The CLOUD Act — Clarifying Lawful Overseas Use of Data — is a set of regulations handling how data stored in one country can be accessed by an entity in a different country. It was signed into law on March 23, 2018 as part of the Omnibus Spending Bill.
It's been praised by technology companies, and a joint letter from Apple, Facebook, Google, Microsoft, and Oath (Yahoo!) lending support to the bill was published on February 6, 2018. It states, in part:
But privacy and civil rights organizations have a different opinion of the legislation. The ACLU had this to say:
- Includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment.
- Fails to require foreign law enforcement to seek individualized and prior judicial review.
- Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
- Fails to place adequate limits on the category and severity of crimes for this type of agreement.
- Fails to require notice on any level – to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial orders, the bill allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
- The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation.
The two sides seem to take the language in the CLOUD Act very differently. That's to be expected with almost any legal document, and most bills introduced to Congress are written in the same type of language. It purposefully leaves things open to the interpretation of the reader, and in the case of laws, the enforcing body. We all will have our own opinion on the bill, and that's a healthy discussion to have. But it's important to know what this means for your data stored on Google's servers.
Why would Google support this?
It's important to remember that organizations like the ACLU and EFF exist to examine the worst-case scenario surrounding any rules or laws that govern our personal data. They help create a balance so that courts and legislators can make informed rulings, and seeing their objection to the CLOUD Act isn't a surprise because it makes some major changes to the existing laws. It's very difficult for a foreign government to gain access to data saved on a U.S. server and for the U.S. government to obtain data stored on a foreign server because the laws vary from country to country.
An example of this in action is currently happening, as the U.S. Supreme Court is deciding if Microsoft needs to turn over data stored on an Irish server that the Department of Justice wants as evidence in a case that dates back to 2013.
Companies like Google would rather see a single set of rules adopted by the U.S. and the many other countries they do business in, which might prevent these sorts of costly hearings and procedures. They feel the language in the CLOUD Act serves to provide access to our data when a genuine need arises but also protects our privacy against requests that don't show a legitimate need.
Civil rights organizations would also like to see a single set of rules adopted around the world, but do not think the CLOUD Act sufficiently protects our information from foreign governments. They take issue with how it changes the judicial review process and the ways it may circumvent the 4th Amendment to the U.S. Constitution, as well as how the bill was introduced and packaged into a larger spending bill which won't have the scrutiny and publicity a change like this deserves before it's written as law.
Taken at face value, both sides here seem to be correct. That's because both sides are fulfilling their intended purposes. Google's legal team and privacy experts want a simple set of rules that apply in every country it operates in and think that circumventing a court hearing or obtaining multiple individual warrants can be done in a way that still protects its users' personal data under the CLOUD Act. The ACLU and EFF are against anything that circumvents a judicial process for each individual request, and they feel that the current system provides better privacy standards. It's important for lawmakers to hear both arguments.
What does this mean for me and my data?
There is no language in the CLOUD Act that changes the way Google stores your data or the data it can collect. Nothing there strips away the protections of encryption, nor does it prevent you from deleting your data from Google's servers at any time. The only thing the CLOUD Act affects is how your data stored on a server in your country can be shared with another nation's government. But that is something we all should be concerned about, too, so let's look at some specifics.
Are my civil liberties being protected?
The CLOUD Act requires the Secretary of State and the Attorney General of the United States to certify that any country entering into the CLOUD Act "affords robust substantive and procedural protections for privacy and civil liberties." Some specifics are mentioned in the bill to protect our rights as Americans. They include:
- Protection from arbitrary and unlawful interference with privacy
- Fair trial rights
- Freedom of expression, association, and peaceful assembly
- Prohibitions on arbitrary arrest and detention
- Prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.
This means any country that participates in the CLOUD Act can't trample the basic civil rights afforded to us as citizens of the U.S. — and that the rights of citizens in other countries can't be trampled by the U.S. government. Protections against a foreign government requiring Google to place a backdoor into Android or Chrome are also in place under the CLOUD Act, and Google can't be asked by any government to perform surveillance on us while we use its products.
Does the CLOUD act give the executive branch complete control over our data rights?
No. While it does allow the State Department and Attorney General's office to make agreements with foreign nations, there is some Congressional oversight built in. Congress will have the power to:
- Review new bilateral agreements for up to 180 days.
- Review changes to existing agreements for up to 90 days.
- Require written certification and explanation for how countries pass certification.
- Fast-track disapproval of bilateral agreements.
It also states that a surveillance order issued by any member country be individually based and "subject to review or oversight by a court, judge, magistrate, or other independent authority," and that this review must be "prior to, or in proceedings regarding, enforcement of the order."
It would be better to have these protections in place as part of the way agreements between participating countries are made, but they are there, and in language that's surely enforceable should a country be found to be overstepping its bounds.
Does the CLOUD act make it easier for foreign nations to access my U.S.-based data?
Yes. The CLOUD act removes many of the obstacles currently in place when another country wants your data stored on a Google server inside the United States. This is where civil rights organizations and Google disagree on the merits of the law.
Because any data request must go through the court system and then be subject to appeal or approval from a higher court, countries frustrated with the process are forming their own laws that try to force companies like Google to hand over data without any court involvement if the company wants to do business there. The U.S. also tries to claim that U.S. law requires a U.S. company to hand over data even when it's hosted outside the country, as we're seeing in the Microsoft case presented to the Supreme Court.
The CLOUD act is designed to stop these laws from being enacted and enforced by building a process all countries can agree on and adhere to when it comes to requests for our private data. This is where Apple, Google, Microsoft and other tech companies see the benefit of it. They will know what the laws are and how to follow them in all the countries that participate instead of being subject to individual laws or fighting them in courts.
Civil rights organizations take issue with the fact that the CLOUD Act can force data hosted inside the U.S. to be handed to another nation without being subject to our existing privacy laws. Some countries provide civil liberties that are equal to or better than what the Constitution offers, but others do not. They feel that your data hosted in the U.S. should be protected by your rights as a U.S. citizen and not subject to the laws and rights another country observes, no matter what the review or admittance process entails.
Does the CLOUD act give foreign countries more power to surveil U.S. citizens and target their data for collection?
No, and yes. Broader power is granted for intelligence gathering but there are restrictions and rules in place that cover any wiretapping or surveillance.
- Foreign governments are "explicitly forbidden from surveilling a U.S. person directly or indirectly".
- Surveillance orders must be of a fixed and limited duration.
- Surveillance can only happen when it has been shown to be "reasonably necessary" and there is no other way to get the information.
When collecting data for approved cases, there are rules in place that aim to protect our individual rights:
- Direct targeting of a U.S. citizen's data by non-U.S. governments is prohibited.
- Asking a CLOUD Act certified country to target a U.S. person's data is prohibited.
- Targeting a non-U.S. person's data for the purpose of collecting a U.S. person's data is prohibited. (A country can't target me to see the conversations you and I have in Facebook Messenger, for example.)
- The "dissemination of a U.S. persons' data" is prohibited unless there is evidence of a serious crime presented.
There is a lot of room for legal maneuvering in these regulations, which leads us to the biggest question — how will this be enforced? Who will be there to make sure France (for example) follows the laws and regulations about collecting my data inside the U.S.? That's worrisome. Even more so when you replace France with Afghanistan, or if you live in Europe and replace France with the United States. Current laws are in place to protect our data and we've grown accustomed to having them. The CLOUD Act would replace many of those protections.
Do I need to worry, and should I delete all of my data and go dark?
I'm not a legal expert so I can't form an opinion on the legality of the CLOUD act. That's what we elect officials to do. But I can express a few thoughts on it all. I'm of the opinion that my data stored in the U.S. is protected under the laws of the U.S. and secured with my rights as a U.S. citizen regardless of what France (or Afghanistan) thinks of those protections.
Guaranteed liberties like the 4th amendment (the protection against unreasonable search and seizure defined as an individual right of every U.S. citizen) or its equivalent in other countries should always apply and supersede any type of unilateral act between governments. Every instance where my privacy is to be breached is deserving of its own review in the U.S. courts, especially if I'm not proven guilty of any serious crimes.
But I also see the value that Google sees in the CLOUD act. A legitimate set of rules that apply across the board for all member nations could be a great thing; not only to save money and time in courts but so that I know in advance how my data is protected both inside and outside of the U.S.
We should be able to trust our elected officials to make the right choices, and if you do then there isn't much to be concerned about here. It seems that Google trusts the "right" way to guarantee our privacy will be put in place, as do Apple and Microsoft. These three companies may have a very different set of offerings to present to us, but one thing they all have in common is the willingness to fight to protect our data. That's a good reason to assume the sky isn't falling.
The ACLU and EFF, as well as other privacy and civil rights groups, have also done a great job of making sure we know when our rights may be subject to abuse. We should pay attention to their warnings even if we think they are reaching the worst conclusion. This is a good reason to be against the CLOUD act in any form.
Right now, all we can do is watch the process in action and hope everyone involved is thinking about our individual rights when they make their decision. Once that decision is reached, we can decide how to react. What's most important is that we know and understand when the laws surrounding our personal data are going to be changed, and what the consequences may be.
Technology vs Lawyers -3GB. I'll take the lawyers and give the 3GB.
At the end of the day, this means that you can trust the cloud storage even less. Store nothing sensitive outside of your direct control. Particularly those surveillance videos from gullible owner devices.
I don't get it. Any more understandable resources?
Not liking the looks of this, at all, and based on previous history, no, I do not believe this will be handled well, as in the best interest of individual citizens of participating nations. The baseline will be set by the member nation with the lowest amount of respect for the rights and privacy of its citizens by law and applied as the de facto baseline across the participating member nations with a wink and a nod at the loss of legal protections and rights for citizens of all member nations. This is globalization to the lowest common denominator for the convenience of a few large entities at the expense of the sovereign citizens of all signatory nations. This is 1000X worse than whining about the possibility of paid fastlanes from your good ole' local ISP. The EFF and the ACLU have the right take on this simply because human nature seeks the lowest, most convenient level, and not the highest, most aspirational level by default, and nature. Sorry about the length of this, but I find it almost indescribably troubling, and no, I don't participate in criminal activities, but then again, those definitions are changed all the time, all over the world, for convenience, inclusion, and entrapment based simply on a whim.
tl;dr the US government signed a bill that makes it possible/easier for them to access data stored overseas, that they should not be able to access. In other words don't use the cloud and don't be a customer of any company that does. On a side note, I'll also take this moment to point out that it's a human right to encrypt your data in a way that prevents anyone other than yourself from accessing it, and that you cannot be forced to make it accessible to any other party. Anyone who disagrees is uneducated, ignorant and/or a traitor to the human race.
Bloody hell that's strong.
I agree it's an individual's right to protect their data but going so far as to call it a human right has certain connotations.
Maybe it should be added to the Geneva convention.
As long as a court is required to enforce disclosure of data from a 3rd party I would be satisfied.
You lost all credibility after the last ignorant sentence. Not to mention a "human right"? Really?
All I keep reading about is US citizens. What about the 6 billion plus people like me who are not? So does that mean that the US government cannot obtain information about me, be it stored on a US server or elsewhere, because I don't live in the US and as such I am not subject to their laws? If there are no laws against piracy of movies and music in my country and I should download let's say 3 terabytes of movies and store them online, that means as a citizen of a non US country I cannot be investigated by the US government. If and only if this bill states that a citizen can only be investigated by his/her country I would be kind of OK with it. But if it covers only US citizens but allows the US government to spy on non US citizens, then you're saying that might is right and this is just plain wrong.
Organizations like the ACLU and EFF exist as mission driven not for profit organizations, not to "examine worse case scenarios" (as stated in article). Non profits are not beholden to shareholders to make a profit. Therefore they examine scenarios including those that a profit seeking business would stand to benefit from financially.
Time to use my iCloud account and dump Google