s concerns, to represent their constituents, and to debate the merits and concerns of this proposal amongst themselves, and this week, they failed."
No warrant needed - how CLOUD Act could easily be misused
The CLOUD Act not only enables the United States to seize data across the globe, it also enables foreign governments to do the same. The police can collect communications from private companies without ever needing a warrant or probable cause. The Act enables the US to demand personal data stored elsewhere and foreign police to do the same with the data stored in the US.
No judge is involved, no review of the process, no oversight. The CLOUD Act also enables the US president to enter into "executive agreements" with foreign nations that may have weaker privacy laws to access data stored in the country while ignoring privacy laws. As EFF wrote, this is how the CLOUD Act would work in practice:
London investigators want the private Slack messages of a Londoner they suspect of bank fraud. The London police could go directly to Slack, a U.S. company, to request and collect those messages. The London police would not necessarily need prior judicial review for this request. The London police would not be required to notify U.S. law enforcement about this request. The London police would not need a probable cause warrant for this collection.
Predictably, in this request, the London police might also collect Slack messages written by U.S. persons communicating with the Londoner suspected of bank fraud. Those messages could be read, stored, and potentially shared, all without the U.S. person knowing about it. Those messages, if shared with U.S. law enforcement, could be used to criminally charge the U.S. person in a U.S. court, even though a warrant was never issued.
The bill carrying huge privacy implications globally will now move to the Senate, after which President Donald Trump has pledged to sign it. Facebook, Apple, Microsoft, and Google all supported the Act in a letter authored in February, calling it "notable progress to protect consumers' rights." Tech companies are supporting this bill amid fears that foreign governments may move to pass laws that demand tech companies store data locally, within the borders of the country of which they are a citizen.
There was clearly a need for legislation that could enable law enforcement to prosecute criminals without being limited by data stored outside of the country. However, the CLOUD Act appears to be another way of wiretapping users considering there's no oversight and it is inadequate to protect individual rights. While the CLOUD Act may have been improved over time, the way it was stuck onto the Omnibus to avoid public debate only makes it even more controversial.