The CLOUD Act — Clarifying Lawful Overseas Use of Data — is a set of regulations currently in the process of being passed by the U.S. government and signed into law as part of the Omnibus Spending Bill release on March 21, 2018.
It's raised concerns from numerous civil rights organizations, including the ACLU:
Specific objections have been enumerated by the Electronic Frontier Foundation:
- Includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment.
- Fails to require foreign law enforcement to seek individualized and prior judicial review.
- Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
- Fails to place adequate limits on the category and severity of crimes for this type of agreement.
- Fails to require notice on any level – to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial orders, the bill allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
- The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation.
I'm by no means an expert in this area. I'm also not an American. I, like many others around the world, have lived the vast majority of my life with most of our data stored by U.S. companies, on U.S.-based servers, subject to U.S. law enforcement uses and abuses, and under the jurisdiction of U.S. courts.
But I've spent a better part of the day looking into the CLOUD Act and what it may mean for Apple and Apple customers. And, perhaps my perspective from outside looking in, will be of interest.
Why is Apple, which has called privacy a human right, supporting the CLOUD Act?
Apple, along with Microsoft, Google, and Facebook, sent a letter of support (opens in new tab) to U.S. Senators Hatch, Coons, Graham, and Whitehouse, which said:
Microsoft (opens in new tab)'s president, Brad Smith, has also spoken out directly:
(Microsoft and the U.S. Government are currently arguing the issues covered by CLOUD Act in front of the U.S. Supreme Court.)
If I had to guess about Apple and the other tech companies, my guess would be that they see some even more disturbing writing on the wall:
- Other countries, outside the U.S. are growing increasingly frustrated over how long it takes to get data on their citizens from U.S. tech companies under existing Mutual Legal Assistance Treaties (MLATs).
- China has already passed laws forcing companies like Apple to relocate the data of their citizens to data centers located and owned and operated by companies on their soil.
- There is increased pressure from some nations, including the U.S. and those in the E.U. to restrict the use of encryption or create backdoors to make data more accessible to law enforcement and government agencies.
There are legitimate concerns about CLOUD Act but having to respond to each and every countries laws and demands, when those laws could require the repatriation of data, or the exiting of markets in the face of mandated insecurity, could well be seen as much, much worse by the major tech companies.
How will CLOUD Act affect the data transited or stored by Apple? Will Apple be required to keep more personal data for longer? To unencrypted currently encrypted services?
Far as I can tell, there is nothing in CLOUD Act that changes anything about what personal data Apple has and how its transited or stored.
Your iCloud messages that were encrypted pre-CLOUD Act will still be encrypted post-CLOUD Act. And no data will be stored after CLOUD Act that wasn't stored before CLOUD Act.
Since Apple isn't in the business of data harvesting, hoarding, or exploiting, it could potentially have a smaller footprint or smaller risk to customers than companies whose businesses do depend on persisting customer data.
Will CLOUD Act result in lowest-common-denominator privacy protection, where the laws of the least respectful nation will win out?
The version of the CLOUD Act currently being voted on requires the Secretary of State and the Attorney General of the United States to certify that any country entering into the CLOUD ACT "affords robust substantive and procedural protections for privacy and civil liberties."
- Protection from arbitrary and unlawful interference with privacy
- Fair trial rights.
- Freedom of expression, association, and peaceful assembly.
- Prohibitions on arbitrary arrest and detention.
- Prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.
CLOUD Act also prohibits countries from using surveillance orders to chill freedom of speech, and — likely very important to Apple given the San Bernardino case — language that discourages governments from using this process to mandate U.S. companies create backdoors to compromise the security of their operating systems and devices.
Doesn't CLOUD Act take oversight away from the legislative branch and hand even more power to the executive branch?
It certainly seems to, especially in earlier versions. The version of CLOUD Act being voted on now includes new provisions for Congress to:
- Review new bilateral agreements for up to 180 days.
- Review changes to existing agreements for up to 90 days.
- Require written certification and explanation for how countries pass certification.
- Fast-track disapproval of bilateral agreements.
What about judicial oversight? Isn't CLOUD Act just a way to get around the courts?
Yes and no. I sincerely think Americans have gotten used to being the center of the technology world and don't really think about how things work beyond their borders.
For years, those of us outside the U.S. have had our data be subject to U.S. laws and courts. While some inside the U.S. might think that's great, in the post-Snowden, post-San Bernadino era it's simply not anything any fair-minded person can consider ideal. CLOUD Act mandates that any surveillance order issued by any country part of the agreement must be both individualized and "subject to review or oversight by a court, judge, magistrate, or other independent authority," and that this review must be "prior to, or in proceedings regarding, enforcement of the order."
It's totally understandable that some in the U.S. may consider privacy laws outside the U.S. to be problematic. Just understand that those of us outside the U.S. may consider U.S. privacy laws to be just as problematic.
But CLOUD Act just makes it easier for governments to access U.S.-based data?
I think that's part of the point. Again, other countries have grown increasingly frustrated with how long it takes to get data on their citizens from U.S. based companies.
Now, they're considering laws to try and force U.S. companies to hand over data without any regard to privacy, or to repatriate data so they can access it directly.
CLOUD tries to avoid that by establishing a reasonable, agreeable process in a way that's certainly not ideal but may just be workable.
That includes the certification process, the requirement for independent oversight and individualized orders, reasonable justification, and in response to "serious" crimes.
Doesn't CLOUD Act allow non-U.S. countries to wiretap inside the U.S. in a way even U.S.-based law enforcement can't?
Potentially, yes. Here are the restrictions under the CLOUD Act:
- Other governments are explicitly forbidden from surveilling a U.S. person directly or indirectly.
- Surveillance orders have to of fixed and of limited duration.
- Surveillance can only occur when it's reasonably necessary and the information being sought can't be reasonably obtained using less intrusive methods.
That's a lot of "reasonably" wiggle room but my understanding — as not a lawyer or legal scholar! — is that the CLOUD Act parallels the Wiretap Act, swapping the limitation to a list of predicate offenses for a restriction to serious crimes.
What that means in practice we'll likely only find out when it's implemented and challenged.
But won't U.S. data be collected alongside non-U.S. data? Isn't that unavoidable?
It certainly sounds like it. But CLOUD Act has several provisions to protect against that:
- Prohibits directly targeting of U.S. persons' data by non-U.S. governments.
- Prohibits asking a CLOUD Act certified country to target a U.S. persons' data.
- Prohibits targeting a non-U.S. persons' data for the purpose of collecting a U.S. persons' data (for example, their shared communications).
- Prohibits the dissemination of a U.S. persons' data except where there is evidence of a serious crime.
It's the nebulous nature, and potential for abuse of that last one, that's probably the greatest concern, because…
There's nothing to ensure other countries — or any country! — really follow those rules, though, is there?
There's the U.S. government. But, real talk time: There's nothing to ensure any country really follows any rule, as we've seen all too terrifyingly over the last decade.
But that doesn't mean you stop having laws and agreements. It means we all have to do a better job holding all governments accountable.
So why is everyone from the ACLU to the EFF so against CLOUD Act?
Because that's literally their job. Those organizations exist only and completely to protect the civil rights, including the privacy rights, of Americans and people around the world.
That stand in stark and necessary opposition to those in government and law enforcement who believe that the fewer rights we have, the better they can protect the state — and maybe us.
And we need the ACLU, EFF, and others to do this. Desperately.
Is there a way to limit exposure under CLOUD Act?
Potentially. Again, since Apple's business doesn't depend on harvesting, hoarding, and exploiting user data, it doesn't need to persist that data. It can use end-to-end encryption and not store anything longer than it absolutely has to.
If you're especially concerned, you can do things like:
- Disabling iCloud backup, which is safety rather than security focused, and keep encrypted backups locally.
- Disabling sync services that need to keep a copy of your data on the cloud (though this may be incredibly inconvenient).
- Delete old mail messages off the iCloud servers, keeping local, encrypted backups of anything you really need.
So, CLOUD Act?
In an ideal world, countries would be racing to have the best and most complete privacy laws possible and it would be law enforcement that was continually complaining about how much work it had to do and hoops it had to jump through to access anything and everything even remotely personal.
But, I fear we're increasingly looking at a scared world. At a withdrawn world. At a world that's nationalistic and intrusive. And that was ill-prepared for the realities of the internet and pocket-sized, perpetually connected devices.
So, CLOUD Act.
I have grave concerns about it. I'm guessing Apple does as well. But I have grave concerns about how things have been handled up until this point, and even graver concerns about how things may be handled in the future, given data repatriation, the assault on encryption, and the continued cries for backdoors.
Whether CLOUD Act really is the pragmatic compromise tech companies hope it will be, we'll have to wait and see.
Get the best of iMore in in your inbox, every day!
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
The way that this was snuck into the budget at the last minute is a travesty. Congress had over 5000 pages to read in one night. Remind you of something? The reason why Apple and other big companies changed their minds on the Cloud Act is that the wording was changed so that they are protected from lawsuits. It's a travesty that this was passed. Our government can now get data overseas without a court order. US citizens are not protected. The only good thing about this is that the courts will probably throw a lot of this out because it's unconstitutional. I'm all for protecting our country against terrorists. But we don't have to give our constitutional rights in the process. This will end up just like the Patriot Act.
Thank you for signing up to iMore. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.