After a protracted legal battle that Microsoft took all the way to the U.S. Supreme Court over Department of Justice demands that the tech company turn over emails of a drug-trafficking suspect that it stored on a server in Ireland, Microsoft has sided with the government on a new law that would give the Justice Department access to email and other electronic communications stored overseas by U.S. cloud and email providers.
In an apparent reversal of company policy, Microsoft supports the Clarifying Lawful Overseas Use of Data Act, also known as the Cloud Act, because it would encourage cross-border law enforcement agreements that clarify the rules for sharing customer data. Joining the maker of Windows and Office 365 are a handful of large U.S. tech companies, including Apple, Facebook, Google, Microsoft, and Oath (formerly Yahoo).
A bipartisan group of U.S. lawmakers introduced the Cloud Act in early February. The bill would invalidate a July 2016 court ruling rejecting the Justice Department’s warrant for the emails stored in Ireland.
While the Cloud Act earns applause from some of Silicon Valley’s biggest consumer-facing companies for making “notable progress to protect consumers’ rights,” some digital-rights groups argue that it does the exact opposite.
The bill “takes care of the government’s interest and the interests of providers, but not the interests of consumers and their privacy,” says Gregory Nojeim, senior counsel at the Center for Democracy and Technology. U.S. tech companies would have to turn customer data stored in the cloud overseas over to domestic law enforcement agencies. And in many cases, he says, it would take only a subpoena for authorities to obtain the data stored abroad—not a court-ordered warrant.
The Cloud Act “creates an aggressive expansion of U.S. jurisdiction against the rest of the world,” adds Camille Fischer, a free-speech and government transparency fellow at the Electronic Frontier Foundation. “It allows the U.S. to seek data, no matter where it’s stored.”
The legislation would upend long-standing international agreements on data sovereignty, including the 2001 Budapest Convention on Cybercrime, Fischer says. Worse, she fears, a U.S. government move to reverse those agreements could embolden other countries to seek customer data held inside the United States.
In the past, U.S. tech vendors have been “scared of a race-to-the-bottom approach,” Fischer says. “If the U.S. says it can extraterritorially enforce domestic [legal] process, what is really stopping the U.K., France? What’s stopping Russia? What’s stopping China?”
Critics say the bill has several other problems, including new bilateral agreements between the United States and other countries that could allow foreign law enforcement agencies to seek real-time surveillance of communications between foreigners and U.S. residents. The Justice Department would determine which nations to partner with, and the bill does not allow for public input.
But supporters of the Cloud Act say it would clarify the rules when communications providers get law enforcement requests to turn over customer data held overseas. The bill “reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data,” the supportive tech companies wrote in a recent letter to the bill’s sponsors.
The bill requires “baseline privacy, human rights, and rule-of-law standards” in the bilateral agreements that the Justice Department could sign with other countries, the companies added. The legislation gives tech vendors the ability to notify foreign governments when a legal request implicates their residents, they said, and allows them to challenge law enforcement requests in court.
“Our companies have long advocated for international agreements and global solutions to protect our customers and Internet users around the world,” they wrote. “We have always stressed that dialogue and legislation—not litigation—is the best approach.”
The bill would resolve questions about cross-border law enforcement requests through a “clear, workable framework,” Sen. Orrin Hatch, the chief sponsor of the bill, said on the Senate floor last month.
Data stored in other countries “causes problems both for law enforcement and for email and cloud-computing providers,” added Hatch, a Utah Republican. “It causes problems for email and cloud-computing providers because they find themselves caught between orders by U.S. law enforcement to disclose data in other countries, and laws in those other countries that may forbid such disclosure.”
Large tech vendors have a lot of incentive to support the Cloud Act because they do significant business in countries that want access to their customer data, says Fischer of the EFF.
But in the legislation, “there’s nothing really there to help consumers,” she says. “The Cloud Act, in many ways, will create new problems that will hurt consumers.”