CLOUD Act: New US Bill Opens Access to Personal Data Abroad

    Last week, March 23, 2018, the U.S. Congress passed a bill called the CLOUD Act. It greatly enhances the ability of United States law enforcement to access private information online.

    Below we describe the act in more detail, along with how the community and IT companies reacted to it.

    What is the CLOUD Act

    The Clarifying Lawful Overseas Use of Data Act was first proposed on February 6, 2018. The bill is an amendment to the Stored Communications Act (SCA), a 1986 act regulating US government access to data held by Internet providers. The CLOUD Act became part of the 2232-page document approving the state budget, so there was no separate debate on its content and no separate hearing in Congress.

    Two key points in the act make it easier for US law enforcement to access personal data (PD).

    1. Requesting users' personal data from IT companies

    First, from now on, law enforcement agencies (from police officers to agents of the federal migration service) have the right to request access to data from IT companies, regardless of where this information is stored. In other words, the U.S. police may oblige Google or Facebook to hand over users' personal data even if it is stored, for example, in Europe.

    Given that many global IT companies are under US jurisdiction, authorities gain access to correspondence, metadata, and user accounts around the world. Companies will no longer be able to refuse to provide data, even if disclosure is prohibited by the laws of another state (as happened in the Microsoft Ireland case).

    2. Providing information to other states

    The second part of the act gives the President and the US Attorney General the opportunity to enter into special data exchange agreements with other states. Under these agreements, countries may request user data from US IT companies, provided that they [users] are not American citizens and do not reside in the United States.

    There are no restrictions on which countries the USA can conclude these agreements with. Moreover, the act allows such agreements to be initiated without the approval of Congress.

    Support for the act

    The IT giants Microsoft, Google, Facebook, Apple and Oath (formerly Yahoo) wrote a letter endorsing the bill, calling it “notable progress in consumer protection.” They also pointed out that the CLOUD Act would “better protect users through international agreements.”

    When the act was approved, Microsoft's Director of Legal Affairs, Brad Smith, tweeted that “this is an important day for international relations and the protection of personal data around the world.” He also noted that the act will increase confidence in the technologies that we use every day. However, the tweet was met with clear criticism from netizens.

    Criticism of the act

    The rest of the technical community does not support the new act so clearly (especially cryptocurrency enthusiasts). There are fears that it will lead to data localization, that is, to each country wanting to keep its citizens' personal data on "local" servers.

    The act was also criticized by many American human rights organizations. More than twenty organizations, including the EFF (Electronic Frontier Foundation) and the ACLU (American Civil Liberties Union), wrote an open letter to Congress that pointed to apparent human rights violations in the CLOUD Act.

    The concern is how the information transfer agreements are regulated. Suppose a certain country, in cooperation with the US government, turns to Slack to obtain the personal correspondence of a person who is a resident of that country. By handing over the message history, Slack also involuntarily discloses the messages of everyone else involved in the correspondence.

    Moreover, the CLOUD Act allows a state that has obtained confidential information about American citizens in this way to transmit it directly to US law enforcement without any additional approvals, warrants or court orders. This can be interpreted as a direct violation of the Fourth Amendment to the US Constitution.

    Alternative: Mutual Legal Assistance Treaty

    Prior to the adoption of the CLOUD Act, the legal aspects of gaining access to information abroad were regulated through the MLAT (Mutual Legal Assistance Treaties). This agreement was drawn up in 2001 with the active participation of the USA and European countries (Russia did not recognize the decision of the Convention). It allows law enforcement agencies of different countries to access data stored abroad, with the assistance of the state in which they are stored.

    MLAT has its drawbacks. On average, processing one request takes about 10 months, and by the time information is received from another state, in most cases it is no longer relevant. Despite its imperfections, the system is an important transitional stage in the development of international relations in the field of cybersecurity, especially since the Council of Europe plans to improve it soon. The adoption of the CLOUD Act, however, does not contribute to this process in any way; to a greater extent it is an alternative to it.
