A new US-UK data agreement is worrisome but it won’t give access to encrypted comms

CLOUD Act details surfacing in a fog of confusion

A new treaty between the US and UK will require social media companies like Facebook to hand over private messages but, contrary to recent reports, will not break end-to-end encryption or force them to add backdoors to their software.

That’s the upshot of a weekend of frantic commentary and debate over the agreement, struck under the US CLOUD Act, which will likely be signed next month. The agreement is troubling, especially since it will legally require tech companies to hand over messages when requested by the authorities - an approach that has been widely and consistently abused in the past - but it will not force those companies to provide them in a readable format.

The confusion is understandable: the security services have been pushing hard for the new legislation and have talked about the law allowing them to place "virtual crocodile clips" on modern forms of communication such as encrypted chat and call apps.

But there is a significant degree of justification behind the law, at least in concept. Currently, authorities in the US and UK are required to fall back on a law from the 1980s in requesting electronic information on criminal suspects.

That causes significant delays in the provision of potentially important information because it requires UK authorities to go through the US courts to get the information, and vice versa. The CLOUD Act will make that information exchange much faster.

Advocates of the law have been flagging notable cases, such as the murder of 13-year-old UK citizen Lucy McHugh. In that case, the man suspected of murdering her, Stephen Nicholson, had interacted with the girl through Facebook Messenger and the authorities wanted to know what was in those messages, for obvious reasons.

In the end, Facebook - which is based in the US - only handed over a log of the messages, with no content, and that log only arrived on the day the trial started. It was very far from perfect; the only good news was that Nicholson ended up being convicted and jailed for life.


Facebook Messenger does not have end-to-end encryption turned on by default - you have to select it for a conversation - so Facebook holds readable copies of ordinary Messenger conversations. As such, under the new agreement, the UK authorities would have been able to obtain the content of the messages sent between the two.

The situation is different, however, when it comes to apps like WhatsApp - also owned by Facebook. WhatsApp has end-to-end encryption turned on by default, meaning the company never holds a readable copy of the messages, and that is what may have caused confusion in media reports at the weekend.

The head of WhatsApp, Will Cathcart, responded on Sunday to the reports, noting “we were surprised to read this story and are not aware of discussions that would force us to change our product.”

He added: “We believe people have a fundamental right to have private conversations… We will always oppose government attempts to build backdoors because they would weaken the security of everyone who uses WhatsApp including governments themselves. In times like these we must stand up both for the security and the privacy of our users everywhere. We will continue to do so.”

A lengthier analysis by former Facebook CISO Alex Stamos on Twitter digs into the history of the CLOUD Act, the current situation and what will change under the new agreement. In a nutshell, it will give the UK authorities the right to issue a request that carries the same weight as an order from a US court, and the US authorities the right to do the same for a UK court.


But, crucially, it will not give either country additional powers. The US courts are not (currently) allowed to force a company to decrypt messages, or to install backdoors in its software to do so, and so neither will the UK authorities be allowed to do so.

There are also some additional safeguards: US authorities will only use their new powers to investigate cases based in the US, and UK authorities only for cases based in the UK. Additionally, the US authorities have agreed that no information provided by the UK can be used as evidence in cases where the death penalty is under consideration; no reciprocal restriction is needed, since the UK abolished capital punishment for murder in 1969.

That doesn’t mean that the CLOUD Act is all good news however. The NSA in the US and GCHQ in the UK have a long history of abusing the law, often through secret interpretations of it, in order to gain as much access as possible to private citizens’ communications.

It is a virtual certainty that the security services have attempted to introduce language - and likely have succeeded in doing so - that they are confident they can later re-interpret in a way that grants them greater access than was envisioned.

You only need look at the aftermath of the Snowden revelations and the ridiculous interpretations that still exist within current spying programs in both the UK and US to see what direction the law is headed.

That said, it is equally ridiculous that in the internet era - where people’s use of social media is instant and seamless - people investigating serious criminal matters cannot gain access to vital evidence because the company that offers the communication service is based in a different country.

In that sense, the CLOUD Act will help bring laws that everyone is comfortable with into the digital era. And it does not extend or expand powers beyond that. At least not on paper and not yet. ®

Biting the hand that feeds IT © 1998–2022