House Staples Extraterritorial Search Permissions Onto 2,232-Page Budget Bill; Passes It

from the hearty-debate-was-enjoyed-by-none dept

Just as the Supreme Court is considering the legality of extraterritorial demands for communications held by US internet service providers in overseas data storage, Congress is doing all it can to short-circuit the debate. Tucked away towards the back of a 2,200-page spending bill is something called the “Clarifying Lawful Overseas Use of Data Act” or (of course) “CLOUD Act.” (h/t Steve Vladeck)

The CLOUD Act [PDF – starting at p. 2201] would make any decision by the Supreme Court extraneous. If it agrees with Microsoft — as lower courts have — that the US has no right to demand communications stored overseas with a normal warrant, the Act would immediately overturn the decision. If it decides against Microsoft, it will be aligned with the new law. As it stands now, the route most likely to be taken by the Supreme Court is a punt. Legislation on point is in play and the Court will probably be more than happy to let legislators make the final call.

Beyond the obvious problem of giving US law enforcement permission to use regular warrants to bypass mutual assistance treaties, the law also allows for reciprocation. We can’t go around waving SCA (Stored Communications Act) warrants in foreign lands without expecting pushback from locals. So, we’ll have to give foreign countries the same privileges, even if the criminal charges being investigated wouldn’t be considered criminal acts in this country and the country enjoying this reciprocation doesn’t care much about its own citizens’ rights and privacy.

The EFF is especially critical of the shoehorned-in CLOUD Act. As it points out, the law would result in backdoor searches of anyone’s communications via reciprocal communication demands. In the US, we’ve already seen the Fourth Amendment circumvented by US government agencies via their access to NSA collections. The same would happen in reverse when other countries start playing by the CLOUD Act’s new rules.

When foreign police use their power under CLOUD Act executive agreements to collect a foreign target’s data from a U.S. company, they might also collect data belonging to a non-target U.S. person who happens to be communicating with the foreign target. Within the numerous, combined foreign investigations allowed under the CLOUD Act, it is highly likely that related seizures will include American communications, including email, online chat, video calls, and internet voice calls.

Under the CLOUD Act’s rules for these data demands from foreign police to U.S. service providers, this collection of Americans’ data can happen without any prior, individualized review by a foreign or American judge. Also, it can happen without the foreign police needing to prove the high level of suspicion required by the U.S. Fourth Amendment: probable cause.

In addition, the law allows the US to enter into agreements with almost any country on earth, even those whose respect for human rights is nearly nonexistent. There’s a provision in the law that says countries must meet a vague human rights standards before they’re allowed to start searching US-based cloud services, but those guidelines are roughly 100% useless. Unless a more rigorous vetting standard is applied, countries like Turkey could soon be trawling for US persons’ communications. As the ACLU points out, Turkey might still be considered to be compliant with the humans rights guidelines despite its ever-increasing level of citizen-directed abuse.

For example, in early 2014, Turkey may have met the CLOUD Act’s vague human rights criteria; Freedom House even rated it a three and four on its index for political and civil rights. But since the attempted coup in mid-2016, the Turkish government has arrested more than 50,000 people — including journalists and activists such as the chair and director of Amnesty International’s Turkey section — many on bogus terrorism charges. According to U.N. experts: “Most of these accusations of terrorism are based solely on actions such as downloading data protection software, including the ByLock application, publishing opinions disagreeing with the Government’s anti-terrorism policies, organizing demonstrations, or providing legal representation for other activists.”

Under the CLOUD Act, neither Congress nor U.S. courts would be able to prompt a review or a temporary moratorium for a case like Turkey. Users, without notice, would have little practical ability to lodge complaints with the U.S. government or providers. Even if the U.S. government were to take action, the CLOUD Act fails to ensure a sufficiently quick response to protect activists and others whose safety could be threatened.

What few positives the bill provides revolve around challenging demands for communications. The bill provides avenues for US tech companies to challenge orders targeting foreign servers, as well as pushing back against foreign government demands for communications held in the US. But these will mainly be of use to the largest tech companies with the manpower and legal acumen to throw at the problem. Smaller companies will likely just find themselves handing over anything to anyone who comes asking, rather than risk punitive action by domestic and foreign governments.

And the standards are extremely weak. While the bill claims to hold foreign countries to US standards, it never specifically says foreign countries demanding communications need to have US-equivalent rights. It refers to “international universal human rights” which sounds great, but this is a feel-good term that isn’t recognized by US or international law.

Even if communications are subject to some restrictions, metadata isn’t. Anything foreign governments collect on American citizens can be handed over to the US government without further legal review. And it carves out a hole for wiretapping electronic communications, allowing demands like these to bypass the privacy protections of the Wiretap Act.

Considering it’s been stapled to end of must-pass funding bill, chances are the bill will receive zero debate before being forwarded to the president. The House has already passed its version, which means the Senate needs to step up to block the CLOUD Act stuffed into its spending bill. As we saw during the last several months of 2016, very few reps were in any hurry to challenge the expansion of Rule 41 authorities, despite having more than a year to generate opposition. Even when time is a luxury, inaction is the preferred response. The CLOUD Act, hidden under more than 2,000 pages of funding requests, is probably as close to a sure thing as it’s ever been. And it will do little more than further damage privacy protections across the globe.

Filed Under: , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “House Staples Extraterritorial Search Permissions Onto 2,232-Page Budget Bill; Passes It”

Subscribe: RSS Leave a comment
Anonymous Coward says:


Okay, I admit expect(ed) Supreme Court to toss out that LOONY assertion long before Congress got around to it, but clearly it’s so OBVIOUSLY NECESSARY that it’s been pre-empted.

Now all I have to do is wait for the accolades from fanboys for being RIGHT yet again…

Anonymous Coward says:


Errrnt! Wrong again!

If the assertion was loony, there would be no need for a law. Since they’re passing a law, obviously it’s currently allowable and they need to change the law so that tech companies can no longer refuse such a request.

However, by doing so they have opened a major can of worms. There are two things that will inevitably happen:

1. Countries will refuse to do business with American tech companies because now their data is no longer safe from the US government.

2. Foreign countries can now request data on any US person and tech companies have to turn it over.

America just shot itself in both feet and it will come back to bite us, hard.

ECA (profile) says:

backdoor to hell..

1. Countries have Their OWN laws, and now we are giving other nations Access to OUR communications FOR their OWN USES?? There are Big holes in that idea.
2. Do we have access to theirs??

Umm, the USA can request the other country to DO a data search from OUTSIDE the USA, that has no Constitutional restrictions..

Hasnt the USA already made deals for tracking Incoming Foreign communications from Those with terrorist ties??

Couldnt we already be giving Foreign agencies access to trace TO the USA those same persons of interest, SENT to the USA??

This idea would give OUR Policing agencies the ability to SIT over there, and Gather personal info with out the constitution Protections WE HAVE NOW..

That Anonymous Coward (profile) says:

At what point is someone going to ask for an audit of how much better our protection efforts have gotten after every increase in getting ALL the data?

Pretty sure with the giant ass panopticon they already had they haven’t stopped anything, except the FBI stings against the mentally ill.

Would this new information suddenly stop all the school shooters, serial bombers, hate attacks & all the other bad?
Or is it just giving into the fear mongering of if we don’t get this we might miss something!!!! (Ignoring all of the shit we are already missing because the focus is on imagined possible threats while ignoring actual threats)

Anonymous Coward says:

Re: Re:

Granted there have been no underware or shoe bombers of late but they where just getting started, With multiple contacts with the FBI and local cops what do we know about this latest school shooter? apparently nothing given what I have seen on the intertubz, many calls to have his parents dragged in shows that most people don’t know they are dead, a fucked up kid that had lost pretty much everything is a prime target for them..

That One Guy (profile) says:

Red flag large enough to cover a football field

When you have to slip your pet bill into another, ‘must pass’ bill you are all but admitting that you do not think it could withstand scrutiny and challenge.

If it’s a good bill then great, discuss and vote for it on it’s own merits, don’t tack it on to a completely unrelated bill and try to slip it through.

freedomfan (profile) says:

Gaping 4th Amendment Hole

So, someone in the U.S. Government who has no probable cause wants to fish through a U.S. citizen’s data that’s stored in the U.S. That person (who could be law enforcement, or just a politically connected slimer) finds a compliant shithole country* and has them demand the information from the email / cloud storage / remote backup / forum site / etc. provider and then turn it over to the U.S. person conducting the fishing expedition. This seems like an obvious end-run around the 4th Amendment.

(* Apologies, but I understand that to be the term used by top U.S. officials.)

I am annoyed that such a loophole has found its way into law. But, I am even more annoyed that it is such and obvious problem and still the law was passed. Legislation like this should only be introduced as a test. Any politician who votes for it is disqualified from voting on any actual legislation. They still get to wear a suit and pretend to be a grown up. But, much like those Fisher-Price car seat toys for kids with the plastic steering wheel and horn so that toddlers can pretend they are driving while mom or dad actually pilots the car, the politicians’ voting devices aren’t actually connected to anything. It just accepts the vote and says, "Thank you for voting on this important legislation. You are a big boy now!"

Mike Stimpson says:

I'm not sure the Supreme Court is out of it

Congress can pass whatever legislation it wants. The Supreme Court can still declare the legislation unconstitutional. Congress can’t fix that just by passing another piece of legislation.

Or does the current Supreme Court case merely claim that the government doesn’t have authorization to get the data? That’s a weaker claim than "unconstitutional", and one that Congress can fix…

The Wanderer (profile) says:

Re: I'm not sure the Supreme Court is out of it

The Supreme Court sometimes takes cases that aren’t about the constitutionality of a law, but about which of two conflicting lower-court interpretations of a law is correct, or about whether a decision made by a lower court comports with the law, or about whether a law or regulation established by a lower authority is compatible with overriding law passed by Congress, or indeed about whether a law or regulation overrides other (e.g. state) laws or not.

If, while the Court is hearing one of those latter types of cases, Congress changes the law in a way that would govern the outcome of the case, my understanding is that the Supreme Court can’t overrule them – unless the newly-changed law is itself overruled by something higher, the Constitution being the main candidate.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...