The CLOUD Act was floating around Congress earlier this year. While facially innocuous, it has some very worrisome implications.
The law allows any country with which the US has an executive agreement to request that data held on US soil about non-residents be turned over to that government. No judicial process needed. First, this of course poses a danger to dissidents abroad who may be using U.S.-based services (Google?) for communications.
But more directly for Americans, there's another ugly tidbit. The law acknowledges that data belonging to Americans may inadvertently (with varying degrees of scare quotes) be pulled with whatever data is actually targeted. The foreign government is then free to turn that data over to the U.S. if it "relates to significant harm, or the threat thereof, to the United States or United States persons."
At least there's a standard, right? But the problem is that there's no one to enforce it, as the bill specifically precludes court review. As the EFF explains:
- The CLOUD Act allows the president to enter an executive agreement with a foreign nation known for human rights abuses. Using its CLOUD Act powers, police from that nation inevitably will collect Americans’ communications. They can share the content of those communications with the U.S. government under the flawed “significant harm” test. The U.S. government can use that content against these Americans. A judge need not approve the data collection before it is carried out. At no point need probable cause be shown. At no point need a search warrant be obtained.
That's just for content; for metadata, they don't even have to show harm.
This was originally proposed as a separate thing, but it has now been added onto the omnibus spending bill that's under consideration this week. See page 2,201 of the PDF.
If I didn't already have a reason to ditch Gmail, I sure do now.