A new US-UK data agreement is worrisome but it won’t give access to encrypted comms

CLOUD Act details surfacing in a fog of confusion

A new treaty between the US and UK will require social media companies like Facebook to hand over private messages but, contrary to recent reports, will not break end-to-end encryption or force them to add backdoors to their software.

That’s the upshot of a weekend of frantic commentary and debate over the CLOUD Act, which will likely be signed next month. The legislation is troubling, especially since it will legally require tech companies to hand over messages when requested by the authorities - an approach that has been wildly and consistently abused in the past - but it will not force those companies to provide them in a readable format.

The confusion is understandable: the security services have been pushing hard for the new legislation and have talked about the law allowing them to place "virtual crocodile clips" on modern forms of communication such as encrypted chat and call apps.

But there is a significant degree of justification behind the law, at least in concept. Currently, authorities in the US and UK are required to fall back on a law from the 1980s in requesting electronic information on criminal suspects.

That causes significant delays in the provision of potentially important information because it requires UK authorities to go through the US courts to get the information, and vice versa. The CLOUD Act will make that information exchange much faster.

Advocates of the law have been flagging notable cases, such as the murder of 13-year-old UK citizen Lucy McHugh. In that case, the man suspected of murdering her, Stephen Nicholson, had interacted with the girl through Facebook Messenger and the authorities wanted to know what was in those messages, for obvious reasons.

In the end, Facebook - which is based in the US - handed over only a log of the messages, with no content, and that log arrived only on the day the trial started. It was very far from perfect; the only good news was that Nicholson ended up being convicted and jailed for life.


Facebook Messenger does not have encryption turned on as a default - you have to select it - and as such, under the new law, the UK authorities would have had access to messages sent between the two.

The situation is different, however, when it comes to apps like WhatsApp, which is also owned by Facebook. WhatsApp has end-to-end encryption turned on by default, and that is what may have caused confusion in media reports at the weekend.

The head of WhatsApp, Will Cathcart, responded on Sunday to the reports, noting “we were surprised to read this story and are not aware of discussions that would force us to change our product.”

He added: “We believe people have a fundamental right to have private conversations… We will always oppose government attempts to build backdoors because they would weaken the security of everyone who uses WhatsApp including governments themselves. In times like these we must stand up both for the security and the privacy of our users everywhere. We will continue to do so.”

A lengthier analysis by former Facebook CISO Alex Stamos on Twitter digs into the history of the new CLOUD Act, the current situation and what will change under the new law. In a nutshell, it will give the UK authorities the right to issue a request that is equivalent to that of a US court; and the US authorities to do the same for a UK court.


But, crucially, it will not give either country additional rights. The US courts are not (currently) allowed to force a company to decrypt messages, or to install backdoors in its software in order to do so, and so neither will the UK authorities be allowed to.

There are also some additional safeguards: US authorities will only use their new powers to investigate cases based in the US, and UK authorities only for cases in the UK. Additionally, the US authorities have agreed that no information provided by the UK can be used as evidence in cases where the death penalty is under consideration, which isn't really an issue as capital punishment has been banned in the UK since 1969.

That doesn’t mean that the CLOUD Act is all good news however. The NSA in the US and GCHQ in the UK have a long history of abusing the law, often through secret interpretations of it, in order to gain as much access as possible to private citizens’ communications.

It is a virtual certainty that the security services have attempted to introduce language - and likely have succeeded in doing so - that they are confident they can later re-interpret in a way that grants them greater access than was envisioned.

You only need look at the aftermath of the Snowden revelations and the ridiculous interpretations that still exist within current spying programs in both the UK and US to see what direction the law is headed.

That said, it is equally ridiculous that in the internet era - where people’s use of social media is instant and seamless - people investigating serious criminal matters cannot gain access to vital evidence because the company that offers the communication service is based in a different country.

In that sense, the CLOUD Act will not help bring laws that everyone is comfortable with into the digital era. But it does not extend or expand powers beyond that. At least not on paper, and not yet.
