Up in the CLOUD: What the New Congressional Act Means for Data Security

Until this past week, Microsoft looked as though they would receive an unfavorable ruling from the Supreme Court. In 2013, the U.S. Justice Department issued a warrant for the emails of individuals they were investigating as drug dealers, but the technology giant refused to hand them over on the grounds that the information in question was hosted on a server in Ireland and warrants are only applicable in the United States. The Court was likely to rely on the Electronic Communications Privacy Act (ECPA) passed in 1986. However, with the Clarifying Lawful Overseas Use of Data (CLOUD) Act now passed as part of the federal spending bill, it would be easier for the U.S. government to access data for law enforcement purposes regardless of where it is hosted. As such, the Department of Justice has requested that the case be dismissed, and the CLOUD Act will be the prevailing law of technology and cloud storage moving forward.

How the CLOUD Act Works

The CLOUD Act enables governments to enter into agreements with the United States, through which law enforcement agencies could immediately request access to the data stored in the servers of those countries. Unfortunately, the 180 day period established in ECPA often made the information no longer relevant to the investigation in time-sensitive matters. The 180 day period could also be circumvented with mutual legal-assistance treaties (MLATs), but these could take a long time to parse through, too. Now, with the CLOUD Act, the following agreements would facilitate timely access by law enforcement to pertinent information, and resolve any ambiguity as to whether the information can be legally furnished. Furthermore, before the CLOUD Act, foreign entities could threaten and have threatened to prosecute employees of Microsoft and other similar technology organizations if they complied with the warrants issued by courts in the United States, as NPR reported. Now, the company can do so without worrying that their employees will suffer consequences for assisting in an investigation.

There is a framework for how these agreements could go through, at least as far as the government is concerned. According to Chris Calabrese of the Center for Democracy and Technology, the United Kingdom and the United States already have an agreement in place that would be of the kind that the CLOUD Act promotes. Although the terms of this agreement are not public, one would hope that the terms of the agreement were useful and expedient enough to have positively influenced the decision to pass this act.

The Dangers of the CLOUD Act

On the other hand, there are valid reasons to be concerned about the CLOUD Act. While it may speed up the process when gathering information about actual criminals and the like, there is the very real concern that the United States government will not thoroughly vet the requests that come through for information regarding its citizens if these agreements go through, as each request would require the approval of the Attorney General. The Attorney General would need to determine that “the foreign government has adequate substantive and procedural laws on cybercrime and electronic evidence, as demonstrated by being a party to the Convention on Cybercrime […] demonstrates respect for the rule of law and principles of nondiscrimination; adheres to applicable international human rights obligations and commitments or demonstrates respect for international universal human rights.”  The Act also gives U.S. law enforcement the ability to seize data, all-encompassing as it is, from any country and also distribute information of its citizens to those countries it has an agreement with. It could seriously infringe upon privacy rights of individuals across the globe and enable greater surveillance, especially because foreign countries would only need to abide by their privacy laws when obtaining information on U.S. citizens, and vice versa. Between countries with radically different standards of privacy, there is likely to be tension over the ease with which certain information will be shared.

There are hypothetical safeguards in place to prevent willful and harmful oversharing and breaches of privacy, but the current language of the CLOUD Act does not require these safeguards to be followed in a proper timeline. While it would make sense that an independent party or a court, judge, or other judicial official should review a foreign government’s request before it is sent to a technology company, all the CLOUD Act requires is that the review happens at some point during the process, including afterwards. There is also a definitions section of this act, but it leaves out a key component of the Attorney General’s factors to consider: the definition of a “serious crime” committed by a foreign government. This leaves much more discretion in the hands of the A.G. to determine whether a foreign entity is in good enough standing to receive this information.

In the end, what the CLOUD Act establishes is greater convenience and timeliness in access of information stored on the internet while increasing concerns about privacy through electronic mediums, a concern that has not been dissuaded by recent tech company gaffes.

Comments are closed.