House Staples Extraterritorial Search Permissions Onto 2,232-Page Budget Bill; Passes It
from the hearty-debate-was-enjoyed-by-none dept
Just as the Supreme Court is considering the legality of extraterritorial demands for communications held by US internet service providers in overseas data storage, Congress is doing all it can to short-circuit the debate. Tucked away towards the back of a 2,200-page spending bill is something called the "Clarifying Lawful Overseas Use of Data Act" or (of course) "CLOUD Act." (h/t Steve Vladeck)
The CLOUD Act [PDF - starting at p. 2201] would make any decision by the Supreme Court extraneous. If it agrees with Microsoft -- as lower courts have -- that the US has no right to demand communications stored overseas with a normal warrant, the Act would immediately overturn the decision. If it decides against Microsoft, it will be aligned with the new law. As it stands now, the route most likely to be taken by the Supreme Court is a punt. Legislation on point is in play and the Court will probably be more than happy to let legislators make the final call.
Beyond the obvious problem of giving US law enforcement permission to use regular warrants to bypass mutual assistance treaties, the law also allows for reciprocation. We can't go around waving SCA (Stored Communications Act) warrants in foreign lands without expecting pushback from locals. So, we'll have to give foreign countries the same privileges, even if the criminal charges being investigated wouldn't be considered criminal acts in this country and the country enjoying this reciprocation doesn't care much about its own citizens' rights and privacy.
The EFF is especially critical of the shoehorned-in CLOUD Act. As it points out, the law would result in backdoor searches of anyone's communications via reciprocal communication demands. In the US, we've already seen the Fourth Amendment circumvented by US government agencies via their access to NSA collections. The same would happen in reverse when other countries start playing by the CLOUD Act's new rules.
When foreign police use their power under CLOUD Act executive agreements to collect a foreign target’s data from a U.S. company, they might also collect data belonging to a non-target U.S. person who happens to be communicating with the foreign target. Within the numerous, combined foreign investigations allowed under the CLOUD Act, it is highly likely that related seizures will include American communications, including email, online chat, video calls, and internet voice calls.
Under the CLOUD Act’s rules for these data demands from foreign police to U.S. service providers, this collection of Americans’ data can happen without any prior, individualized review by a foreign or American judge. Also, it can happen without the foreign police needing to prove the high level of suspicion required by the U.S. Fourth Amendment: probable cause.
In addition, the law allows the US to enter into agreements with almost any country on earth, even those whose respect for human rights is nearly nonexistent. There's a provision in the law that says countries must meet a vague human rights standards before they're allowed to start searching US-based cloud services, but those guidelines are roughly 100% useless. Unless a more rigorous vetting standard is applied, countries like Turkey could soon be trawling for US persons' communications. As the ACLU points out, Turkey might still be considered to be compliant with the humans rights guidelines despite its ever-increasing level of citizen-directed abuse.
For example, in early 2014, Turkey may have met the CLOUD Act’s vague human rights criteria; Freedom House even rated it a three and four on its index for political and civil rights. But since the attempted coup in mid-2016, the Turkish government has arrested more than 50,000 people — including journalists and activists such as the chair and director of Amnesty International’s Turkey section — many on bogus terrorism charges. According to U.N. experts: “Most of these accusations of terrorism are based solely on actions such as downloading data protection software, including the ByLock application, publishing opinions disagreeing with the Government’s anti-terrorism policies, organizing demonstrations, or providing legal representation for other activists.”
Under the CLOUD Act, neither Congress nor U.S. courts would be able to prompt a review or a temporary moratorium for a case like Turkey. Users, without notice, would have little practical ability to lodge complaints with the U.S. government or providers. Even if the U.S. government were to take action, the CLOUD Act fails to ensure a sufficiently quick response to protect activists and others whose safety could be threatened.
What few positives the bill provides revolve around challenging demands for communications. The bill provides avenues for US tech companies to challenge orders targeting foreign servers, as well as pushing back against foreign government demands for communications held in the US. But these will mainly be of use to the largest tech companies with the manpower and legal acumen to throw at the problem. Smaller companies will likely just find themselves handing over anything to anyone who comes asking, rather than risk punitive action by domestic and foreign governments.
And the standards are extremely weak. While the bill claims to hold foreign countries to US standards, it never specifically says foreign countries demanding communications need to have US-equivalent rights. It refers to "international universal human rights" which sounds great, but this is a feel-good term that isn't recognized by US or international law.
Even if communications are subject to some restrictions, metadata isn't. Anything foreign governments collect on American citizens can be handed over to the US government without further legal review. And it carves out a hole for wiretapping electronic communications, allowing demands like these to bypass the privacy protections of the Wiretap Act.
Considering it's been stapled to end of must-pass funding bill, chances are the bill will receive zero debate before being forwarded to the president. The House has already passed its version, which means the Senate needs to step up to block the CLOUD Act stuffed into its spending bill. As we saw during the last several months of 2016, very few reps were in any hurry to challenge the expansion of Rule 41 authorities, despite having more than a year to generate opposition. Even when time is a luxury, inaction is the preferred response. The CLOUD Act, hidden under more than 2,000 pages of funding requests, is probably as close to a sure thing as it's ever been. And it will do little more than further damage privacy protections across the globe.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cloud act, extraterritorial, jurisdiction, omnibus, privacy, search, stored communications act, surveillance, warrants
Reader Comments
Subscribe: RSS
View by: Time | Thread
#isitok
"And pray that there's intelligent life somewhere out in space,
'Cause there's bugger all down here on Earth! "
(monty python)
[ link to this | view in chronology ]
Re: #isitok
[ link to this | view in chronology ]
Encrypt everything!
Much the way police intrusions into devices lead to Apple and Android encryption-by-default, this may lead us towards an era in which the common internet end user uses end-to-end encryption for all communication.
Still, it won't happen until enough people are persecuted that it scares the public.
[ link to this | view in chronology ]
Well what do you want?
[ link to this | view in chronology ]
TOLD YA! NO WAY IN HELL CAN MICROSOFT GET DATA, BUT NOT GOV'T!
Now all I have to do is wait for the accolades from fanboys for being RIGHT yet again...
[ link to this | view in chronology ]
yeah, but how does common law affect this?
[ link to this | view in chronology ]
Re: yeah, but how does common law affect this?
[ link to this | view in chronology ]
Re: TOLD YA! NO WAY IN HELL CAN MICROSOFT GET DATA, BUT NOT GOV'T!
If the assertion was loony, there would be no need for a law. Since they're passing a law, obviously it's currently allowable and they need to change the law so that tech companies can no longer refuse such a request.
However, by doing so they have opened a major can of worms. There are two things that will inevitably happen:
1. Countries will refuse to do business with American tech companies because now their data is no longer safe from the US government.
2. Foreign countries can now request data on any US person and tech companies have to turn it over.
America just shot itself in both feet and it will come back to bite us, hard.
[ link to this | view in chronology ]
Re: TOLD YA! NO WAY IN HELL CAN MICROSOFT GET DATA, BUT NOT GOV'T!
[ link to this | view in chronology ]
Senate filibuster
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
If anyone is exercising tyranny over the US it's your beloved corporations, who write laws for you using ALEC, etc.
[ link to this | view in chronology ]
Meltdown/Spectre legislative process
Heck, it worked great for Intel.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
backdoor to hell..
1. Countries have Their OWN laws, and now we are giving other nations Access to OUR communications FOR their OWN USES?? There are Big holes in that idea.
2. Do we have access to theirs??
Umm, the USA can request the other country to DO a data search from OUTSIDE the USA, that has no Constitutional restrictions..
Hasnt the USA already made deals for tracking Incoming Foreign communications from Those with terrorist ties??
Couldnt we already be giving Foreign agencies access to trace TO the USA those same persons of interest, SENT to the USA??
This idea would give OUR Policing agencies the ability to SIT over there, and Gather personal info with out the constitution Protections WE HAVE NOW..
[ link to this | view in chronology ]
Keep smiling
[ link to this | view in chronology ]
Re: Keep smiling
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Covertly Legitimising Awful Overseas Use of Data Act
[ link to this | view in chronology ]
Pretty sure with the giant ass panopticon they already had they haven't stopped anything, except the FBI stings against the mentally ill.
Would this new information suddenly stop all the school shooters, serial bombers, hate attacks & all the other bad?
Or is it just giving into the fear mongering of if we don't get this we might miss something!!!! (Ignoring all of the shit we are already missing because the focus is on imagined possible threats while ignoring actual threats)
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
HAVE TO ASK..
NOW we are going to pay another GOV. to DO WHAT??
really sounds like Another way to ship money OUTSIDE this country..
[ link to this | view in chronology ]
Red flag large enough to cover a football field
When you have to slip your pet bill into another, 'must pass' bill you are all but admitting that you do not think it could withstand scrutiny and challenge.
If it's a good bill then great, discuss and vote for it on it's own merits, don't tack it on to a completely unrelated bill and try to slip it through.
[ link to this | view in chronology ]
Gaping 4th Amendment Hole
So, someone in the U.S. Government who has no probable cause wants to fish through a U.S. citizen's data that's stored in the U.S. That person (who could be law enforcement, or just a politically connected slimer) finds a compliant shithole country* and has them demand the information from the email / cloud storage / remote backup / forum site / etc. provider and then turn it over to the U.S. person conducting the fishing expedition. This seems like an obvious end-run around the 4th Amendment.
(* Apologies, but I understand that to be the term used by top U.S. officials.)
I am annoyed that such a loophole has found its way into law. But, I am even more annoyed that it is such and obvious problem and still the law was passed. Legislation like this should only be introduced as a test. Any politician who votes for it is disqualified from voting on any actual legislation. They still get to wear a suit and pretend to be a grown up. But, much like those Fisher-Price car seat toys for kids with the plastic steering wheel and horn so that toddlers can pretend they are driving while mom or dad actually pilots the car, the politicians' voting devices aren't actually connected to anything. It just accepts the vote and says, "Thank you for voting on this important legislation. You are a big boy now!"
[ link to this | view in chronology ]
I'm not sure the Supreme Court is out of it
Congress can pass whatever legislation it wants. The Supreme Court can still declare the legislation unconstitutional. Congress can't fix that just by passing another piece of legislation.
Or does the current Supreme Court case merely claim that the government doesn't have authorization to get the data? That's a weaker claim than "unconstitutional", and one that Congress can fix...
[ link to this | view in chronology ]
Re: I'm not sure the Supreme Court is out of it
If, while the Court is hearing one of those latter types of cases, Congress changes the law in a way that would govern the outcome of the case, my understanding is that the Supreme Court can't overrule them - unless the newly-changed law is itself overruled by something higher, the Constitution being the main candidate.
[ link to this | view in chronology ]