UPDATE: The UK has now released the text of the UK-US Cloud Act agreement, and an explanatory memorandum available here.
Last year, we warned that the passage of the Clarifying Lawful Overseas Use of Data (CLOUD) Act would weaken global privacy standards, opening up the possibility of more permissive wiretapping and data collection laws. Today’s announcement of the U.S.-UK Agreement is the first step in a multi-country effort to chip away at privacy protections in favor of law enforcement expediency.
U.S. Attorney General William Barr and British Home Secretary Priti Patel announced that the U.S. and UK have signed an agreement that will allow each country to bypass the legal regimes of the other and request data directly from companies in certain investigations. The text of the agreement has not yet been released, but the countries were able to enter into such a regime through the controversial powers granted in the U.S. CLOUD Act and the UK Investigatory Powers Act and the 2019 Crime (Overseas Production Orders) Act. At EFF, we fought against the provisions in these bills that weaken global privacy standards, and we are concerned based on the U.S. and UK press statement that this agreement will not include necessary privacy provisions.
Based on reporting, the U.S.-UK agreement sets up a regime in which the UK police can get fast, direct access to communications data about non-U.S. persons held by American tech companies. In return, the United States government will be given fast-track access to British companies' data regardless of where that data is stored. This unprecedented arrangement will seriously undermine privacy and other human rights.
Like many international deals, the U.S.-UK negotiations were held behind closed doors, and their details were shrouded in secrecy, even though the CLOUD Act requires that the U.S. Attorney General send any potential agreement to U.S. Congress for review within seven days after certifying a final agreement. The U.S. and UK should not be able to make secret law that binds tech companies and dictates the privacy of their customers, and we will continue to push for this agreement to be made public.
What does the U.S.-UK deal change?
United States law provides strong protections for the content of communications—the text of email and instant messages, the photos we privately share with our friends, our private audio/video chats, and our cloud-based documents. American tech companies are generally forbidden from disclosing this category of data to anyone (including foreign governments) without the consent of the data subject or without an order from a U.S. court determining that there is probable cause that the data in question contains evidence of a crime. The Mutual Legal Assistance Treaty (MLAT) regime, which has been followed for the past few decades and has been adopted by a majority of democratic countries, provides a vehicle for foreign governments to obtain communications content while following privacy standards set out in U.S. law.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 gives the U.S. executive branch the power to enter into bilateral agreements with “qualifying foreign governments”—a set of countries that the U.S. determines satisfy a list of privacy and human rights standards in the statute. These agreements would authorize those governments to request data stored in the U.S. and allow the U.S. to request data stored in foreign countries without going through the MLAT process.
The CLOUD Act also allows foreign police to get information stored in the United States without a probable cause warrant or an order from a U.S. judge. There are prohibitions on foreign governments against targeting U.S. citizens and residents, but this means that U.S. persons’ information can still be collected without U.S. oversight if they are communicating with a target but are not the target themselves. In practice, the foreign vs U.S. person distinction in the law means that some data stored in the U.S. is protected by U.S. law while foreign data stored in the U.S. may be subject to lesser standards.
The new agreement with the UK is the first between the U.S. and a “qualifying foreign government,” and we have specific concerns about the details of the deal. The UK legal standard for access to data is much more permissive than the Fourth Amendment. The UK still allows for general warrants (a practice that fueled U.S. colonists’ grievances against the British government) and can issue a warrant based on a “reason to believe” that there may be evidence “relevant” to a crime, rather than probable cause. The CLOUD Act does have a baseline standard for when and how evidence can be requested from tech companies directly, but there is quite a bit of daylight between the CLOUD Act standard and UK law, and without seeing the agreement we cannot tell if it meets a higher privacy standard.
The press statement frames this deal as necessary to investigate and prosecute child exploitation and terrorism, but under the framework outlined in the CLOUD Act, this agreement can be used to investigate any “serious crime,” meaning that this power can and will be used across the board from drug investigations to investigations of financial crimes.
If a U.S. company doesn’t want to comply with a UK order—if, for instance, it thinks that the order is too vague or not tied to a “serious crime”—it may likely face penalties in the United Kingdom. Presumably at this point, a U.S. provider could decide to bring the United States government into the picture if the U.S. provider believes that the foreign government order is not consistent with the CLOUD Act safeguards. But in practice, there is no mechanism to do so, and it would be burdensome for the government to interject itself in individual cases.
It has also been reported that this agreement will now let the UK wiretap individuals located anywhere on the globe with the assistance of U.S. companies (so long as the target of the wiretap is not a United States person and is not located in the United States). The MLAT process did not allow for real-time interception, and U.S. law has even higher requirements for real-time access to information because of the grave privacy risks involved when the government eavesdrops on private conversations. Letting the UK use the lesser privacy standards under UK law to wiretap information as it passes through U.S. tech companies is an enormous erosion of current data privacy laws.
Contrary to a number of recent press reports, however, the agreement cannot authorize the UK government to force companies like Google or Facebook to decrypt encrypted communications. That’s because the CLOUD Act contains a specific provision that prohibits an agreement between the U.S. and another country from creating “any obligation that providers be capable of decrypting data.” The UK might rely on its horrible Investigatory Powers Act to try to force companies to build backdoors or simply pressure companies to do so voluntarily, but the Cloud Act doesn’t give those arguments any weight under U.S. law.
We don’t yet know what the agreement says, so the first step is to make sure that it is released to the public. Law (even international agreements) should not be secret.
The CLOUD Act contains provisions that mandate that the Attorney General send all proposed agreements to Congress for review. Congress has 180 days after notification to review an agreement and determine whether or not the agreement satisfies the requirements laid out in the CLOUD Act. If an agreement is found wanting or if Congress has any other basis for objection, either chamber can introduce a joint resolution to disapprove of the agreement and stop the executive branch from enacting it.
It’s a complicated process, but it is imperative that Congress exercise it. When Congress passed the CLOUD Act, it created a rift in privacy and law enforcement access practices. Now it is Congress’ continuing responsibility to make sure that our rights don’t fall through the cracks.