CLOUD At: a new US bill provides access to personal data abroad
Last week, March 23, 2018, the US Congress passed a bill called the CLOUD Act. It greatly expands the ability of United States law enforcement agencies to access private information online.
Read more about the act and how the community and IT companies reacted to it, we will tell below.
/ photo angela n. CC
')
The Clarifying Lawful Overseas Use of Data Act was first proposed on February 6, 2018. The bill is an amendment to the Stored Communications Act (SCA) - an act of 1986 governing the provision of US government access to data held by Internet service providers. The CLOUD Act became part of a 2232-page document approving the state budget; therefore, there were no separate debates on its content, as, by the way, there was no separate hearing in Congress.
The act has two key points that facilitate access to US law enforcement agencies to the PD.
1. Requesting PD users from IT companies
First, from now on, law enforcement agencies (from police officers to agents of the Federal Migration Service) have the right to request access to data from IT companies, regardless of where this information is stored. In other words, the US police may require Google or Facebook to provide PD users, even if they are stored, for example in Europe.
Given that many global IT companies are under US jurisdiction, authorities have access to correspondence, metadata, and user accounts worldwide. Now companies will not be able to refuse to provide data, even if it is prohibited by the laws of another state (as was the case with the case of Microsoft Ireland ).
2. Providing information to other states
The second part of the act gives the President and the US Attorney General the opportunity to enter into special agreements with other states on data exchange. Under these agreements, countries may request user data from US IT companies, provided that they are not American citizens and do not live in the United States.
There are no restrictions on which countries the United States can enter into these agreements. The Act allows you to initiate such agreements between countries without the approval of Congress.
IT giants Microsoft, Google, Facebook, Apple, and Oath (formerly Yahoo) have compiled a letter that approved the bill, calling it "a notable progress in consumer protection." They also pointed out that the CLOUD Act will allow "better protection of users, thanks to international agreements".
When the act was approved, Microsoft Legal Director Brad Smith (Brad Smith) said in his twitter that "this is an important day for international relations and the protection of personal data throughout the world." He also noted that the act will increase the credibility of the technologies that we use every day. However, the tweet was met with explicit criticism of network users.
/ photo by Alexandre B CC
The rest of the technical community is not so clearly supports the new act ( especially cryptocurrency enthusiasts). It is discussed the fears that it will lead to the localization of data , that is, the desire of each country to keep the PDs of citizens on "local" servers.
Also, the act was criticized by many American human rights organizations. More than twenty organizations, including the EFF (Electronic Frontier Foundation - Electronic Frontier Foundation) and the ACLU (American Civil Liberties Union - American Union for the Protection of Civil Liberties), made an open letter to Congress, which indicated clear violations of human rights in the CLOUD Act.
We are talking about the regulation of agreements on the transfer of information. Suppose a certain country, in cooperation with the US government, turns to Slack in order to obtain personal correspondence of a person who is a resident of that country. Slack, in the case of transmitting the message history, also unwittingly reveals the messages of all those involved in the correspondence.
Moreover, CLOUD provides an opportunity for the state, which has thus obtained confidential data about American citizens, to transfer them directly to US law enforcement agencies without any additional approvals , warrants or court orders. This can be interpreted as a direct violation of the Fourth Amendment to the US Constitution .
Prior to the adoption of the CLOUD Act, the legal aspects of accessing information abroad were regulated by the MLAT (Mutual Legal Assistance Treaties - Mutual Legal Assistance Agreement). This treaty was drawn up in 2001 with the active participation of the United States and European countries (Russia did not recognize the Convention decision). It allows law enforcement agencies of different countries to gain access to data stored abroad, with the assistance of the state in which they are stored.
MLAT has its drawbacks. On average, the duration of consideration of a single request is about 10 months , and by the time of receiving information from another state, in most cases it is no longer relevant. Despite the imperfections, the system is an important transitional stage in the development of international relations in the field of cyber security, especially since the Council of Europe plans to improve it soon. However, the adoption of the CLOUD Act does not contribute to this process, and more is its alternative .
PS More materials from the First Corporate IaaS blog:
Read more about the act and how the community and IT companies reacted to it, we will tell below.
/ photo angela n. CC
')
What is CLOUD At
The Clarifying Lawful Overseas Use of Data Act was first proposed on February 6, 2018. The bill is an amendment to the Stored Communications Act (SCA) - an act of 1986 governing the provision of US government access to data held by Internet service providers. The CLOUD Act became part of a 2232-page document approving the state budget; therefore, there were no separate debates on its content, as, by the way, there was no separate hearing in Congress.
The act has two key points that facilitate access to US law enforcement agencies to the PD.
1. Requesting PD users from IT companies
First, from now on, law enforcement agencies (from police officers to agents of the Federal Migration Service) have the right to request access to data from IT companies, regardless of where this information is stored. In other words, the US police may require Google or Facebook to provide PD users, even if they are stored, for example in Europe.
Given that many global IT companies are under US jurisdiction, authorities have access to correspondence, metadata, and user accounts worldwide. Now companies will not be able to refuse to provide data, even if it is prohibited by the laws of another state (as was the case with the case of Microsoft Ireland ).
2. Providing information to other states
The second part of the act gives the President and the US Attorney General the opportunity to enter into special agreements with other states on data exchange. Under these agreements, countries may request user data from US IT companies, provided that they are not American citizens and do not live in the United States.
There are no restrictions on which countries the United States can enter into these agreements. The Act allows you to initiate such agreements between countries without the approval of Congress.
Support act
IT giants Microsoft, Google, Facebook, Apple, and Oath (formerly Yahoo) have compiled a letter that approved the bill, calling it "a notable progress in consumer protection." They also pointed out that the CLOUD Act will allow "better protection of users, thanks to international agreements".
When the act was approved, Microsoft Legal Director Brad Smith (Brad Smith) said in his twitter that "this is an important day for international relations and the protection of personal data throughout the world." He also noted that the act will increase the credibility of the technologies that we use every day. However, the tweet was met with explicit criticism of network users.
/ photo by Alexandre B CC
Criticism of the act
The rest of the technical community is not so clearly supports the new act ( especially cryptocurrency enthusiasts). It is discussed the fears that it will lead to the localization of data , that is, the desire of each country to keep the PDs of citizens on "local" servers.
Also, the act was criticized by many American human rights organizations. More than twenty organizations, including the EFF (Electronic Frontier Foundation - Electronic Frontier Foundation) and the ACLU (American Civil Liberties Union - American Union for the Protection of Civil Liberties), made an open letter to Congress, which indicated clear violations of human rights in the CLOUD Act.
We are talking about the regulation of agreements on the transfer of information. Suppose a certain country, in cooperation with the US government, turns to Slack in order to obtain personal correspondence of a person who is a resident of that country. Slack, in the case of transmitting the message history, also unwittingly reveals the messages of all those involved in the correspondence.
Moreover, CLOUD provides an opportunity for the state, which has thus obtained confidential data about American citizens, to transfer them directly to US law enforcement agencies without any additional approvals , warrants or court orders. This can be interpreted as a direct violation of the Fourth Amendment to the US Constitution .
Alternative: Mutual Assistance Contract
Prior to the adoption of the CLOUD Act, the legal aspects of accessing information abroad were regulated by the MLAT (Mutual Legal Assistance Treaties - Mutual Legal Assistance Agreement). This treaty was drawn up in 2001 with the active participation of the United States and European countries (Russia did not recognize the Convention decision). It allows law enforcement agencies of different countries to gain access to data stored abroad, with the assistance of the state in which they are stored.
MLAT has its drawbacks. On average, the duration of consideration of a single request is about 10 months , and by the time of receiving information from another state, in most cases it is no longer relevant. Despite the imperfections, the system is an important transitional stage in the development of international relations in the field of cyber security, especially since the Council of Europe plans to improve it soon. However, the adoption of the CLOUD Act does not contribute to this process, and more is its alternative .
PS More materials from the First Corporate IaaS blog:
- Placing GIS in the cloud: what are the features here
- How does the protection of personal data: the European approach
- What you need to know the financial institution to work with the cloud
- How to test cloud security: eliminating security issues
- How to increase the level of cloud infrastructure security
- 12 cloud security threats according to the Cloud Security Alliance
- Disaster recovery as a service: advantages and disadvantages
Source: https://habr.com/ru/post/352402/
All Articles