Omnibus Bill Chips Away at Citizens' Abilities to Protect Data from Government Snoops Across the World
The CLOUD Act improves data sharing with governments by reducing oversight.
The omnibus spending bill Congress is considering right now isn't just about spending money we don't have and saddling future generations with debt. It's also about chipping away at their data privacy, too.
Buried deep in the omnibus bill—we're talking 2,200 pages in—is legislation intended to give the feds access to data held by American companies overseas. It also will have the effect of making it easier for foreign countries to gain access to data being stored here in America, and that makes human rights and privacy groups very, very concerned.
The Clarifying Lawful Overseas Use of Data Act, acronymed the CLOUD Act, seeks, in part, to resolve a current dispute between the Department of Justice and Microsoft that is before the Supreme Court. The feds want access to data connected to a drug trafficking suspect. This data is being stored in Dublin, Ireland, not on American soil, and therefore Microsoft has been resisting.
The CLOUD Act would require that communication providers cough up this information even if the data is stored outside the United States, provided it's about an American citizen.
That's not all the act does, and the rest of it has human rights groups worried about the implications. The act also changes and apparently simplifies the process for foreign governments to also request data about their citizens when that data is stored on American soil. It reduces the amount of bureaucratic oversight in the process and reduces the ability of Congress or the judicial branch to step in to potentially block data sharing with countries that have reputations for using this private information for oppressive purposes.
Over at The Hill, Neema Singh Guliani of the ACLU warned about the consequences of giving only a couple of high-ranking people in the executive branch the authority to determine which governments the United States would cooperate with:
The bill would give the attorney general and the secretary of State the authority to enter into data exchange agreements with foreign governments without congressional approval. The country they enter into agreements with need not meet strict human rights standards – the bill only stipulates that the executive branch consider as a factor whether a government "demonstrates respect" for human rights and is similarly vague as to what practices would exclude a particular country from consideration. In addition, the bill requires that countries adopt procedures to protect Americans' information, but provides little specificity as to what these standards must include. Moreover, it would allow countries to wiretap on U.S. soil for the first time, including conversations that foreign targets may have with people in the U.S., without complying with Wiretap Act requirements.
In a letter sent by the groups to lawmakers, they also warn that CLOUD Act doesn't include a warrant requirement for communications over 180 days old, meaning that it doesn't guarantee constitutional standards are followed, or require law enforcement to alert people when the government gets access to their data.
Sen. Rand Paul (R-Kentucky) complained last night on Twitter about the CLOUD Act getting shoved into the omnibus bill so that there will be no debate about what it does. He clearly doesn't like it, nor does his bipartisan partner in online privacy, Sen. Ron Wyden (D-Oregon). Microsoft's president, however, supports it, because no doubt with this process in place, the company can point to it and not have to take responsibility (or legal liability) when a government violates somebody's rights.