House Staples Extraterritorial Search Permissions Onto 2,232-Page Budget Bill; Passes It
from the hearty-debate-was-enjoyed-by-none dept
Just as the Supreme Court is considering the legality of extraterritorial demands for communications held by US internet service providers in overseas data storage, Congress is doing all it can to short-circuit the debate. Tucked away towards the back of a 2,200-page spending bill is something called the “Clarifying Lawful Overseas Use of Data Act” or (of course) “CLOUD Act.” (h/t Steve Vladeck)
The CLOUD Act [PDF – starting at p. 2201] would make any decision by the Supreme Court extraneous. If it agrees with Microsoft — as lower courts have — that the US has no right to demand communications stored overseas with a normal warrant, the Act would immediately overturn the decision. If it decides against Microsoft, it will be aligned with the new law. As it stands now, the route most likely to be taken by the Supreme Court is a punt. Legislation on point is in play and the Court will probably be more than happy to let legislators make the final call.
Beyond the obvious problem of giving US law enforcement permission to use regular warrants to bypass mutual assistance treaties, the law also allows for reciprocation. We can’t go around waving SCA (Stored Communications Act) warrants in foreign lands without expecting pushback from locals. So, we’ll have to give foreign countries the same privileges, even if the criminal charges being investigated wouldn’t be considered criminal acts in this country and the country enjoying this reciprocation doesn’t care much about its own citizens’ rights and privacy.
The EFF is especially critical of the shoehorned-in CLOUD Act. As it points out, the law would result in backdoor searches of anyone’s communications via reciprocal communication demands. In the US, we’ve already seen the Fourth Amendment circumvented by US government agencies via their access to NSA collections. The same would happen in reverse when other countries start playing by the CLOUD Act’s new rules.
When foreign police use their power under CLOUD Act executive agreements to collect a foreign target’s data from a U.S. company, they might also collect data belonging to a non-target U.S. person who happens to be communicating with the foreign target. Within the numerous, combined foreign investigations allowed under the CLOUD Act, it is highly likely that related seizures will include American communications, including email, online chat, video calls, and internet voice calls.
Under the CLOUD Act’s rules for these data demands from foreign police to U.S. service providers, this collection of Americans’ data can happen without any prior, individualized review by a foreign or American judge. Also, it can happen without the foreign police needing to prove the high level of suspicion required by the U.S. Fourth Amendment: probable cause.
In addition, the law allows the US to enter into agreements with almost any country on earth, even those whose respect for human rights is nearly nonexistent. There’s a provision in the law that says countries must meet a vague human rights standards before they’re allowed to start searching US-based cloud services, but those guidelines are roughly 100% useless. Unless a more rigorous vetting standard is applied, countries like Turkey could soon be trawling for US persons’ communications. As the ACLU points out, Turkey might still be considered to be compliant with the humans rights guidelines despite its ever-increasing level of citizen-directed abuse.
For example, in early 2014, Turkey may have met the CLOUD Act’s vague human rights criteria; Freedom House even rated it a three and four on its index for political and civil rights. But since the attempted coup in mid-2016, the Turkish government has arrested more than 50,000 people — including journalists and activists such as the chair and director of Amnesty International’s Turkey section — many on bogus terrorism charges. According to U.N. experts: “Most of these accusations of terrorism are based solely on actions such as downloading data protection software, including the ByLock application, publishing opinions disagreeing with the Government’s anti-terrorism policies, organizing demonstrations, or providing legal representation for other activists.”
Under the CLOUD Act, neither Congress nor U.S. courts would be able to prompt a review or a temporary moratorium for a case like Turkey. Users, without notice, would have little practical ability to lodge complaints with the U.S. government or providers. Even if the U.S. government were to take action, the CLOUD Act fails to ensure a sufficiently quick response to protect activists and others whose safety could be threatened.
What few positives the bill provides revolve around challenging demands for communications. The bill provides avenues for US tech companies to challenge orders targeting foreign servers, as well as pushing back against foreign government demands for communications held in the US. But these will mainly be of use to the largest tech companies with the manpower and legal acumen to throw at the problem. Smaller companies will likely just find themselves handing over anything to anyone who comes asking, rather than risk punitive action by domestic and foreign governments.
And the standards are extremely weak. While the bill claims to hold foreign countries to US standards, it never specifically says foreign countries demanding communications need to have US-equivalent rights. It refers to “international universal human rights” which sounds great, but this is a feel-good term that isn’t recognized by US or international law.
Even if communications are subject to some restrictions, metadata isn’t. Anything foreign governments collect on American citizens can be handed over to the US government without further legal review. And it carves out a hole for wiretapping electronic communications, allowing demands like these to bypass the privacy protections of the Wiretap Act.
Considering it’s been stapled to end of must-pass funding bill, chances are the bill will receive zero debate before being forwarded to the president. The House has already passed its version, which means the Senate needs to step up to block the CLOUD Act stuffed into its spending bill. As we saw during the last several months of 2016, very few reps were in any hurry to challenge the expansion of Rule 41 authorities, despite having more than a year to generate opposition. Even when time is a luxury, inaction is the preferred response. The CLOUD Act, hidden under more than 2,000 pages of funding requests, is probably as close to a sure thing as it’s ever been. And it will do little more than further damage privacy protections across the globe.
Filed Under: cloud act, extraterritorial, jurisdiction, omnibus, privacy, search, stored communications act, surveillance, warrants
Comments on “House Staples Extraterritorial Search Permissions Onto 2,232-Page Budget Bill; Passes It”
#isitok
Is It ok that I thought the headline said “extraterrestrial” and I shook my head and thought ‘yeah, doesn’t F**king surprise me.
“And pray that there’s intelligent life somewhere out in space,
‘Cause there’s bugger all down here on Earth! “
(monty python)
Re: #isitok
I read it as permission to search for ET. I wish it was permission to search for ET.
Encrypt everything!
Much the way police intrusions into devices lead to Apple and Android encryption-by-default, this may lead us towards an era in which the common internet end user uses end-to-end encryption for all communication.
Still, it won’t happen until enough people are persecuted that it scares the public.
Well what do you want?
When so many public officials are using Obama’s Time Machine it makes sense that the future looks like it does in the book…
TOLD YA! NO WAY IN HELL CAN MICROSOFT GET DATA, BUT NOT GOV'T!
Okay, I admit expect(ed) Supreme Court to toss out that LOONY assertion long before Congress got around to it, but clearly it’s so OBVIOUSLY NECESSARY that it’s been pre-empted.
Now all I have to do is wait for the accolades from fanboys for being RIGHT yet again…
Re: yeah, but how does common law affect this?
Re: Re: yeah, but how does common law affect this?
It doesn’t next question.
Re: TOLD YA! NO WAY IN HELL CAN MICROSOFT GET DATA, BUT NOT GOV'T!
Errrnt! Wrong again!
If the assertion was loony, there would be no need for a law. Since they’re passing a law, obviously it’s currently allowable and they need to change the law so that tech companies can no longer refuse such a request.
However, by doing so they have opened a major can of worms. There are two things that will inevitably happen:
1. Countries will refuse to do business with American tech companies because now their data is no longer safe from the US government.
2. Foreign countries can now request data on any US person and tech companies have to turn it over.
America just shot itself in both feet and it will come back to bite us, hard.
Re: TOLD YA! NO WAY IN HELL CAN MICROSOFT GET DATA, BUT NOT GOV'T!
This one is incoherent, even for you.
Senate filibuster
Rumors are swirling that Senator Rand Paul will filibuster this bill, causing the government to run out of money and shutdown this weekend.
Did they exclude themselves? Someone might want to point out to them that this means foreign governments can demand communications from political candidates. And even of they excluded themselves, once they are out of office they are fair game along with the rest of us.
Re: Re:
Ha! they drank the tea an now the queen is coming to reign tyranny over the US, MP’s and GCHQ employees are exempt from monitoring in the UK, you have fallen for her trap!
Re: Re: Re:
Only took about 244 years to work.
Re: Re: Re:
UK resident here… you’re talking crap.
If anyone is exercising tyranny over the US it’s your beloved corporations, who write laws for you using ALEC, etc.
Meltdown/Spectre legislative process
You get to read the legislation only after you pass it.
Heck, it worked great for Intel.
What if foreign countries decide they are not cooperate with the United States?
Re: Re:
The United States is a top exporter of freedom. The United States will simply export more freedom to the, uh, undecided country. That’s what freedom exporters do.
backdoor to hell..
tHIS IS A BACKDOOR.
1. Countries have Their OWN laws, and now we are giving other nations Access to OUR communications FOR their OWN USES?? There are Big holes in that idea.
2. Do we have access to theirs??
Umm, the USA can request the other country to DO a data search from OUTSIDE the USA, that has no Constitutional restrictions..
Hasnt the USA already made deals for tracking Incoming Foreign communications from Those with terrorist ties??
Couldnt we already be giving Foreign agencies access to trace TO the USA those same persons of interest, SENT to the USA??
This idea would give OUR Policing agencies the ability to SIT over there, and Gather personal info with out the constitution Protections WE HAVE NOW..
Keep smiling
Mike, I have no idea how you manage to stay so optimistic. With things like this and SESTA, and the whole USA government, I am feeling overwhelmed.
Re: Keep smiling
Court challenges to SESTA will soon sort that problem out. It’s clearly unconstitutional.
or china, china has been looking for people and groups critical of it’s govt. and with their cyber capabilities…
Re: Re:
Organ doners for sick rich people have to come from somewhere, also I hear silicon valley needs the blood of children, or at least paypal founders do…
Covertly Legitimising Awful Overseas Use of Data Act
fixed that for you.
At what point is someone going to ask for an audit of how much better our protection efforts have gotten after every increase in getting ALL the data?
Pretty sure with the giant ass panopticon they already had they haven’t stopped anything, except the FBI stings against the mentally ill.
Would this new information suddenly stop all the school shooters, serial bombers, hate attacks & all the other bad?
Or is it just giving into the fear mongering of if we don’t get this we might miss something!!!! (Ignoring all of the shit we are already missing because the focus is on imagined possible threats while ignoring actual threats)
Re: Re:
Granted there have been no underware or shoe bombers of late but they where just getting started, With multiple contacts with the FBI and local cops what do we know about this latest school shooter? apparently nothing given what I have seen on the intertubz, many calls to have his parents dragged in shows that most people don’t know they are dead, a fucked up kid that had lost pretty much everything is a prime target for them..
Re: Re: Re:
Sorry I mean to imply that FBI stings against the mentally ill have not stopped and to illustrate that.
HAVE TO ASK..
WE are paying our gov. to DO WHAT???
NOW we are going to pay another GOV. to DO WHAT??
really sounds like Another way to ship money OUTSIDE this country..
Red flag large enough to cover a football field
When you have to slip your pet bill into another, ‘must pass’ bill you are all but admitting that you do not think it could withstand scrutiny and challenge.
If it’s a good bill then great, discuss and vote for it on it’s own merits, don’t tack it on to a completely unrelated bill and try to slip it through.
Gaping 4th Amendment Hole
So, someone in the U.S. Government who has no probable cause wants to fish through a U.S. citizen’s data that’s stored in the U.S. That person (who could be law enforcement, or just a politically connected slimer) finds a compliant shithole country* and has them demand the information from the email / cloud storage / remote backup / forum site / etc. provider and then turn it over to the U.S. person conducting the fishing expedition. This seems like an obvious end-run around the 4th Amendment.
(* Apologies, but I understand that to be the term used by top U.S. officials.)
I am annoyed that such a loophole has found its way into law. But, I am even more annoyed that it is such and obvious problem and still the law was passed. Legislation like this should only be introduced as a test. Any politician who votes for it is disqualified from voting on any actual legislation. They still get to wear a suit and pretend to be a grown up. But, much like those Fisher-Price car seat toys for kids with the plastic steering wheel and horn so that toddlers can pretend they are driving while mom or dad actually pilots the car, the politicians’ voting devices aren’t actually connected to anything. It just accepts the vote and says, "Thank you for voting on this important legislation. You are a big boy now!"
I'm not sure the Supreme Court is out of it
Congress can pass whatever legislation it wants. The Supreme Court can still declare the legislation unconstitutional. Congress can’t fix that just by passing another piece of legislation.
Or does the current Supreme Court case merely claim that the government doesn’t have authorization to get the data? That’s a weaker claim than "unconstitutional", and one that Congress can fix…
Re: I'm not sure the Supreme Court is out of it
The Supreme Court sometimes takes cases that aren’t about the constitutionality of a law, but about which of two conflicting lower-court interpretations of a law is correct, or about whether a decision made by a lower court comports with the law, or about whether a law or regulation established by a lower authority is compatible with overriding law passed by Congress, or indeed about whether a law or regulation overrides other (e.g. state) laws or not.
If, while the Court is hearing one of those latter types of cases, Congress changes the law in a way that would govern the outcome of the case, my understanding is that the Supreme Court can’t overrule them – unless the newly-changed law is itself overruled by something higher, the Constitution being the main candidate.