The attorneys general of 35 US states on Wednesday signed an open letter calling for the quick passage of the Clarify Lawful Overseas Use of Data (CLOUD) Act – with some qualifications.
The proposed legislation, if passed by Congress, will allow the Feds to demand people's emails and other personal communications from overseas computers with a simple subpoena issued by a US judge.
In effect, it means the FBI can ask, say, a California court for a subpoena to obtain files from a San Francisco upstart's servers hosted in France, sidestepping French privacy laws and legal system. The act's wording also does not limit the Feds to serving orders for communications on US companies and entities – agents would be able to demand information from whomever they wished, if a US judge approved.
The draft law also allows foreign governments to ask for non-US-citizens' personal data stored in America, under new sharing agreements that would be worked out by the White House.
The CLOUD Act was drawn up in part as a result of the ongoing court battle between Microsoft and US law enforcement: Uncle Sam wants a Microsoft customer's email messages stored on a Microsoft-run server in Ireland. The Feds went to a judge in New York for the information, but Redmond wants prosecutors to go to Ireland and ask an Irish judge for permission.
Microsoft, essentially, is arguing that, because the data in question is stored on servers in Ireland, the g-men's request – made under the 1986 US Stored Communications Act – is invalid. The US Supreme Court will consider the case this year.
"We believe the CLOUD Act is an important step toward resolving this dispute. The Act both confirms law enforcement’s ability to obtain probable-caused based warrants for electronic communications stored abroad and creates a clear avenue for service providers to challenge an SCA warrant that targets a foreign person and which would require a provider to violate foreign law," the attorneys' general letter [PDF] stated.
"The Act also creates incentives for our foreign partners to enter into bilateral agreements that will facilitate cross-border criminal investigations, while ensuring that privacy and civil liberties are respected."
The legislation, introduced earlier this month, has the support of President Trump, the British Prime Minister Theresa May, and a host of technology companies – including Microsoft. Redmond's support seems a little odd, since the company has been painting itself as a champion of liberty in the Irish case, but Microsoft's president and chief legal officer is all for the new bill:
To help protect Internet users, we’ve long argued for the US Congress to modernize laws. The new, bipartisan CLOUD Act is an important step toward enhancing & protecting privacy while reducing international legal conflicts. https://t.co/MQhRMMvTuJ— Brad Smith (@BradSmi) February 6, 2018
Human and internet rights groups are strongly opposed to the legislation, since it would basically allow the US to grab any data from anywhere in the world, and make it much easier for foreign governments to spy on their own citizens.
"The CLOUD Act would give unlimited jurisdiction to US law enforcement over any data controlled by a service provider, regardless of where the data is stored and who created it," said Camille Fischer, Frank Stanton Fellow at the EFF.
"This applies to content, metadata, and subscriber information – meaning private messages and account details could be up for grabs. The breadth of such unilateral extraterritorial access creates a dangerous precedent for other countries who may want to access information stored outside their own borders, including data stored in the United States."
Even the attorneys general have their own reservations about some of the powers the CLOUD Act would give the government. They note in the final paragraph that the new legislation shouldn't trump ongoing alterations with the Electronic Communications Privacy Act that could strengthen consumer protections. ®