For an Audio Version of this article click here:
The gun debate in America today has brought into question the future of the Second Amendment, but while everybody was watching the action, is it possible that a new target has quietly been attacked – the Fourth Amendment? Only a day before thousands demanded gun control in the March for Our Lives, the CLOUD Act was pushed through Congress, tacked on to the budget spending bill signed off by President Trump this week.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act gives governments new abilities to obtain digital evidence for criminal investigations, across national borders. While law enforcement and big tech companies have lobbied for the bill, civil liberties groups are concerned that it violates constitutional rights and poses a real risk to personal privacy.
CLOUD was slipped in on page 2,201 of the Omnibus Budget Bill, and is now law, having evaded any debate in Congress.
What is the CLOUD Act?
Imagine that you are a U.S. police officer investigating a drug trafficking case; you believe that a Microsoft user account has emails and other digital evidence that could help you with the case. You have a warrant and ask the tech company to hand over the details; they’re happy to give you the account information but refuse pass along the emails, on the grounds that they are stored on servers in Ireland, where U.S. law enforcement has no jurisdiction.
These are in fact the details of a real legal case, United States v. Microsoft Corp., that has been appealed in multiple courts including the Supreme Court, where a ruling is currently pending. A court decision is now moot, however, having just legislated new procedures for this very situation.
The CLOUD Act is designed to allow U.S. law enforcement to obtain digital evidence for criminal investigations overseas, regardless of local laws. Countries approved by the Attorney General and Secretary of State will also be able to investigate non-U.S. citizens, with access to data held on U.S. soil. CLOUD sidesteps the existing MLAT (Mutual Legal Assistance Treaty) system that requires foreign governments to work with the DOJ to obtain warrants before accessing information within the U.S.
Senator Orrin Hatch (R-UT), who introduced the bill in February, claims that:
“The CLOUD Act bridges the divide that sometimes exists between law enforcement and the tech sector by giving law enforcement the tools it needs to access data throughout the world while at the same time creating a commonsense framework to encourage international cooperation to resolve conflicts of law.”
Multinational tech companies have supported the bill, stating in a joint letter between Microsoft, Facebook, Apple, Google and Oath (a Verizon subsidiary that runs Yahoo and AOL):
The legislation would further allow law enforcement to investigate cross-border crime and terrorism in a way that avoids international legal conflicts…Our companies have long advocated for international agreements and global solutions to protect our customers and Internet users around the world. We have always stressed that dialogue and legislation – not litigation – is the best approach.
Companies would be able to dispute requests in court if they feel there are no legitimate grounds for investigation; however, it seems unlikely this will happen often given their show of support for the bill, their aim of avoiding further litigation and their well-established love of invading users’ privacy.
A Breach of Civil Rights and the Fourth Amendment?
One of the most pressing concerns for U.S. citizens presented by CLOUD is the creation of a “backdoor” whereby information obtained by foreign governments can be passed back to U.S. law enforcement without a warrant – creating a serious loophole in the Fourth Amendment. The U.S. is now able to demand that foreign governments hand over any digital evidence obtained via CLOUD procedures to be used against American citizens, without the need to prove probable cause. According to the Electronic Frontier Foundation, a nonprofit organization that works on civil liberties in digital matters, “That data sharing, and potential criminal prosecution, requires no probable cause warrant as required by the Fourth Amendment, violating our constitutional rights.”
The bill presents an additional range of concerns, such as the ability of foreign police to obtain a person’s data without informing them. Foreign governments will also be able to use surveillance on U.S. soil according to standards that do not meet U.S. law; this surveillance cannot be used to target U.S. citizens but may record Americans who come into contact with a target.
A coalition of 24 American civil rights organizations has objected to the bill, including Amnesty International and the American Civil Liberties Union. ACLU legislative counsel Neem Singh Guliani complained in an op-ed for The Hill that the law removes powers from Congress and the Judiciary, concentrating decision making in the Executive. The power to enter into data sharing agreements, known as “executive agreements,” will be largely in the hands of the Attorney General and Secretary of State, with no need for congressional or judiciary approval.
The act gives the U.S. Government the power to obtain information about any individual across the world, regardless of foreign laws. The European Digital Rights (EDRi) group – a collection of 13 human rights foundations across Europe – has also objected to the act, on the grounds that it could be used against European citizens regardless of local privacy laws. They also express concern that once a bilateral agreement has been made under CLOUD, there is “no review mechanism in the event of democratic backsliding in a third country,” making it almost impossible to revoke treaties after the fact. With free speech increasingly under attack in the U.K. and other European nations, CLOUD could be used to facilitate prosecutions for so-called online hate speech and the crime of being “offensive.”
The Omnibus Budget Bill has been widely criticized for a lack of scrutiny that has disappointed many. Legislators were only given 24 hours to read a document over 2,000 pages in length and it’s unlikely that many of them even knew what they were voting for if that even matters. The CLOUD Act sailed under the radar to become law and, with a minimum of press coverage, will likely continue to go unnoticed – that is the danger of looking the other way.
