U.S. CLOUDy thinking will lead to data grabs, not data privacy assurance

The long-running battle between the U.S. Department of Justice (DoJ) and Microsoft over data held on a server in Ireland has been declared moot by the former, which now wants the Supreme Court to drop the matter following the signing of new U.S. legislation with huge data protection implications.

New readers start here - the DoJ has been insisting that Microsoft should provide it with access to data relating to a drug-trafficking investigation. The demand followed the issues of a domestic warrant issued by a U.S. judge in 2013. But the data in question doesn’t reside in the U.S. It's on a server in Dublin.

The DoJ takes the view that the physical location of where the data is stored is irrelevant and that Microsoft, as a U.S. company, should comply with the U.S. warrant.

For its part, Microsoft has resisted this argument on the basis of the precedent it would set for U.S. law enforcement organizations to extend their remit to a global reach. It argued that sharing data stored on foreign soil could violate international treaties and policies.

The DoJ case is built on an interpretation of the U.S. Stored Communications Act, but this dates back to 1986, well-before email was a universal communications channel and pre-cloud computing.

The matter has rumbled on for the best part of 5 years, reaching the U.S. Supreme Court. But over the weekend, the DoJ made public a filing that calls for the Supreme Court to drop the case, citing President Donald Trump’s signing of new legislation that it says renders the argument moot. And to top it off, it’s legislation that Microsoft worked on with the U.S. legislators!.

Storm CLOUD

The CLOUD Act - Clarifying Lawful Overseas Use of Data -  allows U.S. law enforcement officers to force technology companies to hand over user data regardless of the storage location. It also permits the DoJ, the State Department and other members of U.S. Government executive branch to enter into agreements with other nations to access information stored in the other, regardless of the location of the data.

Such agreements can be set up with the approval of Congress, which seems appropriate as the CLOUD Act itself received no legislative review or approval, but was bundled in with the Trump administration’s $1.3 trillion Omnibus spending bill in late March.

All told, that looks like a win for the DoJ, so Microsoft might be expected to be kicking up a fuss. In reality however the vendor looks rather painted into a corner here, having supported government officials in drafting the legislation. Other big tech firms also helped on this vital data privacy legislation, including Apple, Google and, er, Facebook.

So it is that Microsoft’s Chief Legal Officer, the normally outspoken Brad Smith, is calling the CLOUD Act a “good compromise”. Prior to it passing into law on 23 March, Smith wrote in a blog post:

The proposed CLOUD Act creates a modern legal framework for how law enforcement agencies can access data across borders. It’s a strong statute and a good compromise that reflects recent bipartisan support in both chambers of Congress, as well as support from the Department of Justice, the White House, the National Association of Attorneys General and a broad cross section of technology companies.

It also responds directly to the needs of foreign governments frustrated about their inability to investigate crimes in their own countries. The CLOUD Act addresses all of this, while ensuring appropriate protections for privacy and human rights. And it gives tech companies like Microsoft the ability to stand up for the privacy rights of our customers around the world.

The bill also includes a strong statement about the importance of preventing governments from using the new law to require that U.S. companies create backdoors around encryption, an important additional privacy safeguard.Once passed, the U.S. government will need to move quickly to establish with other like-minded countries new international agreements, similar to what has already been negotiated between the U.S. and the United Kingdom.

Other vendors take a different view. Nicky Stewart, Commercial Director at British cloud provider UKCloud, warns:

This latest twist in the Microsoft e-mail saga puts paid to any doubt that data held by US companies is subject only to the jurisdiction of the country where the  data resides, and will give privacy activists further, concrete ammunition in their efforts to discredit Privacy Shield and SCCs.

Liberties

Civil liberties activists also have serious concerns. In a joint response, Neema Singh Guliani, a legislative counsel with the American Civil Liberties Union Washington Legislative Office, and Naureen Shah, Senior Director of Campaigns at the U.S. arm of Amnesty International, called the CLOUD Act:

a dangerous abdication of responsibility by the U.S. government and technology companies.

They warn that the need to strike bi-lateral agreements between nations is fraught with human rights and civil liberties dangers:

In the case of countries certified by the executive branch certifies, the CLOUD Act would not require the U.S. government to scrutinize data requests by the foreign governments—indeed, the bill would not even require notifying the U.S. government or a user regarding a request.

The only line of defense would be technology companies, which hypothetically could refuse the request and refer it to the MLA [Mutual Legal Assistance] process, but which may not have the resources, expertise, or even financial incentive to deny a foreign government request.

Likewise, the bill requires that countries permit “periodic” reviews for compliance with civil liberties and privacy protections, but does not specify what these reviews will entail. It also doesn’t require even a cursory individual review of all orders or explain how the U.S. government can effectively ensure compliance in a timely fashion when without being aware of requests in real time. For this reason, the periodic U.S. government reviews contemplated in the bill are an insufficient substitute for case-by-case consideration.

The activists cite Turkey as a case in point, noting that since the 2016 coup that country’s civil liberties track record has been blotted:

Under the CLOUD Act, neither Congress nor U.S. courts would be able to prompt a review or a temporary moratorium for a case like Turkey. Users, without notice, would have little practical ability to lodge complaints with the U.S. government or providers. Even if the U.S. government were to take action, the CLOUD Act fails to ensure a sufficiently quick response to protect activists and others whose safety could be threatened.

In such a situation, the only real fail-safe to prevent a technology company from inadvertently acceding to a harmful data request is the technology company itself. But would even a well-intentioned technology company, particularly a small one, have the expertise and resources to competently assess the risk that a foreign order may pose to a particular human rights activist? Would it know, as in the example above, when to view Turkey’s terrorism charges in a particular case as baseless? In many cases, companies would likely rely on the biased assessments by foreign courts and fulfil requests.

They conclude by calling for the CLOUD Act to be sent back to the drawing board:

If members of Congress and technology companies want to address concerns with the MLA process while protecting privacy and human rights, they should abandon the CLOUD Act and craft a rights-respecting solution.

My take

A highly suspect and unwelcome piece of U.S. legislation wrapped up and tucked away in a wider spending package, with no real legislative oversight or engagement by elected representatives in Congress. I’d like to say I’m surprised, but these days…

This is no more a well-thought out solution to a genuine problem of the digital age than the ludicrous Privacy Shield botched-job between the U.S. and the European Union. It has massive privacy and human rights implications, both in the U.S and overseas. Yes, it allows U.S. law enforcement and security organizations to grab data no matter where it’s stored, but it also allows foreign nations to demand personal data stored in the U.S., without judicial review. How likely those demands are to be met is another question, of course.

We all deserve better than this, regardless of where we reside in the digital world. Trump warned Congress that he would never again sign off a bill like the Omnibus one. If only that were the case...