House Staples Extraterritorial Search Permissions Onto 2,232-Page Budget Bill; Passes It
from the hearty-debate-was-enjoyed-by-none dept
Just as the Supreme Court is considering the legality of extraterritorial demands for communications held by US internet service providers in overseas data storage, Congress is doing all it can to short-circuit the debate. Tucked away towards the back of a 2,200-page spending bill is something called the "Clarifying Lawful Overseas Use of Data Act" or (of course) "CLOUD Act." (h/t Steve Vladeck)
The CLOUD Act [PDF - starting at p. 2201] would make any decision by the Supreme Court extraneous. If it agrees with Microsoft -- as lower courts have -- that the US has no right to demand communications stored overseas with a normal warrant, the Act would immediately overturn the decision. If it decides against Microsoft, it will be aligned with the new law. As it stands now, the route most likely to be taken by the Supreme Court is a punt. Legislation on point is in play and the Court will probably be more than happy to let legislators make the final call.
Beyond the obvious problem of giving US law enforcement permission to use regular warrants to bypass mutual assistance treaties, the law also allows for reciprocation. We can't go around waving SCA (Stored Communications Act) warrants in foreign lands without expecting pushback from locals. So, we'll have to give foreign countries the same privileges, even if the criminal charges being investigated wouldn't be considered criminal acts in this country and the country enjoying this reciprocation doesn't care much about its own citizens' rights and privacy.
The EFF is especially critical of the shoehorned-in CLOUD Act. As it points out, the law would result in backdoor searches of anyone's communications via reciprocal communication demands. In the US, we've already seen the Fourth Amendment circumvented by US government agencies via their access to NSA collections. The same would happen in reverse when other countries start playing by the CLOUD Act's new rules.
When foreign police use their power under CLOUD Act executive agreements to collect a foreign target’s data from a U.S. company, they might also collect data belonging to a non-target U.S. person who happens to be communicating with the foreign target. Within the numerous, combined foreign investigations allowed under the CLOUD Act, it is highly likely that related seizures will include American communications, including email, online chat, video calls, and internet voice calls.
Under the CLOUD Act’s rules for these data demands from foreign police to U.S. service providers, this collection of Americans’ data can happen without any prior, individualized review by a foreign or American judge. Also, it can happen without the foreign police needing to prove the high level of suspicion required by the U.S. Fourth Amendment: probable cause.
In addition, the law allows the US to enter into agreements with almost any country on earth, even those whose respect for human rights is nearly nonexistent. There's a provision in the law that says countries must meet a vague human rights standards before they're allowed to start searching US-based cloud services, but those guidelines are roughly 100% useless. Unless a more rigorous vetting standard is applied, countries like Turkey could soon be trawling for US persons' communications. As the ACLU points out, Turkey might still be considered to be compliant with the humans rights guidelines despite its ever-increasing level of citizen-directed abuse.
For example, in early 2014, Turkey may have met the CLOUD Act’s vague human rights criteria; Freedom House even rated it a three and four on its index for political and civil rights. But since the attempted coup in mid-2016, the Turkish government has arrested more than 50,000 people — including journalists and activists such as the chair and director of Amnesty International’s Turkey section — many on bogus terrorism charges. According to U.N. experts: “Most of these accusations of terrorism are based solely on actions such as downloading data protection software, including the ByLock application, publishing opinions disagreeing with the Government’s anti-terrorism policies, organizing demonstrations, or providing legal representation for other activists.”
Under the CLOUD Act, neither Congress nor U.S. courts would be able to prompt a review or a temporary moratorium for a case like Turkey. Users, without notice, would have little practical ability to lodge complaints with the U.S. government or providers. Even if the U.S. government were to take action, the CLOUD Act fails to ensure a sufficiently quick response to protect activists and others whose safety could be threatened.
What few positives the bill provides revolve around challenging demands for communications. The bill provides avenues for US tech companies to challenge orders targeting foreign servers, as well as pushing back against foreign government demands for communications held in the US. But these will mainly be of use to the largest tech companies with the manpower and legal acumen to throw at the problem. Smaller companies will likely just find themselves handing over anything to anyone who comes asking, rather than risk punitive action by domestic and foreign governments.
And the standards are extremely weak. While the bill claims to hold foreign countries to US standards, it never specifically says foreign countries demanding communications need to have US-equivalent rights. It refers to "international universal human rights" which sounds great, but this is a feel-good term that isn't recognized by US or international law.
Even if communications are subject to some restrictions, metadata isn't. Anything foreign governments collect on American citizens can be handed over to the US government without further legal review. And it carves out a hole for wiretapping electronic communications, allowing demands like these to bypass the privacy protections of the Wiretap Act.
Considering it's been stapled to end of must-pass funding bill, chances are the bill will receive zero debate before being forwarded to the president. The House has already passed its version, which means the Senate needs to step up to block the CLOUD Act stuffed into its spending bill. As we saw during the last several months of 2016, very few reps were in any hurry to challenge the expansion of Rule 41 authorities, despite having more than a year to generate opposition. Even when time is a luxury, inaction is the preferred response. The CLOUD Act, hidden under more than 2,000 pages of funding requests, is probably as close to a sure thing as it's ever been. And it will do little more than further damage privacy protections across the globe.
Filed Under: cloud act, extraterritorial, jurisdiction, omnibus, privacy, search, stored communications act, surveillance, warrants
