Congress Passed the CLOUD Act, Ignoring Most Privacy and Human Rights Concerns

Today, with a vote of 256-167, the House of Representatives passed an omnibus spending bill (H.R. 1625) that was required to prevent another government shutdown. Tucked into the very back of that bill was the CLOUD Act, which would enable the U.S. government to obtain communications data regardless of whether it is held inside or outside of the United States. The CLOUD Act would also create an exception to the Stored Communications Act (SCA) to allow qualifying foreign governments to enter into an executive agreement to bypass the human rights protective Mutual Legal Assistance Treaty (MLAT) process when seeking data in criminal investigations and to seek data directly from U.S. technology companies.

OTI and many other privacy and human rights groups oppose this bill because it fails to include adequate safeguards for individual rights.

The bill as passed includes certain improvements over the earlier version of the CLOUD Act. Most importantly, the bill now requires the Attorney General and Secretary of State to determine that a foreign government has met each element of the bill’s human rights test before they can certify a country to enter into an executive agreement; it requires the AG to explain these findings in a report to Congress; and it prohibits these agreements from being used to create a new obligation for U.S. companies to decrypt data.

However, the changes to the bill still fail to address or effectively fix several core concerns. As passed, the CLOUD Act still:

Fails to require prior judicial review of foreign governments’ surveillance orders despite new language that was added;

Permits foreign government to ask companies to engage in real time intercepts (wiretaps) of their users’ communications under standards that fall below those required of the U.S. government under the Wiretap Act;

Does not define “serious crimes” in specifying what crimes foreign governments may use the MLAT bypass process to investigate;

Provides inadequate protection for Americans’ privacy if their data have been incidentally collected by a foreign government;

Potentially creates a new backdoor search loophole by allowing foreign governments to share Americans’ incidentally collected data back to the U.S. government, and with few limits as to how the U.S. government can access and use those data;

Fails to include an update to the SCA to require the government to obtain a probable cause warrant before demanding the contents of communications that are over 180 days old, as similar bills like the LEADS Act and ICPA did; and

Fails to prevent foreign countries from attempting to demand -- outside of this new process -- that U.S. companies create encryption backdoors, and it does nothing to prohibit foreign governments that are party to these agreements from imposing data localization mandates on U.S. companies.

The Senate will likely pass this bill later today or tomorrow.

Though the bill sponsors made some important improvements to the CLOUD Act, these remaining deficiencies result in a bill that still poses a threat to privacy, civil liberties, and human rights. A more detailed description of the bill’s changes is available here, and an in-depth analysis of the bill as introduced is available here.

The following statement can be attributed to Sharon Bradford Franklin, Director of Surveillance & Cybersecurity Policy, New America’s Open Technology Institute:

“The House voted to enact a bill that would pose new threats to privacy and human rights for Americans and anyone who uses the services of U.S. tech companies. While this version of the CLOUD Act includes some new safeguards, it is still woefully inadequate to protect individual rights. Critically, the bill still would permit foreign governments to obtain communications data held in the United States without any prior judicial review, and it would allow foreign governments to obtain U.S.-held communications in real time without applying the safeguards required for wiretapping by the U.S. government. Despite overwhelming opposition from privacy and human rights groups, Congress never held a hearing on the CLOUD Act, and entirely preempted any meaningful debate on the legislation by attaching it to the must-pass omnibus spending bill.”