the CLOUD Act (was What can ISPs do better? Removing racism out of internet)

Anne P. Mitchell, Esq. amitchell at isipp.com
Tue Aug 6 18:16:48 UTC 2019



> Is the CLOUD Act germane to North American network operations (the mission of NANOG)? My understanding is that this Act was to help solve problems the FBI had with obtaining remote data through overseas service providers, through SCA warrants.
> 
> SCA already compels U.S.- and Canada-based service providers, via warrant or subpoena, to provide requested data stored on servers. It doesn’t matter if the data are stored in the U.S. or in another country. I’m not seeing how CLOUD impacts any NANOG member, which just encompasses Canada and the US (Mexico has its own network operator’s group, LACNOG.)
> 
> I’m open to being educated, however.

The CLOUD Act is reciprocal. It allows an agency of another country to demand from U.S.-based holders of data that data which is relevant to a citizen of that country, where that individual is working abroad in the U.S. - with *no* due process - in fact with no requirement of notice to that individual. It's the equivalent of a demand for production of documents (i.e. a subpoena) - no warrant, no anything else.

Example (using the UK because that is the reciprocal agreement closest to being formalized):

John Deaux is from London, and a citizen of the UK. John is working in the U.S., at a tech company in Palo Alto, California. John has a Gmail account, and uses Dropbox to store his photos. A law enforcement agency in the UK decides that it wants access to the data in John’s Gmail account and Dropbox account, and so they serve a demand for the production of John’s data on Google and Dropbox, under the CLOUD Act. If the U.S. and the UK have an executive agreement in place as contemplated by the CLOUD Act, Google and Dropbox must comply.

And, it gets worse: 

Let’s say that while combing through John Deaux’s Gmail data the UK authorities find evidence that he has been laundering money, and they believe that it may be in concert with Joe Smith, who lives in Mountain View, a short distance from John. Joe is a U.S. citizen. The U.S. authorities do not know about Joe’s possible illegal activity, and they have no reason to suspect it. If they did suspect it, they would have to convince a judge to issue a warrant to search Joe’s data (because in the U.S. you can only use the subpoena route if there is already an open case against the person).  *However*, there is nothing in the CLOUD Act that stops the UK agency from simply passing this data on to U.S. law enforcement voluntarily. In fact, the CLOUD Act encourages it.

Anne

---

Anne P. Mitchell, Attorney at Law
Dean of Cybersecurity & Cyberlaw, Lincoln Law School of San Jose
CEO/President, Institute for Social Internet Public Policy
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Board of Directors, Denver Internet Exchange
Board of Directors, Asilomar Microcomputer Workshop
Legal Counsel: The CyberGreen Institute
Former Counsel: Mail Abuse Prevention System (MAPS)
Member: California Bar Association





