CLOUD: the law that passed under the table & concerns us all

CLOUD Act: The revelations of Facebook and Cambridge Analytica kept us busy for a long time, and the story goes on… until it fades. However, during the "scandal" that suddenly reminded us all of something we already knew, the US government managed to pass a bill that abuses privacy around the world.

The CLOUD Act, or CLOUD Act, eliminates all protections for data stored abroad, allowing US government agencies to pick and take your data wherever it's stored. The law fundamentally changes how US authorities can access data collected or stored by private companies such as Facebook, the and many others.

How we got to the CLOUD Act

CLOUD passed substantially under the mat. Nobody perceived something because lawmakers added it as a paragraph at the end of the US budget of 1,3 worth trillions of dollars.

Placing a very controversial bill in the state budget made the CLOUD Act almost invisible, and of course the fact is something that sparks a lot of debate. Too many Americans and generally everyone who has personal data on they have not heard anything about the law, let alone the fact that the confidentiality of their data is drastically changed.
The bill Clarifying Overseas Use of Data (CLOUD) is a series of laws that allow US authorities to access data stored abroad and vice versa. This is the update of the existing Electronic Communications Privacy Act (ECPA), which was passed to 1986. The government and many technology companies believe that these laws are outdated for modern digital communications, as ECPA voted for 1986 when they were around the 30.000 systems connected to the ARPANET internet precursor.

So why was such a big change in legislation not noticed? Here is some information…

Removes Protection of Oversized Data

Authorities can access your data, regardless of the country of storage, and your hosting companies can not refuse to hand them over to the authorities.

"Your ISP or Remote Storage service provider complies […] whether the data or other information is located inside or outside the United States."

Until last week, requests for access to data from the Authorities required a joint court decision (MLAT) and the other government. The MLAT sets out the exchange of data between the two countries, and to approve they needed to pass through Congress with the consent of two-thirds, but also by the government of the other country.

The CLOUD law changes everything, allowing the government to have "executive" relations with other countries that completely bypass existing MLAT legislation. The result is that any government agency can ask any technology company to deliver user data, regardless of location.

CLOUD Act: It works in two ways

But the law that allows US authorities to collect foreign data allows foreign countries to do the same. In fact, the scope of cooperation is growing, given the large collection of data from various government programs.

Neema Singh Guiliani, from ACLU's Legislative Council, confirms that the bill it will allow many countries to "enter US soil" for the first time. Targeted companies of course include Facebook, Google, Snapchat, private email servers, instant chats and anything else related to digital communication.

Here is an example of how it can work (from the related EFF article):

Η of London wants to investigate the private Slack messages of a British man suspected of bank fraud.
Σύμφωνα με τον νόμο CLOUD, η του Λονδίνου θα μπορούσε να “χτυπήσει την πόρτα” της Slack και να ζητήσει το ιστορικό των μηνυμάτων του χρήστη.
Slack will have to comply directly with the request, without any judicial review or notification of the decision to the US authorities.
But the history of Britain's London-based messages also contains private messages with US citizens.
The London police share the details of the Slack messages with the US authorities, and the messages can be used against US citizens. All this without a warrant, effectively destroying the Fourth Amendment of the United States Constitution.

Data collection provisions

However, there are some provisions in the CLOUD law that aim to stop this type of data collection. For example, the following are prohibited:

  • Direct data targeting of a US citizen by a foreign government using the CLOUD law.
  • Request from a country targeting a specific US citizen.
  • Η of a foreign national to collect data from a US citizen.
  • "Dissemination of US individuals" unless there is evidence of a serious crime.

But even with these provisions, ensuring that these rules are properly used and enforced is very difficult.

End the data request process

The CLOUD law undoubtedly speeds up the process of obtaining data from authorities, wherever they are based. Sometimes, completing a MLAT request took months. So the data was old or useless until the MLAT request was approved.

Terminates appeals procedures

The CLOUD law also gives a very limited "space" of expression to content and service providers. There are only two provisions of the CLOUD law that allow a technology company to make a request:

  • If the person is not a US citizen and does not reside in the US, and
  • If the disclosure of data places the provider at risk of violating the law in the country where he resides.

The "and" is very important, as an appeal must meet both of these criteria.

Provisions on encryption and other political freedoms

The CLOUD Act allows the collection of data from a wide range of services. Surprisingly, however, a slightly favorable one on privacy rights, it does not allow countries with enforceable agreements to compel any government to decrypt data.

The revision of the wording of the CLOUD law requires the US Secretary of State and the Attorney General to ensure that each country that is part of the executive agreement "offers strong and effective protections to protect privacy and individual freedoms."

The paragraph rather attempts to protect the rights of American citizens:

  • Protection against arbitrary and unlawful interference with privacy.
  • The right to a fair trial.
  • Freedom of expression, freedom of association and peaceful coexistence.
  • Prohibitions in any arbitrary arrest and detention.
  • Prohibitions of torture and any cruel, inhuman or degrading treatment or punishment.

However, skeptics point out that while these provisions "protect" civil liberties, there are already many examples of other government agencies (not just in the US) violating these rules. So how exactly will these provisions protect citizens from further data collection?

The answer is simple: you should trust the law enforcement authorities and your government.

Support from technology companies…

The CLOUD Act has the of many large tech companies as it creates a clear line between how the US government and foreign governments can access their data.cloud

A letter signed by Apple, Microsoft, Google, Facebook and Oauth says CLOUD:

"It encourages diplomatic dialogue, but also gives technology two separate institutional rights to protect consumers and resolve conflicts of law. The law provides for immediate notification mechanisms to foreign governments when a legal request involves the people of a country, which helps provide immediate legal assistance when necessary. ”

Of course the lobby of these companies prefers to be guaranteed by law.

The impact of the CLOUD law on your privacy

Does the CLOUD law completely destroy your privacy? It depends on what you do on the internet and of course who you trust.

The ACLU, EFF, and the Freedom of the Press Foundation strongly oppose the CLOUD Act. They argue that this is a dangerous, and essentially irreversible step towards permanent data insecurity. Both the ACLU and the EFF note that despite the global reach of this law, “it has never been given the necessary in Congress.”

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).