Original URL: US state legal supremos show lots of love for proposed CLOUD Act (a law to snoop on citizens' info stored abroad)
The attorneys general of 35 US states on Wednesday signed an open letter calling for the quick passage of the Clarify Lawful Overseas Use of Data (CLOUD) Act – with some qualifications.
[...] In effect, it means the FBI can ask, say, a California court for a subpoena to obtain files from a San Francisco upstart's servers hosted in France, sidestepping French privacy laws and legal system. The act's wording also does not limit the Feds to serving orders for communications on US companies and entities – agents would be able to demand information from whomever they wished, if a US judge approved.
The draft law also allows foreign governments to ask for non-US-citizens' personal data stored in America, under new sharing agreements that would be worked out by the White House.
The CLOUD Act was drawn up in part as a result of the ongoing court battle between Microsoft and US law enforcement: Uncle Sam wants a Microsoft customer's email messages stored on a Microsoft-run server in Ireland. The Feds went to a judge in New York for the information, but Redmond wants prosecutors to go to Ireland and ask an Irish judge for permission.
Microsoft, essentially, is arguing that, because the data in question is stored on servers in Ireland, the g-men's request – made under the 1986 US Stored Communications Act – is invalid. The US Supreme Court will consider the case this year.
[...] "The Act also creates incentives for our foreign partners to enter into bilateral agreements that will facilitate cross-border criminal investigations, while ensuring that privacy and civil liberties are respected."
Related Stories
As of today, a data-sharing pact between the US and the UK is in effect, five years after it was first floated. The two sides claim that the Data Access Agreement, which was authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act in the US, will help law enforcement to combat serious crimes in both countries. The Department of Justice called the initiative the first of its kind, adding that it would enable investigators "to gain better access to vital data" to fight serious crimes in a manner that's "consistent with privacy and civil liberties standards."
Under the agreement, authorities in one country can request data from ISPs in the other country, as long as it's related to preventing, detecting, investigating and prosecuting serious crimes including terrorism, transnational organized crime and child exploitation. US officials can't submit data requests targeting people in the UK and vice-versa — presumably the requests can either be used to assist domestic investigations or investigations into foreign nationals. Authorities also need to adhere to certain requirements, limitations and conditions when they access and use data.
[...] The US is looking to forge pacts with other countries under the CLOUD Act. It signed a deal with Australia last December and entered negotiations with Canada earlier this year.
Previously:
Responsibility Deflected, the CLOUD Act Passes
U.S. law to Snoop on Citizens' Info Stored Abroad
(Score: -1, Spam) by Anonymous Coward on Monday February 26 2018, @03:15PM (1 child)
An obese man with a bowl haircut sat on a couch in an ordinary living room. Rolls of fat on his face, neck, and body jiggled whenever he moved. The man's name was Jackson. As Jackson was lazing around, his doorbell rang. "I wonder who that could be..." Jackson muttered.
Jackson waddled to the door and opened it. What he saw filled him with surprise and delight. Girl Scout Cookies. A small girl was going door-to-door selling Girl Scout Cookies; this was unusual, but fortuitous. It was Jackson's favorite. The man immediately seized upon the opportunity and went back into his house with the items.
Jackson had freshened up in order to get ready for the main course. He had all of his usual tools in this room, and everything was ready. Jackson couldn't wait to begin. "Hehe! It's been a while since I've had one that matched my preferences this closely!" the man said jubilantly. Then, he began. She cried. She screamed. She squealed. She convulsed. She broke. Her hands fell limply to the ground. She showed no signs of moving ever again.
"Damn! I got so excited that I forgot how fragile these are! I'll have to be more careful next time to prevent it from breaking so quickly." said Jackson, as he shoveled Girl Scout Cookies into his mouth. "These rot all too quickly, so I'd better dispose of it properly." the man, who was an upstanding member of his community, said.
The last person to ever see the little girl who sold cookies to Jackson was the garbage man.
(Score: 2) by Azuma Hazuki on Monday February 26 2018, @08:33PM
If you want to write your autobiography go get a fuckin' blog.
I am "that girl" your mother warned you about...
(Score: 2) by c0lo on Monday February 26 2018, @03:19PM
Microsoft will only need to use a European partner (say, Accenture [wikipedia.org]?) to operate the Irish cloud and provide the OS-es and know-how to them, and receive ... mmm... royalties?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 4, Insightful) by Runaway1956 on Monday February 26 2018, @03:23PM (4 children)
When are they going to admit that they DO NOT respect privacy, or civil liberties, and certainly not national soveriegnty.
(Score: 1) by khallow on Monday February 26 2018, @04:37PM
(Score: 0) by Anonymous Coward on Monday February 26 2018, @05:46PM
Should have named it the "Himmler Act".
(Score: 2, Insightful) by fustakrakich on Monday February 26 2018, @05:47PM
What, and blow their cover?
La politica e i criminali sono la stessa cosa..
(Score: 2) by MostCynical on Monday February 26 2018, @11:16PM
Remember, 1984 is now an instruction manual
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Insightful) by Sourcery42 on Monday February 26 2018, @03:32PM (2 children)
Well there is is. The most evil, condescending thing I will read today. Nice to have that out of the way in the early AM.
(Score: 2) by frojack on Monday February 26 2018, @03:58PM (1 child)
attorneys general of 35 US states
No, you are mistaken. I've always had this sig.
(Score: 2) by frojack on Monday February 26 2018, @04:05PM
Link to the actual letter https://attorneygeneral.utah.gov/wp-content/uploads/2018/02/Final-2.21-CLOUD-Act-Letter.pdf [utah.gov] which some how went 404 from the Register's site.
Yup, even Washington State's AG selling Microsoft into slavery.
No, you are mistaken. I've always had this sig.
(Score: 4, Interesting) by JoeMerchant on Monday February 26 2018, @03:54PM (4 children)
Time was, spying was high treason punishable by summary execution. Then we started flying planes so high that they (usually) couldn't be shot down, and not much later flying satellites over foreign soil which could (by informal account) read the nametag of a soldier in the field in Vietnam. Spying is still illegal, but somehow this new technology made it O.K. for the U.S. to photograph inside the walls of the Kremlin, and even track interior activity through infrared and radar...
While I can see clear argument for data at rest in a server being subject to the laws and protections of the sovereign nation in which the server is located, when that data is "in flight" on the internet it would seem to be much closer to public domain, like Stephen Wright leaning out a window to smile for a satellite picture - it's just how things are. Now, as for:
That's just world government trying to sputter to life, again. As long as powerful individuals outweigh the power of the largest governments, they will keep the world's governments fragmented - they're easier to control that way.
🌻🌻 [google.com]
(Score: 3, Insightful) by khallow on Monday February 26 2018, @04:41PM
[...]
Come on. It's never been illegal in a country to spy on another country. The illegality is always one way, when an outside entity spies on the country.
(Score: 2) by frojack on Monday February 26 2018, @05:23PM (1 child)
When was that time?
And in what country?
Historically Treason has not been charged unless there was an act of war declared by congress, because to do so required designating some other country an "enemy". Further, the only entity that could be charged with treason in your scenario would be the US government itself. Now THERE's a can of worms.
Back to school son. You have to find a different way.
No, you are mistaken. I've always had this sig.
(Score: 2) by JoeMerchant on Monday February 26 2018, @08:15PM
Because, to kill him would have been a waste of a political bargaining chip.
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Tuesday February 27 2018, @03:42AM
(Score: 4, Insightful) by jelizondo on Monday February 26 2018, @04:32PM
I know there are some Aussies and Brits around the site. I’d love for any of them to get a judge in Australia, Britain or anywhere else for that matter, to serve an order to release data stored in a server in the U.S. without going thru the U.S. judiciary.
But I would love the most to hear what our esteemed Attorney Generals spout upon learning that some other country has decided that our law does not apply in our country.
What's good for the goose is good for the gander.
(Score: 2) by fritsd on Monday February 26 2018, @04:44PM (4 children)
On 28 May, the GDPR [europa.eu] directive of the EU comes in operation.
If I read it correctly that means, that if the French server operator allows this transfer of information, they lose the right to process personal data, AND they face a fine of up to € 20 000 000 or 4% of total annual worldwide turnover, whichever is *more*.
I think it probably took the EU this long to work through the repercussions of our post-Snowden world. But I suspect they took it rather seriously.
(Score: 3, Insightful) by frojack on Monday February 26 2018, @05:15PM (2 children)
All well and good, but unenforceable.
You buy an app to store your smartphone pictures in the cloud from some US company. Your photos go to France Cloud company because that is the cloud provider hired by App company. (Exactly as TFS says).
Tin Star sheriff gets a subpoena and demands photos. App Company dutifully hands them over, by pulling your photos (which they stored for you) from French Servers (which they paid for), and delivers them to tin star. French server will never know about the subpoena, only that the bulk purchaser of cloud storage retrieved data, just like every other day.
YOU never had a contract with French Cloud. They don't know you exist, even though there is a numbered sub directory with your pictures in it.
Even if French Cloud knew who you were in records provided by App Company, there is nothing that says they can't return data to who ever is paying for the storage, and who therefore owns the data.
You seem to suggest that French Company will get in between each request for data and arbitrate who can or can not get that data?
Are ye daft mon?
No, you are mistaken. I've always had this sig.
(Score: 2) by bob_super on Monday February 26 2018, @05:22PM
If Tin Star Sheriff gets a subpoena against a European, they can argue that their data is stored in Europe (per the app's legalese to avoid trouble with the personal data export directive).
If the data is released, it would be easy to attack it in court (though US courts tend to be sympathetic to US requests), and the hosting company would get kicked in the nuts.
"How did you get that incriminating data?" is a pretty basic question to ask.
Obviously, the protection of US citizens' data stored in Europe is a bigger can of worms (see MS case)
(Score: 2) by fritsd on Monday February 26 2018, @07:36PM
No, not in between each request for data. But maybe before French Cloud even signs the contract with App Company:
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-rules-apply-if-my-organisation-transfers-data-outside-eu_en [europa.eu]
for example if App Company signs:
which they probably can't promise if they're in a US jurisdiction.
I'm still not sure about the fine print, but I think companies incorporated in the EU have to write down how they process personal data (if they do), and if they are planning to share that data with third countries. But probably only if they process "high risk" personal details. I don't know if photos fall under that category.
In a brochure on the GDPR, it said that data on race, religion and sexual preference were mentioned as examples of "high risk".
(Score: 0) by Anonymous Coward on Monday February 26 2018, @05:16PM
I'll take it seriously when they start enforcing the law against their American overlords, rather than stitching up a deal giving the US everything they ask for, with nothing in return.
(Score: 0) by Anonymous Coward on Monday February 26 2018, @08:02PM
What about the anonymous users? Or how does it handle the case where the user's nationality isn't yet precisely determined? Or what happens if they make a mistake?
Though while I'm sure whoever makes the request will push for "They aren't known to be a US citizen, so give me their data." so are we left to rely on the integrity of the judge to deny requests for data from users whose identity is unclear?
It seems you could end up more protected, or wildly more vulnerable, as an AC...