Bonum Certa Men Certa

EPO and Microsoft Collude to Break the Law -- Part IV: The US CLOUD Act Passes Without Public Debate

Previous parts:



Cloudwashing law
Congress quietly slips cloud-spying powers into page 2,201 of emergency spending bill



Summary: "In 2013, the DoJ demanded that Microsoft grant it access to emails related to a narcotics case from a Hotmail account hosted in Ireland."

When Edward Snowden blew the whistle on the National Security Agency's PRISM program in 2013 and revealed what many had suspected – namely that US intelligence agencies were collecting vast amounts of data not only from US citizens, but from all around the world – public opinion received a badly needed wake-up call about the dangers of mass surveillance.



In the wake of these revelations, many countries became increasingly concerned about who could access their national information and the potential implications of cross-border data transfers. These concerns provided a catalyst for discussions focussing on the topic of what has come to be called "digital sovereignty" and/or "data sovereignty".

Another incident that put these topics into the spotlight was a dispute between Microsoft and the US Department of Justice (DoJ) which started in 2013.

"Despite having a major impact on how tech companies can be obliged to share user data with US and foreign governments, the CLOUD Act was passed by Congress without any public debate on 21 March 2018 and entered into force two days later."In 2013, the DoJ demanded that Microsoft grant it access to emails related to a narcotics case from a Hotmail account hosted in Ireland. Microsoft refused, arguing that a warrant issued under Section 2703 of the Stored Communications Act could not compel US companies to produce data stored in servers outside the US and that compliance with the requested transfer would result in the company breaking EU data protection law.

The initial ruling was in favour of the DoJ, with the presiding judge concluding that American companies “must turn over private information when served with a valid search warrant from US law enforcement agencies". Microsoft appealed to the US Second Circuit Court of Appeals which ruled in its favour in 2016 and invalidated the warrant. In response, the DoJ appealed to the US Supreme Court.

In March 2018, while the case was pending before the US Supreme Court, the US Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act which amended and extended the ECPA (Electronic Communications Privacy Act) and the SCA (Stored Communications Act).

"This highly controversial measure was buried on page 2,201 of a voluminous 2,232-page spending bill - the Consolidated Appropriations Act of 2018 - which was tabled and adopted as an emergency measure to prevent an impending government shutdown."Following agreement from both the DoJ and Microsoft, the US Supreme Court determined that the case had been rendered moot by the passage of the CLOUD Act and the issuing of a new warrant under the terms of the new legislation.

Despite having a major impact on how tech companies can be obliged to share user data with US and foreign governments, the CLOUD Act was passed by Congress without any public debate on 21 March 2018 and entered into force two days later.

This highly controversial measure was buried on page 2,201 of a voluminous 2,232-page spending bill - the Consolidated Appropriations Act of 2018 - which was tabled and adopted as an emergency measure to prevent an impending government shutdown.

Senators Rand Paul from Kentucky and Ron Wyden from Oregon raised procedural objections to the manner in which the CLOUD Act had been sneaked in as an appendage to the spending bill but ultimately they failed to block or stall the bill's adoption.

Ron Wyden on CLOUD Act
Ron Wyden complained about the CLOUD Act but failed to block its adoption



Privacy advocates at groups like the American Civil Liberties Union, the Center for Democracy and Technology and the Electronic Frontier Foundation criticized the legislation as “a new backdoor around the Fourth Amendment" which permitted the circumvention of constitutional protections against unreasonable searches by law enforcement agencies. They also argued that it could lead the US to send user data to police in countries known for abusing the human rights of their citizens.

"Privacy advocates at groups like the American Civil Liberties Union, the Center for Democracy and Technology and the Electronic Frontier Foundation criticized the legislation as “a new backdoor around the Fourth Amendment" which permitted the circumvention of constitutional protections against unreasonable searches by law enforcement agencies."On the other hand, US tech giants such as Microsoft, Google, Facebook, Apple, and Oath, applauded the legislation and sent a joint letter to the US Senate proclaiming that the CLOUD Act represented “notable progress to protect consumers’ rights".

The main effect of the CLOUD Act was to strengthen the powers of US law enforcement and intelligence agencies to access data held by US companies on foreign soil.

In a nutshell, the CLOUD Act amounted to a consolidation and expansion of the arrangements established by the earlier 2001 PATRIOT Act which had significantly extended the government's powers of access to data held by US-based global providers, irrespective of the storage location of that data.

This might help to explain why those pushing for the adoption of the measure preferred to avoid public debate by sneaking it in as a hidden appendage to an emergency spending bill.

On the other side of the Atlantic, the passage of the CLOUD Act gave a new impulse to the ongoing political debate about "digital sovereignty".

A year after the passage of the Act, an article in the French paper Les Echos reported that "[m]any observers feel that American justice could be deploying [the Cloud Act] for purposes of economic espionage.”

"In a nutshell, the CLOUD Act amounted to a consolidation and expansion of the arrangements established by the earlier 2001 PATRIOT Act which had significantly extended the government's powers of access to data held by US-based global providers, irrespective of the storage location of that data."The French politician Ms Laure de la Raudiere who co-chairs a parliamentary cyber-security and sovereignty committee described the CLOUD Act as "a wakeup call for Europe to accelerate its own sovereign capabilities in the data sector".

In response to the concerns articulated by various political and business leaders, the French government called upon French companies to rely on "CLOUD-Act-safe" data providers.

In the meantime, on 25 May 2018, a few months after the adoption of the CLOUD Act by the US Congress, the General Data Protection Regulation (GDPR) entered into effect. In the next part of this series we will look at the GDPR and its implications for transatlantic data traffic between the EU and the US.

Recent Techrights' Posts

Cybercrimes and Online Abuse From Extremists and Militants on a VPN/Tor
A straitjacket or lobotomy won't solve this issue
Links 02/12/2023: Pfizer Sued for Lies About Efficacy, Censorship of Scientific Dissent, More Pfizer Layoffs
Links for the day
Selling Free Software
by Richard Stallman
 
Links 02/12/2023: ChatGPT Drowns in Bad Press, Censorship Worldwide Increases Some More
Links for the day
[Meme] Screenshots of Web Pages (Relevant to One's Article) Are Not Copyright Infringing Anywhere in the World
bullying and hate crimes
IRC Proceedings: Friday, December 01, 2023
IRC logs for Friday, December 01, 2023
A Year of Doing Techrights 'Full Time'
been a year!
Microsoft and Its Boosters Worsen Linux Security
The circus goes on and on
Links 01/12/2023: Facebook Infested With Malicious Campaigns by Imposters, ACLU Gives Advice on Doxxing and Online Harassment
Links for the day
Just Like Its Budget Allocation, the Linux Foundation Devotes About 3% Of Its Latest Newsletter to Linux, Devotes More to Linux's Rivals
It's just exploiting the brand
Links 01/12/2023: Google Invokes Antitrust Against Microsoft
Links for the day
Over at Tux Machines...
GNU/Linux news
UK Government Allowing Microsoft to Take Over Activision Blizzard Will Destroy Jobs
Over 30,000 fired this year? More?
It's Cheaper to Pay Bribes (and Produce Press Releases) Than to Pay Fines (After Lots of Negative Publicity)
Does the UK still have real sovereignty or do corporations from overseas purchase decisions and outcomes?
November 2023 Over With GNU/Linux at All-Time Highs According to statCounter
ChromeOS+GNU/Linux combined are about 7% of the "market"
New Report Provides Numerical Evidence That Google Hired Too Many People From Microsoft (and Became Malicious, Evil, Sociopathic)
"Some 12,018 former Microsoft employees currently work for the search and data giant"
Google: Keep Out, Don't Save Your Files, and Also Let Us Spy on Everything You Do
Do you still trust "clown" storage?
IRC Proceedings: Thursday, November 30, 2023
IRC logs for Thursday, November 30, 2023
Links 01/12/2023: Many Suppressions in Hong Kong and Attempts to Legitimise Illegal and Unconstitutional Fake Patent 'Court' in EU (UPC)
Links for the day
Gemini Not Deflated Yet (Soon Turning 5!)
Gemini numbers still moving up, the protocol will turn five next summer
Links 30/11/2023: Belated End of Henry Kissinger and 'Popular Science' Shuts Online Magazine
Links for the day
Site Priorities and Upcoming Improvements
pages are served very fast
[Meme] One Person, Singular Pronoun
Abusing people into abusing the English language is very poor diplomacy
Ending Software Patents in Recent Years (Software Freedom Fighters MIA)
not a resolved issue
New Article From Richard Stallman Explains Why He Says He and She for Unknown Person (Not 'They')
"Nowadays I use gender-neutral singular pronouns for a person whose gender I don't know"
IRC Proceedings: Wednesday, November 29, 2023
IRC logs for Wednesday, November 29, 2023
Over at Tux Machines...
GNU/Linux news
Links 30/11/2023: Rushing Patent Cases With Shorter Trial Scheme (STS), Sanctions Not Working
Links for the day
Links 30/11/2023: Google Purging Many Accounts and Content (to Save Money), Finland Fully Seals Border With Russia
Links for the day