The CLOUD Act was previously floating around Congress earlier this year. While facially innocuous, it has some very worrisome implications.
The law allows any country with which the US has an executive agreement to request that data held on US soil about non-residents be turned over to that government. No judicial process needed. First, this of course poses a danger to dissidents abroad who may be using U.S.-based services (Google?) for communications.
But more directly for Americans, there's another ugly tidbit. The law acknowledges that data belonging to Americans may inadvertently (with varying degrees of scare quotes) be pulled with whatever data is actually targeted. The foreign government is then free to turn that data over to the U.S. if it "relates to significant harm, or the threat thereof, to the United States or United States persons."
At least there's a standard, right? But the problem is that there's no one to enforce it, as the bill specifically precludes court review. As the EFF explains:
- The CLOUD Act allows the president to enter an executive agreement with a foreign nation known for human rights abuses. Using its CLOUD Act powers, police from that nation inevitably will collect Americans’ communications. They can share the content of those communications with the U.S. government under the flawed “significant harm” test. The U.S. government can use that content against these Americans. A judge need not approve the data collection before it is carried out. At no point need probable cause be shown. At no point need a search warrant be obtained.
That's just for content; for metadata, they don't even have to show harm.
This was originally proposed as a separate thing, but it has now been added onto the omnibus spending bill that's under consideration this week. See page 2,201 of the PDF.
If I didn't already have a reason to ditch GMail, I sure do now.
Such a motion shall be filed not later than 14 days after the date on which the provider was served with the legal process, absent agreement with the government or permission from the court to extend the deadline based on an application made within the 14 days. The right to move to quash is without prejudice to any other grounds to move to quash or defenses thereto, but it shall be the sole basis for moving to quash on the grounds of a conflict of law related to a qualifying foreign government.
So, from what I understand, it's true that a judge need not approve the data collection before it is carried out, but it does not mean that a judge cannot review the request to disclose. All the provider needs to do is submit a motion to quash on the grounds that the request to disclose conflicts with the law of the non-US host-nation. I don't think this is as scary as you're making it sound. Also,
‘‘(4) the agreement requires that, with respect to any order that is subject to the agreement— ‘‘(A) the foreign government may not intentionally target a United States person or a person located in the United States, and shall adopt targeting procedures designed to meet this requirement; ‘‘(B) the foreign government may not target a non-United States person located outside the United States if the purpose is to obtain information concerning a United States person or a person located in the United States."
This seems like a pretty deliberate motion to stop foreign governments from doing what people seem to fear that the U.S. wants to do, which is addressed in the first quote block.
‘‘(2) MOTIONS TO QUASH OR MODIFY.—(A) A provider of electronic communication service to the public or remote computing service, including a foreign electronic communication service or remote computing service, that is being required to disclose pursuant to legal process issued under this section the contents of a wire or electronic communication of a subscriber or customer, may file a motion to modify or quash the legal process where the provider reasonably believes— ‘‘(i) that the customer or subscriber is not a United States person and does not reside in the United States; and ‘‘(ii) that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.
‘‘ the foreign government has adopted appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement; ‘‘(3) the terms of the agreement shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data; and
But notice, the judicial review of the request to disclose happens at the initial round, i.e. when the corporation is asked to disclose to a foreign government. Once this government has it, there is no judicial review should they decide to turn over that information to the U.S. For the second thing, the concern isn't that foreign companies will target U.S. citizens, it's that we'll end up in the mix anyway, after which we lose any 4th Amendment protections over the data involved. "Minimize" is an incredibly broad standard, and is ripe for abuse.
Noted. I'm just trying to force myself to read into the actual meat of this stuff instead of consuming the headlines.
I've been looking at this from a different perspective, recently. Basically, my company makes a SaaS product. A web-app. We have Canadian customers. Many of them are Canadian government agencies. The Canadian government has new regulations about where Canadians' data can be stored... and that is strictly within Canadian borders. Which is a weirdly provincial way to look at data and the internet, but physical lines on a map are what makes a government a government, so they want all Canadian data to remain in Canada. Which means we need to have a complete duplicate of our product, running in Canada, in a Canadian data center. And effectively double our costs, to provide a product to the 90% of the Canadian population that lives within 10 miles of the US border. Which is stupid, and weird, and totally makes sense. All at the same time. So their lawyers have been working on the CLOUD Act, and American laws, and are kinda suggesting - at this point - that Canadians cannot do business with ANY American companies... because of the far-reaching implications of the CLOUD Act and other laws. Your Canadian company has one email back and forth with an American? Well, if that American is under investigation in America, parts of the CLOUD Act and other surveillance acts now make ALL OF YOUR COMPANY'S DATA available to the American investigative authorities... ... who have regularly shared foreign corporate secrets with American companies, to help American companies compete against foreign companies. So... yeah. America is isolating ourselves from the international market... except we are a big market that foreigners want to do business with... but it could be a double-edged sword... but ... but... Man.... the law can suck.
Better ditch all AWS services, outlook.com, any email that you do not host yourself, stop using any web service that stores your metadata..... Yea this one is going to go to court, hopefully quickly, hopefully before we lose a ton of business to the EU.
"If I didn't already have a reason to ditch GMail, I sure do now."
Gmail is the only one on that list. As for self-hosting, I'm not sure that's necessarily the criterion. You have to trust whoever physically has your stuff either way, and that's not automatically bad.
HN has a nice thread on different services provided. As for validity of the services, a little more research is warranted. Thanks for the write-up on CLOUD.