Somewhat Improved, the CLOUD Act Still Poses a Threat to Privacy and Human Rights

Above: President Donald Trump gestures to the $1.3 trillion spending bill passed by Congress early Friday.

The president just signed a 2,232 page omnibus bill to fund the government and avoid another shutdown. This was a quintessential must-pass bill, and it was used as a vehicle to quietly push through the controversial CLOUD Act, which, though somewhat improved, still poses a threat to privacy and human rights.

The CLOUD Act enables the U.S. government to obtain communications data regardless of whether it is held inside or outside of the United States. It also creates an exception to the Stored Communications Act (SCA) to enable certified foreign countries that are a party to an executive agreement with the United States to go directly to U.S. companies to request that they hand over the contents of their users’ communications. This exception enables those countries to bypass the Mutual Legal Assistance Treaty (MLAT) process, which protects human rights by requiring foreign governments to work with the Department of Justice to obtain warrants from U.S. judges before they can access that data for their criminal investigations.

The version of the bill that was included in the omnibus does include some improvements over the earlier version to help to mitigate the risks of bypassing the MLAT process. For example, the version of the CLOUD Act that just passed requires that the Attorney General (AG), in concurrence with the Secretary of State, determine that a foreign government meets all of the factors in the bill’s human rights test. In the previous version of the bill, the AG and Secretary of State only had to consider those factors, but it was up to their discretion to certify a foreign government. There was thus a risk that the executive branch could have certified a foreign government even if that government failed to meet some of the factors, such as not prohibiting torture, or failing to guarantee fair trials, and protecting against arbitrary interference with privacy. Additionally, the AG must now submit a report to Congress explaining why she or he determined that all of the factors were met, though that report is not required to be made public.

While these two changes are important improvements, many of the other changes to the bill are only partial or ineffective fixes to problems privacy advocates, human rights advocates, and even a former high-ranking official at the U.S. State Department have raised. Several other concerns have been left entirely unaddressed.

One of the most important improvements advocates have called for is a requirement that an independent body in the foreign government review and approve surveillance orders before they are submitted to a U.S. company. The bill’s original language only required that orders be subject to “review or oversight” by an independent body, thus allowing after-the-fact oversight as sufficient review. The bill that passed adds new language to that requirement, but the additions fail to impose a requirement for prior review.

The CLOUD Act now requires that the foreign governments’ surveillance orders “be subject to review or oversight by a court, judge, magistrate, or other independent authority prior to, or in proceedings regarding, enforcement of the order.” The inclusion of the phrase “or in proceedings regarding…” means that “prior to” is not a requirement, and the provision could still  allow for oversight that is contemporaneous with or after the execution of the order.

Yet another partial fix found in this version of the bill is how it addresses the threat of encryption backdoor and data localization mandates. In an important improvement, the CLOUD Act now makes clear that the executive agreements cannot create an obligation for a company that receives a surveillance request to be capable of decrypting data. Outside of surveillance orders submitted via the MLAT bypass process, however, the CLOUD Act still does nothing to prevent foreign governments from requiring U.S. companies to create encryption backdoors, or to prevent those governments from imposing data localization mandates.

There are still other troubling provisions in the bill that were entirely untouched. One issue that was unaddressed is the mechanism for Congressional approval. Oversight is now slightly improved by doubling the period of time for Congress’ review and requiring a new review if the underlying bilateral executive agreement changes. But, no Congressional ratification of bilateral agreements is required, and Congress may still only issue a Joint Resolution of Disapproval. This leaves Congress in the impossible position of stopping the certification of a foreign government only if it has a veto proof majority, or if somehow, the President decides to reject the determination of the AG and Secretary of State.

Other remaining problems include that the CLOUD Act fails to impose limits on foreign governments’ real-time collection of communications that mirror those that would be required of the U.S. government under the Wiretap Act. It also does not define what constitutes “serious crimes” under the bill, and leaves interpretation of that inherently vague concept to the discretion of the foreign government.

Additionally, the new bill failed to incorporate any changes to improve privacy protections for Americans. It still requires only that foreign governments minimize data in a manner similar to what is required under the Foreign Intelligence Surveillance Act, and it still permits foreign governments to share U.S. persons’ communications back to the U.S. government with few limitations on how the U.S. government may use that data. Finally, the bill that just passed did not include a fix for the SCA’s 180-day loophole by requiring the government to obtain a probable cause warrant before it could demand communications contents, irrespective of how old the communications are.

While the bill sponsors did try to address some of the concerns that have been raised, the improvements are not enough to shift the balance so that the CLOUD Act will be a boon, rather than a threat, to privacy and human rights. Danny Sepulveda, a former U.S. ambassador, deputy assistant secretary of state, and U.S. coordinator for international communications and information policy, recently wrote an article calling for reforms to the CLOUD Act that have not been fully incorporated. As he noted, attaching the CLOUD Act to the omnibus was “shortsighted and create[d] some potential for abuse.” Congress made a mistake by forcing this controversial bill into law without any committee consideration, opportunity for amendment, or debate on the House and Senate floor.

Now it is up to the Department of Justice and Congress to ensure that only countries with the strongest records on human rights get certified and that the underlying executive agreements are narrowly tailored, and up to U.S. companies to be vigilant about protecting their users’ rights.

Photo by Mark Wilson/Getty Images 

About the Author(s)

Robyn Greene

Policy Counsel for the Open Technology Institute at New America Foundation Follow her on Twitter (@robyn_greene).