The massive Facebook and Cambridge Analytica revelations continue to provide shocking news concerning your privacy. But during this Facebook-dominated news cycle, the US government has sneacked through a piece of legislation that drastically abuses privacy around the globe.

The CLOUD Act eliminates any protection for overseas data, allowing government agencies to pick and choose where they take your data from. It also fundamentally alters how the police access data held by private companies, like Facebook, Google, and so on.

So, what is the CLOUD Act and how is it destroying your privacy?

The CLOUD Act Explained

The CLOUD Act passed with little fanfare as legislators tacked it onto the end of the must-pass $1.3 trillion government spending bill. Tacking it onto the end of another enormous bill stopped the CLOUD Act coming under serious debate, meaning a considerable amount of citizens have never even heard of it, let alone understand how it drastically alters data privacy.

The Clarifying Overseas Use of Data (CLOUD) Act is a series of laws allowing US law enforcement to access data stored overseas and vice versa. It is an update to the existing Electronic Communications Privacy Act (ECPA), passed in 1986. The government and many tech companies believe these laws are ill-equipped for modern digital communications. And the ECPA probably was, given that in 1986 there were between 2,000 to 30,000 systems connected to internet precursor ARPANET.

So, why would such a far-reaching change to legislation fly under the radar? Here are some key facts and information for you.

1. It Removes Protection for Overseas Data

Law enforcement can request your data, no matter its storage location. Hosting companies cannot refuse to provide your data on that basis, either.

"A provider of electronic communication service or remote computing service shall comply [...] regardless of whether such communication, record, or other information is located within or outside of the United States."

Up until last week, data requests required a mutual legal-assistance treaty (MLAT) with another government. The MLAT defines data sharing between the two countries, including what types of data and the context for a request. MLATs have to pass through the Senate with two-thirds approval.

The CLOUD Act changes this, allowing the government to enter "executive" relationships with other countries that bypass existing MLAT legislation. The result is that any agency can request any tech company to turn over user data, regardless of location.

In 2013, the US Department of Justice issued a warrant to Microsoft, requesting they hand over the data of a customer suspected of illegal activity. The customer, however, was Irish, living in Ireland, and their data was stored on a server located in... you guessed it, Ireland. Microsoft took the case all the way to the Supreme Court, arguing the DOJ warrant was overreach as their customer wasn't a US citizen.

The CLOUD Act bypasses this entire situation, allowing the DOJ to request the data, compelling Microsoft to comply. In fact, the DOJ asked the Supreme Court to "moot" the case, citing the introduction of the new law.

2. It Works Both Ways

Just as the CLOUD Act allows US law enforcement to collect foreign data, it enables foreign police forces to do the same. In fact, it muddies the waters even further (given the sweeping data collection under various government agency programs).

Neema Singh Guiliani, legislative council with the ACLU, confirms that the bill allows "countries to wiretap on US soil for the first time, including conversations that foreign targets may have with people in the US, without complying with Wiretap Act requirements." Those communication targets include Facebook, Google, Snapchat, private email servers, instant messenger conversations, and anything in-between. (Check out our Facebook privacy guide.)

Here's an example of how it might work (paraphrased from the linked EFF article):

  1. London police want to investigate private Slack messages of a British target suspected of committing bank fraud.
  2. Under the CLOUD Act, the London police could go to Slack and ask for the users' message history.
  3. Slack would have to comply with the request, without judicial review or requiring the notification of US law enforcement; probable cause warrants are not required.
  4. Slack hand over the British targets message history to the London police; the message log contains private messages with US citizens.
  5. The London police share the details of the Slack messages with US law enforcement; the messages are then used against a US target within the country---all without a single warrant (essentially destroying the Fourth Amendment).

Data Collection Provisions

There are, however, some provisions in the CLOUD Act that aim to stop this sort of data collection. For instance, the following acts are prohibited:

  • The direct targeting of a US citizen's data by a foreign government using the CLOUD Act.
  • Requesting a country with an executive agreement targets a specific US citizen.
  • Specifically targeting a foreign citizen's data to simultaneously collect data on a US citizen.
  • The "dissemination of a US persons' data" unless there is evidence of a serious crime.

Even with these provisions, ensuring the correct use of and enforcing these rules is difficult. A late change to the CLOUD Act forces the US Attorney General to report to Congress justifying the use of an executive agreement, offering another provision.

3. It Reduces the Data Request Process Timeline

While opening up almost anyone to a data request, the CLOUD Act undoubtedly speeds up the data acquisition process. At times, completing an MLAT request can take months. Sometimes the data is outdated or useless by the time the data request processes. A reduction in data processing time could allow police to solve crimes faster, or even stop some taking place.

4. It Has a Narrow Appeal Process

The CLOUD Act also has an extremely narrow appeal window for content and service providers. There are only two provisions in the CLOUD Act allowing for a tech company to appeal a data request.

  1. If the person is not a US citizen and does not reside in the US, and
  2. The data disclosure puts the provider at risk of violating the law in their resident country.

The "and" is pretty significant here. An appeal will need to meet both of these criteria before it even sees the light of day.

The second point is a major issue for tech companies. Data doesn't always remain on US soil. In many cases, it never enters it. But the tech companies are now caught in the middle of the US government and their foreign host nations. As such, tech companies have provisions in the CLOUD Act to shut down any requests that would compromise them, so long as the company appeals within 14 days.

But even then, the request isn't dead. The tech company and the US government enter a complex comity process whereby a court balances the data requirements of the government versus the disruption/law breaking criminal act forced upon the tech company.

5. Provisions for Encryption and Civil Liberties

The CLOUD Act allows data collection from a vast range of services. But, in a slight boon for privacy rights, the executive agreements cannot compel any government to decrypt data. In some cases, decrypting data is extremely difficult, and the government would likely not waste time on those data sources (such as WhatsApp or Telegram).

A revision to the wording of the CLOUD Act requires the US Secretary of State and the Attorney General to make sure that any country entering an executive agreement "affords robust substantive and procedural protections for privacy and civil liberties." This aspect attempts to protect the rights of American citizens from the consequences of the law, including:

  • Protection from arbitrary and unlawful interference with privacy.
  • The right to a fair trial.
  • Freedom of expression, association, and peaceful assembly.
  • Prohibitions on arbitrary arrest and detention.
  • Prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.

However, skeptics will point out that while these provisions "protect" civil liberties, there are already numerous examples of other government agencies (not just in the US) breaking those rules. So, what is to say any of the provisions, in this section or elsewhere, will protect citizens from further data collection? The answer is simple: you have to trust law enforcement and the government to do the right thing.

Tech Company Support

The CLOUD Act has the support of many major tech companies. The law itself creates a clear line between how the US government and foreign governments can access data, both home and on foreign soil.

A letter signed by Apple, Microsoft, Google, Facebook, and Oauth states that the CLOUD Act "encourages diplomatic dialogue, but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise. The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary."

These companies have long lobbied for clarity enshrined in law, especially given the antiquated laws previously in place. And, if you take a step back from the overbearing privacy issues, that does make sense, for both consumers and tech companies.

The Impact of the CLOUD Act on Your Privacy

Does the CLOUD Act utterly demolish your privacy? Well, that depends what you read. Moreover, it depends who you trust.

The ACLU, EFF, and Freedom of the Press Foundation vocally oppose the CLOUD Act. They argue it is a dangerous, essentially irrevocable step toward permanent data-insecurity. Not only that, both the ACLU and EFF note that despite the global reach of this law, it "was never given the attention it deserved in Congress."

The CLOUD Act represents a sea change in US data privacy. It was swept along with a spending bill that had to pass lest the country experience yet another government shutdown. And you didn't even get a look in.