CLOUD Act and Apple: What you need to know

The CLOUD Act — Clarifying Lawful Overseas Use of Data — is a set of regulations currently in the process of being passed by the U.S. government and signed into law as part of the Omnibus Spending Bill released on March 21, 2018.

It's raised concerns from numerous civil rights organizations, including the ACLU:

The CLOUD Act represents a major change in the law — and a major threat to our freedoms. Congress should not try to sneak it by the American people by hiding it inside of a giant spending bill. There has not been even one minute devoted to considering amendments to this proposal. Congress should robustly debate this bill and take steps to fix its many flaws, instead of trying to pull a fast one on the American people.

Specific objections have been enumerated by the Electronic Frontier Foundation:

  • Includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment.
  • Fails to require foreign law enforcement to seek individualized and prior judicial review.
  • Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
  • Fails to place adequate limits on the category and severity of crimes for this type of agreement.
  • Fails to require notice on any level – to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial orders, the bill allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
  • The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation.

I'm by no means an expert in this area. I'm also not an American. I, like many others around the world, have lived the vast majority of my life with most of our data stored by U.S. companies, on U.S.-based servers, subject to U.S. law enforcement uses and abuses, and under the jurisdiction of U.S. courts.

But I've spent the better part of the day looking into the CLOUD Act and what it may mean for Apple and Apple customers. And perhaps my perspective, from outside looking in, will be of interest.

Why is Apple, which has called privacy a human right, supporting the CLOUD Act?

Apple, along with Microsoft, Google, and Facebook, sent a letter of support to U.S. Senators Hatch, Coons, Graham, and Whitehouse, which said:

The new Clarifying Lawful Overseas Use of Data (CLOUD) Act reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data. Introduction of this bipartisan legislation is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer.

If enacted, the CLOUD Act would create a concrete path for the U.S. government to enter into modern bilateral agreements with other nations that better protect customers. Importantly, the legislation would require baseline privacy, human rights and rule of law standards in order for a country to enter into an agreement. That will ensure customers and data holders are protected by their own laws and that those laws are meaningful. The legislation would further allow law enforcement to investigate cross-border crime and terrorism in a way that avoids international legal conflicts.

The CLOUD Act encourages diplomatic dialogue, but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise. The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary.

Our companies have long advocated for international agreements and global solutions to protect our customers and Internet users around the world. We have always stressed that dialogue and legislation - not litigation - is the best approach. If enacted, the CLOUD Act would be notable progress to protect consumers' rights and would reduce conflicts of law. We appreciate your leadership championing an effective legislative solution, and we support this compromise proposal.

Microsoft's president, Brad Smith, has also spoken out directly:

The proposed CLOUD Act creates a modern legal framework for how law enforcement agencies can access data across borders. It's a strong statute and a good compromise that reflects recent bipartisan support in both chambers of Congress, as well as support from the Department of Justice, the White House, the National Association of Attorneys General and a broad cross section of technology companies. It also responds directly to the needs of foreign governments frustrated about their inability to investigate crimes in their own countries. The CLOUD Act addresses all of this, while ensuring appropriate protections for privacy and human rights. And it gives tech companies like Microsoft the ability to stand up for the privacy rights of our customers around the world. The bill also includes a strong statement about the importance of preventing governments from using the new law to require that U.S. companies create backdoors around encryption, an important additional privacy safeguard.

(Microsoft and the U.S. Government are currently arguing the issues covered by CLOUD Act in front of the U.S. Supreme Court.)

If I had to guess about Apple and the other tech companies, my guess would be that they see some even more disturbing writing on the wall:

  1. Other countries outside the U.S. are growing increasingly frustrated over how long it takes to get data on their citizens from U.S. tech companies under existing Mutual Legal Assistance Treaties (MLATs).
  2. China has already passed laws forcing companies like Apple to relocate the data of their citizens to data centers located and owned and operated by companies on their soil.
  3. There is increased pressure from some nations, including the U.S. and those in the E.U., to restrict the use of encryption or create backdoors to make data more accessible to law enforcement and government agencies.

There are legitimate concerns about CLOUD Act, but having to respond to each and every country's laws and demands, when those laws could require the repatriation of data, or the exiting of markets in the face of mandated insecurity, could well be seen as much, much worse by the major tech companies.

How will CLOUD Act affect the data transited or stored by Apple? Will Apple be required to keep more personal data for longer? To unencrypt currently encrypted services?

Far as I can tell, there is nothing in CLOUD Act that changes anything about what personal data Apple has and how it's transited or stored.

Your iCloud messages that were encrypted pre-CLOUD Act will still be encrypted post-CLOUD Act. And no data will be stored after CLOUD Act that wasn't stored before CLOUD Act.

Since Apple isn't in the business of data harvesting, hoarding, or exploiting, it could potentially have a smaller footprint or smaller risk to customers than companies whose businesses do depend on persisting customer data.

Will CLOUD Act result in lowest-common-denominator privacy protection, where the laws of the least respectful nation will win out?

The version of the CLOUD Act currently being voted on requires the Secretary of State and the Attorney General of the United States to certify that any country entering into the CLOUD Act "affords robust substantive and procedural protections for privacy and civil liberties."

That includes:

  • Protection from arbitrary and unlawful interference with privacy.
  • Fair trial rights.
  • Freedom of expression, association, and peaceful assembly.
  • Prohibitions on arbitrary arrest and detention.
  • Prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.

CLOUD Act also prohibits countries from using surveillance orders to chill freedom of speech, and — likely very important to Apple given the San Bernardino case — language that discourages governments from using this process to mandate U.S. companies create backdoors to compromise the security of their operating systems and devices.

Doesn't CLOUD Act take oversight away from the legislative branch and hand even more power to the executive branch?

It certainly seems to, especially in earlier versions. The version of CLOUD Act being voted on now includes new provisions for Congress to:

  • Review new bilateral agreements for up to 180 days.
  • Review changes to existing agreements for up to 90 days.
  • Require written certification and explanation for how countries pass certification.
  • Fast-track disapproval of bilateral agreements.

What about judicial oversight? Isn't CLOUD Act just a way to get around the courts?

Yes and no. I sincerely think Americans have gotten used to being the center of the technology world and don't really think about how things work beyond their borders.

For years, those of us outside the U.S. have had our data be subject to U.S. laws and courts. While some inside the U.S. might think that's great, in the post-Snowden, post-San Bernardino era it's simply not anything any fair-minded person can consider ideal.

CLOUD Act mandates that any surveillance order issued by any country part of the agreement must be both individualized and "subject to review or oversight by a court, judge, magistrate, or other independent authority," and that this review must be "prior to, or in proceedings regarding, enforcement of the order."

It's totally understandable that some in the U.S. may consider privacy laws outside the U.S. to be problematic. Just understand that those of us outside the U.S. may consider U.S. privacy laws to be just as problematic.


But CLOUD Act just makes it easier for governments to access U.S.-based data?

I think that's part of the point. Again, other countries have grown increasingly frustrated with how long it takes to get data on their citizens from U.S.-based companies.

Now, they're considering laws to try and force U.S. companies to hand over data without any regard to privacy, or to repatriate data so they can access it directly.

CLOUD tries to avoid that by establishing a reasonable, agreeable process in a way that's certainly not ideal but may just be workable.

That includes the certification process, the requirement for independent oversight and individualized orders, reasonable justification, and the requirement that orders be in response to "serious" crimes.

Doesn't CLOUD Act allow non-U.S. countries to wiretap inside the U.S. in a way even U.S.-based law enforcement can't?

Potentially, yes. Here are the restrictions under the CLOUD Act:

  • Other governments are explicitly forbidden from surveilling a U.S. person directly or indirectly.
  • Surveillance orders have to be of fixed and limited duration.
  • Surveillance can only occur when it's reasonably necessary and the information being sought can't be reasonably obtained using less intrusive methods.

That's a lot of "reasonably" wiggle room but my understanding — as not a lawyer or legal scholar! — is that the CLOUD Act parallels the Wiretap Act, swapping the limitation to a list of predicate offenses for a restriction to serious crimes.

What that means in practice we'll likely only find out when it's implemented and challenged.

But won't U.S. data be collected alongside non-U.S. data? Isn't that unavoidable?

It certainly sounds like it. But CLOUD Act has several provisions to protect against that:

  • Prohibits direct targeting of U.S. persons' data by non-U.S. governments.
  • Prohibits asking a CLOUD Act certified country to target a U.S. person's data.
  • Prohibits targeting a non-U.S. person's data for the purpose of collecting a U.S. person's data (for example, their shared communications).
  • Prohibits the dissemination of a U.S. person's data except where there is evidence of a serious crime.

It's the nebulous nature, and potential for abuse of that last one, that's probably the greatest concern, because…

There's nothing to ensure other countries — or any country! — really follow those rules, though, is there?

There's the U.S. government. But, real talk time: There's nothing to ensure any country really follows any rule, as we've seen all too terrifyingly over the last decade.

But that doesn't mean you stop having laws and agreements. It means we all have to do a better job holding all governments accountable.

So why is everyone from the ACLU to the EFF so against CLOUD Act?

Because that's literally their job. Those organizations exist only and completely to protect the civil rights, including the privacy rights, of Americans and people around the world.

They stand in stark and necessary opposition to those in government and law enforcement who believe that the fewer rights we have, the better they can protect the state — and maybe us.

And we need the ACLU, EFF, and others to do this. Desperately.

Is there a way to limit exposure under CLOUD Act?

Potentially. Again, since Apple's business doesn't depend on harvesting, hoarding, and exploiting user data, it doesn't need to persist that data. It can use end-to-end encryption and not store anything longer than it absolutely has to.

If you're especially concerned, you can do things like:

  • Disabling iCloud backup, which is safety rather than security focused, and keeping encrypted backups locally.
  • Disabling sync services that need to keep a copy of your data in the cloud (though this may be incredibly inconvenient).
  • Deleting old mail messages off the iCloud servers, keeping local, encrypted backups of anything you really need.

So, CLOUD Act?

In an ideal world, countries would be racing to have the best and most complete privacy laws possible and it would be law enforcement that was continually complaining about how much work it had to do and hoops it had to jump through to access anything and everything even remotely personal.

But, I fear we're increasingly looking at a scared world. At a withdrawn world. At a world that's nationalistic and intrusive. And that was ill-prepared for the realities of the internet and pocket-sized, perpetually connected devices.

So, CLOUD Act.

I have grave concerns about it. I'm guessing Apple does as well. But I have grave concerns about how things have been handled up until this point, and even graver concerns about how things may be handled in the future, given data repatriation, the assault on encryption, and the continued cries for backdoors.

Whether CLOUD Act really is the pragmatic compromise tech companies hope it will be, we'll have to wait and see.