How the CLOUD Act Will Damage Your Data Privacy Forever

Gavin Phillips 11-04-2018

The massive Facebook and Cambridge Analytica revelations continue to provide shocking news concerning your privacy. But during this Facebook-dominated news cycle, the US government has sneaked through a piece of legislation that drastically abuses privacy around the globe.


The CLOUD Act eliminates any protection for overseas data, allowing government agencies to pick and choose where they take your data from. It also fundamentally alters how the police access data held by private companies, like Facebook, Google, and so on.

So, what is the CLOUD Act and how is it destroying your privacy?

The CLOUD Act Explained

The CLOUD Act passed with little fanfare as legislators tacked it onto the end of the must-pass $1.3 trillion government spending bill. Tacking it onto the end of another enormous bill stopped the CLOUD Act from coming under serious debate, meaning a considerable number of citizens have never even heard of it, let alone understand how it drastically alters data privacy.

The Clarifying Overseas Use of Data (CLOUD) Act is a series of laws allowing US law enforcement to access data stored overseas and vice versa. It is an update to the existing Electronic Communications Privacy Act (ECPA), passed in 1986. The government and many tech companies believe these laws are ill-equipped for modern digital communications. And the ECPA probably was, given that in 1986 there were between 2,000 and 30,000 systems connected to internet precursor ARPANET.

So, why would such a far-reaching change to legislation fly under the radar? Here are some key facts and information for you.


1. It Removes Protection for Overseas Data

Law enforcement can request your data, no matter its storage location. Hosting companies cannot refuse to provide your data on that basis, either.

“A provider of electronic communication service or remote computing service shall comply […] regardless of whether such communication, record, or other information is located within or outside of the United States.”

Up until last week, data requests required a mutual legal-assistance treaty (MLAT) with another government. The MLAT defines data sharing between the two countries, including what types of data and the context for a request. MLATs have to pass through the Senate with two-thirds approval.

The CLOUD Act changes this, allowing the government to enter “executive” relationships with other countries that bypass existing MLAT legislation. The result is that any agency can request any tech company to turn over user data, regardless of location.


In 2013, the US Department of Justice issued a warrant to Microsoft, requesting they hand over the data of a customer suspected of illegal activity. The customer, however, was Irish, living in Ireland, and their data was stored on a server located in… you guessed it, Ireland. Microsoft took the case all the way to the Supreme Court, arguing the DOJ warrant was overreach as their customer wasn’t a US citizen.

The CLOUD Act bypasses this entire situation, allowing the DOJ to request the data, compelling Microsoft to comply. In fact, the DOJ asked the Supreme Court to “moot” the case, citing the introduction of the new law.

2. It Works Both Ways

Just as the CLOUD Act allows US law enforcement to collect foreign data, it enables foreign police forces to do the same. In fact, it muddies the waters even further (given the sweeping data collection under various government agency programs).


Neema Singh Guliani, legislative counsel with the ACLU, confirms that the bill allows “countries to wiretap on US soil for the first time, including conversations that foreign targets may have with people in the US, without complying with Wiretap Act requirements.” Those communication targets include Facebook, Google, Snapchat, private email servers, instant messenger conversations, and anything in-between. (Check out our Facebook privacy guide.)

Here’s an example of how it might work (paraphrased from the linked EFF article):

  1. London police want to investigate private Slack messages of a British target suspected of committing bank fraud.
  2. Under the CLOUD Act, the London police could go to Slack and ask for the user’s message history.
  3. Slack would have to comply with the request, without judicial review or requiring the notification of US law enforcement; probable cause warrants are not required.
  4. Slack hands over the British target’s message history to the London police; the message log contains private messages with US citizens.
  5. The London police share the details of the Slack messages with US law enforcement; the messages are then used against a US target within the country—all without a single warrant (essentially destroying the Fourth Amendment).

Data Collection Provisions

There are, however, some provisions in the CLOUD Act that aim to stop this sort of data collection. For instance, the following acts are prohibited:

  • The direct targeting of a US citizen’s data by a foreign government using the CLOUD Act.
  • Requesting that a country with an executive agreement target a specific US citizen.
  • Specifically targeting a foreign citizen’s data to simultaneously collect data on a US citizen.
  • The “dissemination of a US persons’ data” unless there is evidence of a serious crime.

Even with these provisions, ensuring that the rules are applied correctly, and enforcing them, is difficult. A late change to the CLOUD Act forces the US Attorney General to report to Congress justifying the use of an executive agreement, offering another provision.


3. It Reduces the Data Request Process Timeline

While opening up almost anyone to a data request, the CLOUD Act undoubtedly speeds up the data acquisition process. At times, completing an MLAT request can take months. Sometimes the data is outdated or useless by the time the data request is processed. A reduction in data processing time could allow police to solve crimes faster, or even stop some from taking place.

4. It Has a Narrow Appeal Process

The CLOUD Act also has an extremely narrow appeal window for content and service providers. There are only two provisions in the CLOUD Act allowing for a tech company to appeal a data request.

  1. If the person is not a US citizen and does not reside in the US, and
  2. The data disclosure puts the provider at risk of violating the law in their resident country.

The “and” is pretty significant here. An appeal will need to meet both of these criteria before it even sees the light of day.

The second point is a major issue for tech companies. Data doesn’t always remain on US soil. In many cases, it never enters it. But the tech companies are now caught between the US government and their foreign host nations. As such, tech companies have provisions in the CLOUD Act to shut down any requests that would compromise them, so long as the company appeals within 14 days.

But even then, the request isn’t dead. The tech company and the US government enter a complex comity process whereby a court balances the data requirements of the government against the disruption or law-breaking forced upon the tech company.

5. Provisions for Encryption and Civil Liberties

The CLOUD Act allows data collection from a vast range of services. But, in a slight boon for privacy rights, the executive agreements cannot compel any government to decrypt data. In some cases, decrypting data is extremely difficult, and the government would likely not waste time on those data sources (such as WhatsApp or Telegram).

A revision to the wording of the CLOUD Act requires the US Secretary of State and the Attorney General to make sure that any country entering an executive agreement “affords robust substantive and procedural protections for privacy and civil liberties.” This aspect attempts to protect the rights of American citizens from the consequences of the law, including:

  • Protection from arbitrary and unlawful interference with privacy.
  • The right to a fair trial.
  • Freedom of expression, association, and peaceful assembly.
  • Prohibitions on arbitrary arrest and detention.
  • Prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.

However, skeptics will point out that while these provisions “protect” civil liberties, there are already numerous examples of other government agencies (not just in the US) breaking those rules. So, what is to say any of the provisions, in this section or elsewhere, will protect citizens from further data collection? The answer is simple: you have to trust law enforcement and the government to do the right thing.

Tech Company Support

The CLOUD Act has the support of many major tech companies. The law itself creates a clear line between how the US government and foreign governments can access data, both at home and on foreign soil.

A letter signed by Apple, Microsoft, Google, Facebook, and Oath states that the CLOUD Act “encourages diplomatic dialogue, but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise. The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary.”

These companies have long lobbied for clarity enshrined in law, especially given the antiquated laws previously in place. And, if you take a step back from the overbearing privacy issues, that does make sense, for both consumers and tech companies.

The Impact of the CLOUD Act on Your Privacy

Does the CLOUD Act utterly demolish your privacy? Well, that depends on what you read. Moreover, it depends on who you trust.

The ACLU, EFF, and Freedom of the Press Foundation vocally oppose the CLOUD Act. They argue it is a dangerous, essentially irrevocable step toward permanent data-insecurity. Not only that, both the ACLU and EFF note that despite the global reach of this law, it “was never given the attention it deserved in Congress.”

The CLOUD Act represents a sea change in US data privacy. It was swept along with a spending bill that had to pass lest the country experience yet another government shutdown. And you didn’t even get a look in.


  1. SamG
    April 20, 2018 at 12:43 pm

    That explains WHY Yahoo/Verizon/Oath would not let me sign in until I agreed to their new terms. Oath is handling all communication and can do what they please with any of it. So I started removing all Yahoo mail. They wouldn't allow access to it or My Yahoo if I disagreed with their new terms. "When something is free on the 'net, it's the sale product." Or whatever. And one has to wonder how this will change VPNs' privacy.

  2. Gazoo
    April 11, 2018 at 9:18 pm

    Governments and companies (telcos, internet, etc) have been (backroom) colluding on data-sharing for a long time. The CLOUD Act (retroactively) alleviates a number of legal issues as a result of this relationship.

    These companies are "off the hook" from legal repercussions going forward and no longer need to worry about working within the shady gray areas of the law.

    Occasionally you'll see a high-profile case where a tech company makes a lot of noise about privacy. It's always been a dog and pony show.

  3. dragonmouth
    April 11, 2018 at 8:54 pm

    "The answer is simple: you have to trust law enforcement and the government to do the right thing."

    "The Impact of the CLOUD Act on Your Privacy"
    Now US inhabitants will find out how it was living in the Soviet Union, Nazi Germany, East Germany and/or under any other dictatorship. The Constitution is being figuratively torn up by the government.

    • SamG
      April 20, 2018 at 12:45 pm

      Can we all say 1984? Has been evolving and is here?

      • dragonmouth
        April 23, 2018 at 9:17 pm

        Except in 1984 Orwell could not even begin to dream of the tools and methods that are employed today.