
Cloud Act Implementation Issues

Greg Nojeim
Tuesday, July 10, 2018, 8:00 AM

Published by The Lawfare Institute
in Cooperation With
Brookings

Congress passed the Cloud Act as part of an omnibus spending bill in March over the objection of many civil society groups, including the Center for Democracy & Technology (with which I am affiliated). The legislation, formally the Clarifying Lawful Overseas Use of Data Act, empowers the Justice Department to serve legal process authorized by the Electronic Communications Privacy Act (ECPA) on U.S. providers for data those companies control, no matter where the data is located. It also authorizes the department to enter into agreements with foreign governments allowing those governments to make direct demands to U.S. technology companies for content and metadata under their own laws in lieu of using existing mutual legal assistance treaties. Both parts of the law create implementation issues that will have to be resolved by the Justice Department, often in consultation with the State Department. This post identifies some of those issues.

Issues Related to the U.S. Government’s Cloud Act Demands

1. Required Legal Process: Will the Justice Department continue to use warrants, rather than subpoenas, to obtain the content information of non-U.S. persons abroad?

The Cloud Act leaves in place the outdated notion in the Electronic Communications Privacy Act that email content more than 180 days old and content held by remote computing services are available to law enforcement with just a subpoena, rather than having to meet the higher evidentiary requirements of a warrant. (The pending Email Privacy Act, which could have been attached to the Cloud Act, would remedy this problem by imposing a warrant-for-content rule.) Most of the major U.S. providers, despite the language of ECPA, follow the rule established by the Sixth Circuit in U.S. v. Warshak by demanding warrants for content—no matter the content’s age and no matter whether it is held by a “remote computing service” or an “electronic communication service.” The Justice Department has adopted that position as a policy matter.

This is important because a warrant requirement provides substantially more procedural and substantive privacy protection than does a subpoena requirement. Subpoenas can be issued without judicial authorization and upon a determination that the information sought is merely relevant to the crime being investigated. In contrast, a warrant is issued only when there is strong evidence of crime—probable cause—and strong evidence that the information sought pertains to that crime. Importantly, under the U.S. system, only a judge can issue a warrant, and the judge must be independent of the investigators.

Because Warshak was a constitutional decision, the Justice Department—and state and local law enforcement—may take the position that the warrant-for-content rule that Warshak establishes does not apply when the government seeks the content of non-U.S. persons abroad. Those persons are outside the jurisdiction of the Constitution, the argument would go. While there is a strong case that searches of data that is physically located in the U.S. enjoy Fourth Amendment protections, law enforcement may take the position that even if the Fourth Amendment applies, a warrantless seizure of content of a non-U.S. person abroad is constitutional because it is reasonable. They could rely instead on ECPA’s rule that a subpoena or court order with notice suffices.

The Cloud Act inserts into U.S. law governing surveillance for criminal purposes novel distinctions between U.S. persons and people in the United States, on the one hand, and foreigners abroad on the other. When determining whether to make a demand for data under a Cloud Act agreement, the Justice Department must consider citizenship and location of the target in connection with its determination as to whether foreign law bars disclosure to the U.S. government. In addition, Cloud Act agreements will drive the Justice Department to determine citizenship of the data-subject because the demands the department issues under such agreements must pertain to people other than citizens and residents of the country with which the U.S. has the agreement. These two requirements make it more likely that, going forward, the Justice Department will determine the citizenship of the target before deciding on which legal process to pursue. This may, in turn, drive it to consider whether to question the applicability of the Warshak warrant-for-content rule to foreigners abroad. Associate Deputy Attorney General Sujit Raman left this issue largely open when asked to address it at a recent event at the Center for Strategic and International Studies: “We are likely to sort of maintain our traditional approach, which is to seek a warrant based on probable cause for content, but it does depend on the particular facts and the particular circumstances,” he said.

2. Death Penalty: Will any bilateral agreements between the U.S. and foreign governments include provisions to let those countries prevent data obtained under the agreement from being used to pursue capital punishment?

For much of the world—including close U.S. allies that are likely to seek and obtain bilateral agreements under the Cloud Act—the death penalty is anathema to human rights. The Cloud Act permits U.S. federal, state and local authorities to serve process on U.S. communications providers for data to facilitate the prosecution of foreigners abroad in cases prosecuted in the U.S. in which the death penalty may be sought. It also permits those authorities to make data demands of foreign providers in countries that secure Cloud Act bilateral agreements (“agreement countries”) in death penalty cases. According to the Death Penalty Information Center, 146 countries have abolished the death penalty in law or in practice, including Australia, Canada, New Zealand, the U.K. and most of Europe. Many countries that have abolished the death penalty reserve the right in the context of mutual legal assistance to refrain from providing information requested by the U.S. absent a pledge that the information will not be used to pursue the penalty of death. Some countries may insist on similar provisions in arrangements under the Cloud Act.

How U.S. tech companies respond to U.S. government demands in death penalty cases involving foreign nationals is also important. If, for example, a case could be made that fulfilling such a demand for data about a foreigner abroad would violate the law of an agreement country, the U.S. tech company could challenge the demand in a U.S. court by invoking the comity provisions of the Cloud Act. Those provisions require a U.S. judge to weigh various factors in determining whether to compel the U.S. company to comply with the demand for data to be used to put a person to death.

Issues Related to Foreign Governments’ Cloud Act Demands

3. Judicial Authorization: Will the Justice Department, when negotiating Cloud Act agreements, require that demands for content by the foreign government be subject to prior judicial authorization?

According to the European Court of Human Rights and other authorities, independent authorization (preferably, judicial authorization) of surveillance is required to prevent abuse. The Cloud Act does not definitively meet this bar. Instead it gives the Justice Department, in consultation with the State Department, broad discretion to decide with which countries the U.S. will enter into bilateral agreements. Under the Cloud Act, orders issued by foreign governments “shall be subject to review or oversight by a court, judge, magistrate, or other independent authority prior to, or in proceedings regarding, enforcement of the order.” This does not clearly require that consideration by a judge precede the issuing of the legal process. The language could be read to mean that the ability to challenge in court, after disclosure compelled by legal process akin to a subpoena, is all that is required.

Both the Justice Department and U.K. officials have said that the prospect of entering into an executive agreement with the U.S. was a motivating factor for Parliament to change U.K. law in 2016 to require judicial authorization for data demands. At the CSIS event referenced earlier, Associate Deputy Attorney General Raman said that whether to require judicial authorization was something the Justice Department was actively keeping in mind, but he made no commitment to such a requirement. Proponents of the Cloud Act touted it as an opportunity to encourage governments to raise standards for their data demands; judicial (or other independent) authorization is a key test of whether the Cloud Act will lead to such results.

4. Government Transparency: Will the Justice Department give Congress and the public advance notice of the countries with which it plans to negotiate bilateral agreements, and will the department make public at the time it conveys them to Congress the text of each agreement and its explanation of how the Cloud Act requirements are met?

The Cloud Act requires the Justice Department to notify Congress within seven days of the date it certifies an executive agreement with another country after making a determination that the laws and practices of that country meet Cloud Act standards. Under the law, the Justice Department must convey with the notice: (i) the text of the bilateral agreement and (ii) an explanation as to why it believes that the country, and the orders that country will issue under the agreement, meet Cloud Act requirements. Congress then has 180 days to decide whether to enact a law nullifying the agreement. The Justice Department is also required to print in the Federal Register “any determination or certification” regarding Cloud Act agreements. This is too little transparency, too late.

The law gives Congress only the option of passing legislation to strike down an entire agreement, rather than an opportunity to influence the agreement’s terms. Although the law requires that any determination or certification regarding any Cloud Act agreement be made public in the Federal Register, it is not clear whether the agreement text must also be made public. While the explanation of compliance with Cloud Act requirements would probably be regarded as a “determination or certification” regarding the agreement, it would be useful for the Justice Department to affirm that such information will also be made public. Moreover, although the Justice Department had, before passage of the Cloud Act, largely negotiated an agreement with the U.K., and it has been approached by several other countries about such agreements, the Justice Department hasn’t disclosed the draft U.K. agreement or the other countries seeking such agreements.

5. Company Transparency: Will the Justice Department require in Cloud Act agreements a provision permitting companies subject to U.S. jurisdiction to report on the real-time surveillance orders they receive from foreign governments, even if those governments’ local laws might bar such reporting?

Some countries with which the U.S. may enter into bilateral agreements treat real-time surveillance like a state secret. In the U.K., real-time interception is so secret that the product of the surveillance is not even admissible in court, where it could be challenged. U.S. tech companies’ transparency reports disclose the numbers of demands for stored content and non-content that they receive from foreign governments. (Real-time surveillance demands on U.S. providers from foreign governments, if any, are not honored because compliance with such demands could constitute a crime under U.S. law.) But the Cloud Act authorizes real-time surveillance demands from countries that enter bilateral agreements, and companies are likely to want to report on the number of such demands they receive, as they do for stored content. The Justice Department will have to decide whether to require that agreements with countries allow for such transparency reporting notwithstanding a law or practice that would otherwise bar such reporting.

6. Freedom of Speech: How will the Justice Department interpret and implement the Cloud Act’s prohibition on foreign government data requests that infringe freedom of speech?

Some countries that may seek Cloud Act agreements criminalize hate speech, insults directed at royalty or comments that “glorify” terrorism—prohibitions unlikely to pass muster in the U.S. under the First Amendment. The Cloud Act says that orders from foreign governments issued pursuant to that statute “may not be used to infringe freedom of speech,” but it does not specify whose version of free speech is not to be infringed. It also creates no mechanism to detect and prevent free-speech violations in a timely manner. How U.S. companies interpret the prohibition on orders that violate free-speech rights will be particularly important. The U.S. has perhaps the strongest free-expression rules in the world. In the context of mutual legal assistance treaties, the U.S. turns down many data demands from foreign governments because they seek information in connection with speech that would not be criminal in the U.S. because of the First Amendment. The Justice Department must decide whether to ensure similar protections under Cloud Act arrangements, and it will have to determine how to prevent foreign orders from infringing on freedom of speech no matter whose version of free speech is being protected.

7. Notification to U.S. Government: Will Cloud Act agreements reserve to providers a right to notify the U.S. government of problematic data requests from foreign governments that is at least as broad as the right to notify foreign countries of problematic demands by the U.S. government?

The Cloud Act makes it clear that a company can notify the government of an agreement country if the company receives a U.S. data demand that concerns a national or resident of such country. This notification can be made even if the data demand is issued with a statutory protective order that would otherwise bar any such disclosure under U.S. law. Authorizing such notification is sensible: It permits the foreign government to intervene to protect its interests and the rights of its residents and nationals. But the Cloud Act provides no reciprocal process or right for companies to notify the Justice Department of problematic data demands from agreement countries that also impose gag orders when they issue demands. This could undermine companies’ ability to alert the Justice Department to data demands that would infringe on the rights of U.S. citizens or residents, or of people present in the U.S.; or to data demands that would infringe on the free-speech rights of a foreigner abroad. The Cloud Act, at 18 U.S.C. § 2523(b)(4)(K), requires that agreements reserve the U.S. government’s “right to render the agreement inapplicable to any order for which the United States Government concludes the agreement may not properly be invoked.” If, however, companies cannot inform the Justice Department about such problematic orders, the department will be unable to intervene when it would want to do so to protect human rights.

8. Safety Valve: Will Cloud Act agreements include a clause that permits the Justice Department to suspend data demands under an agreement with a foreign government when that government undergoes a radical change resulting in data demands that threaten human rights of its citizens, residents and others?

Countries sometimes undergo sudden, radical changes that adversely impact the human rights of people who might be subject to data demands and surveillance through the Cloud Act. While radical changes may be uncommon in the countries eligible for Cloud Act agreements, the possibility of such changes must be accounted for. Before the attempted coup in July 2016, Turkey may have been regarded as a country with which a Cloud Act agreement could be negotiated. The government’s crackdown after the coup attempt went far beyond the coup plotters. Media outlets were shut down; Turkish courts ordered the arrest of tens of thousands of people; and more than 100,000 military officials, police officers, teachers, university professors, civil servants and others were thrown out of their jobs. Turkey’s data demands on U.S. providers increased as the crackdown broadened. In that type of scenario, it may be appropriate to suspend the Cloud Act agreements to ensure that direct data demands made of U.S. companies are not used to infringe free expression and other human rights.

The Cloud Act requires the Justice Department to review each agreement every five years (18 U.S.C. § 2523(e)). But it does not specify what this review entails. Nor is it clear that the Justice Department will receive enough information to conduct a meaningful review. For example, there is no provision in the act for the Justice Department to receive notice of the disclosures a company makes under a Cloud Act agreement. In light of this, it would be wise for the Justice Department to build in a safety valve that would permit suspension of a Cloud Act agreement prior to the five-year review in the event of radically changed circumstances. The Cloud Act leaves the Justice Department with discretion to negotiate such a provision.

9. Exclusive Means: Will Cloud Act agreements include an “exclusive means” requirement to ensure that data demands made by agreement countries meet either the requirements of a mutual legal assistance treaty or a Cloud Act agreement?

The Cloud Act is an alternative to other mechanisms for cross-border data demands. Those mechanisms include requests made under mutual legal assistance treaties and informal requests for voluntary disclosures. U.S. law permits U.S. providers to voluntarily disclose to foreign governments non-content information, such as email logs and location information. Thus a U.S. tech company could receive, for the same piece of non-content: (i) a demand under the Cloud Act, which could be made only after meeting the requirements of local law for compelled disclosures, as well as Cloud Act requirements; (ii) a request under the relevant treaty, which would trigger the application of U.S. law to the request, including any requirement for a court order or other legal process and including the dual criminality/felony requirements for warrants that are built into 18 U.S.C. § 3512(e); or (iii) an informal request meeting no legal standard in the U.S. or the requesting country, in response to which the U.S. tech company could voluntarily make a disclosure. These are essentially lawless disclosures because there is no legal standard that must be met, and no governmental entity decides whether the disclosure can be made because the standard has been met. Cloud Act agreements should eliminate the third option. That way, the data demand would have to meet the requirements of local law or U.S. law.

10. Points of Contact: Will Cloud Act agreements identify a single entity in each country that will clear and authenticate data demands and properly direct them?

In the United States, as many as thousands of local, state and federal law enforcement entities may make data demands of U.S. providers. Likewise, in agreement countries, many entities may be able to make data demands under local law, and under Cloud Act agreements they would be empowered to make data demands of U.S. providers. Some will make data demands that are better documented and clearer than others. Some will make mistakes, making demands that they do not realize are unlawful under the Cloud Act or the terms of their country’s agreement with the U.S., or even under local law. Some will direct their demands to the wrong person or facility at the company from which data is sought. It will be difficult for U.S. tech companies on the receiving end of those demands to assess the lawfulness of each individual request and to authenticate that the demand came from a government entity. This is especially true for small providers. It would be preferable for Cloud Act agreements to require that each country party to the agreement designate a single entity (or perhaps a few entities) from which demands made under the act would issue. For example, U.K. demands would all come through the Home Office rather than from multiple police agencies in multiple jurisdictions. The Home Office would serve the demand directly on a particular U.S. provider as opposed to directing it through the Justice Department, as happens today with requests under mutual legal assistance treaties. That designated entity could control for the quality of demands, ensure lawfulness, establish authenticity, and serve the demand on the proper person or facility of the receiving company.

11. Consultation: Will the Justice Department consult with human rights experts before entering into Cloud Act agreements with particular countries, including experts based in those countries?

Some civil society groups have acquired vast knowledge about human rights abuses that, if considered by the Justice Department, might counsel against entering into a Cloud Act agreement with a particular country or might argue for specific provisions to head off abuses or prevent misunderstandings. Human Rights Watch and Amnesty International have broad human rights expertise on a global scale. Other groups specialize in countries or regions, in particular rights, or in social or professional segments of societies particularly vulnerable to human rights abuses. The Cloud Act requires the Justice Department to “take[] into account, as appropriate, credible information and expert input” as it determines whether a foreign government meets the act’s requirements as a condition of entering into an agreement. Most of those requirements are based on human rights. The law gives the Justice Department broad discretion in deciding which experts it will consult, and it should be sure to consult with human rights experts “on the ground.” To its credit, the Justice Department has already made arrangements to consult with leading civil society groups in the U.K. about the Cloud Act agreement it is negotiating. Such consultations should likewise be arranged in connection with decisions about entering into Cloud Act agreements with other countries.

***

The Cloud Act raises numerous implementation issues for the Justice Department to consider, and this post identifies only some of them. The act gives the Justice Department enormous discretion. How the department uses that discretion as it implements the law will largely determine whether the Cloud Act causes countries to adopt more rights-respecting surveillance laws or, instead, causes a large-scale diminution of human rights as other countries’ laws are applied to data demands made of U.S. tech companies.


Greg Nojeim is the Director of the Freedom, Security & Technology Project at the Center for Democracy & Technology in Washington, D.C. and has written extensively about cross-border data demands.
