The CLOUD Act Appears…Here’s What You Need to Know

While Washington is a place to find one interesting story after another, few in the tech industry seemed to be watching the formation and the passing of the “CLOUD Act.”  Moreover, they don’t understand what needs to be done to comply. 

On the surface, it seems to provide a mechanism for law enforcement to access American companies’ data that is stored on overseas servers. In actuality, the act opens the door to compliance issues and questions around technology that the act itself does not seem to address.

So, what is the CLOUD Act exactly? The law is called the Clarifying Overseas Use of Data (CLOUD) Act. It’s an update to the Electronic Communications Privacy Act (ECPA), which is a series of 1986 laws that regulate how U.S. law enforcement officials can access data stored overseas.

Up until last week, the U.S. could only access data stored overseas through mutual legal-assistance treaties (MLATs), where two or more nations put in writing exactly how they are willing to help each other with legal investigations. The Senate has to vote on each MLAT, and it must receive two-thirds approval to pass. That seems like more trouble than it’s worth, and perhaps that’s what drove the new Act. 

Through this CLOUD Act, US local, state, and federal law enforcement officials can now force tech companies, including cloud computing companies, to turn over a customer’s data regardless of where it’s stored, inside or outside of the US. 

The Act also provides the executive branch with the ability to produce “executive agreements” with foreign nations, which could provide the ability to access data stored in other countries. This, no matter the state of the host nation’s privacy laws. The larger issue is that these agreements don’t require congressional approval, thus disclosure will be an issue as well. The companies getting their data accessed may not know it’s going on, unless they’re provided notice by law enforcement. 

So, what else do most people not know about the cloud act? The bill was introduced by the Senate and House of Representatives on February 6.  Instead of voting on it as its own legislation, they folded it into a $1.3 trillion catch-all bill necessary to keep the government open. Because the larger bill passed, so does the CLOUD Act.

Since 9-11, we’ve accepted that some privacy will have to be scarified in order to provide more security. However, the desire to have controls in place that allow our government to access data as it needs it, no matter where it resides, is getting a bit old to the American public and the businesses it effects. Indeed, the new revelations about Facebook data being grabbed, and the focus on data that can be derived from innocuous user data, is like to draw some pushback as well. 

That said, law enforcement has not kept up with technology which basically limits their ability to grab the data that they need. While the CLOUD Act does change their legal ability to access the data, technology has not been considered. An example would be a corporation that has encrypted data, and thus authorities would need the cooperation of those being investigated to provide the keys needed to access the data. 

While the government has technology to decrypt some data, count on counter measures to arise that will make it impossible to decrypt all data. Moreover, other counter measures will surely arise that the government will need to deal with in the future. It seems there are several outstanding issues that could drive more tweaks to the Act.