Over the last four years, Microsoft has been battling with the US court system over the ability for US law enforcement to compel them to hand over data that is stored on servers outside the US. While that case focussed on data relating to a drug trafficking operation, Microsoft saw it as a test of how data sovereignty is enforced in the courts. One of Microsoft's arguments was that the courts were the wrong place for such a matter to be resolved and that the US Congress should decide. That happened, and now we have the CLOUD Act.
The CLOUD Act - it stands for Clarifying Lawful Overseas Use of Data (which makes me think they started with the name and worked back from there) - is a framework for law enforcement agencies to directly access data across borders under lawful warrant. It will rely on bilateral agreements between the US and other countries for lawful access to relevant data.
The Australian government, through the office of the Minister for Law Enforcement and Cybersecurity, has welcomed the passage of this legislation, saying "Given the size and scale of technology and communications companies based in the US, the CLOUD Act has the potential to be of significant benefit to law enforcement. Australia welcomes the US taking leadership on this issue".
Before the US Congress passed the CLOUD Act, the US Supreme Court looked at the issue and was split 4-4 along partisan lines as to whether they should even consider the matter. It was expected that they would rule on this later this year but the new law seems to have bypassed the need for them to reconsider this.
The CLOUD Act is not a legal carte blanche for US law enforcement to force cloud providers to hand data over. It relies on an accelerated version of an existing legal instrument called a mutual legal assistance treaty (MLAT). These treaties allowed countries to work together on legal matters but were time consuming to put together. The CLOUD Act allows for countries to enter into "executive agreements" where countries can expedite an MLAT, assuming appropriate warrants are in place.
While there has been some criticism of the new rules - and I have to admit I was initially sceptical of how it would work - the CLOUD Act seems to balance the needs of law enforcement and our privacy. Law enforcement can't simply order a tech company to hand data over when it's stored offshore and the country holding the data can refuse the request.
The case that sparked all this, between Microsoft and the US Government, has been bumped from the Supreme Court and sent to a lower court where it's expected to be dropped now that the law has passed.
Why does this matter?
Ordinarily, the passage of a law in another country wouldn't be a big deal for us but the CLOUD Act is the beginning of a new era, I think.
Most of the time, legislators and law enforcement have a hard time keeping up with the rapid changes that happen in technology. Government's total inability to anticipate the privacy issues around Facebook is an example of how clueless it can be.
But the CLOUD Act is a step forward. While we might not agree with its purpose, it reflects the changing nature of how the world uses technology, albeit almost two decades after cloud services started becoming ubiquitous. The CLOUD Act seems to have some checks and balances in place, although staunch allies like Australia might not oppose too many requests from US officials and we are yet to see how the courts here will deal with the accelerated MLAT process.
One of the things that is becoming clearer is that law enforcement, while constrained by national borders, is starting to look for ways to tackle globalised crime.
What do you think? Is the CLOUD Act a good or bad thing? Will it make a difference to how you use cloud services, or the services you choose?