House Staples Extraterritorial Search Permissions Onto 2,232-Page Budget Bill; Passes It

from the hearty-debate-was-enjoyed-by-none dept

Just as the Supreme Court is considering the legality of extraterritorial demands for communications held by US internet service providers in overseas data storage, Congress is doing all it can to short-circuit the debate. Tucked away towards the back of a 2,200-page spending bill is something called the "Clarifying Lawful Overseas Use of Data Act" or (of course) "CLOUD Act." (h/t Steve Vladeck)

The CLOUD Act [PDF - starting at p. 2201] would make any decision by the Supreme Court extraneous. If it agrees with Microsoft -- as lower courts have -- that the US has no right to demand communications stored overseas with a normal warrant, the Act would immediately overturn the decision. If it decides against Microsoft, it will be aligned with the new law. As it stands now, the route most likely to be taken by the Supreme Court is a punt. Legislation on point is in play and the Court will probably be more than happy to let legislators make the final call.

Beyond the obvious problem of giving US law enforcement permission to use regular warrants to bypass mutual assistance treaties, the law also allows for reciprocation. We can't go around waving SCA (Stored Communications Act) warrants in foreign lands without expecting pushback from locals. So, we'll have to give foreign countries the same privileges, even if the criminal charges being investigated wouldn't be considered criminal acts in this country and the country enjoying this reciprocation doesn't care much about its own citizens' rights and privacy.

The EFF is especially critical of the shoehorned-in CLOUD Act. As it points out, the law would result in backdoor searches of anyone's communications via reciprocal communication demands. In the US, we've already seen the Fourth Amendment circumvented by US government agencies via their access to NSA collections. The same would happen in reverse when other countries start playing by the CLOUD Act's new rules.

When foreign police use their power under CLOUD Act executive agreements to collect a foreign target’s data from a U.S. company, they might also collect data belonging to a non-target U.S. person who happens to be communicating with the foreign target. Within the numerous, combined foreign investigations allowed under the CLOUD Act, it is highly likely that related seizures will include American communications, including email, online chat, video calls, and internet voice calls.

Under the CLOUD Act’s rules for these data demands from foreign police to U.S. service providers, this collection of Americans’ data can happen without any prior, individualized review by a foreign or American judge. Also, it can happen without the foreign police needing to prove the high level of suspicion required by the U.S. Fourth Amendment: probable cause.

In addition, the law allows the US to enter into agreements with almost any country on earth, even those whose respect for human rights is nearly nonexistent. There's a provision in the law that says countries must meet a vague human rights standards before they're allowed to start searching US-based cloud services, but those guidelines are roughly 100% useless. Unless a more rigorous vetting standard is applied, countries like Turkey could soon be trawling for US persons' communications. As the ACLU points out, Turkey might still be considered to be compliant with the humans rights guidelines despite its ever-increasing level of citizen-directed abuse.

For example, in early 2014, Turkey may have met the CLOUD Act’s vague human rights criteria; Freedom House even rated it a three and four on its index for political and civil rights. But since the attempted coup in mid-2016, the Turkish government has arrested more than 50,000 people — including journalists and activists such as the chair and director of Amnesty International’s Turkey section — many on bogus terrorism charges. According to U.N. experts: “Most of these accusations of terrorism are based solely on actions such as downloading data protection software, including the ByLock application, publishing opinions disagreeing with the Government’s anti-terrorism policies, organizing demonstrations, or providing legal representation for other activists.”

Under the CLOUD Act, neither Congress nor U.S. courts would be able to prompt a review or a temporary moratorium for a case like Turkey. Users, without notice, would have little practical ability to lodge complaints with the U.S. government or providers. Even if the U.S. government were to take action, the CLOUD Act fails to ensure a sufficiently quick response to protect activists and others whose safety could be threatened.

What few positives the bill provides revolve around challenging demands for communications. The bill provides avenues for US tech companies to challenge orders targeting foreign servers, as well as pushing back against foreign government demands for communications held in the US. But these will mainly be of use to the largest tech companies with the manpower and legal acumen to throw at the problem. Smaller companies will likely just find themselves handing over anything to anyone who comes asking, rather than risk punitive action by domestic and foreign governments.

And the standards are extremely weak. While the bill claims to hold foreign countries to US standards, it never specifically says foreign countries demanding communications need to have US-equivalent rights. It refers to "international universal human rights" which sounds great, but this is a feel-good term that isn't recognized by US or international law.

Even if communications are subject to some restrictions, metadata isn't. Anything foreign governments collect on American citizens can be handed over to the US government without further legal review. And it carves out a hole for wiretapping electronic communications, allowing demands like these to bypass the privacy protections of the Wiretap Act.

Considering it's been stapled to end of must-pass funding bill, chances are the bill will receive zero debate before being forwarded to the president. The House has already passed its version, which means the Senate needs to step up to block the CLOUD Act stuffed into its spending bill. As we saw during the last several months of 2016, very few reps were in any hurry to challenge the expansion of Rule 41 authorities, despite having more than a year to generate opposition. Even when time is a luxury, inaction is the preferred response. The CLOUD Act, hidden under more than 2,000 pages of funding requests, is probably as close to a sure thing as it's ever been. And it will do little more than further damage privacy protections across the globe.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    K`Tetch (profile), 22 Mar 2018 @ 12:11pm

    #isitok

    Is It ok that I thought the headline said "extraterrestrial" and I shook my head and thought 'yeah, doesn't F**king surprise me.

    "And pray that there's intelligent life somewhere out in space,
    'Cause there's bugger all down here on Earth! "

    (monty python)

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 22 Mar 2018 @ 12:13pm

    Encrypt everything!

    Much the way police intrusions into devices lead to Apple and Android encryption-by-default, this may lead us towards an era in which the common internet end user uses end-to-end encryption for all communication.

    Still, it won't happen until enough people are persecuted that it scares the public.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Mar 2018 @ 12:20pm

    Well what do you want?

    When so many public officials are using Obama's Time Machine it makes sense that the future looks like it does in the book...

    reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 22 Mar 2018 @ 12:20pm

    TOLD YA! NO WAY IN HELL CAN MICROSOFT GET DATA, BUT NOT GOV'T!

    Okay, I admit expect(ed) Supreme Court to toss out that LOONY assertion long before Congress got around to it, but clearly it's so OBVIOUSLY NECESSARY that it's been pre-empted.

    Now all I have to do is wait for the accolades from fanboys for being RIGHT yet again...

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Mar 2018 @ 12:53pm

      yeah, but how does common law affect this?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Mar 2018 @ 1:00pm

      Re: TOLD YA! NO WAY IN HELL CAN MICROSOFT GET DATA, BUT NOT GOV'T!

      Errrnt! Wrong again!

      If the assertion was loony, there would be no need for a law. Since they're passing a law, obviously it's currently allowable and they need to change the law so that tech companies can no longer refuse such a request.

      However, by doing so they have opened a major can of worms. There are two things that will inevitably happen:

      1. Countries will refuse to do business with American tech companies because now their data is no longer safe from the US government.

      2. Foreign countries can now request data on any US person and tech companies have to turn it over.

      America just shot itself in both feet and it will come back to bite us, hard.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Mar 2018 @ 1:31pm

      Re: TOLD YA! NO WAY IN HELL CAN MICROSOFT GET DATA, BUT NOT GOV'T!

      This one is incoherent, even for you.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Mar 2018 @ 12:24pm

    Senate filibuster

    Rumors are swirling that Senator Rand Paul will filibuster this bill, causing the government to run out of money and shutdown this weekend.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Mar 2018 @ 12:25pm

    Did they exclude themselves? Someone might want to point out to them that this means foreign governments can demand communications from political candidates. And even of they excluded themselves, once they are out of office they are fair game along with the rest of us.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Mar 2018 @ 12:48pm

    Meltdown/Spectre legislative process

    You get to read the legislation only after you pass it.

    Heck, it worked great for Intel.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Mar 2018 @ 1:15pm

    What if foreign countries decide they are not cooperate with the United States?

    reply to this | link to this | view in chronology ]

    • icon
      Rapnel (profile), 22 Mar 2018 @ 1:42pm

      Re:

      The United States is a top exporter of freedom. The United States will simply export more freedom to the, uh, undecided country. That's what freedom exporters do.

      reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 22 Mar 2018 @ 1:29pm

    backdoor to hell..

    tHIS IS A BACKDOOR.
    1. Countries have Their OWN laws, and now we are giving other nations Access to OUR communications FOR their OWN USES?? There are Big holes in that idea.
    2. Do we have access to theirs??

    Umm, the USA can request the other country to DO a data search from OUTSIDE the USA, that has no Constitutional restrictions..

    Hasnt the USA already made deals for tracking Incoming Foreign communications from Those with terrorist ties??

    Couldnt we already be giving Foreign agencies access to trace TO the USA those same persons of interest, SENT to the USA??

    This idea would give OUR Policing agencies the ability to SIT over there, and Gather personal info with out the constitution Protections WE HAVE NOW..

    reply to this | link to this | view in chronology ]

  • icon
    brandx (profile), 22 Mar 2018 @ 2:19pm

    Keep smiling

    Mike, I have no idea how you manage to stay so optimistic. With things like this and SESTA, and the whole USA government, I am feeling overwhelmed.

    reply to this | link to this | view in chronology ]

  • icon
    Ryunosuke (profile), 22 Mar 2018 @ 3:10pm

    or china, china has been looking for people and groups critical of it's govt. and with their cyber capabilities...

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Mar 2018 @ 3:27pm

      Re:

      Organ doners for sick rich people have to come from somewhere, also I hear silicon valley needs the blood of children, or at least paypal founders do...

      reply to this | link to this | view in chronology ]

  • identicon
    Captain Obvious, 22 Mar 2018 @ 3:23pm

    Covertly Legitimising Awful Overseas Use of Data Act

    fixed that for you.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 22 Mar 2018 @ 4:06pm

    At what point is someone going to ask for an audit of how much better our protection efforts have gotten after every increase in getting ALL the data?

    Pretty sure with the giant ass panopticon they already had they haven't stopped anything, except the FBI stings against the mentally ill.

    Would this new information suddenly stop all the school shooters, serial bombers, hate attacks & all the other bad?
    Or is it just giving into the fear mongering of if we don't get this we might miss something!!!! (Ignoring all of the shit we are already missing because the focus is on imagined possible threats while ignoring actual threats)

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Mar 2018 @ 5:20pm

      Re:

      Granted there have been no underware or shoe bombers of late but they where just getting started, With multiple contacts with the FBI and local cops what do we know about this latest school shooter? apparently nothing given what I have seen on the intertubz, many calls to have his parents dragged in shows that most people don't know they are dead, a fucked up kid that had lost pretty much everything is a prime target for them..

      reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 22 Mar 2018 @ 5:41pm

    HAVE TO ASK..

    WE are paying our gov. to DO WHAT???
    NOW we are going to pay another GOV. to DO WHAT??

    really sounds like Another way to ship money OUTSIDE this country..

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 23 Mar 2018 @ 2:13am

    Red flag large enough to cover a football field

    When you have to slip your pet bill into another, 'must pass' bill you are all but admitting that you do not think it could withstand scrutiny and challenge.

    If it's a good bill then great, discuss and vote for it on it's own merits, don't tack it on to a completely unrelated bill and try to slip it through.

    reply to this | link to this | view in chronology ]

  • icon
    freedomfan (profile), 23 Mar 2018 @ 10:57am

    Gaping 4th Amendment Hole

    So, someone in the U.S. Government who has no probable cause wants to fish through a U.S. citizen's data that's stored in the U.S. That person (who could be law enforcement, or just a politically connected slimer) finds a compliant shithole country* and has them demand the information from the email / cloud storage / remote backup / forum site / etc. provider and then turn it over to the U.S. person conducting the fishing expedition. This seems like an obvious end-run around the 4th Amendment.

    (* Apologies, but I understand that to be the term used by top U.S. officials.)

    I am annoyed that such a loophole has found its way into law. But, I am even more annoyed that it is such and obvious problem and still the law was passed. Legislation like this should only be introduced as a test. Any politician who votes for it is disqualified from voting on any actual legislation. They still get to wear a suit and pretend to be a grown up. But, much like those Fisher-Price car seat toys for kids with the plastic steering wheel and horn so that toddlers can pretend they are driving while mom or dad actually pilots the car, the politicians' voting devices aren't actually connected to anything. It just accepts the vote and says, "Thank you for voting on this important legislation. You are a big boy now!"

    reply to this | link to this | view in chronology ]

  • identicon
    Mike Stimpson, 23 Mar 2018 @ 1:20pm

    I'm not sure the Supreme Court is out of it

    Congress can pass whatever legislation it wants. The Supreme Court can still declare the legislation unconstitutional. Congress can't fix that just by passing another piece of legislation.

    Or does the current Supreme Court case merely claim that the government doesn't have authorization to get the data? That's a weaker claim than "unconstitutional", and one that Congress can fix...

    reply to this | link to this | view in chronology ]

    • icon
      The Wanderer (profile), 23 Mar 2018 @ 2:40pm

      Re: I'm not sure the Supreme Court is out of it

      The Supreme Court sometimes takes cases that aren't about the constitutionality of a law, but about which of two conflicting lower-court interpretations of a law is correct, or about whether a decision made by a lower court comports with the law, or about whether a law or regulation established by a lower authority is compatible with overriding law passed by Congress, or indeed about whether a law or regulation overrides other (e.g. state) laws or not.

      If, while the Court is hearing one of those latter types of cases, Congress changes the law in a way that would govern the outcome of the case, my understanding is that the Supreme Court can't overrule them - unless the newly-changed law is itself overruled by something higher, the Constitution being the main candidate.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.