The Cloud now has no borders

The US is charting a new path when it comes to how law enforcement can better obtain digital evidence from overseas. But while authorities claim the new legislation will enable them to crack down on crime, it has left questions pertaining to the future of cloud storage and digital privacy.

Having passed silently in March as part of the colossal 2018 Omnibus Spending Bill, the Cloud Act, or the Clarifying Lawful Overseas Use of Data Act, has marked a significant cornerstone in the fight for data access, which has typically seen tech companies acting as ombudsman between user privacy and the warrants of federal agencies.

Now, the resulting framework under the law has privacy advocates, both home and abroad, raising the red flag over a lack of oversight and ease at which a government can demand personal information be handed over.

“We are very concerned about this legislation,” said Greg Nojeim of the Center for Democracy & Technology, an American non-profit that has been providing recommendations on the bill since it was first tabled in 2014.

“It [The Cloud Act] does two things,” he told The Daily Swig.

“First, it makes it so the US legal process for communications data subpoenas, court orders, and warrants have extraterritorial effect and can compel a provider, over which the US has jurisdiction, to disclose data no matter where it is stored.”

Getting a warrant for criminal investigation has long been overdue to catch up with the digital age, where information can act like an offshore bank account and be stored outside of the owner’s country of residence.

Internet connectivity and the increasingly global nature of crime has meant previously used domestic search warrants and legislatively exhausting bilateral data sharing agreements are, from point of view of the US Department of Justice (DOJ), no longer effective in the prosecution of serious offences – a warrant issued for searching a house is not the same as seizing data from the cloud.

This is what Microsoft argued in 2013, when a drug-trafficking investigation led the DOJ to data stored on one of the company’s servers in Dublin, where the Cloud Act and streamlined process of data exchange between American tech and government would begin to take shape.

Fearing governments could start requiring their citizens to store data locally, tech conglomerates welcomed the legislation that resulted nearly five years later – Microsoft, Google, Apple, Facebook, and Oath are all supporters of the Cloud Act.

Brad Smith, Microsoft president and chief legal officer, reiterated Big Tech’s position in a blog posted in February.

It said: “It’s a strong statute [The Cloud Act] and a good compromise that reflects recent bipartisan support in both chambers of Congress, as well as support from the Department of Justice, the White House, the National Association of Attorneys General, and a broad cross section of technology companies.

“It also responds directly to the needs of foreign governments frustrated about their inability to investigate crimes in their own countries.”

Smith said that Microsoft, and other companies like it, were confident that the Act would ensure consumer privacy was protected, seen most predominately through a clause aimed at preventing governments from demanding the creation of any backdoor around encryption.

But civil rights groups aren’t convinced, viewing the Cloud Act’s disposal of an independent reviewer for warrant requests a significant stepping stone toward abuse of power and the violation of US citizens’ right to privacy.

More worrisome, however, is when the legislation becomes implemented in countries where laws do not afford the same liberties as those granted under the US Constitution.

“The other thing it [The Cloud Act] does is permit foreign governments, to which the US enters into agreement, to demand the data of anyone anywhere under the foreign country’s laws, as opposed to under the laws of the United States,” said Nojeim.

“In other words, once the United States enters into an agreement with another country, that country will get access to data of people in a worldwide basis, so it’s important that the country has strong surveillance protections.”

Nojeim explained that the concern here was that the DOJ would place a greater importance on its political relations with a country, rather than any human rights criteria when deciding to let it join the Cloud Act – granting a foreign government access to its citizens’ data stored on a US provider.

“The climate in the country is already pretty bad when it comes to exercising right of freedom of assembly and expression,” said Barbora Cernusakova, speaking of Amnesty International’s work in Poland – a nation that has seen a massive crackdown on freedom of speech and assembly since a new conservative government came to power in 2016.

“So this [The Cloud Act] adds to already broad or shrinking space for anybody who doesn’t agree on the narrative or the policies that this government is introducing.”

Cernusakova added that digital surveillance of protestors had already been made easier with additional powers granted for government access to data with few oversight mechanisms in place.

“So it [Poland] seeks a person’s Gmail, and uses that information for something that would be a speech crime in the United States. That person is being prosecuted for their speech and the US provider becomes complacent in that violation of the right to free expression,” said Nojeim.

“The law [Cloud Act] says that orders issued under it can’t violate freedom of expression, but it doesn’t say whose version of that right is to be respected.”

The DoJ has since issued Microsoft a new warrant under the Cloud Act.