Legislation recently proposed in the Senate would give US and foreign governments unprecedented access to our real-time communications and sensitive personal information stored on the servers of private companies like Google, Facebook, and Microsoft. On February 6th, Senators Orrin Hatch (R-UT), Chris Coons (R-DE), Lindsey Graham (R-SC), and Sheldon Whitehouse (D-RI) introduced the Clarifying Overseas Use of Data (CLOUD) Act, which would allow the US government to obtain user data from US tech companies regardless of where the data is stored. If enacted, the bill would also authorize the executive branch to enter into agreements with foreign governments to exchange data outside the existing legal process, with dangerously weak privacy protections and insufficient oversight, putting human rights and privacy at risk all over the world.
Under current law, when a foreign government seeks to collect data stored by US tech companies, it must comply with the process and regulations of its Mutual Legal Assistance Treaty (MLAT) with the US. Due to increasing numbers of MLAT data requests, the DOJ’s processing time has slowed. Foreign governments have grown frustrated with the longer wait times, and some US officials have called for a more efficient replacement for the MLAT process. But the DOJ has recently undertaken measures to handle demand. In 2016, it invested an additional $12.2 million into the process, hiring 51 more employees. Though the administration of the MLAT system may need an update—it doesn’t even have an online form—the system’s core civil liberties protections, including requiring probable cause for searches and prohibiting foreign governments from accessing real-time communications, should not be altered. Unfortunately, the CLOUD Act would do just that, by allowing governments to bypass the MLAT process and its protections. This blog post explores the core problems with the CLOUD Act, and explains why Congress should oppose it.
Problem one: Unchecked executive authority.
The CLOUD Act would grant the Executive Branch far too much authority to determine with which countries to form MLAT bypass agreements. Normally, Congress has the power to approve or ratify bilateral and multilateral treaties. But this bill eliminates the requirement for Congressional approval, declaring that any executive branch decision “shall not be subject to judicial or administrative review.” The bill would give the attorney general and secretary of state essentially unchecked power to choose partner countries with which to enter into bypass agreements. The bill merely requires that executive branch officials consider whether a potential partner “has adequate substantive and procedural laws on cybercrimes and electronic evidence,” “demonstrates respect for the rule of law and principles of nondiscrimination,” “adheres to applicable international human rights obligations and commitments or demonstrates respect for international universal human rights,” and has taken effort to protect the data and maintain transparency regarding its collection. The attorney general and secretary of state may nonetheless choose to partner with a government that fails to meet any or all of these considerations. (The consequences of this could be extremely dire for human rights all over the world. Consider, for example, that the current administration has expressed admiration for Philippines president Rodrigo Duterte, who brags about executing drug users, and has overseen what some human rights advocates are calling a genocide in his country.)
Congress’ only recourse to prevent these partnerships would be to pass a joint resolution of disapproval within 90 days of the attorney general’s certification of an agreement. For the resolution to stand, however, it would need presidential approval. Therefore the CLOUD Act would grant the executive branch a dangerous amount of power, which could easily be used to aid those who violate basic human rights and civil liberties.
The CLOUD Act would also amend the Stored Communications Act to require US tech companies to hand over users’ communication contents, even if the information is stored on servers outside of the United States. The bill would shield companies that turn over users’ information from liability, even if their actions lead to human rights violations.
Problem two: Foreign government real-time wiretaps of US communications.
In an unprecedented move, the CLOUD Act would authorize foreign governments to surveil US tech companies’ users in real time. Pursuant to the Electronic Communications Privacy Act, foreign governments must procure warrants through the MLAT process to obtain user information from US service providers. But that process only allows foreign governments to receive stored electronic communication content, not to wiretap live communications. Under current law, the US government alone can obtain wiretap orders to tap the electronic communications of US persons in real time. The Wiretap Act is the strictest surveillance law in the US, enabling real-time surveillance only during the investigation of specific felony crimes such as murder and kidnapping. To get a wiretap order, the government must demonstrate probable cause that one of those crimes occurred or will occur. It must also demonstrate that a wiretap is the least invasive investigative method investigators can use to obtain the information they need, and it must take strict, cautionary measures to prevent collecting and retaining communications that are irrelevant to the alleged illegal activity that is the subject of the investigation. Wiretap orders expire after 30 days and require reauthorization for extension.
The CLOUD Act would threaten these protections by making it possible for foreign governments to access real-time electronic communications, and with substantially fewer civil liberties protections than what are afforded US persons under the Wiretap Act. The CLOUD Act would institute only vague minimization procedures and does not specify a surveillance time limit aside from what is “longer than is reasonably necessary.”
Problem three: No probable cause or independent review requirements.
Not only would the bill enable foreign governments to wiretap communications in real time; it would also allow them to conduct surveillance with significantly weaker standards of proof and protections than required by the MLAT process. Currently, a foreign government must demonstrate probable cause of a crime before it can access communications content. The alleged offense under investigation must also be a crime serious enough to warrant over a year of imprisonment under US law. The CLOUD Act eliminates the probable cause requirement and instead merely states that orders should be “based on a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.”
Making matters worse, the CLOUD Act stipulates that foreign governments be allowed to use these weak standards of proof and limited oversight to secure surveillance orders to “obtain information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism.” The act does not define the criteria for a “serious” crime, and it allows foreign governments to collect data simply related to it—meaning people could be targeted even if they are not suspected of engaging in any illegal activity. Foreign governments should not be able to obtain data under standards lower than probable cause or lower than those that meet human rights standards; they should have standards for when metadata can be obtained, and they should be limited from requesting intelligence information.
Under the MLAT process, after the foreign government establishes probable cause, a US judge decides whether to grant the Department of Justice a warrant for the data. Before making a decision, the judge also considers whether the requested information would be used to conduct human rights violations that would violate the Constitution. If so, the judge may refuse to grant a warrant. If a warrant is granted, the DOJ then turns the information over to the foreign government.
Under the CLOUD Act, however, the oversight responsibility shifts from the US government to the foreign government. The bill merely states that an order be “subject to review or oversight by a court, judge, magistrate, or other independent authority.” This provision opens the door to a host of problems including “after-the-fact generalized oversight” and unjustified surveillance orders. Independent, individual review of each order, as required by the MLAT system, is essential to protect human rights and civil liberties.
Problem four: A workaround of the Fourth Amendment for US law enforcement.
The CLOUD Act would allow the US government to obtain and use communications collected by foreign governments under the weak standards outlined above, essentially instituting a statutory loophole to get around Fourth Amendment requirements. Generally, the US government must obtain court orders to demand sensitive communications records, probable cause warrants to access stored communications content, and wiretap orders to access real-time communications. But the CLOUD Act makes it substantially easier for foreign governments to collect such data, and the legislation allows those foreign officials to pass that information to the US government. The act dictates that foreign governments can share Americans’ communications with the US government if they pertain to “significant harm, or the threat thereof, to the United States or United States persons, including crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.” But governments can also share data if it relates to or is “necessary to understand or to assess the importance of information that is relevant to the prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or serious bodily harm to any person.” These parameters are extremely broad and fail to define key terms like “significant harm” or “threat,” meaning either government may interpret these terms as broadly as it wishes.
Worse still, the act does not mandate any limitations on a foreign government’s metadata sharing with the US. Under the bill, the US government could get metadata from a foreign government and then use it in criminal investigations without informing the targets of the surveillance—effectively enabling warrantless searches that skirt due process requirements. The bill also allows foreign governments to share individuals’ communication content with other governments—a substantial and dangerous privacy violation.
Problem five: Threats to encryption.
Finally, the CLOUD Act does not eliminate the risk that foreign governments may try to create backdoors into encrypted systems or force US tech companies to comply with data localization policies. Many countries have expressed frustration with what they say is an inefficient MLAT process, and some people fear that these governments will resort to extreme measures, like hacking, to avoid it. While its supporters say the CLOUD Act weakens foreign governments’ incentive to take these measures, it attempts to do so by severely compromising civil liberties. And it’s not even clear that handing over so much power to foreign governments to conduct surveillance of US systems will address the threat. Indeed, because the CLOUD Act does not forbid any partner country from requiring encryption backdoors or data localization, the bill may be seen as tacit authorization of those very tactics.
Civil liberties and privacy are under threat all over the globe. Companies like Google and Facebook collect, process, and store more and more sensitive information about more people across the world than ever before. Instead of making it easier for governments to access this sensitive data, Congress should pass comprehensive privacy law to restrict government surveillance. The CLOUD Act does the opposite, by making it easier than ever before for foreign and US governments to spy on us. The MLAT system’s administration may need to be made more efficient, but that does not warrant disposing of the system altogether. The CLOUD Act is a dangerous and misguided step in the wrong direction, and Congress should oppose it.
UPDATE: President Trump signed the CLOUD Act into law on March 23, 2018.
This blog post was written by Iqra Asghar, an intern with the ACLU of Massachusetts Technology for Liberty Program.