Securities & Exchange Commission Charges Former Equifax Executive With Insider Trading
Airlines Want To Extend 'Dynamic Pricing' Capabilities To Set Ticket Prices By Each Person

The 'CLOUD Act' - What It Is And What You Need To Know

Chances are, you probably have not heard of the "CLOUD Act." I hadn't heard about it until recently. A draft of the legislation is available on the website for U.S. Senator Orrin Hatch (Republican - Utah).

Many people who already use cloud services to store and backup data might assume: if it has to do with the cloud, then it must be good.  Such an assumption would be foolish. The full name of the bill: "Clarifying Overseas Use Of Data." What problem does this bill solve? Senator Hatch stated last month why he thinks this bill is needed:

"... the Supreme Court will hear arguments in a case... United States v. Microsoft Corp., colloquially known as the Microsoft Ireland case... The case began back in 2013, when the US Department of Justice asked Microsoft to turn over emails stored in a data center in Ireland. Microsoft refused on the ground that US warrants traditionally have stopped at the water’s edge. Over the last few years, the legal battle has worked its way through the court system up to the Supreme Court... The issues the Microsoft Ireland case raises are complex and have created significant difficulties for both law enforcement and technology companies... law enforcement officials increasingly need access to data stored in other countries for investigations, yet no clear enforcement framework exists for them to obtain overseas data. Meanwhile, technology companies, who have an obligation to keep their customers’ information private, are increasingly caught between conflicting laws that prohibit disclosure to foreign law enforcement. Equally important, the ability of one nation to access data stored in another country implicates national sovereignty... The CLOUD Act bridges the divide that sometimes exists between law enforcement and the tech sector by giving law enforcement the tools it needs to access data throughout the world while at the same time creating a commonsense framework to encourage international cooperation to resolve conflicts of law. To help law enforcement, the bill creates incentives for bilateral agreements—like the pending agreement between the US and the UK—to enable investigators to seek data stored in other countries..."

Senators Coons, Graham, and Whitehouse, support the CLOUD Act, along with House Representatives Collins, Jeffries, and others. The American Civil Liberties Union (ACLU) opposes the bill and warned:

"Despite its fluffy sounding name, the recently introduced CLOUD Act is far from harmless. It threatens activists abroad, individuals here in the U.S., and would empower Attorney General Sessions in new disturbing ways... the CLOUD Act represents a dramatic change in our law, and its effects will be felt across the globe... The bill starts by giving the executive branch dramatically more power than it has today. It would allow Attorney General Sessions to enter into agreements with foreign governments that bypass current law, without any approval from Congress. Under these agreements, foreign governments would be able to get emails and other electronic information without any additional scrutiny by a U.S. judge or official. And, while the attorney general would need to consider a country’s human rights record, he is not prohibited from entering into an agreement with a country that has committed human rights abuses... the bill would for the first time allow these foreign governments to wiretap in the U.S. — even in cases where they do not meet Wiretap Act standards. Paradoxically, that would give foreign governments the power to engage in surveillance — which could sweep in the information of Americans communicating with foreigners — that the U.S. itself would not be able to engage in. The bill also provides broad discretion to funnel this information back to the U.S., circumventing the Fourth Amendment. This information could potentially be used by the U.S. to engage in a variety of law enforcement actions."

Given that warning, I read the draft legislation. One portion immediately struck me:

"A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."

While I am not an attorney, this bill definitely sounds like an end-run around the Fourth Amendment. The review process is largely governed by the House of Representatives; a body not known for internet knowledge nor savvy. The bill also smells like an attack on internet services consumers regularly use for privacy, such as search engines that don't collect nor archive search data and Virtual Private Networks (VPNs).

Today, for online privacy many consumers in the United States use VPN software and services provided by vendors located offshore. Why? Despite a national poll in 2017 which found the the Republican rollback of FCC broadband privacy rules very unpopular among consumers, the Republican-led Congress proceeded with that rollback, and President Trump signed the privacy-rollback legislation on April 3, 2017. Hopefully, skilled and experienced privacy attorneys will continue to review and monitor the draft legislation.

The ACLU emphasized in its warning:

"Today, the information of global activists — such as those that fight for LGBTQ rights, defend religious freedom, or advocate for gender equality are protected from being disclosed by U.S. companies to governments who may seek to do them harm. The CLOUD Act eliminates many of these protections and replaces them with vague assurances, weak standards, and largely unenforceable restrictions... The CLOUD Act represents a major change in the law — and a major threat to our freedoms. Congress should not try to sneak it by the American people by hiding it inside of a giant spending bill. There has not been even one minute devoted to considering amendments to this proposal. Congress should robustly debate this bill and take steps to fix its many flaws, instead of trying to pull a fast one on the American people."

I agree. Seems like this bill creates far more problems than it solves. Plus, something this important should be openly and thoroughly discussed; not be buried in a spending bill. What do you think?


Feed You can follow this conversation by subscribing to the comment feed for this post.

Chanson de Roland

The Cloud Act - What It Is And What You Need To Know

In re: The United States v. Microsoft, there are two issues. One is easy to resolve by traditional legal authority. The second issue also isn’t that difficult based on precedent and the constitutional mandates of the Fourth, Fifth, and Fourteenth Amendments. The only complication here is that the question of producing evidence involves evidence held in a foreign jurisdiction.

The easy doctrine is this: Since the goal of a legal action, whether criminal or civil, is to do justice based on law and the facts, whenever a party, whether a party to the action or a third party, is in possession of information that is relevant to any issue of law or fact, the court may use its process to compel that party, which is subject to its jurisdiction and which is in possession or control of that relevant information, to produce that information for the record. Microsoft has relevant information, that is, it is a third party in possession and/or control of the relevant information, and so is obliged to produce it in court subject to a duly promulgated subpoena.

There are few exceptions to this principle that would permit Microsoft to object. One objection would be that the production is unduly burdensome. That is not true here. Microsoft, however, raises another objection: That the information is held in a foreign jurisdiction. To which the dispositive response is so what? If producing the information doesn’t violate a law of the foreign jurisdiction and/or the foreign jurisdiction isn’t resisting Microsoft producing the subpoenaed information, then Microsoft is, under traditional principles and precedents, obliged to honor the subpoena. That’s that, because getting to a lawful result based on true and correct facts takes precedence over Microsoft’s objection and, since this is court process, any party’s right to privacy. However, if the foreign jurisdiction objects based on its law or in exercise of its sovereignty, then and only then would Microsoft’s objections have merit.

The second issue raised is The Cloud Act, which purports to give the U.S. Attorney General the authority to enter into agreements with foreign states to permit those states to seek information about U.S. citizens who are resident on U.S. territory and/or even have access to monitoring of those U.S. citizens without honoring those citizens’ constitutional rights under the U.S. Const. and other applicable law. That simply is repugnant to the U.S. Constitution and would be null, void, and prohibited ab initio. The only time that a foreign power can acquire information or be privy to the monitoring of a U.S. citizen on U.S. territory is when that complies with applicable U.S. law. That means that, unless a U.S. citizen is violating some U.S. law, so that a police authority in the United States or a state thereof would have the warrant of law to monitor that citizen or seize his property or information, a foreign government can never acquire the information of or be privy to the monitoring of a U.S. citizen on U.S. territory, and even then only the proper police authority of the United States or a state thereof can conduct such monitoring and/ seizure of such information, and only the agencies of the United States or a state thereof can lawfully posses that information. Theses rights, constitutional and otherwise, belong to each citizen of the United States, Congress has no competence or authority to impair, trade them to a foreign power, or lessen them in any way or to authorize the U.S. Attorney General to do so.

And there is yet a third issue, that of requiring those who are subject to the jurisdiction of the federal courts to keep records of transactions on the Internet, such as logs of sites visited and things done on those sites. That Congress can probably do that, provided that it does so in a manner consistent with a citizen’s constitutional rights. The problem for citizens is that by transferring or just exposing their information to third parties typically destroys the expectation of privacy, which is necessary to invoke the Fourth Amendment right against unreasonable searches, seizure, and/or monitoring. The only certain remedy here is to not use the Cloud, don’t use social media, and use a good VPN that encrypts your data, conceals your IP address, and that does not keep any logs of your activities on the Internet, which, given what some believe is the effect of The Cloud Act, may require using a VPN service that is not subject to U.S. jurisdiction. And if you must use the cloud, store only encrypted data in the cloud, so that you at least have a plausible legal argument that you have shared nothing with a third party, nothing other than encrypted data, which is unintelligible to all but you, thus at least arguably maintaining your expectation of privacy.

The comments to this entry are closed.