The CLOUD Act
or
Look what rode
in on the omnibus

Cloud spyYou may have heard of the Fourth Amendment. It says, in essence, that if the cops want to search your home, they’d better convince a judge to issue a warrant.

In theory, anyhow. It’s another matter in practice, for things have changed since the Amendment’s ratification in 1792. For instance, we didn’t have trash collection back then. Madison might have been amused—or appalled—to see that, a year short of two centuries later, none other than the U.S. Supreme Court would have to weigh in on when cops can legally dig through your trash.[1]

There were other things besides trash collection that no one foresaw in 1792, such as hidden cameras and microphones, tracking devices, radar that detects motion through walls, and camera-carrying drones, to name a few. And we didn’t have cloud technology.

Warrants collided with the cloud in Microsoft Corporation v. United States of America.

It all began with a 2013 drug trafficking case in New York. The government jumped through the right hoops and obtained a warrant for documents stored on Microsoft servers. Microsoft said—I’m paraphrasing somewhat liberally here—“Sure, fine, you can search our servers located in the U.S., but some of the data you want resides on servers in Ireland, where you have no jurisdiction, so, no.”

A series of suits followed. A federal magistrate judge ordered Microsoft to furnish the data residing in Ireland. Microsoft appealed to a federal district judge, who agreed with the magistrate judge. Next Microsoft appealed to the Second Circuit Court of Appeals. This time, Ireland weighed in, saying they’d kind of like a say as to who accesses data stored on their soil. The district judge overturned the earlier decisions.

So, the government took the matter to the Supreme Court, which heard arguments in February.

A decision is due later this year. Or not.

Microsoft and the government have since filed a motion with the Supreme Court that says, and again I paraphrase, “Yeah, about that? Never mind.”

That’s because the situation appears resolved by the CLOUD Act, a bill quietly attached to the 2,232-page, $1.3 trillion omnibus spending bill that U.S. Congress passed last month. “CLOUD” is for “Clarifying Lawful Overseas Use of Data.”[2] The CLOUD Act lets “qualifying foreign governments” and the United States access information from servers on each other’s respective soil.

In what might at first blush seem a sudden turnabout, the government and Microsoft both support the CLOUD Act. So do Apple, Google, and others. But that would be curious only if Microsoft’s earlier resistance had been grounded on Fourth Amendment principles. It now appears that Microsoft et al may have been less concerned about individual privacy rights and more concerned about being sued or prosecuted for handing over information. The CLOUD Act provides tech companies complete protection from civil and criminal actions for compliance with government requests.

There are a couple of wrinkles.

Under the CLOUD Act, a “qualifying foreign government” can demand and obtain access to your U.S.-based records without approval from the United States. And, as pointed out by the Electronic Frontier Foundation (EFF) on February 8, not all qualifying governments have privacy laws as stringent as ours.

And then, this question popped into my devious, loophole-seeking mind: Couldn’t a U.S. president skip the whole obtaining-a-warrant thing by asking a foreign country to obtain data—from servers in the U.S.? Apparently the same thing has popped into other devious, loophole-seeking minds. As EFF reported on March 22, this and other issues have more than a few people concerned.

But perhaps we are being unduly paranoid. Never in history have high-ranking U.S. officials abused their power. Right?


[1] Answer: The moment you leave it at the curb. See California v. Greenwood.

[2] Congress and their acronyms. So cute.

Leave a Comment