A federal spending bill before the US Congress includes a provision called the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which would change the legal requirements for law enforcement agencies seeking to gain access to data stored on overseas servers.
The CLOUD Act is in response to a dispute between Microsoft and other email service providers and the US Department of Justice (DOJ), which began in 2016.
Microsoft won a victory in federal appeals court over the DOJ in 2016, invalidating a warrant requiring the company to turn over user emails stored on a server located in Ireland. The case was appealed to the US Supreme Court, where it was heard in late February 2018 with a ruling still pending.
The CLOUD Act would eliminate the need for the Supreme Court to even issue a ruling, as it codifies the very issues under debate, making it easier for US law enforcement agencies to access data stored in overseas cloud servers regardless of the opinion of the organization hosting the data.
There is a lot for businesses and individuals to know about the CLOUD Act. Here are five essential things to be aware of as the act advances toward a vote.
1. It eliminates protection for data stored overseas
One of the first things that the CLOUD Act makes clear is that it doesn't matter where data is stored, and that hosting companies can't refuse to comply on that basis.
''A provider of electronic communication service or remote computing service shall comply ... regardless of whether such communication, record, or other information is located within or outside of the United States.''
The argument being made by Microsoft is that US-based courts and law enforcement have no jurisdiction over hardware located outside the US. The language of the section mentioned above eliminates that legal defense when coupled with other provisions, such as:
2. It allows the president to enter into agreements with other nations explicitly for the purpose of exchanging stored data
"It shall not be unlawful under this chapter for a provider of electronic communication service to the public or remote computing service to intercept or disclose the contents of a wire or electronic communication in response to an order from a foreign government that is subject to an executive agreement ..."
The US president can make agreements with foreign governments that allow their law enforcement officials to request data stored within the other's borders. In the Microsoft case, for example, Ireland could simply say that it's okay with Microsoft handing over data stored on an Irish Microsoft server, and Microsoft then has no legal recourse to withhold it.
3. Providers can still appeal requests
The CLOUD Act provides a way, albeit narrow, for content providers to appeal requests from US law enforcement to turn over data hosted overseas. Only two conditions fulfill a motion to modify or quash the process:
- If the customer/subscriber is not a US person and does not reside in the US, and
- That the disclosure would put the provider at risk of violating foreign law by handing data over.
Notice the use of the "and" qualifiers there—it's likely that all of the conditions mentioned would need to be met or the motion to be quashed.
4. Privacy advocates are fighting it
The Electronic Frontier Foundation calls the CLOUD Act "a dangerous expansion of police snooping on cross-border data" and gives several reasons why it believes the Act violates privacy rights:
- It "includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment."
- There is no inclusion of requiring notice, as is the case with a physical warrant. Under the language of the CLOUD Act, the EFF said, the government can access personal data without the target being aware.
- The act would give "unlimited jurisdiction to U.S. law enforcement over any data controlled by a service provider, regardless of where the data is stored and who created it." This argument is the same as the one it filed in support of Microsoft earlier in 2018.
The EFF's arguments boil down to the CLOUD Act being a massive overreach that violates norms of both US and international law. Whether that will be enough to keep it from passing remains to be seen.
5. It's still not decided
The spending bill to which the CLOUD Act is attached was only released by Congress on Wednesday, March 21, 2018. That could mean that the spending bill and the CLOUD Act's passage could take some time.
Reuters reported that the CLOUD Act has bipartisan support, which could speed its passage through the House and Senate, though it's unclear if the spending bill will be able to make it through without debate.
SEE: Cloud migration decision tool (Tech Pro Research)
The CLOUD Act isn't a done deal, but those who will be affected by it should still consider what it means for them and the future of their data storage. As the EFF stated, this isn't the first time, nor the second, that similar bills have been before Congress.
It's likely that, regardless of whether the CLOUD Act passes, similar legislation will appear in the near future. According to the CLOUD Act, law enforcement agencies consider the current process of requesting warrants for international data to be an impediment, which means that sooner or later the laws surrounding it will change to law enforcement's advantage.
- Special report: The future of Everything as a Service (free PDF) (TechRepublic)
- Microsoft bullish on Congress' inclusion of CLOUD Act in funding bill (ZDNet)
- 6 big data privacy practices every company should adopt in 2018 (TechRepublic)
- Cloud computing is eating the world: Should we be worried? (ZDNet)
- Report: Only 40% of data stored in cloud secured with encryption, key management (TechRepublic)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.