CLOUD Act hits Senate to lube up US access to data stored abroad

That's 'Clarifying Lawful Overseas Use of Data'. Nice

By Rebecca Hill

Posted in Cloud, 7th February 2018 13:41 GMT

Tech giants including Microsoft, Google and Apple have given a proposed US law on overseas data sharing the thumbs-up.

The bipartisan Clarifying Lawful Overseas Use of Data Act (PDF), introduced to the Senate yesterday, aims to iron out confusion around which laws apply when governments want access to data stored in the cloud.

Senators Orrin Hatch, Christopher Coons, Lindsey Graham and Sheldon Whitehouse said that the US government's efforts to access data stored overseas are impeded by exactly that.

"In today's world of email and cloud computing, where data is stored across the globe, law enforcement and tech companies find themselves encumbered by conflicting data disclosure and privacy laws," said Hatch.

"We need a common-sense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries' differing privacy regimes."

The most obvious example where existing laws fail to address cloud storage is the ongoing legal wrangling between Microsoft and the US government.

The state says the Stored Communications Act requires Microsoft to share crime suspects' emails, but Redmond has refused, saying the search warrant can't reach beyond US borders.

The new bill would render this argument moot by adding a section to the SCA that says firms must pass on data in their possession, even if it is held outside the US:

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

The proposal has won the approval of big tech firms, which have previously called for the SCA to be updated to reflect technological advances like the cloud.

Microsoft president Brad Smith said that his firm had "long argued for the US Congress to modernize laws" and that the proposal was "an important step toward enhancing and protecting privacy while reducing international legal conflicts".

Along with Apple, Facebook, Google and Oath, Microsoft wrote joint letters (PDF) of support to the senators and the representatives that have brought companion legislation.

Part of their support for the bill is because of the safeguards built into it.

These include a motion to quash or modify the legal process if it believes the customer isn't a US citizen and that disclosure "creates a material risk" that the firm would violate the laws of another government.

"The CLOUD Act encourages diplomatic dialogue, but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise," the signatories write.

"The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary."

Oi, force Microsoft to cough up emails on Irish servers to the Feds, US states urge Supremes

READ MORE

As well as offering the US government access to data held overseas, the CLOUD Act aims to help foreign governments slurp up data held by US providers.

It would also allow for the US government to sign formal, bilateral data sovereignty agreements with other countries setting standards for cross-border investigative requests for digital evidence related to serious crime and terrorism.

The proposed law states that such deals could only be struck if certain conditions are met, including that the foreign country has "robust" standards on human rights and privacy protections, and that the agreement has taken steps to minimise data slurping on US citizens.

The foreign government must reciprocate by removing any legal restrictions that prevent compliance with requests from US law enforcement.

The US is in talks with the UK government over such an agreement and the UK's Prime Minister, Theresa May, last night endorsed the proposed Act in a phone call with President Trump.

"With it [the CLOUD Act], law enforcement officials in the US and the UK will be empowered to investigate their citizens suspected of terrorism and serious crimes like murder, human trafficking, and the sexual abuse of children regardless of where the suspect's email or messages happen to be stored," a Downing Street spokesperson said. ®

Sign up to our NewsletterGet IT in your inbox daily

37 Comments

More from The Register

Microsoft Store adds ‘private audience’ apps to its Store

A velvet rope for digital tat, to help with betas, promos and maybe Windows 10 S

Hawaii Live-Go! Microsoft launches Honolulu admin tool for cloud and on-prem

One tool to rule them all

Microsoft starts buying speculative execution exploits

Adds bug bounty class for Meltdown and Spectre attacks on Windows and Azure

Microsoft's Teams lights solitary candle, hipsters don't notice

Slacklike turns one

Microsoft ports its Quantum Development Kit to Linux and macOS

Now that it's not Windows-only, you can simulate a theoretical computer on a real computer

BlackBerry calls out between two worlds: Microsoft, Dynamics sandboxes walk with me

When container realms collide

Microsoft: Yes, we agree that Irish email dispute is moot... now what's this new warrant about?

Redmond backs down without actually backing down

Skype for Biz users: Go watch nature vids. Microsoft wants you to get good at migration

New roadmap for Teams does everything but name Skype's death date

Microsoft says 'majority' of Windows 10 use will be 'streamlined S mode'

Which is just-about an admission Win 10 is a mess

Microsoft lobs Skylake Spectre microcode fixes out through its Windows

Just go install Intel's patch while we hunt the next CPU-level security flaw in Intel's silicon