The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is currently working its way through US Congress but opposition to the legislation is starting to ramp up.
It is supposed to be a new set of laws and mechanisms which brings law enforcement up to date in a world which is increasingly governed by the cloud, but privacy and human rights groups are raising concerns. Any changes to fundamental laws will of course raise intense debate, most of which is virtue signalling, but in this cause the concerns are completely warranted. Any changes which impact our right to privacy should be deeply scrutinized.
The idea of the CLOUD Act is to essentially streamline and make the process of securing information on an individual simpler. Under the current mutual legal assistance (MLA) process, foreign governments ask for a review by the Justice Department and a warrant issued by a US judge. Because the biggest cloud companies worldwide are US companies and under the jurisdiction of the US government, accessing data stored on the Google cloud (for instance) can be a red tape maze. The US government acts as a middleman to force open the folders. The current system is cumbersome, slow and in need of updating to deal with the growing influence of the cloud.
There are many different components to the CLOUD Act, though we are going to focus on the objections of the privacy and human rights groups. Under new rules, foreign governments would undergo a review of their legal process to ensure it meets the standards of the US, before they would be ‘safe-listed’. Once ‘safe-listed’ these governments would not have to go through the MLA process to secure information on non-US individuals. It removes a number of the barriers which enforcement agencies have to negotiate for a period of five years.
Groups like the American Civil Liberties Union argue that this new process would essentially be an abdication of responsibility of the US government, essentially giving a blank cheque to foreign governments for a five-year period without review. Most of the time this would not be an issue but there are examples where a drastic change in government would perhaps make the ‘partner’ country inappropriate under the CLOUD Act. Take Turkey for instance.
In 2015, Freedom House rated Turkey as 3.5/7 (1 being the best) for its ‘freedom’ rating, which is by no-means great but considering the US governments ability to turn a blind eye, it perhaps might have been accepted into the criteria to be ‘safe-listed’ for five years. In 2016, a coup d’état attempt took place resulting in the deaths of 300 people and injuries to more than 2000 more. Following this period of violence, 40,000 arrests were made, 2,745 judges and 15,000 education staff were suspended. More than 100,000 people have been arrested or fired from their jobs, on accusations of connections to the attempted coup.
For 2018, Freedom House rates Turkey as 5.5/7 for freedom, 5/7 for political rights and 6/7 for civil rights. The Freedom Status is ‘Not Free’ and the press status is the same. In a three year period, Turkey has gone from being a country which would qualify under the CLOUD Act to one that certainly doesn’t. American Civil Liberties Union points out that unless there are more regular reviews during the five-year period, the risk of abuse is evident. Turkey is a prime example of this concern.
While we agree that giving a free pass to countries without review is completely irresponsible of the US government, there is a need to update the rules and offer something along these lines. If not, abuses to privacy could become much more prominent.
Under the current system foreign governments are becoming frustrated. If this frustration continues it is perfectly feasible to assume governments would write localization and data residency laws. This would prove to be an expensive move for the cloud companies, and in some circumstances, freedoms would be compromised further. Let’s use Turkey as the example again. Freedom House do not rate the government very highly when it comes to privacy and civil liberties, so if the tech companies were to be forced to store data in Turkey they would be under the jurisdiction of Turkish law. What is there to stop humans rights and privacy abuses then?
This is of course a hypothetical example, but it is worth remembering that not government in the world considers privacy rights in the same light as the US.
There are other examples of where these rules fall short. For example, the bill states the Justice Department must consider whether a country respects ‘international universal human rights’ without definition or clarity regarding how to assess this. This is the kind of grey area which no-one likes.
Another important area to consider is these rules are also designed for the US government to secure information outside its borders. This is one area which we do not like at all as it allows governments to obtain information from foreign partners under standards that may be lower than their own domestic law. This clause includes the US. In short, US intelligence agencies might be able to go around US law in securing data. This is a loop-hole which is open to incredible abuse.
The US government has shown on numerous occasions it is not trustworthy enough to act without accountability, yet Congress seem happy to pass rules which would make it legal to act illegally as long as it isn’t within US jurisdiction. The ability for US flagbearers to act completely contradictory is absolutely incredible at times.
This bill seems rushed, and while there is a need to update laws to make them suitable for the digital economy, this attempt seems to cause more damage than it does good. That said, we are talking about US politicians now, when was the last time they were concerned with the great unwashed.