Law in the Internet Society

Cloudy With a Chance of Eyeballs: Consequences at the Seams of Cross-Border Data Sharing

In lengthening the reach of governments to request private information from third-party data hosts, the CLOUD Act materially compromised digital privacy. The Stored Communications Act (SCA) already specified the situations in which corporations must comply with data disclosure requests; however, CLOUD codified that SCA requests are enforceable even upon data outside of the US. Consequently, private data stored within foreign territories became fair game for government grabs without notifying that country’s officials. At face value, the measure plausibly assuaged a legitimate national security concern: facilitating timely access to sensitive data on which law enforcement can act. However, a deeper inquiry into the statute reveals less apparent ramifications and demonstrates a need for reform.

One such consequence is that CLOUD does not explicitly limit its application to US-incorporated companies. While there is a high bar for having jurisdiction over a foreign corporation, it’s plausible that a technology company would systematically target and transact business with the US market, thus "submit[ting] to the judicial power of an otherwise foreign sovereign [regarding] defendant's activities."* This then posits a seemingly perverse circumstance where a foreign corporation with foreign-held data is at the mercy of American SCA warrants. Such a wide radius of authority threatens to undermine legislative sovereignty, corporate autonomy and the general integrity of data privacy.

To some extent, CLOUD accounts for this issue through the conditions under which a data host can move to quash a disclosure request: they must reasonably believe that the target is not an “American Person. . . [and that disclosure would risk violating] the laws of a qualifying foreign government.” While this mechanism may help with comity issues, the judicial procedures for evaluating such motions, and the requirement of meeting both conditions, dilute its protective potency.

Another consequence is that CLOUD gives foreign governments similar reach over US data, and problematically relegates disclosure discretion beyond what the US itself possesses. It makes sense that friendly nations would want to collaborate on symbiotic national security efforts; however, the way this is accomplished raises questions of constitutionality and undermines central tenets of privacy jurisprudence. Pre-CLOUD, foreign governments generally accessed US-held data through MLATs. However, MLATs draw ire from intelligence bodies whose urgent needs are undermined by long review processes. Understandably, these actors bolster their capacity to act when their access to critical data quickens.

CLOUD provides such tailwind. It delegates MLAT-esque authority to the executive, enabling the creation of bilateral political agreements that recognize foreign governments as statutorily “qualified.” The gravity of this designation is apparent in light of where CLOUD places it in the amendment to SCA. SCA 2702 imparts that communication content disclosure is prohibited, but carves out exceptions for law enforcement in emergency situations or where the contents “appear to pertain to the commission of a crime.” While the access of domestic bodies is circumstantially qualified as such (and subject to disclosure and annual review), foreign governments face no such explicit restrictions. They can immediately receive “US” data without notice to the target individual or US government.

This creation threatens even greater implications given existing ambiguities of jurisdictional reach. The access that CLOUD provides foreign governments is not given any enumerated jurisdictional boundaries. Hence, one could construe the foreign government’s unregulated access to “US” data to include foreign-held data of US companies, or even entirely extraterritorial companies that avail themselves of federal law through specific jurisdiction. Functionally, this potentially grants unmetered access to private data controlled by foreign bodies of law.

Even if these daunting harms have not yet been widely actualized, the threat they pose warrants proactive undertakings. That said, any effort to repeal, replace, or modify CLOUD must balance facilitating national security, protecting consumer privacy, and not unduly compromising the market viability of third-party data hosts.

Challenging CLOUD on Fourth Amendment grounds might be a first step, and Justice Gorsuch’s dissent in Carpenter v. United States offers guidance on such an argument. Gorsuch entertains that a “constitutional floor” exists “below which Fourth Amendment rights may not descend.” He likens contemporary data privacy rights to mail-related privacy findings in Ex Parte Jackson, which stated that “[n]o law of Congress” could authorize letter carriers “to invade the secrecy of letters.” Gorsuch also posits a pragmatist interpretation of the property-based understanding of the Fourth Amendment and its possible effective obsolescence of the Third-Party Doctrine. He recognizes that “the fact that a third party has access to or possession of your papers and effects. . .does not necessarily eliminate your interest in them. . .[j]ust because you entrust your data—in some cases, your modern-day papers and effects—to a third party may not mean you lose any Fourth Amendment interest in its contents.”

Applying Gorsuch’s association, it can be argued that inalienable interests remain in personal data stored in third-party held electronic records. “No law of Congress” should be able to authorize the causeless seizure of domestically held data of US Persons, yet CLOUD appears to do just that for foreign governments with bilateral agreements.

At minimum, a constitutional replacement to CLOUD would move “qualified foreign governments” in with the text of 2702(b)(7) such that they are also limited by probable cause standards. However, for such a replacement to effectively combat exploitative practices, additional reform measures are necessary. First, there is no apparent reason why exercising an SCA warrant through a bilateral agreement should not require concurrent notification to the target country’s government. If timely access is the justification for CLOUD in the first place, notice facilitates immediate accountability without hindering functionality. Second, even if notice occurs, the mechanisms by which we hold the executive accountable are lacking. Privacy liberties that would otherwise have been kept in check by judicial review could easily be disregarded for five years by a White House itself interested in unconstitutional espionage. It’s difficult to remedy this aspect of CLOUD without undermining the delegative mechanism that aids law enforcement, but within the existing structure, renewal periods could be shortened, and the conditions for quashing a disclosure request could be relaxed.

* I cannot get the hyperlink to work correctly. I think the brackets within the quote are causing an issue, but I can't add the reference to the essay body without going over the word limit. The quote is from



r9 - 16 Jan 2020 - 07:32:03 - AnthonyMahmud
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.