UPDATE: The Omnibus bill, which included the CLOUD Act, was passed by the Senate on Thursday night and signed into law by President Trump on Friday afternoon.
Congress is on the verge of passing a dangerous bill, known as the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”), which will have disastrous implications for privacy, as it would allow foreign governments to access private data on American soil while circumventing important privacy protections. In particular, it poses a serious threat to foreign journalists who report on repressive regimes.
Current laws dictate that a foreign prosecutor who wants to access data stored by American companies cannot do so directly, since they lack jurisdiction. Instead, they have to go through the “mutual legal assistance treaty” (MLAT) process—which requires sign off from the Justice Department and an order by a judge in each individual case.
MLATs are agreements between two countries in which each agrees to help the other with criminal investigations. The U.S. has signed MLATs with more than 60 countries.
But under the CLOUD Act, instead of relying on the MLAT process, foreign governments could bypass this system and instead demand data directly from technology companies in the United States if they negotiate a blanket agreement with the executive branch.
This poses a real risk for journalists in repressive regimes who rely on internet services provided by American technology companies. For example, say that a journalist in a country like Egypt uses Gmail, and therefore some of their emails are stored on one of Google’s server farms in the United States. In recent years, Egypt has aggressively cracked down on dissent and put hundreds of journalists in jail on politically-motivated charges of terrorism.
Egypt is a strong U.S. ally, and the country currently has an MLAT with the United States. The CLOUD Act gives the power to certify governments under this act to the Trump administration. Trump has heaped praise on Egypt’s military dictator Abdel Fattah el-Sisi. So would his Justice Department give Egypt a blanket certification to proceed under the CLOUD Act?
If the Trump administration does label Egypt a "qualifying foreign government," then whenever the Egyptian government decides that it wants access to a journalist’s emails stored in the United States in order to prosecute that journalist, it could simply request that Google hand over the emails. The Justice Department does not need to approve each individual request, and neither does a federal judge.
Unless the technology company found a request so egregious that it goes to court to contest it, no federal judge would even know about the surveillance demand from a foreign government. Foreign governments would be given power to wiretap on U.S. soil in conversations that might involve U.S. persons.
To make matters worse, Congress has attached the CLOUD Act to this week’s $1.3 trillion Omnibus spending bill that includes allocation of funds to a wide variety of projects, including the border wall. On March 22, the United States House of Representatives passed the Omnibus spending bill. While it still must pass the Senate to become law, because the spending bill touches so many controversial issues, there will likely be no debate and no hearings on the CLOUD Act—despite its significance for the future of press and information freedom.
Proponents of the bill claim the process now is cumbersome and time consuming. It’s true the MLA process may takes time, but that’s for good reason: to ensure due process. It is immeasurably preferable to legislation that would expand law enforcement’s reach across the world.
Writing in Lawfare, Neema Singh Guliana of the ACLU and Naureen Shah of Amnesty International point out the serious problems with the CLOUD Act’s approach:
"In such a situation, the only real fail-safe to prevent a technology company from inadvertently acceding to a harmful data request is the technology company itself. But would even a well-intentioned technology company, particularly a small one, have the expertise and resources to competently assess the risk that a foreign order may pose to a particular human rights activist? Would it know, as in the example above, when to view Turkey’s terrorism charges in a particular case as baseless? In many cases, companies would likely rely on the biased assessments by foreign courts and fulfill requests."
The CLOUD Act has worrying implications not just for everyone's privacy rights, but to the ability of journalists around the world to protect their data. Urge your representatives to oppose the Omnibus spending bill as long as it includes the dangerous CLOUD Act..