Alex Grigsby is the assistant director of the Digital and Cyberspace Policy program at the Council on Foreign Relations.
Last week, four U.S. senators introduced the bipartisan Clarifying Lawful Overseas Use of Data Act, or CLOUD Act. As Andrew K. Woods and Peter Swire note in Lawfare, the bill aims to resolve two particularly thorny legal issues that have emerged as a result of the growth of global communication service providers, most of which are headquartered in the United States (think Facebook, Google, Microsoft, and Apple), and their ability to respond to government requests for user data. Although the bill ostensibly aims to help foreign countries obtain data to investigate local crimes, it could also make it easier for them to collect data from U.S. providers for intelligence purposes on targets anywhere in the world.
The first thorny issue the CLOUD Act aims to solve is whether the U.S. government can compel a U.S. provider to hand over data held outside of the United States--the critical question at issue in the Microsoft-Ireland case currently before the U.S. Supreme Court. The bill addresses it by allowing the U.S. government to obtain user data within the provider's "possession, custody, or control" irrespective of where the data is held, and gives providers a way to push back on a request if complying with it would put them at material risk of violating the law of a qualifying foreign government and the targeted user is neither a U.S. person nor a U.S. resident.
The second issue is that U.S. communications service providers are prohibited under U.S. law from responding directly to foreign law enforcement when they legally request user data related to an investigation, creating a situation whereby providers are forced to choose whether to comply with U.S. law or foreign law. The CLOUD Act addresses this by allowing U.S. providers to comply with foreign requests for user data provided the U.S. government has entered into an executive agreement with the requesting country.
I am not a lawyer and therefore ill-qualified to assess whether the bill adequately addresses both issues. Some seem to think that it does, including the big tech companies. Others, particularly civil liberty advocacy groups, don't.
A big part of the rationale for the bill (and previous iterations of it) is that it addresses a major irritant for foreign law enforcement. For example, Facebook cannot provide the chat logs of two UK citizens who planned and executed a murder in London to local law enforcement without going through a mutual legal assistance process, whereby the U.S. Department of Justice obtains a court order on the United Kingdom's behalf ordering Facebook to comply with the original request. That process can take upwards of ten months.
This approach simply does not scale to the thousands of foreign law enforcement investigations that may have a nexus with a U.S. provider--a Canadian terrorism suspect planning to blow up Parliament using Gmail to communicate; a domestic abuse victim in Germany being tormented over Apple's Messages; or a municipal bribery case in Italy where corrupt officials used Skype. In all of these cases, foreign law enforcement would need to enlist the help of the U.S. Department of Justice to compel the U.S. providers to turn over evidence even if the crime being investigated is wholly domestic. The CLOUD Act alleviates this problem through the executive agreements, making U.S. providers more responsive to foreign requests, helping them comply with local law, and easing the burden on Justice Department lawyers.
The U.S. government can only sign executive agreements with countries that have the robust privacy and civil liberties protections outlined in the bill and that agree to certain targeting limitations (e.g. a foreign government can't ask Facebook for the chat logs of a U.S. person). Additionally, foreign requests for data from U.S. providers under executive agreements must be particularized, based on credible facts, approved by a court or other independent authority, legal under the foreign country's domestic law, and must not be used to infringe free speech.
Interestingly, nothing in the bill seems to mandate that foreign requests for data be targeted at that foreign country's nationals. For example, if the United States signed an executive agreement with the United Kingdom, Facebook would be required to comply with a UK government request for the chat history of an Indian man living in Delhi involved in a terrorism financing network so long as the request was particularized, legal under UK law, overseen by a judge, and met all of the other requirements outlined above. The same would apply if GCHQ (the UK equivalent of the U.S. National Security Agency) asked Google for the emails of a suspected Russian or Chinese intelligence officer based in Turkey.
Although the primary impetus for the bill was to ease the challenges foreign law enforcement faces in investigating crime, it is also likely to have an intelligence collection function given the absence of a requirement that requests be targeted at a country's own citizens. To be sure, the United Kingdom would theoretically already have access to the Facebook chat history or Gmail accounts in the examples above, either by compromising the accounts in question or through routine intelligence sharing with the United States through the Five Eyes network. However, that is most likely not the case for other countries with which the United States does not have as close a relationship but which would be some of the first in line to want an executive agreement. France, Germany, the Netherlands, and other Western European NATO members come to mind.
The CLOUD Act's intelligence collection angle is not inherently problematic, though some are probably going to argue that it is. In fact, it might be preferable to have a foreign government ask a U.S. provider nicely for account data under an executive agreement rather than hacking into it to achieve the same result. In any case, U.S. communication service providers will want to staff up if the bill becomes law. They're going to be processing a lot more requests for data.