Your data moves everywhere. Your social media posts could pass through servers in Sweden. Your Internet search history could be stored in data centers in Berkeley or Belgium. Your text messages and ride hailing records might rely on servers around the world.
When police want access to data beyond their country’s borders, they often have to comply not just with their own data protection laws, but also with the data protection laws where the data is stored. That’s a good thing. It ensures that when data crosses borders, people don’t suffer a reduction of privacy.
But the privacy protections in this global system have aggravated law enforcement for years, and a new bill in Congress aims to appease those frustrations. The new bill would allow foreign police to demand data directly from U.S. companies and, along the way, predictably capture our emails, chat logs, online photos, and videos.
This bill is the CLOUD Act (S. 2383 and H.R. 4943) and it presents an enormous overreach.
The CLOUD Act would:
- Enable foreign police to collect and wiretap people’s communications from U.S. companies, without obtaining a U.S. warrant.
- Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.
- Allow the U.S. president to enter “executive agreements” that empower police in foreign nations that have weaker privacy laws than the United States to seize data in the United States while ignoring U.S. privacy laws.
- Allow foreign police to collect someone’s data without notifying them about it.
- Empower U.S. police to grab any data, regardless if it’s a U.S. person’s or not, no matter where it is stored.
Here’s how the CLOUD Act could work in practice:
London investigators want the private Slack messages of a Londoner they suspect of bank fraud. The London police could go directly to Slack, a U.S. company, to request and collect those messages. The London police would receive no prior judicial review for this request. The London police could avoid notifying U.S. law enforcement about this request. The London police would not need a probable cause warrant for this collection.
Predictably, in this request, the London police might also collect Slack messages written by U.S. persons communicating with the Londoner suspected of bank fraud. Those messages could be read, stored, and potentially shared, all without the U.S. person knowing about it. Those messages could be used to criminally charge the U.S. person with potentially unrelated crimes, too.
Under the CLOUD Act, this type of data collection could happen, so long as the president agrees to it.
All of this is wrong. Tell your representative today to protect privacy by rejecting the CLOUD Act.