As Congress scrambles to agree on a spending bill, a dangerous piece of legislation that would redefine how law enforcement collects data is being snuck in at the last minute. Through convoluted provisions, the CLOUD Act would give the Executive Branch broad power in deciding how data is exchanged between countries and could severely compromise Americans’ privacy.
On Thursday, Senators Ron Wyden and Rand Paul released a joint statement opposing the measure that was roundly condemned by the ACLU and nearly two dozen other human rights and privacy advocates this week. Paul and Wyden asked the leaders of the Senate Appropriations Committee to not include the legislation in the spending bill and called for extended debate before it ever becomes law.
A source with direct knowledge of the negotiations in the Senate told Gizmodo that it is “highly likely” that the CLOUD Act (S.2383, H.R.4943)
will be included in the must-pass spending bill that Congress is cobbling together this week. The controversial regulations are being pushed hard by lobbyists from the big tech companies and foreign allies like UK Prime Minister Theresa May, the source said.
You may be vaguely familiar with Section 702 of the FISA Amendments Act. It’s the one that allows US intelligence to search, read, and share private electronic messages without a warrant when investigating foreign targets. But data from Americans can get swept up in the incidental collection of that intelligence, which critics of the bill say amounts to a violation of constitutional protections against unreasonable search and seizure. The Electronic Freedom Foundation compares the CLOUD Act to Section 702 and explains how it amounts to a new backdoor around the fourth amendment:
The CLOUD Act has two major components. First, it empowers U.S. law enforcement to grab data stored anywhere in the world, without following foreign data privacy rules. Second, it empowers the president to unilaterally enter executive agreements with any nation on earth, even known human rights abusers. Under such executive agreements, foreign law enforcement officials could grab data stored in the United States, directly from U.S. companies, without following U.S. privacy rules like the Fourth Amendment, so long as the foreign police are not targeting a U.S. person or a person in the United States.
When foreign police use their power under CLOUD Act executive agreements to collect a foreign target’s data from a U.S. company, they might also collect data belonging to a non-target U.S. person who happens to be communicating with the foreign target. Within the numerous, combined foreign investigations allowed under the CLOUD Act, it is highly likely that related seizures will include American communications, including email, online chat, video calls, and internet voice calls.
Currently, the sharing of intelligence and data across borders is possible through mutual legal assistance treaties. When foreign police need data stored in the US, it can be provided as long as the process follows the Fourth Amendment’s warrant requirements. Likewise, if the US seeks data from foreign law enforcement, it must follow the privacy protections of the government it’s petitioning.
The CLOUD Act would weaken those privacy protections and open up a free for all of data sharing. A foreign government could request data about a non-US citizen from a company storing it on US soil without the need for a warrant. It could also intercept communications or metadata of a non-US citizen target in real time. If, by chance, that foreign government collected communications or content from an American in the course of their surveillance, it could then turn it over to US law enforcement. As long as the information “relates to significant harm, or the threat thereof, to the United States or United States persons,” that information could then be used to investigate or criminally charge a US citizen.
To recap: Section 702 gives US intelligence broad power to surveil foreign targets outside the US, and if some US citizens get caught up in it, well, that’s just life. The CLOUD Act gives foreign intelligence broad powers to surveil foreign targets in the US, and if an American citizen gets caught up in it, it could be handed over to US intelligence and be used against them—no warrant necessary.
The EFF joined the ACLU, Human Rights Watch, and many other activist organizations in issuing a coalition letter to Congress opposing the CLOUD Act. The letter outlines the specific issues that need to be addressed in the bill, which “fails to protect the rights of Americans and individuals abroad, and would place too much authority in the hands of the Executive Branch with few mechanisms to prevent abuse.” It highlights specific areas in which vague language could be interpreted in a way that could nullify the protections the bill’s defenders say have been included.
This isn’t just a terrifying prospect for Americans, as many of the world’s largest tech and Internet-related companies are based in the US. The CLOUD Act would put tremendous power into the US President’s hands for how a company like Google might treat the data of a citizen from another country.
Under the CLOUD Act, the US Attorney General and Secretary of State would have to sign off on a foreign data request, certifying that the government in question offers “robust substantive and procedural protections for privacy and civil liberties.” Congress would then have 90 days to pass a resolution blocking the agreement. But let’s say, for example, that President Trump really likes the despotic ruler of the Philippines. He could, theoretically, lean on his embattled Attorney General Jeff Sessions to give the Philippines wide leeway in grabbing data about dissidents that is stored on the servers of American companies. The Secretary of State (likely recently nominated flunky Mike Pompeo) could then concur with Sessions, and Congress would only have 90 days to stop it. If you’ve been paying attention to the way Congress works these days, the idea of both houses coming together to oppose each agreement individually in a short time should be laughable.
We’re told the rush to include this five-week-old legislation in the upcoming spending bill is due to two lanes of pressure. Big tech lobbies are leaning on their senators to get it done and foreign allies are lobbying through back channels.
Apple, Facebook, Google, Microsoft, and Oath all expressed their support for the legislation in a letter released last month. Microsoft is currently involved in a Supreme Court case fighting the US Justice Department’s demands that data stored on an overseas server must be turned over if a warrant is issued by a US court. Microsoft says that’s against the law, and a decision isn’t expected to arrive until June. The CLOUD Act would make that case unnecessary. It’s easy to see why these companies might find it convenient to just remove any legal questions, and submit to the enemies of privacy, but their claim that this legislation “is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer” conflicts with the analysis of the ACLU and other legal scholars.
Another win for Silicon Valley would come from appeasing lawmakers in Europe. British PM Theresa May has been increasingly vocal with her threats against tech companies if they don’t do more to fight terrorism. In February, May said that President Trump had agreed that the CLOUD Act was “vital” to both nations’ security.
Senators’ Wyden and Paul have asked their colleagues to pump the brakes on the bill until further debate has been had, and they request that it be amended to allow Congress to review each international agreement individually rather than “supplying a blanket preapproval.”
The ACLU’s coalition is more direct in its analysis of what should be done, writing, “We urge you to oppose the CLOUD Act, and efforts to attach it to other pieces of legislation.”
[Letter]