CLOUD Act hits Senate to lube up US access to data stored abroad
That's 'Clarifying Lawful Overseas Use of Data'. Nice
Tech giants including Microsoft, Google and Apple have given a proposed US law on overseas data sharing the thumbs-up.
The bipartisan Clarifying Lawful Overseas Use of Data Act (PDF), introduced to the Senate yesterday, aims to iron out confusion around which laws apply when governments want access to data stored in the cloud.
Senators Orrin Hatch, Christopher Coons, Lindsey Graham and Sheldon Whitehouse said that the US government's efforts to access data stored overseas are impeded by exactly that.
"In today's world of email and cloud computing, where data is stored across the globe, law enforcement and tech companies find themselves encumbered by conflicting data disclosure and privacy laws," said Hatch.
"We need a common-sense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries' differing privacy regimes."
The most obvious example where existing laws fail to address cloud storage is the ongoing legal wrangling between Microsoft and the US government.
The state says the Stored Communications Act requires Microsoft to share crime suspects' emails, but Redmond has refused, saying the search warrant can't reach beyond US borders.
The new bill would render this argument moot by adding a section to the SCA that says firms must pass on data in their possession, even if it is held outside the US:
A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
The proposal has won the approval of big tech firms, which have previously called for the SCA to be updated to reflect technological advances like the cloud.
Microsoft president Brad Smith said that his firm had "long argued for the US Congress to modernize laws" and that the proposal was "an important step toward enhancing and protecting privacy while reducing international legal conflicts".
Along with Apple, Facebook, Google and Oath, Microsoft wrote joint letters (PDF) of support to the senators and the representatives that have brought companion legislation.
Part of their support for the bill is because of the safeguards built into it.
These include a motion to quash or modify the legal process if it believes the customer isn't a US citizen and that disclosure "creates a material risk" that the firm would violate the laws of another government.
"The CLOUD Act encourages diplomatic dialogue, but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise," the signatories write.
"The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary."
Oi, force Microsoft to cough up emails on Irish servers to the Feds, US states urge SupremesREAD MORE
As well as offering the US government access to data held overseas, the CLOUD Act aims to help foreign governments slurp up data held by US providers.
It would also allow for the US government to sign formal, bilateral data sovereignty agreements with other countries setting standards for cross-border investigative requests for digital evidence related to serious crime and terrorism.
The proposed law states that such deals could only be struck if certain conditions are met, including that the foreign country has "robust" standards on human rights and privacy protections, and that the agreement has taken steps to minimise data slurping on US citizens.
The foreign government must reciprocate by removing any legal restrictions that prevent compliance with requests from US law enforcement.
The US is in talks with the UK government over such an agreement and the UK's Prime Minister, Theresa May, last night endorsed the proposed Act in a phone call with President Trump.
"With it [the CLOUD Act], law enforcement officials in the US and the UK will be empowered to investigate their citizens suspected of terrorism and serious crimes like murder, human trafficking, and the sexual abuse of children regardless of where the suspect's email or messages happen to be stored," a Downing Street spokesperson said. ®
Sponsored: Becoming a Pragmatic Security Leader