The CLOUD Act was previously floating around Congress earlier this year. While facially innocuous, it has some very worrisome implications.

The law allows any country with which the US has an executive agreement to request that data held on US soil about non-residents be turned over to that government. No judicial process needed. First, this of course poses a danger to dissidents abroad who may be using U.S.-based services (Google?) for communications.

But more directly for Americans, there's another ugly tidbit. The law acknowledges that data belonging to Americans may inadvertently (with varying degrees of scare quotes) be pulled with whatever data is actually targeted. The foreign government is then free to turn that data over to the U.S. if it "relates to significant harm, or the threat thereof, to the United States or United States persons."

At least there's a standard, right? But the problem is that there's no one to enforce it, as the bill specifically precludes court review. As the EFF explains:

    The CLOUD Act allows the president to enter an executive agreement with a foreign nation known for human rights abuses. Using its CLOUD Act powers, police from that nation inevitably will collect Americans’ communications. They can share the content of those communications with the U.S. government under the flawed “significant harm” test. The U.S. government can use that content against these Americans. A judge need not approve the data collection before it is carried out. At no point need probable cause be shown. At no point need a search warrant be obtained.

That's just for content; for metadata, they don't even have to show harm.

This was originally proposed as a separate thing, but it has now been added onto the omnibus spending bill that's under consideration this week. See page 2,201 of the PDF.

If I didn't already have a reason to ditch Gmail, I sure do now.


I've been looking at this from a different perspective, recently.

Basically, my company makes a SaaS product. A web-app. We have Canadian customers. Many of them are Canadian government agencies. The Canadian government has new regulations about where Canadians' data can be stored... and that is strictly within Canadian borders.

Which is a weirdly provincial way to look at data and the internet, but physical lines on a map are what makes a government a government, so they want all Canadian data to remain in Canada.

Which means we need to have a complete duplicate of our product, running in Canada, in a Canadian data center. And effectively double our costs, to provide a product to the 90% of the Canadian population that lives within 10 miles of the US border.

Which is stupid, and weird, and totally makes sense. All at the same time.

So their lawyers have been working on the CLOUD Act, and American laws, and are kinda suggesting - at this point - that Canadians cannot do business with ANY American companies... because of the far-reaching implications of the CLOUD Act and other laws.

Your Canadian company has one email back and forth with an American?

Well, if that American is under investigation in America, parts of the CLOUD Act and other surveillance acts now make ALL OF YOUR COMPANY'S DATA available to the American investigative authorities...

... who have regularly shared foreign corporate secrets with American companies, to help American companies compete against foreign companies.

So... yeah.

America is isolating ourselves from the international market... except we are a big market that foreigners want to do business with... but it could be a double-edged sword... but ... but...

Man.... the law can suck.

posted by johnnyFive: 305 days ago