Simply put, the CLOUD Act provides minor updates to a decades-old law that is strictly limited to helping law enforcement agencies fight and deter international criminal and terrorist activity. It does not, as some have suggested, give US law enforcement agencies free access to data stored in the cloud.
We see the DOJ’s speech and guidance as a step in the right direction, but more needs to be done by governments around the world to educate cloud-computing customers about important issues regarding access to data.
In this article, I wish to highlight a few of the key misunderstandings about the act in order to help customers understand that this law should not change how they use cloud services.
Cloud of unknowing
In 1986, Congress enacted the Stored Communications Act (SCA), which addressed law enforcement access to electronic communications. Although the SCA was considered forward-looking at the time, courts have struggled over the years to apply it to technologies like internet applications and cloud computing that did not exist when the SCA was passed.
One area of debate related to whether US law enforcement agencies could obtain data located outside the US. The CLOUD Act resolved this debate.
It made clear that providers subject to US law, such as an entity doing business in the US (including foreign-based entities with US subsidiaries), can be served with a warrant and court order under the SCA to provide data under their control, regardless of where it is stored.
To be clear, despite suggestions to the contrary, the CLOUD Act does not introduce a new concept. Governments across the globe have long had the ability to obtain evidence of crimes located outside of their jurisdiction.
As the DOJ noted in its white paper, most countries require disclosure of data wherever it is stored, consistent with the Budapest Convention, which was the first international treaty aimed at improving cooperation and investigations in cyber and computer crimes.
Indeed, French courts have long allowed police to obtain data outside of France, so long as it is accessible from a computer in France.
Most recently, in February 2019, Britain passed the Crime (Overseas Production Orders) Act, which allows British law enforcement agencies to obtain stored electronic data from a company or person based outside of Britain.
This practice is consistent with a centuries-old principle of international cooperation. Countries use a number of tools, ranging from domestic laws to international treaties, to seek potential evidence located beyond their borders and establish a tradition of cross-border cooperation.
This serves as the foundation for what trusted and respected organisations like Europol do, and the CLOUD Act simply reflects what these other law enforcement agencies and other countries have been doing for many years.
Cloud of dust
One of the most common misunderstandings about the CLOUD Act is that it is applicable to only US companies. This is not true.
The act applies to all electronic communication service or remote computing service providers that are subject to US jurisdiction, including email providers, telecom companies, social media sites, and cloud providers, whether they are established in the US or in another country.
This means that any foreign company with an office or subsidiary in the US is subject to the act.
As Downing said in his speech, US courts have ruled that even non-US websites that have been used by customers based in the US have been subject to US jurisdiction and, therefore, could be subject to the CLOUD Act.
Another common misunderstanding about the act is that it somehow provides the US Government with unfettered access to data held by cloud providers.
This is simply false.
The act does not grant law enforcement agencies free access to data stored in the cloud. Law enforcement can compel service providers to provide data only by meeting the rigorous legal standards for a warrant issued by a US court.
US law sets a high bar for obtaining a warrant, requiring that an independent judge conclude that law enforcement has reasonable grounds to request the information, that the information requested directly relates to a crime, and that the request is made clearly, accurately, and proportionally. This is the opposite of unfettered access.
Above the clouds
When Amazon Web Services (AWS) receives a request for data located outside the US, we have tools to challenge it and a long track record of doing so. In fact, our challenges typically begin well before we go to a court. Each request from law enforcement agencies is reviewed by a team of legal professionals.
As part of that review, we assess whether the request would violate the laws of the United States or of the foreign country in which the data is located, or would violate the customer’s rights under the relevant laws.
We rigorously enforce applicable legal standards to limit – or reject outright – any law enforcement request for data coming from any country, including the US. We actively push back on law enforcement agencies to address concerns, which frequently results in them withdrawing their request.
In the event that we cannot resolve a dispute, we do not hesitate to go to court. Amazon has a history of formally challenging government requests for customer information that we believe are too broad or otherwise inappropriate.
We will continue to resist such requests – including those that conflict with local law, such as the GDPR in the European Union – and to do everything we can to protect customer data.
We will also continue to notify customers before disclosing content, and we provide advanced encryption and key management services that customers can use to protect their content further.
We have industry-leading encryption services that give our customers a range of options to encrypt data in transit and at rest, and to manage encryption/decryption keys – because encrypted content is rendered useless without the applicable decryption keys.
Kickin’ the clouds away
AWS is vigilant about its customers’ privacy and security. We are committed to providing all customers, including governmental agencies that trust us with their most sensitive content, with the most extensive set of security services and features to help ensure complete control of their data.
The CLOUD Act did not alter or weaken this commitment. On the contrary, the act recognises the right of cloud providers to challenge requests that conflict with another country’s laws or national interests, and requires that governments respect local rules of law.
Additionally, foreign governments concerned about the risk of government data disclosure may be entitled to sovereign immunity. The US recognises that, under the principle of sovereign immunity, foreign governments have effective legal means under US law to prevent disclosure of their data.
At AWS, we are constantly helping our customers and partners to understand their position in relation to new compliance standards and laws. We believe it is the only way organisations can ensure that they are able to protect their end users.
The reality is that cloud computing is having a positive effect on lives around the world in all kinds of ways.
With AWS technologies, our customers are creating forward-thinking technologies that shape the ways we live and learn, whether through photo sharing and video streaming, increased access to financial services and e-commerce/trade, processing geospatial data for new discoveries, creating or promoting greater opportunities for education and skills development, or helping industries evolve with accessible artificial-intelligence and machine-learning services.
Our customers are also leveraging the cloud for good: working to prevent human trafficking, prevent violent crime, improve citizen services in cities, and to make medical breakthroughs. What would be incredibly disappointing would be for all of this to be slowed due to fundamental misunderstandings about the CLOUD Act.