The CLOUD Act Appears…Here’s What You Need to Know


While Washington is a place to find one interesting story after another, few in the tech industry seemed to be watching the formation and the passing of the “CLOUD Act.”  Moreover, they don’t understand what needs to be done to comply. 

On the surface, it seems to provide a mechanism for law enforcement to access American companies’ data that is stored on overseas servers. In actuality, the act opens the door to compliance issues and questions around technology that the act itself does not seem to address.

So, what is the CLOUD Act exactly? The law is called the Clarifying Overseas Use of Data (CLOUD) Act. It’s an update to the Electronic Communications Privacy Act (ECPA), which is a series of 1986 laws that regulate how U.S. law enforcement officials can access data stored overseas.

Up until last week, the U.S. could only access data stored overseas through mutual legal-assistance treaties (MLATs), where two or more nations put in writing exactly how they are willing to help each other with legal investigations. The Senate has to vote on each MLAT, and it must receive two-thirds approval to pass. That seems like more trouble than it’s worth, and perhaps that’s what drove the new Act. 

Through this CLOUD Act, US local, state, and federal law enforcement officials can now force tech companies, including cloud computing companies, to turn over a customer’s data regardless of where it’s stored, inside or outside of the US. 

The Act also provides the executive branch with the ability to produce “executive agreements” with foreign nations, which could provide the ability to access data stored in other countries. This applies no matter the state of the host nation’s privacy laws. The larger issue is that these agreements don’t require congressional approval, thus disclosure will be an issue as well. The companies getting their data accessed may not know it’s going on, unless they’re provided notice by law enforcement.

So, what else do most people not know about the CLOUD Act? The bill was introduced by the Senate and House of Representatives on February 6. Instead of voting on it as its own legislation, they folded it into a $1.3 trillion catch-all bill necessary to keep the government open. Because the larger bill passed, so did the CLOUD Act.

Since 9-11, we’ve accepted that some privacy will have to be sacrificed in order to provide more security. However, the desire to have controls in place that allow our government to access data as it needs it, no matter where it resides, is getting a bit old to the American public and the businesses it affects. Indeed, the new revelations about Facebook data being grabbed, and the focus on data that can be derived from innocuous user data, are likely to draw some pushback as well.

That said, law enforcement has not kept up with technology, which basically limits their ability to grab the data that they need. While the CLOUD Act does change their legal ability to access the data, technology has not been considered. An example would be a corporation that has encrypted its data: authorities would then need the cooperation of those being investigated to provide the keys needed to access the data.

While the government has technology to decrypt some data, count on countermeasures to arise that will make it impossible to decrypt all data. Moreover, other countermeasures will surely arise that the government will need to deal with in the future. It seems there are several outstanding issues that could drive more tweaks to the Act.

  

Michael Owen

MD @ Cirro Solutions | Cloud Services | IoT | Cyber | SaaS

6 years ago

A very interesting article and an alternative approach to how this is handled in Europe, where it is a legal requirement to hold certain data sets (typically ‘personal data’) within the European Union; this ensures compliance between nations. It would be interesting to see the CLOUD Act in practice. If you have a company like BP (originally British Petroleum) where a huge amount of operations are in the US, how would this Act be enforced? Clearly this is to handle issues such as Microsoft rejecting the US Supreme Court order for data held in Ireland. The issue of EU data law transfer still remains part of the EU Data Protection (GDPR).

Lukasz (Luke) Lubczynski

Delivering Innovation in SAP Security & Data Governance

6 years ago

"Through this CLOUD Act, US local, state, and federal law enforcement officials can now force tech companies, including cloud computing companies, to turn over a customer’s data regardless of where it’s stored, inside or outside of the US. (...) No matter the state of the host nation’s privacy laws." I wonder what will be the reaction of the non-US customers of the US cloud service providers and the EU opinion about it. dr Maciej Kawecki, Jacek Frankowski

荣利陈

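新加坡宥云亚洲有限公司 - Encrypted remote working - Helping small and medium-sized enterprises successfully transition to cloud services to improve efficiency and reduce costs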

6 years ago

Thanks for sharing

Ravi Vallem

Business Transformation with Cloud & Data Intelligence.

6 years ago

Well written article!
