Imagine you’re a detective in London, investigating a robbery. You have reason to believe the suspect communicated with an accomplice by using Gmail. What’s your next move?
First, contact the US Department of Justice to request a warrant. Second, buy a lot of tea, because you’re in for a long wait.
At least that’s the way it was until a few days ago. Police in other countries often found that suspects relied on US-based communications services — Google, Amazon, Apple, Microsoft, Facebook. Getting the online evidence against them required a long, hard slog through the US courts.
Now Congress has made it easier, with new legislation to allow overseas investigators access to that material. But some say the Clarifying Overseas Use of Data (CLOUD) Act, included in the big spending bill President Trump signed Friday, will make it too easy for countries with poor human rights records to root around inside controlled US databases.
Activist groups, including the American Civil Liberties Union and Amnesty International, warn that the CLOUD Act doesn’t offer the same level of judicial scrutiny that similar data requests would get in US courts.
“We’re swapping out strong US protections for whatever protections the foreign governments have,” said Gregory Nojeim, senior counsel at the Center for Democracy and Technology, a Washington, D.C.-based online privacy watchdog.
Supporters of the bill, including America’s biggest Internet companies, say it’s better than nothing. Longtime Internet privacy activist Peter Swire, a law professor at Georgia Tech, said that without the CLOUD Act, “it will be worse for privacy and for law enforcement, and we’ll have a more splintered Internet.”
The legislation was partly inspired by a case now before the US Supreme Court. Microsoft Corp. refused to comply with a warrant seeking data belonging to a user, because that data is stored on a computer in Ireland. Microsoft argues that Irish and not US law applies in this case. A federal appeals court agreed. The CLOUD Act would settle the matter by establishing that US warrants cover data stored by US Internet companies, wherever their servers may be.
But the CLOUD Act will also help foreign police see online data held by US companies. According to a 2013 report from the Obama White House, it took around 10 months to comply with a foreign government’s request for US-stored data. The process was so slow that the US Justice Department predicted a backlog of 16,000 such requests by 2020.
Under CLOUD, nations that demonstrate “robust substantive and procedural protections for privacy and civil liberties” can be put on a fast track by the US attorney general, in consultation with the State Department. Approved countries would be able to directly demand information from US Internet companies. The demand must relate to the investigation of a serious crime, and can’t target US citizens or residents. Each country’s certification would have to be renewed every five years.
Under CLOUD, our British police detective might get those e-mails in days or hours, rather than months.
Some worry that CLOUD doesn’t require the United States to demand strict human rights standards from certified countries. Instead, it’s a judgment call by the US attorney general.
What if the detective was in Istanbul rather than London? Turkey is notorious for practicing torture and locking up political dissenters, but it’s also a US ally. Nojeim said that nations such as Turkey could be approved for CLOUD for purely political reasons and argued that governments should have to meet specific human rights standards to be considered for the expedited access.
In addition, CLOUD-approved countries would be able to listen to their citizens’ voice communications without meeting the US government’s high probable-cause standard for a wiretap warrant. Nojeim fears we could be helping foreign investigators conduct open-ended fishing expeditions against their own people.
Swire concedes that CLOUD isn’t perfect. But the alternative is worse, he said, because of a worrisome trend called data localization — or countries demanding that Internet data about their citizens be stored on their territory, to ensure their laws apply, and not those of the United States.
China is obsessed with data localization. It recently forced Apple Inc.’s iCloud service to keep all information uploaded by Chinese customers at a government-run data center in that country. This lets Chinese investigators get their citizens’ data without playing “Mother, may I?” with a US court.
It’s scary stuff, because of China’s unabashed contempt for its citizens’ rights. But even more-liberal countries are chafing at US domination of the Internet cloud. Some countries make it mandatory to store government files or citizens’ medical records on domestic servers. Without CLOUD, Swire said some countries would increasingly demand localization of even more of their citizens’ files.
If that happens, companies like Google might have to run separate networks in many of the nations where they operate. And people in less-free countries could end up with fewer privacy protections. Under the CLOUD Act, Swire said, a country like Turkey would have to agree to at least some human rights protections to see files stored in a US-controlled cloud. But if Turkey follows China’s lead and forces Internet companies to store their citizens’ data locally, the government could do whatever it wants.
“The choice is the CLOUD Act or weaker safeguards down the line,” Swire said.
Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab.