By Karissa Murphy, Executive Editor
In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA).[1] This Act regulated how United States law officials could access data stored overseas.[2] Over 30 years, and countless technological developments later, Congress enacted the CLOUD Act, which seeks to update its predecessor.[3] The CLOUD Act, which stands for Clarifying Overseas Use of Data Act, was passed in March 2018 and was first introduced following the FBI’s difficulties in obtaining data stored remotely.
These struggles were outlined in the Supreme Court case United States v. Microsoft, where a warrant was issued requiring Microsoft to disclose all emails and other information associated with one of its users believed to be engaging in drug trafficking.[4] It was determined that the contents of the emails were stored in Dublin, Ireland, and Microsoft moved to quash the motion on that basis.[5] The motion was denied, and the District Court held Microsoft in contempt for refusing to comply with the warrant.[6] On appeal, the Court of Appeals for the Second Circuit reversed the denial of the motion and vacated the civil contempt finding.[7] The court found that requiring Microsoft to disclose electronic communications held in Dublin would be an unauthorized extraterritorial application of the Stored Communications Act.[8] The government appealed, and the Supreme Court grant certiorari.
However, shortly before deciding the case, Congress passed — and the president signed into law — the CLOUD Act, which amends the Stored Communications Act. Specifically, the CLOUD Act adds the following provision:
A [service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
CLOUD Act § 103(a)(1).[9] The government soon thereafter obtained a warrant under this section, and the case became moot.
While the Act seems to clarify the job of law enforcement, it also blurs the boundaries of privacy. Up until the CLOUD Act was passed, the U.S. could only access data stored overseas through mutual legal-assistance treaties (MLATs).[10] This process required two countries to put into writing their agreement regarding what data may be assessed; the Senate then voted on each MLAT, which required a two-thirds approval.[11] Now, however, the CLOUD Act skirts this process and allows law enforcement to compel tech companies to disclose user data, regardless of where that data is stored.[12] The Act also gives the executive branch the ability to enter into “executive agreements” with foreign nations — possibly allowing other countries to obtain this data.[13]
Some proponents of the Act argue that it has the potential to keep Americans safer. For instance, MLAT requests took approximately 10 to 12 months to fill and authorize.[14] By that time, this information could no longer be available or could be obsolete. Through the CLOUD Act, law enforcement officials are able to gain access to data much faster and with fewer obstacles, thereby enabling them to prevent crime and prosecute criminals faster. This could aid the government in its continuous battle to prevent terroristic threats.
However, this enhanced security requires us to sacrifice some of our digital privacy in return. The text of the CLOUD Act does not limit U.S. law enforcement to serving orders on U.S. companies or companies operating in the United States. And it allows any level of law enforcement, from local police to federal agents in Immigration and Customs Enforcement, to access “contents of wire or electronic communication” from a person regardless of where they live.[15] Critics of the Act worry that it gives law enforcement officers and the President powers that are too broad, while negating constitutional procedures and safeguards.[16] Additionally, because the Act only offers some protections to U.S. citizens, it leaves individuals who are not citizens but who are living in the U.S. completely exposed and without protection. This is a dramatic move away from previous U.S. privacy laws (e.g., the Stored Communications Act, which applied to the “public”[17]). The Act also calls into question any respect for foreign privacy policies.
The language of the CLOUD Act is not new. In 2016, the Department of Justice first proposed very similar legislation, which would have allowed the executive branch to enter into bilateral agreements with foreign governments to allow direct access to stored data.[18] In 2017, the DOJ resubmitted the bill, this time with even broader language that would permit extraterritorial application of U.S. warrants outside of the United States.[19] The executive agreement language in the CLOUD Act is nearly identical to the DOJ’s 2017 bill.[20]
While we have yet to see the full impact of the CLOUD Act, debates will likely continue over whether it violates privacy rights and gives law enforcement too much power, or whether broad power is necessary to prosecute criminals who may otherwise escape justice simply by storing their data in foreign locations.[21]
Sources
[1] See Stored Communications Act, Pub. L. 99-508, tit. II, 100 Stat. 1848, 1860-68 (1986) (codified as amended at 18 U.S.C. §§ 2701-12).
[2] Electronic Communications Privacy Act, U.S. Department of Justice, OJP.gov (last revised July 30, 2013), https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285.
[3] H.R. 4943 CLOUD Act, Congress.gov, https://www.congress.gov/bill/115th-congress/house-bill/4943 (last visited May 2, 2018).
[4] United States v. Microsoft, 138 S. Ct. 1186, 1187 (2018).
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Id. at 1188.
[10] Mutual Legal Assistance Treaties, Accessnow.org, https://www.mlat.info/ (last visited May 2, 2018).
[11] Kristen Houser, Everything You Need to Know About the CLOUD Act, Futurism (Mar. 26, 2018), https://futurism.com/everything-need-know-cloud-act/.
[12] Id.
[13] Id.
[14] See Richard A. Clarke et al., Liberty and Security in a Changing World: Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies 227 (2013), https://obamawhitehouse.archives.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf.
[15] Camille Fischer, The CLOUD Act: A Dangerous Expansion of Police Snooping on Cross-Border Data, Electronic Frontier Foundation (Feb. 8, 2018), https://www.eff.org/deeplinks/2018/02/cloud-act-dangerous-expansion-police-snooping-cross-border-data#_ftn1.
[16] Id.
[17] Id.
[18] Id.
[19] Id.
[20] See Jennifer Daskal, Microsoft Ireland, the CLOUD Act, and International Law Making, 71 Stan. L. Rev. Online 9 (2018).
[21] See Brad Smith, The CLOUD Act is an important step forward, but now more steps need to follow, Microsoft Blog (April 2018), https://blogs.microsoft.com/on-the-issues/2018/04/03/the-cloud-act-is-an-important-step-forward-but-now-more-steps-need-to-follow/.