CLOUD Act: The revelations about Facebook and Cambridge Analytica kept us busy for a long time, and the story goes on… until it fades. However, during the "scandal" that suddenly reminded us all of something we already knew, the US government managed to pass a bill that abuses privacy around the world.
The CLOUD law, or CLOUD Act, eliminates any protection for data stored abroad, allowing US government departments to select and receive your data wherever it is stored. The law fundamentally changes the way in which US authorities can access data collected or stored by private companies such as Facebook, Google and many others.
How we got to the CLOUD Act
CLOUD passed largely under the radar. Nobody noticed anything because lawmakers added it as a paragraph at the end of the US budget, worth 1.3 trillion dollars.
Putting a very controversial bill into the state budget made the CLOUD law almost invisible, and of course it is something that sparks a lot of debate. Too many Americans, and generally everyone who has personal data on the Internet, have heard nothing about the law, let alone that it drastically changes the privacy of their data.
The bill Clarifying Overseas Use of Data (CLOUD) is a series of laws that allow US authorities to access data stored abroad and vice versa. It is an update of the existing Electronic Communications Privacy Act (ECPA), which was passed in 1986. The government and many technology companies believe that these laws are outdated for modern digital communications, as ECPA was passed in 1986, when around 30,000 systems were connected to ARPANET, the precursor of the internet.
So why was such a big change in legislation not noticed? Here is some information…
Removes Protection of Overseas Data
Authorities can access your data, regardless of the country of storage, and your hosting companies cannot refuse to hand it over to the authorities.
"Your ISP or Remote Storage service provider complies […] whether the data or other information is located inside or outside the United States."
Until last week, requests from the authorities for access to data required a joint court decision (MLAT) together with the other government. The MLAT sets out the exchange of data between the two countries, and to be approved it needed to pass through Congress with the consent of two-thirds, and also be approved by the government of the other country.
The CLOUD law changes everything, allowing the government to have "executive" relations with other countries that completely bypass existing MLAT legislation. The result is that any government agency can ask any technology company to deliver user data, regardless of location.
CLOUD Act: It works in two ways
But the law that allows US authorities to collect foreign data allows foreign countries to do the same. In fact, the scope of cooperation is growing, given the large collection of data from various government programs.
Neema Singh Guliani, legislative counsel at the ACLU, confirms that the bill will allow many countries to "enter American territory" for the first time. Target companies of course include Facebook, Google, Snapchat, private email servers, instant messaging and everything else related to digital communication.
Here is an example of how it can work (from the related EFF article):
- The London police want to investigate the private Slack messages of a British citizen suspected of banking scams.
- Under CLOUD, London police could "knock on Slack's door" and ask for the user's message history.
- Slack will have to comply directly with the request, without any judicial review or notification of the decision to the US authorities.
- But the British suspect's message history also contains private messages with US citizens.
- The London police share the details of the Slack messages with the US authorities, and the messages can be used against US citizens. All this without a warrant, effectively destroying the Fourth Amendment of the United States Constitution.
Data collection provisions
However, there are some provisions in the CLOUD law that aim to stop this type of data collection. For example, the following are prohibited:
- Direct data targeting of a US citizen by a foreign government using the CLOUD law.
- Request from a country targeting a specific US citizen.
- Tracking a foreign citizen to collect data from a US citizen.
- "Dissemination of US individuals" unless there is evidence of a serious crime.
But even with these provisions, ensuring that these rules are properly used and enforced is very difficult.
End the data request process
The CLOUD law undoubtedly speeds up the process by which authorities obtain data, wherever they are based. Sometimes, completing an MLAT request took months, so the data was old or useless by the time the MLAT request was approved.
Terminates appeals procedures
The CLOUD law also gives content and service providers very limited room to object. There are only two provisions of the CLOUD law that allow a technology company to appeal a request:
- If the person is not a US citizen and does not reside in the US, and
- If the disclosure of data places the provider at risk of violating the law in the country where he resides.
The "and" is very important, as an appeal must meet both of these criteria.
Provisions on encryption and other political freedoms
The CLOUD law allows the collection of data from a wide range of services. Paradoxically, however, one provision that is slightly favorable to privacy does not allow countries with implementing agreements to force a government to decipher the data.
The revision of the wording of the CLOUD law requires the US Secretary of State and the Attorney General to ensure that each country that is part of the executive agreement "offers strong and effective protections to protect privacy and individual freedoms."
The paragraph rather attempts to protect the rights of American citizens:
- Protection against arbitrary and unlawful interference with privacy.
- The right to a fair trial.
- Freedom of expression, freedom of association and peaceful coexistence.
- Prohibitions on any arbitrary arrest and detention.
- Prohibitions on torture and any cruel, inhuman or degrading treatment or punishment.
However, skeptics point out that while these provisions "protect" civil liberties, there are already many examples of other government agencies (not just in the US) violating these rules. So how exactly will these provisions protect citizens from further data collection?
The answer is simple: you should trust the law enforcement authorities and your government.
Support from technology companies…
CLOUD has the support of many major technology companies as it creates a clear line between how the US government and foreign governments can access their data.
A letter signed by Apple, Microsoft, Google, Facebook and Oath says of CLOUD:
"It encourages diplomatic dialogue, but also gives technology two separate institutional rights to protect consumers and resolve conflicts of law. The law provides for immediate notification mechanisms to foreign governments when a legal request involves the people of a country, which helps provide immediate legal assistance when necessary."
Of course the lobby of these companies prefers to be guaranteed by law.
The impact of the CLOUD law on your privacy
Does the CLOUD law completely destroy your privacy? It depends on what you do on the internet and of course who you trust.
The ACLU, the EFF and the Freedom of the Press Foundation are categorically opposed to the CLOUD law. They argue that this is a dangerous and virtually irreversible step towards permanent data insecurity. Both the ACLU and the EFF note that despite the law's global reach, "it has never received the attention it needs in Congress."