Quite recently the CLOUD Act was approved and signed in the United States. From my perspective it is a somewhat expected and, through it all, welcome missing piece in the fight against cyber crime.
What is CLOUD Act and what does it mean?
The CLOUD Act, or Clarifying Lawful Overseas Use of Data Act, was enacted in March 2018. Its purpose is to modernize law enforcement's ability to seize data held by US-based cloud operators and service providers when that data is stored outside the US borders.
Why is there a need for the act?
One of the main reasons behind the CLOUD Act is an investigation started in 2013 related to drug shipping. A judge in a US district court issued a warrant under the Stored Communications Act (SCA) requiring Microsoft to release e-mails and information associated with a user account that they hosted. Microsoft did release the metadata about the user account that was stored in the US, but refused to release the e-mails that were stored in their Dublin data center.
After a couple of appeals (where Microsoft won the first one) the case got stuck in the US Supreme Court, since it is a tricky case and there seem to be important pieces missing in the corresponding, and far too outdated, laws.
That is where the CLOUD Act comes into the picture. Microsoft (among others) has welcomed the act, for example in a blog post by Microsoft President Brad Smith. He says that the CLOUD Act “creates a modern legal framework for how law enforcement agencies can access data across borders”.
And for us in the rest of the world?
At least for us living in Sweden and Scandinavia, public digitalization has been stumbling a bit for many reasons. Let's just face it: there are companies in the market more capable of large-scale operations than most public authorities are. However, there are a couple of laws in the way. One example is the Swedish secrecy laws, which say that the data owner must make sure that their highly classified information can't be breached. It is fairly easy to get into technical discussions with a cloud operator or service provider about honoring secrecy; that is usually not the problem.
The problem comes with the fact that there might be other laws overriding the Swedish secrecy laws, thus one way or another forcing the supplier to provide data to authorities. The CLOUD Act is one example.
Looking to buy cloud services?
If you’re looking into buying cloud services you at least have to be aware of the CLOUD Act.
I have heard quite a few colleagues in the business saying that with the CLOUD Act the US can spy on us all. As usual, that kind of statement has to be given more nuance.
Yes, having a US-based company as custodian of your data means that there is a possibility for US authorities to get hold of it, even if you have stored it in data centers outside the US. You simply have to assess that risk along with all the others.
Really concerned, and believe that the CLOUD Act is a step in the wrong direction? In that case I guess you will have to avoid letting US-based and/or US-controlled companies be custodians of your information.