The term “cloud computing” is something of a misnomer. Data stored on the cloud may feel like it’s floating freely in the ether because it’s accessible at a moment’s notice, but it’s still stored in physical locations somewhere on planet Earth. Under a new bill backed by a bipartisan group of senators, known as the CLOUD Act, data stored on that cloud could soon be more readily accessible to the federal government and foreign governments around the world.
Everything you see on the Internet—emails, tweets, search results, funny videos, this article—physically exists as electrons humming inside a computer server. Sometimes those servers are owned by individuals, as we’ve learned in excruciating detail from Hillary Clinton over the past few years. But our digital lives and deepest secrets are generally held by corporations like Amazon, Google, and Microsoft in climate-controlled warehouses scattered around the world.
One of those data centers, owned by Microsoft in Dublin, Ireland, is at the center of a current Supreme Court case. In 2013, federal prosecutors obtained a warrant to access a personal email account held by the tech giant that they believed was connected to a drug-related crime. While Microsoft could access the data from the United States, the company argued that the emails’ physical presence in Ireland placed it beyond the Justice Department’s reach under current federal law.
That law—the Electronic Communications Privacy Act of 1986—predates the world’s near-universal adoption of the Internet, but still defines how federal law enforcement and tech companies interact when trying to obtain data. “ECPA sat on a stool with three legs: one for the provider, one for law enforcement, and one for user privacy,” Chris Calabrese, vice president for policy at the Center for Democracy and Technology (CDT), said. “The provider gets a consistent system, law enforcement knows the standard, and users could know their information would have a high bar for privacy.”
The CLOUD Act, he added, also gives tech giants and law enforcement what they want, but leaves out key protections for users. A coalition of civil-liberties and human-rights groups, including the ACLU, Amnesty International, CDT, and the Electronic Frontier Foundation, urged Congress in a joint letter last September not to weaken cross-border data-sharing protections. Calabrese said that the biggest privacy concern is what’s not in the bill. “What’s missing here in this agreement is we’ve got something to harmonize and help providers when they’ve got something for DOJ to get the information it wants, but nothing for users,” he said.
The CLOUD Act has two halves. First, it would require tech companies to comply with warrant requests from federal prosecutors even if the targeted data is stored overseas. This would essentially resolve the Supreme Court case in the federal government’s favor. (The justices will hold oral arguments on it on February 27; a decision is expected by June.)
Second, the bill would ease other countries’ access to data stored by those companies inside the United States. Under current law, foreign governments that have mutual legal assistance treaties with the U.S. can request access to data stored here as part of their own criminal investigations. The Justice Department then obtains a warrant and reviews the data with a judge to ensure the request won’t compromise others’ privacy or be used to violate human rights.
Under the new legislation, foreign countries could request the data directly from the tech company, using a lower legal threshold than the probable-cause standard required for a warrant. Foreign governments could only target non-U.S. citizens in their requests, but the law would also remove protections that help ensure U.S. citizens’ data isn’t swept up along the way.
The legislation’s goal is to smooth the process for requesting data across international borders. Jennifer Daskal, an American University law professor who supports the legislation, noted in Just Security that foreign governments often complain that current U.S. policies can hinder them from investigating crimes committed by their own citizens. Existing restrictions can also cause headaches for U.S. tech companies that operate in foreign countries and could face penalties for not handing over U.S.-stored data from there.
But those changes would lower privacy protections for the data of Americans and non-Americans alike. “One concern in this specific context is that how a U.S. person could essentially contest this is pretty weak,” Calabrese said. “If a U.S. person’s information is gathered, there’s no way for the person to know that’s happening.” He also pointed to provisions in the bill that exempt providers from legal liability. And by cutting out the middleman, the privacy implications for non-U.S. citizens living here would be even greater. “This bill would ... explicitly treat non-U.S. persons differently,” he said. “It would actively lower the standard for non-U.S. persons.”
The CLOUD Act has received the enthusiastic support of British Prime Minister Theresa May, who called President Donald Trump on Tuesday to lobby in its favor. “The Prime Minister stressed the great importance of the legislation to the UK authorities in investigating criminal and terrorist activity in the UK,” May’s office said in a summary of the call. “The Prime Minister and President Trump agreed the passage of the Act through the U.S. legislative system was vital for our collective security.”
Microsoft also supports the bill as an overdue update to the Electronic Communications Privacy Act. As President Brad Smith tweeted earlier this week:
But Camille Fischer, in a blog post at the Electronic Frontier Foundation, wrote that “the legislation reduces protections for the personal privacy of technology users in an attempt to mollify tensions between law enforcement and U.S. technology companies. Legislation to protect the privacy of technology users from government snooping has long been overdue in the United States. But the CLOUD Act does the opposite, and privileges law enforcement at the expense of people’s privacy.”
Some argue the act will even weaken America’s constitutional standard for privacy. “Most times, people want to be protected by the standards of their own country,” Calabrese said. “But the U.S. actually has very high standards when applying the Fourth Amendment. Using foreign rules is a diminution of that standard.” The website Lawfare, which calls the bill “a welcome legislative fix” and a “very good start,” even acknowledges as much: “If you compare the due process protections in this bill with those provided under the Fourth Amendment, it is likely less-privacy protective—meaning that foreign governments will get access to more information than they do currently. But that is not the right comparison.”