back to article CLOUD Act hits Senate to lube up US access to data stored abroad

Tech giants including Microsoft, Google and Apple have given a proposed US law on overseas data sharing the thumbs-up. The bipartisan Clarifying Lawful Overseas Use of Data Act (PDF), introduced to the Senate yesterday, aims to iron out confusion around which laws apply when governments want access to data stored in the cloud …

  1. Anonymous Coward
    Anonymous Coward

    So, the US can just claim jurisdiction by saying it wants it?

    1. Arthur the cat Silver badge

      So, the US can just claim jurisdiction by saying it wants it?

      That's what they've done for the last 50 or so years. Why would they stop now?

    2. veti Silver badge

      You're not reading the story.

      That's what they're doing now. This bill gives US companies the right to resist handing over the information if they believe it applies to someone who's protected by foreign laws. That's a right they don't, currently, have, without going through a prolonged and expensive appeals process.

      It's smart packaging: it dresses itself up as empowering law enforcement, but actually it's limiting powers that they're already using (albeit without any clear authority).

      1. big_D Silver badge

        If it works, it will be a step forward. If it gets the dilution and amendments when going through the the process of becoming a law, it could still spell the death of the cloud industry, at least international clouds.

      2. Pascal Monett Silver badge

        @veti

        "The new bill would render this argument moot by adding a section to the SCA that says firms must pass on data in their possession, even if it is held outside the US"

        Sorry, but there is nothing in that quote that gives anything to US companies.

        1. rh587 Bronze badge

          Re: @veti

          Sorry, but there is nothing in that quote that gives anything to US companies.

          You're aware that the Bill is longer than a single sentence. Right?

          Try page 5, where they give providers some measure of push-back:

          A provider of electronic communication service to the public or remote computing service, that is being required to disclose pursuant to legal process issued under this section the contents of a wire or electronic communication of a subscriber or customer, may file a motion to modify or quash the legal process where the provider reasonably believes—

          (i) that the customer or subscriber is not a United States person and does not reside in the United States; and

          ‘(ii) that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.

      3. Anonymous Coward
        Anonymous Coward

        Veti, you may want to take your own advise and read the story. Yes, it codifies a method for companies to protect *NON-US CITIZENS*. But it also explicitly requires those companies to hand over information of US citizens regardless of jurisdiction. It's the bit in bold, in case you can't find it.

  2. Anonymous Coward
    Anonymous Coward

    Re: "a Downing Street spokesperson said"

    How long before that list of offences soon includes parking ticket and speeding? In otherwords, every crime possible.

    Of course, all the data will go in one direction i.e. to the USA. Get caught speeding in Lincolnshire and the NSA will know about it before you. They probably do already but if your name is on a 'suspect' list you are probably on your way to the USA before you can say boo to a goose.

    1. Anonymous Coward
      Anonymous Coward

      Re: "a Downing Street spokesperson said"

      How long? -5 months. They will claim your email address matched the description of a known terrorist, and as to the parking fines, your car was the same color as the car driven by a suspected terrorist affiliate in his cover job as a Valet, who then sent the 4.75 in small coin he nicked from the seat cushins back to his nation of origin.

      If you don't define terrorism, everything is terrorism.

  3. This post has been deleted by its author

  4. Anonymous Coward
    Anonymous Coward

    Does not change a thing in the Microsoft case

    Microsoft Ireland is a separate legal entity so no change there. In fact this strengthens Microsoft's position. The data is not in its possession. It is Microsoft Ireland which owns it.

    This does nothing about the DOJ conjecture that a USA company owning a controlling stake in a foreign company is entitled to direct operation of any of the foreign company assets over the head of the foreign company management. That is what DOJ is trying to prove in the NY case. That is bullshit (in legal terms).

    This makes legal other data fishing excursions, f.e. the Google ones where the data is owned by Google USA, not Google Ireland. Sure - data resided in Ireland, but it was owned by Google USA.

  5. iron Silver badge

    I haven't read the proposed act but it was sounding dodgy in the article until I got to the end. Now I know it is a very, very bad idea that will erode our and US citizens' rights and privacy because May supports it.

    1. Agamemnon

      As a brother from across the pond, you lot seem to really, Really, dislike your PM.

      We're not all that fond of our president.

      I say we all say "Screw it" and go for a pint or three and lament our misery, together.

      (Rapid problem salving.)

  6. Anonymous Coward
    Anonymous Coward

    "With it [the CLOUD Act], law enforcement officials in the US and the UK will be empowered to investigate their citizens suspected of terrorism and serious crimes like murder, human trafficking, and the sexual abuse of children regardless of where the suspect's email or messages happen to be stored," a Downing Street spokesperson said.

    Thanks downing street, if I wasn't sure this is some law being created just to take peoples privacy I am now. They could change the wording from "investigate" to "control" and drop the usual excuses but then they don't want to tell the truth just yet,

  7. Anonymous Coward
    Anonymous Coward

    What's next? Lets see - America-Fuck-Yeah

    'All Your Cloud Base Are Belong to Us'... Naturally....

    1. earl grey Silver badge
      Trollface

      Re: What's next? Lets see - America-Fuck-Yeah

      Make your time!

  8. Anonymous Coward
    Anonymous Coward

    At least it's now more honest

    This situation has existed for well over a decade, but more covert. I'm OK with this law only insofar that it now makes it abundantly clear that you cannot trust a US company with your data, not because they don't want to protect your data but because they simply are not in a position to do so.

    In other words, any organisation that has to comply with the EU GDPR (read: all EC based companies) better end their use of US resources. Better safe than sorry, especially since being sorry might involve a fine of up to 4% of turnover - the low takeup of GDPR compliance work may mean that the search for a company to make an example of is already underway..

    1. Adam 52 Silver badge

      Re: At least it's now more honest

      Go on then, why might that be? Anything specific or just FUD?

    2. Mike Moyle Silver badge

      Re: At least it's now more honest

      I think that's why Microsoft, et. al., support this. They figure that their overseas divisions can argue that they have to abide by, e.g., EU data privacy laws and can tell the US gov't, "Let's you and him fight!" I think that they will argue that -- at least, as described here -- this law takes them out of the line of fire and places it directly between the respective governments.

      Which is actually -- if you're going to argue this at all -- exactly where it should be.

      1. Teiwaz Silver badge
        Mushroom

        Re: At least it's now more honest

        Which is actually -- if you're going to argue this at all -- exactly where it should be.

        We should feel more at ease with this state, I'm not sure how the EU will react, often depends which country is affected and whether they feel incensed enough to give the U.S the (whatever local rude hand gesture).

        But proud 'ole U.K? She'll roll over and drop 'er pants like a well-broken prison 'hore.

        Uncle Sam did a good job grooming this 'un,....poor John Bull.

  9. Primus Secundus Tertius Silver badge

    Surely there is a misprint here.

    The article says: "enhancing and protecting privacy while reducing international legal conflicts".

    But it really means: "reducing privacy while enhancing and protecting international legal conflicts".

    1. LDS Silver badge

      "the agreement has taken steps to minimise data slurping on US citizens."

      While US companies can keep on slurping data on foreign citizens?

      Actually, I can't see how any reasonable State could enter into a deal with such law. They will demand everything and won't allow anything in return. I really hope the EU show them the middle finger.

      'm also surprised it's being supported by MS, Google, etc. Evidently the cash binge they've been allowed required something in exchange, because such a law imply you'll be a complete fool to store anything in any US-owned system. Can't really see how they can promote their cloud business then.

      But evidently all they needed was just butt-covering rules to avoid being indicted for handling data unlawfully. Just, US law doesn't apply abroad - if the break another country law, they can still be prosecuted.

  10. alain williams Silver badge

    Standards of privacy

    The proposed law states that such deals could only be struck if certain conditions are met, including that the foreign country has "robust" standards on human rights and privacy protections,

    Ah, foreign country - otherwise the USA would have to exclude itself.

  11. Steve McGuinness

    I am not liking this trend

    Of well considered, clearly worded US Laws that allow for minimal debate on what is and isn't legal.

    Do they WANT to put those poor Lawyers out of business by doing things properly? I can almost see the partners at Freemont, Lake and Goodwin telling their kids they cant have christmas presents because "The Law is pretty straight on this one".

  12. JohnFen Silver badge

    Is there a bigger sign?

    Is there a bigger sign that avoiding the cloud is a good thing? I think not.

  13. Claptrap314 Bronze badge

    Anything truly new here?

    It is fascinating to me that the big companies get railed on for using these shell companies for avoiding tax liability, but become heros when they use it for avoiding data production liability.

    People have been (rightfully) warning that US entities, and entities financially controlled by US entities, are unavoidably responsible to US law. The fact that a bill is finally being created that formalizes this observation should hardly be surprising to commenters here.

    And playing hide the nut with shell companies registered elsewhere isn't going to work, either. If you don't want your interactions to be subject to US law, then don't deal with US entities or entities controlled (directly or indirectly) by them. Please. I really, really mean it.

    It would be a really, really, good thing if these high-fliers got their wings clipped this way. It's a bad thing when Google can go to war with Spain and win.

    Folks are unhappy that the US is using its economic clout and its special relationships with various other governments to extend its jurisdiction in particular ways. But there are a number of transnational organizations that are doing the exact same thing--Google merely being the most blatant example here. The difference is that with the US government, conversations like this can actually affect policy via the democratic process. Not so with the corps.

    1. Anonymous Coward
      Anonymous Coward

      Re: Anything truly new here?

      The company I work for owns a defense company in the US, which is also a defense contractor. Does it mean my government has unfettered access to all those data?

      When twenty years ago US Marines pilot killed twenty people cutting a cable of a cableway, US refused to let Italy trial them. And the murderers of twenty people never went to jail. When CIA operatives kidnapped a man in Milan, US refused to extradite them.

      US would wants a one-way system, thinking it's the biggest gorilla, but it no longer works that way. First, crooks can easily use system in Russia or the like, and they will do - and good luck to access them then- maybe it was better to have data kept in friendlier nations and use existing treaties to obtain data.

      But it looks that cops in the US too used to unrestricted powers bad laws like the PATRIOT Act or the like gave them, are now like little children that find rules an hindrance. It looks McCarthy is back again, and US aims to look like East Germany and its STASI surveillance. It won't end well - and alienating allies is far easier than making them.

    2. JohnFen Silver badge

      Re: Anything truly new here?

      "It is fascinating to me that the big companies get railed on for using these shell companies for avoiding tax liability, but become heros when they use it for avoiding data production liability"

      It makes sense to me -- companies avoiding "data production liability" are benefiting their users, where avoiding tax liability is not.

      "The fact that a bill is finally being created that formalizes this observation should hardly be surprising to commenters here."

      I haven't seen any expression of surprise, only disgust.

  14. Anonymous Coward
    Anonymous Coward

    Do you want ubiquitous encryption? Insist on ubiquitous surveilence.

    Sure, the fools in charge of Brexit seem eager to sell their own citizens out for a shot at a "Special" trade deal with the only person worse at negotiation then them. It will only push the major serive providers that want to do business in the EU to switch to a system architecture where all they can hand over is metadata and large blobs of heavily encrypted data. Watch the heat maps as traffic flows to Irish data centers out of London.

  15. John Smith 19 Gold badge
    Holmes

    tl:dr Avoid all US based "cloud" services

    Or to give it a more meaningful description "anonymous server farms in unknown jurisdictions"

    Basically Google/Microsoft/Apple don't mind handing your emails to the Feds, they just wanted a law which said so.

    Because then it would be "legal."

    Kind of like the robber who hands a share of the loot to his (dumb) accomplice and says "That's for help in the job we just done." Then pulls a gun and says "But this one I'm doing myself.. So hand it back."

  16. Pascal Monett Silver badge

    "Lawful Overseas Use of Data"

    The only lawful overseas use of data possible is respecting the laws that are in effect overseas. Yes, it is a nightmare for police in New York. It's supposed to be.

    The fact that this bill handily disregards not only the above but also the framework that is already in place to grant access to personal data via diplomatic channels is simply the US being its usual bullying self. The fact that the title of the bill is actually the complete opposite of what the bill actually proposes is just normal US politics., par for the course.

    Extraordinary Rendition got a bad rap and was put to pasture. Now we have Ordinary Data Rendition, and nobody gives a flying one.

    I need a whiskey.

  17. Doctor Syntax Silver badge

    These include a motion to quash or modify the legal process if it believes the customer isn't a US citizen and that disclosure "creates a material risk" that the firm would violate the laws of another government.

    Who's going to be responsible for this? If it's the data subject they're not going to be told until after the event if at all. Even then it means having to defend themselves in the US when they live elsewhere.

  18. timetracker

    legalized spying

    What happened to 'get a warrant'...

    If it is really for the bad guys, go to a judge...

    Seems like the desire is to just go fishing for data....

  19. DougS Silver badge

    There's a way around this

    Do like Apple is doing in China. Instead of holding the data itself, it is contracting with a Chinese company to store the iCloud data of Chinese citizens. In this case of course it is in response to Chinese government restrictions that data about their citizens must be held within China by an approved company. Since Apple doesn't have "possession" of the data this law wouldn't apply.

    So Google, Apple, Facebook etc. would simply need to contract with an EU based company for data on EU citizens, post-Brexit UK company for data on UK citizens, etc. That would certainly damage Google, Amazon and Microsoft's global cloud market ambitions - but maybe hurting the economy is the only thing that could get the US government to back off.

    If they tried to claim that since it was still "Facebook's data" even if it lived on a foreign company's servers and that constituted "possession", it would be a strong incentive for these companies to consider relocating their headquarters to a more enlightened country. That would REALLY hurt the US economy - perhaps irreparably.

  20. Ken Moorhouse Silver badge

    On-premises Data

    Whatever laws are passed/revoked that are internationally enforceable arguably have a lesser effect on your data when it is stored on-premise.

    Nothing to hide, nothing to fear. Yes but the costs/time involved in responding to official requests could become quite arduous. Who is going to foot that bill?

    1. Agamemnon

      Re: On-premises Data

      Ultimately... who *Always* foots the bill?

  21. Wolfclaw Silver badge

    SCA requires "robust" standards on human rights and privacy protections, and that the agreement has taken steps to minimise data slurping on US citizens"

    Well the US will fail those requirements and EU regs too.

    US security services are heading the way of the Gestapo, STASI, KGB and becoming the original thought Police !!

  22. BobDowling

    Downing Street spokesman...

    ...to investigate their citizens suspected of terrorism and serious crimes like murder, human trafficking, and the sexual abuse of children...

    But I'll bet there is no restriction to just those crimes, nor any restriction on who will be able to make the requests.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019