back to article US state legal supremos show lots of love for proposed CLOUD Act (a law to snoop on citizens' info stored abroad)

The attorneys general of 35 US states on Wednesday signed an open letter calling for the quick passage of the Clarify Lawful Overseas Use of Data (CLOUD) Act – with some qualifications. The proposed legislation, if passed by Congress, will allow the Feds to demand people's emails and other personal communications from overseas …

  1. Snow Wombat

    Wow.... just... wow!

    This will render the locally hosted cloud services, that were explicitly created to AVOID this sort of crap, moot.

    You host anything, with a US based company, regardless of where the physical iron sits, Uncle Sam can Go Shoulder deep into your data and pull anything out he wants.

    Icky.

    1. James Ashton
      Big Brother

      Re: Wow.... just... wow!

      "You host anything, with a US based company, regardless of where the physical iron sits, Uncle Sam can Go Shoulder deep into your data and pull anything out he wants."

      Bad news for you: it's not limited to US-based companies. Say you're a UK university with a small presence in the US for the purposes of purchasing, marketing, etc. What's to stop the US subpoenaing data held on a UK campus? You probably don't want to end up in a situation where university employees can't travel to the US.

      1. bombastic bob Silver badge
        Devil

        Re: Wow.... just... wow!

        " What's to stop the US subpoenaing data held on a UK campus?"

        Uh, "due process" ?

        Actually there's an existing way to manage that: simply own controlling interest in a U.S. based company that's a separate entity from you. Sometimes they call that a "shell corporation". So what. Corporations have a level of legal protection built into them [which is why they exist, really].

    2. big_D

      Re: Wow.... just... wow!

      Except they can refuse to provide the information, if they can identify the information as belonging to a non-US citizen and that providing the information would violate local laws.

      I would also expect such co-hosting situations, like the T-Systems owned and run Azure/Office365 installations in Magdeburg and Frankfurt, where Microsoft have no administrative or physical access to the servers, to mean that the CLOUD act would have no affect on the data held in those facilities.

      1. Anonymous Coward
        Anonymous Coward

        Re: Wow.... just... wow!

        How long would a person spend in jail before law enforcement was satisfied you are correct? my guess is they'd hold that person as long as possible to make an example of them.

        1. bombastic bob Silver badge
          Devil

          Re: Wow.... just... wow!

          "How long would a person spend in jail before law enforcement was satisfied you are correct"

          There are limits on how long you can be held for contempt of court (though it may not be apparent). if you are held without bail (and that requires a hearing before a judge to have that happen) then you can be held until you get a not guilty verdict. but that's not likely with a contempt hearing first.

          The length of time for being held for contempt would vary based on the jurisdiction. However, it's theoretically possible it could be "forever" if you keep being in contempt.

          An example:

          https://www.wsj.com/articles/SB123137263059962659

          The jail stops the moment you submit to the court's authority. It would take some pretty large gonads to stay in jail for YEARS like that, based entirely on principle.

          It's what can happen in a society that's ruled by law. I guess you could ask a similar question in the UK, how long will it take before Julian Assange can 'walk free' in the streets of London? Exactly.

          1. John Brown (no body) Silver badge

            Re: Wow.... just... wow!

            "It's what can happen in a society that's ruled by law. I guess you could ask a similar question in the UK, how long will it take before Julian Assange can 'walk free' in the streets of London? Exactly."

            Actually, that's a vastly different situation. Assange is currently eluding justice. If and when he surrenders himself, he'll likely get 6 months at most. He is not currently in custody for his contempt. But while he eludes justice, the charge of contempt isn't going away.

      2. Graham Cobb Silver badge

        Re: Wow.... just... wow!

        I would also expect such co-hosting situations, like the T-Systems owned and run Azure/Office365 installations in Magdeburg and Frankfurt, where Microsoft have no administrative or physical access to the servers, to mean that the CLOUD act would have no affect on the data held in those facilities.

        I don't share your optimism. It will surely apply to any case where the US company has any access to the data at all, whether through its own employees or through contractual arrangements with third parties. It is nothing to do with ownership, or even control, of the servers.

        Are you really sure there is nothing in the contract between T-Systems and Microsoft allowing Microsoft to access any customer data?

        1. big_D

          Re: Wow.... just... wow!

          Microsoft explicitly set up the contract with T-Systems with this in mind.

          They cannot gain access to the building without being accompanied by a T-System representative and even then, they have no login credentials for the servers there.

          To get at any data on those servers, they have to provide T-Systems with a German warrant.

          1. Sir Runcible Spoon

            Re: Wow.... just... wow!

            And if the data being requested happened to contain PII of individuals from the EU, they are up against GDPR.

            How do you say 'Fuck Off' in American?

            1. bombastic bob Silver badge
              Happy

              Re: Wow.... just... wow!

              "How do you say 'Fuck Off' in American?"

              You just did. heh.

        2. Doctor Syntax Silver badge

          Re: Wow.... just... wow!

          "Are you really sure there is nothing in the contract between T-Systems and Microsoft allowing Microsoft to access any customer data?"

          AIUI the contract specifically avoids allowing Microsoft access to the data. That's the entire purpose of the arrangement.

          1. Geronimo!

            Re: Wow.... just... wow!

            So far, they have not even been able to prohibit Windows 10 from contacting home base.

            And Telekom and Co want you to believe, that they have completely cut of any access for MS?

            I have severe doubts there.

            https://www.heise.de/newsticker/meldung/Behoerden-ignorieren-Sicherheitsbedenken-gegenueber-Windows-10-3971133.html shows what's wrong here: Not even the German government could "persua<de" MS to stop hoarding data. And yet, we're led to believe the Deutsche Telekom did?

            (Couldn't find the English article)

            Na, don't think so.

      3. Anonymous Coward
        Anonymous Coward

        "if they can identify the information as belonging to a non-US citizen"

        Just, the process looks really convoluted. First, it's not the entity requesting the information that need to prove that the person is a US citizen or resides in the US. It's the company asked for that must file a motion if it believes it's a non US citizen or not residing int he US - and you wonder how they could. Most of the time, but for very visible targets, they will just surrender the data without any objection.

        Second, the motion need to be approved by a court, taking into account "the interests of the United States" - which basically means they can refuse to quash or modify the motion at their whims.

        But of course foreign governments don't get those rights, they "may not intentionally target a United States person or a person located in the United States, and shall adopt targeting procedures designed to meet this requirement;"

        Now, the very fact that US Congress may believe it has any right to ask data stored abroad about non US citizens is a big symptom of how much scared and thereby arrogant they became. McCarthy should be smiling in his grave.

        Really hope EU shows them the middle finger - and tells them to stop reading STASI manuals, and that any action against EU citizens and their data will be prosecuted.

    3. Anonymous Coward
      Anonymous Coward

      Re: Wow.... just... wow!

      "This will render the locally hosted cloud services, that were explicitly created to AVOID this sort of crap, moot."

      Except Microsoft ones. They have a security model with a data access approver that is in the legal jurisdiction of the data - and who is subject to local laws. If Microsoft US made an illegal request - say for data protected under European law - they are not getting it.

    4. bombastic bob Silver badge
      Devil

      Re: Wow.... just... wow!

      "Uncle Sam can Go Shoulder deep into your data and pull anything out he wants."

      I think there is going to be a REAL legal process involved, or that's how it should be written. 'Due Process'. Yeah, I know the FISA court is supposed to be that, too, and we have a current investigation going on AGAINST THE FBI (by Congress) regarding THAT kind of abuse, and so there must be "oversight" to make sure the abuses do NOT happen.

      I'm not sure what would change if the FBI were to go before an Irish judge in the Microsoft case (where they try and make themselves immune to an existing subpoena) and why the FBI hadn't already done that. But whatever.

      What this should NEVER become: a license to conduct a "fishing expedition" to violate the privacy of anyone that has any kind of data stored on a U.S. company's computers, regardless of the physical location. I don't think this is going to happen.

      What U.S. based companies should do: make sure the data is stored ENCRYPTED, the key belongs to the client, the company doesn't have access to the key [when this is possible], and it's only kept for as long as necessary [and purged after that].

      What users are probably going to have to do: don't keep data "in the cloud" for longer than is necessary.

      I think if I were using gmail or hotmail with IMAP I'd be moving all of the archived e-mail into LOCAL ONLY storage about now... [shouldn't be too hard to do that, either]. make sure 'sent items' is moved locally, too.

  2. IceC0ld

    Agents of SHIELD link

    the Clarify Lawful Overseas Use of Data (CLOUD) Act

    someone REALLY wanted it to be called CLOUD :o)

    1. alain williams Silver badge

      Re: Agents of SHIELD link

      A more accurate expansion of CLOUD is Companies Located Overseas Under Duress.

      Or Computers Located Overseas Under Duress.

      1. VinceH

        Re: Agents of SHIELD link

        "Computers Located Overseas? Usurp Data!"

    2. Anonymous Coward
      Anonymous Coward

      Re: Agents of SHIELD link

      The US come up with an acronym, then works the law to fit around it.

      1. IceC0ld

        Re: Agents of SHIELD link

        The US come up with an acronym, then works the law to fit around it.

        AHA

        the old solution looking for a problem ploy

  3. Anonymous Coward
    Anonymous Coward

    America Fuck Yeah

    After you've arrested low-hanging-fruit drug-dealers but those remaining outsmart you, what will do then US Govt? Because lets be clear pro-criminals are winning the cyberwars not you! Even the NSA, a traditional tech specialist, has been getting its ass kicked by Shadowbrokers etc.

    You're a failed state America, face it. The world is turning its back on you. Your 'exceptionalism' days are over, unless its exceptional remuneration for the 1%'ers etc. US corporations with large overseas cloud operations will get hurt here that's all. Whereas more and more users are using encrypted messaging systems anyway. So how is the FBI doing breaking into those?

    1. Anonymous Coward
      Anonymous Coward

      'The U.S. is arguably well down the sadistic road'

      https://www.bloomberg.com/view/articles/2018-02-21/virtual-reality-could-erase-the-limits-of-inequality

    2. bombastic bob Silver badge
      Meh

      Re: America Fuck Yeah

      "what will do then US Govt?"

      hopefully, REAL police work. Not lazy 'metadata' searches, but the kind that can take a while and usually involves irrefutable evidence collected legally without violating the rights of U.S. citizens [or any international agreements with respect to non-citizens]. THAT is the way it is SUPPOSED to be done.

      but yeah, it sounds like the cops are lazy, doesn't it?

      "You're a failed state America, face it"

      No, not until the point where "they" get their way while the sheeple watch (or fail to watch) without interest. That's really not happening, at least not yet. [what concerns ME is when 'due process' is perverted for the same kinds of reasons, and it seems THAT HAPPENED somewhat recently, from top levels of the FBI, via the FISA court].

  4. Oengus

    Rapid legislation is never a good idea

    The attorneys general of 35 US states on Wednesday signed an open letter calling for the quick passage of the Clarify Lawful Overseas Use of Data (CLOUD) Act

    If a legislator is seeking quick passage of anything be afraid. It is never in the best interest of the general public and is seldom well thought through. Just look at legislation like the US Patriot act and how it is abused.

    1. Graham Cobb Silver badge

      Re: Rapid legislation is never a good idea

      Not only is it rapid, it is supported by Theresa May!

      I am just waiting to see her insistence that the "bilateral agreement" between the US and UK for this is fair, symmetrical and based on human rights.

  5. John Smith 19 Gold badge
    Gimp

    "If a legislator is seeking quick passage of anything be afraid." that THE PATRIOT Act

    It also is a very convoluted bacryonym.

    As well as being very nasty.

    The US data fetishists who wrote this (I mean really wrote it, not whose name is on the sponsors list) really do see no limits to their authority in any way shape or form.

    The astonishing part is US tech companies see no problem with it.

    Despite the fact it might as well be called the "Don't Send Your Data Anywhere Near A US Parented Company If You Want It To Stay Out Of The Hands Of Any Federal Law Officer"

    1. Anonymous Coward
      Anonymous Coward

      "The astonishing part is US tech companies see no problem with it."

      Because they like this provision: "No cause of action against a provider disclosing information under this chapter.—No cause of action shall lie in any court against any provider of a wire or electronic communication service, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with a court order under this chapter,"

      So basically they get a free card to get out of troubles. They've been offered a carrot, and swallowed it.

      The problem is what other governments will do - it they don't accept the agreement and warn that any unlawful access to data stored within their boundaries is a crime, and the company are liable for that...

  6. Anonymous Coward
    Anonymous Coward

    American Overreach - A Warning To all....

    Buddy walks into a bank to open a biz account. The bank produces normal paperwork first, but then at the and a US Homeland security form, requiring all his personal info. Fill-it-in / Sign-it, or no account! He refused naturally!

    The biz is 2nd-hand audio equipment. High-end speakers / amps which he mostly imports from private owners in Germany or the UK and sells on. Import / Export to America? Never!! The bank wasn't American owned or a US subsidiary, it was a sovereign state owned Bank bailed out in last crash.

    Any idea which country we're talking about? Clue: Its in the firing line to feel the sting of Brexit! So WTF is this Homeland Security form about: FATCA overreach? Can't be, there's no US citizens / US money involved. Terrorist money laundering money then...? The bank staff were vague and unhelpful!

  7. Anonymous Coward
    Anonymous Coward

    Fig leaf CYA for Five Eyes

    Possible backdoor for National Security exceptions to procedure of evidence and disclosure in criminal cases? You decide...

  8. Chronos
    Facepalm

    The legislation, introduced earlier this month, has the support of [...] the British Prime Minister Theresa May

    "What a surprise," said nobody at all. I suppose Amber Rudd had "a crisis," as Clarkson would say.

    1. Christoph
      Facepalm

      So she's perfectly happy for any personal data held in the UK to be grabbed by the USA at whim.

      Well, she'll have to wait until after B-Day next year, because there's no way the EU will accept that. And once she has agreed it, the EU will forbid any EU citizen's personal data to be exported to the UK. Which rather buggers all this talk about transition periods and keeping a close relationship. We will be out in the cold.

      1. Zippy's Sausage Factory

        I have a feeling all this would already place an organisation in breach of the GDPR. Including, weirdly, probably a US-based company that has no data stored in the EU but has data from EU citizens. I may be wrong, though, I'm not a lawyer.

        Either way, I suspect this one will cause alarm in the corridors of Brussels.

        1. Ken 16 Silver badge
          Coat

          not alarm

          A measured and thoughtful response involving some really huge fines on any companies found to be breaching GDPR.

        2. Anonymous Coward
          Anonymous Coward

          "Either way, I suspect this one will cause alarm in the corridors of Brussels."

          Not really. They will be happy to fill their coffers with fines from US companies and prison cells with the officers of any US company that breaches GDPR.

          1. Anonymous Coward
            Anonymous Coward

            "They will be happy to fill their coffers with fines from US companies"

            Hope so, and that EU politicians fully understand how much lopsided any kind of deal under that proposal - if passed - could be.

            It's also funny that US instead of entering into talks with EU and other countries to tackle the issue, prefer to legislate first at its own full advantage, and then try to offer "deals" to other governments - it's a trumpist way of doing deals, probably, but I hope they'll understand soon it won't work. If you want a deal, first discuss its contents as peers.

            I just don't understand why Ms. May is so keen on kneeling, I understand after putting itself in the Brexit mess they desperately need some friends, but at this point just ask to become US 51st state...

          2. Doctor Syntax Silver badge

            "Not really. They will be happy to fill their coffers with fines from US companies"

            It raises the question of what will the fines be charged on. If it's general activity in breach of the GDPR in the course of a year they stand to be fined a maximum of 4% global turnover and can just look on it as an annual turnover tax. If it's per incident then there could be multiple fines & it will start to hurt.

            Meanwhile, just get rid of the privacy figleaf.

  9. Stork

    From a personal point of view, this is the sort of thing that makes me wonder who is actually responsible for the international data transfers?

    I run a small b2c company with both my booking software and accounting software being web based. Both outfits are EU based, but how do I know where their servers are? If they happen to be in say, the US or another dodgy place, who is responsible for the data transfer?

    My own hosting is in the EU, so that should be clear.

    1. Anonymous Coward
      Anonymous Coward

      "but how do I know where their servers are?"

      If this law passes, it doesn't matter. As long as they are owned or controlled by a US entity, a US agent can ask about data stored there, and it's up to the company to ask a court to allow the access if the data are about a non US citizen.

      So, basically, you have to hope US companies will try to protect you gracefully. Maybe someone will do, fearing to lose customers, but as long as they don't have to disclose you what they do, they can simply give them the data, and hope you'll never know. And you won't be able to sue them in the US because the proposal explicitly make them safe.

      I'm quite surprised that MS & C., probably in exchange for that safety, are going to accept that. Because it means your data are not safe on any US owner/controlled system in any part of the world.

      Probably Amazon, MS and so on believe too many already rely on their cloud services to move away, but I'm glad my company don't rely on them and our data are stored locally.

      Today you don't have only emails on US controlled servers, today you may have your whole company data.

      1. Stork

        Re: "but how do I know where their servers are?"

        I would think that it is the service provider (in my case the Invoicing SW is sold by a PT company as few others bother with PT taxman certification) would be responsible.

        It is just not realistic that millions of SME's in EU have to check all the hosting of the SW the use. But sometimes laws surprice.

        More generally, I think GDPR should stop that sh*t..

        1. John Brown (no body) Silver badge

          Re: "but how do I know where their servers are?"

          "It is just not realistic that millions of SME's in EU have to check all the hosting of the SW the use. But sometimes laws surprice."

          Not only that, but check who owns the company, and keep checking in case of mergers or takeovers.

      2. Tom -1

        Re: "but how do I know where their servers are?"

        If the cloud act happens, in won't matter where the servers are, it won't matter who owns them, it won't matter whose personal data is being demanded. If a US court says "give our US authorities that data owned by that EU company with no connection at all with the USA and held on servers owned by a company which has no connection whatsoever with the USA, and is personally identifiable data about persons who have no connection whatsover with the USA" and the company fails to hand over the data it and its officers will be guilty of contempt of that American court and probably the USA will try to extradite teh company officers on that charge (so if they are in Britain, they will probably end up in an American jail because they have chosen not to break British data protection law).

    2. Doctor Syntax Silver badge

      "Both outfits are EU based, but how do I know where their servers are?"

      Time to start asking specific questions of your supplier. And not just about where the servers are but who owns them. And who owns who owns them. Apart from anything else your customers will be asking you.

  10. rmullen0

    Don't give in to the unethical and immoral imperial power, the United States

    I hope that other countries find a way to stop this. The people running the United States are completely bought and corrupt and have no moral ground to stand on in the international community. Hopefully, other countries will grow stronger and form alliances to counteract the immoral scumbags that are running the United States, committing war crimes on a daily basis, and stealing money from it's citizen's to fund the military industrial complex which is running amok.

    1. bombastic bob Silver badge
      Black Helicopters

      Re: Don't give in to the unethical and immoral imperial power, the United States

      I think you should've used the 'black helicopter' icon.

      I have a suggestion: do not store anything in the cloud, and make sure you are well aware that anything that ends up on "teh intarwebs" can be snooped, snarfed, collected, "meta-data'd", and potentially submitted as evidence, regardless of where in the world it's stored, and hopefully NOT by criminals [though it's more likely to be the case].

      icon, because, should've been there already.

  11. rmullen0

    Modern computng is designed to violate privacy

    Anyone using a smart phone or cloud computing should not expect to have any privacy. The criminals in the U.S. government at the NSA, FBI, CIA, etc. can capture your data, monitor your location etc. at will. They don't care about laws. Even if there is a law against it, they will do it anyway. But we have to do it, all in the name of keeping us safe from the "terrorists." Never mind the fact that the U.S government drone strikes and murders innocent civilians on a regular basis,, including a little girl that was a U.S. citizen. Just think what things will be like in the future. Things are going to get worse and worse. Think about autonomous vehicles. You say something against the government and oops, your accelerator just went on and your brakes went out and you are dead, like what happened to Michael Hastings. Expect it. Anything for making more money for the military industrial complex, stealing other people's resources and world domination. The oligarchs are building a new world order where nations no longer have sovereignty.

  12. DCFusor

    As a yank

    I feel compelled - and embarrassed - to point out that just about zero of actual USians want any of this, and that we've somehow allowed our government to get completely out of control.

    For those who think this is recent partisan politics, I'd point out that while newly public, most of this has been going on for most of my rather long life - many decades. It's just harder to hide it now. It was being done decades ago with a nudge and a wink.

    Looks to me as though the elected part of our government has little to do with how things go anymore anyway - it'll all unelected bureaucrats who have forgotten the duties of citizenship and who are more interested in their rice bowls than their fellow citizens. Probably without realizing how traitorous they seem to the rest of us.

    Cardinal Richelieu seems to have been right (or for that matter, the Stasi) - give me the man and I'll show you the crime - the unelected have the dirt on those who write their political paychecks, so it's fairly easy to predict how things will go from there.

  13. Eddy Ito

    ... allow the Feds to demand people's emails and other personal communications from overseas computers...

    This is exactly why personal communications need to be encrypted as strongly as possible and why SMTPS and the like are simply not adequate.

  14. ma1010
    Unhappy

    The ONE bloody thing both parties (and foreign governments) can totally agree on...

    ...is spying on people. That's always "bipartisan" in Congress. Anything else in Washington is a dog fight where everybody loses. When spying comes up, everybody still loses, but there's little or no fighting among the Congresscritters.

    1. DCFusor

      Re: The ONE bloody thing both parties (and foreign governments) can totally agree on...

      See my comment above. Who cares if there's some dirt on them? Politicians....(heck, inhaled and don't care who knows)

      Who gets dirt on everyone? Spies.

      So the guys with the dirt always get the money and laws they want. It's pretty obvious from close up.

      Any different on your side of the pond?

      All they're doing is making legal what they've been doing all along. Because they're finding it harder to hide now (Snowden, Assange, and so on).

  15. Anonymous Coward
    Anonymous Coward

    Reportable breach?

    So... Would this be classified as a "Reportable Breach of Data"?

  16. Aodhhan

    What happened to all the intelligent InfoSec professionals who used to comment on this site?

    All I see now is the rantings of those who think they know about a country's legal system, and those who just spew out political hate. Both without using critical thinking, complete understanding of the facts, and/or any real time experience.

    The act in question, doesn't bypass due process.

    You also can't look at stored data in the same light as storing material products.

    Stored data can be accessed in many locations at the same time, and in essence is then stored in many locations at the same time. If a document is called up and viewed in Chicago from it's stored location in London, it's actually in both places. In fact, you can delete the document in London, but it will still exist in Chicago.

    You can't do this with material item, without defying the laws of physics.

    What's odd... those who are politically aligned to the left should be for this law. It's something which is very anti-big business, and anti-wealthy. These are the individuals who will be affected more than some bloke living in his mom's basement.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like