Law in the Internet Society

View   r9  >  r8  ...
AnthonyMahmudFirstEssay 9 - 16 Jan 2020 - Main.AnthonyMahmud
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"

Cloudy With a Chance of Eyeballs: Consequences at the Seams of Cross-Border Data Sharing

Changed:
<
<
-- By AnthonyMahmud - 11 Oct
>
>
In lengthening the reach of governments to request private information from third-party data hosts, the CLOUD Act materially compromised digital privacy. The Stored Communications Act (SCA) already specified the situations in which corporations must comply with data disclosure requests, however, CLOUD codified that SCA requests are enforceable even upon data outside of the US. Consequently, private data stored within foreign territories became fair game for government grabs without notifying that country’s officials. At face value, the measure plausibly assuaged a legitimate national security concern: facilitating timely access to sensitive data on which law enforcement can act. However, a deeper inquiry into the statute reveals lesser apparent ramifications and demonstrates a need for reform.
 
Changed:
<
<
The “Clarifying Lawful Overseas Use of Data Act” (“CLOUD”) radically altered the climate for data privacy in the United States and abroad. CLOUD expanded the parties to whom and circumstances in which private technology companies disclose their customer’s private messages, social media data, and other personal information.
>
>
One such consequence is that CLOUD does not explicitly limit its application to US-incorporated companies. While there is a high bar for having jurisdiction over a foreign corporation, it’s plausible that a technology company would systematically target and transact business with the US market, thus "submit[ting] to the judicial power of an otherwise foreign sovereign [regarding] defendant's activities."* This then posits a seemingly perverse circumstance where a foreign corporation with foreign-held data is at the mercy of American SCA warrants. Such a wide radius of authority threatens to undermine legislative sovereignty, corporate autonomy and the general integrity of data privacy.
 
Changed:
<
<

Access to Foreign Servers Controlled Domestically

>
>
To some extent, CLOUD accounts for this issue through the conditions under which a data host can motion to quash a disclosure request: they must reasonably believe that the target is not an “American Person. . . [and that disclosure would risk violating] the laws of a qualifying foreign government.” While this mechanism may help with comity issues, the judicial procedures for evaluating such motions, and requirement of meeting both conditions, dilutes its protective potency.
 
Changed:
<
<
At the tip of the iceberg, CLOUD achieves this by lengthening the reach of government entities to request such data. The Stored Communications Act (SCA) already specified the situations in which corporations must, may, and may not comply with any given request. However, CLOUD codifies that SCA requests are now enforceable even upon data outside of the United States. Consequentially, private user data stored within the borders of foreign jurisdictions is fair game for government grabs with neither (necessarily) a say nor a notice to the officials of that territory.
>
>
Another consequence is that CLOUD gives foreign governments similar reach over US data, and problematically relegates disclosure discretion beyond what the US itself possesses. It makes sense that friendly nations would want to collaborate on symbiotic national security efforts, however, the way this is accomplished raises questions of constitutionality and undermines central tenants of privacy jurisprudence. Pre-CLOUD, foreign governments generally accessed US-held data through MLATs. However, MLATs draw ire from intelligence bodies whose urgent needs are undermined by long review processes. Understandably, these actors bolster their capacity to act when their access to critical data quickens.
 
Changed:
<
<
On the thin most surface, this measure plausibly assuages a legitimate national security concern: facilitating timely access to sensitive data on which law enforcement can act. However, deeper inquiry into the statutory language contemplates ramifications not quite as sunny.
>
>
CLOUD provides such tailwind. It delegates MLATesque authority to the executive, enabling the creation of bilateral political agreements that recognize foreign governments as statutorily “qualified.” The gravity of this designation is apparent in light of where CLOUD places it in the amendment to SCA. SCA §2702 imparts that communication content disclosure is prohibited, but carves out exceptions for law enforcement in emergency situations or where the contents “appear to pertain to the commission of a crime.” While the access of domestic bodies is circumstantially qualified as such (and subject to disclosure and annual review,) foreign governments face no such explicit restrictions. They can immediately receive “US” data without notice to the target individual or US government.
 
Changed:
<
<

Consequences of Jurisdictional Ambiguities

>
>
This creation threatens even greater implication given existing ambiguities of jurisdictional reach. The access that CLOUD provides foreign governments is not given any enumerated jurisdictional boundaries. Hence, one could construe the foreign government’s unregulated access to “US” data to include foreign-held data of US companies, or even entirely extraterrestrial companies that avail themselves to federal law through specific jurisdiction. Functionally, this potentially grants unmetered access to private data controlled by foreign bodies of law.
 
Changed:
<
<
CLOUD does not explicitly limit its application to tech companies incorporated in the United States. No doubt there is a high bar for having jurisdiction over a foreign corporation, but it does not seem farfetched that a major tech communication platform would systematically target and transact business with the US market, thus "submit[ting] to the judicial power of an otherwise foreign sovereign to the extent that power is exercised in connection with the defendant's activities." J. McIntyre? Mach., Ltd. v. Nicastro, 564 U.S. 873, 881. This then posits a seemingly perverse circumstance where a foreign corporation with exclusively foreign data storage is at the mercy of American SCA warrants. Such a wide radius of authority threatens to undermine legislative sovereignty, corporate autonomy and the general integrity of data privacy. It also appears to harbor irreconcilable contentions with the GDPR data control rights. GDPR’s ‘right to be forgotten’ and “right to be informed” “where personal data are transferred to a third country” appear incongruent with the record retention, and notice-free data grabs that CLOUD can authorize.
>
>
Even if these daunting harms have not yet been widely actualized, the threat they pose warrants proactive undertakings. That said, any effort to repeal, replace, or modify CLOUD must balance facilitating national security, protecting consumer privacy, and not unduly compromising the market viability of third-party data hosts.
 
Changed:
<
<

Capacity of Safeguards for Consequences of Judicial Ambiguities

>
>
Challenging CLOUD on 4th amendment grounds might be a first step, and Justice Gorsuch’s dissent in Carpenter v. Unites States offers guidance on such an argument. Gorsuch entertains that a “constitutional floor” exists “below which “Fourth Amendment rights may not descend.” He likens contemporary data privacy rights to mail-related privacy findings in Ex Parte Jackson, which stated that “[n]o law of Congress” could authorize letter carriers “to invade the secrecy of letters.” Gorsuch also posits a pragmatist interpretation of the property-based understanding of the fourth amendment and its possible effective obsolesce of the Third-Party Doctrine. He recognizes that “the fact that a third party has access to or possession of your papers and effects. . .does not necessarily eliminate your interest in them. . .[j]ust because you entrust your data—in some cases, your modern-day papers and effects—to a third party may not mean you lose any Fourth Amendment interest in its contents.”
 
Changed:
<
<
To some extent, CLOUD’s drafters account for this issue. Enumerated are conditions under which a data host can motion to quash a disclosure request: the service provider must reasonably believe that the individual whose data is sought is not an “American Person” and does not reside in the US, AND that “the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.” Through the most optimistic lens, the latter parameter appears to shield service providers from falling between Scylla and Charybdis. However, the judicial procedures for evaluating such motions, and requirement of meeting both conditions, dilutes its protective potency.
>
>
Applying Gorsuch’s association, it can be argued that inalienable interests remain in personal data stored in third-party held electronic records. “No law of Congress” should be able to pass a law authorizing the causeless seizure of domestically held data of US Persons, yet CLOUD appears to do just that for foreign governments with bilateral agreements.
 
Changed:
<
<

Bilateral Data Access Agreements

>
>
At minimum, a constitutional replacement to CLOUD would move “qualified foreign governments” in with the text of §2702(b)(7) such that they are also limited by probable cause standards. However, for such a replacement to effectively combat exploitative practices, additional reform measures are necessary. First, there is no apparent reason why exercising an SCA warrant through a bilateral agreement should not require concurrent notification to the target country’s government. If timely access is the justification for CLOUD in the first place, notice facilitates immediate accountability without hindering functionality. Second, even if notice occurs, the mechanisms by which we hold the executive accountable are lacking. Privacy liberties that would otherwise have been kept in check by judicial review could easily be disregarded for five years by a White House itself interested in unconstitutional espionage. It’s difficult to remedy this aspect of CLOUD without undermining the delegative mechanism that aids law enforcement, but within the existing structure, renewal periods could be shortened, and the conditions for quashing a disclosure request could be relaxed.
 
Deleted:
<
<
While the apathetic nationalist may not lose sleep over compromises to foreign autonomy, they would certainly object to how Americans are paying for it with their own privacy. The second wave of CLOUD act provisions purport to give foreign governments similar reach over US-held data, and problematically relegate disclosure discretion beyond what the US itself possesses.
 
Deleted:
<
<
In essence, the CLOUD act enables certain foreign governments to enjoy the same privileges to US-held data that Uncle Sam has to theirs. It makes sense that friendly nations would want to collaborate on symbiotic national security efforts. However, the way this is accomplished offends the conscious of constitutionality and compromises central tenants of privacy jurisprudence.
 
Deleted:
<
<

Source of Purported Necessity

 
Deleted:
<
<
Before CLOUD’s enactment, foreign governments could seek access to US-held data either through letters rogatory, (a judicial instrument,) or far more commonly, Mutual Legal Assistance Treaties (MLATs.) MLATs are binding, area-specific, legislatively developed agreements for information sharing, the legality of which are held in check by judicial review. Though already capable of facilitating the kinds of exchanges that CLOUD seeks to enable, MLATs draw ire from law enforcement and intelligence bodies whose urgent concerns lack the temporal pliancy to be bottlenecked by reviews that can stretch from months to years. Understandably, these actors bolster their capacity to act when their access to critical data nears instantaneous.
 
Changed:
<
<

Erosion and Inequities of Regulatory Autonomy

CLOUD pushes the channel in that direction by delegating MLATesque authority to the executive. The bill allows the president, with consent from two of her appointed offices, to create bilateral political agreements with other heads of state, thus recognizing their government as statutorily “qualified.” The gravity of this designation is apparent in light of where CLOUD places it in the amendment to SCA. SCA 2702 imparts that communication content disclosure is prohibited, but carves out exceptions for (among other things) US law enforcement agencies in emergency situations or where the contents “appear to pertain to the commission of a crime,” and “qualified foreign governments.” Thus, while the access of domestic bodies is qualified circumstantially and subject to disclosure and annual review, foreign governments face no such explicit restrictions. They can obtain US-housed communication data with notice given to neither the individual who created the data nor the US government at all.

Implications and Constitutionality

This creation threatens even greater implication when viewed beside existing ambiguities of jurisdictional reach. The scope of access privileges that CLOUD provides foreign governments is not given any distinction. Hence, one could construe the foreign government’s (directly) unregulated access to “US” data to include the data stored in other countries by United States companies, or even entirely extraterrestrial companies that avail themselves to federal law through business-derived specific jurisdiction.

Yes, companies can move to quash, or not comply, but often they have every incentive to appease the government of their customer base. Yes, executive agreements require vetting of foreign law, are subject to potential judicial challenge and face renewal burdens every five years, but those measures do not prevent foreign nations from being their own jury and not telling anyone about it once they qualify. Functionally, this potentially grants unmetered access to private communications data controlled by foreign bodies of law.

When privacy regulation sees such a seismic shifting of authority in all three branches of government, concern for 4th amendment violations become inevitable. If they are legitimate, would CLOUD not be a delegation of authority which Congress was never conferred in the first place?


Thoughts for second draft:

I'd like to expand on the analytical content of this paper and clarify/hone the thesis. However, I found it difficult to make room for this material given the amount of background info I felt the need to cover. Ideally I would like to go more in-depth with an APA/ad law scrutiny of CLOUD's delegation and offer a more concrete (or at least more expansively explained) basis for my concerns about jurisdictional reach given CLOUD's placement/language in the SCA. But such arguments in isolation, I fear, would lack essential context for a reader who isn't familiar with CLOUD/SCA, MLATs & the existing procedures for authorized data sharing, and possibly the procedural history with Microsoft v. US. Where might I be able to cut summary content to make room for subjective/original material?

I know the issues. You should take the steps to remove introductory material to put your own ideas forward more. But they should be yours: I know others' views of the issues, too. And it would be worth pointing out that the CLOUD Act was made because the US public cloud companies would otherwise have been flattened by an adverse ruling in the Supreme Court in Microsoft v. US, which would have subjected foreign data in the US and outside the US under the control of parties within the US to US law enforcement subpoenas. That would have ended the public cloud providers' credibility with non-US businesses for good. So if you want to replace the CLOUD Act with another mechanism, it must provide a better deal not only to US intelligence community and law enforcement, but also to AWS, MS, etc.


Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

>
>
* I cannot get the hyperlink to work correctly. I think the brackets within the quote are causing an issue, but I can't add the reference to the essay body without going over the word limit. The quote is from https://supreme.justia.com/cases/federal/us/564/873/

Revision 9r9 - 16 Jan 2020 - 07:32:03 - AnthonyMahmud
Revision 8r8 - 02 Dec 2019 - 19:16:52 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM