Perspective

Leverage the CLOUD Act To Protect Encryption

Bob Goodlatte, Greg Nojeim / Sep 11, 2025

Bob Goodlatte, former Chairman of the House Judiciary Committee (R-VA), is Senior Policy Advisor for the Project for Privacy and Surveillance Accountability, and one of the authors of the CLOUD Act. Greg Nojeim is a Senior Counsel and Director of the Security and Surveillance Project at the Center for Democracy & Technology, a Washington, D.C., nonprofit public policy organization.

London, UK—November 20, 2024: The Home Office building on Marsham Street, Westminster. Shutterstock

When you meet in person with a neighbor or a friend, you would be deeply troubled if the government demanded that you speak loudly enough so its agents could eavesdrop on everything you both say. Why should that be any different for your online communications?

Encryption ensures that emails, texts, and other communications are kept private between the sender and the receiver. In an age of cybersecurity threats, encryption protects sensitive personal medical and financial information, and the trade secrets that underlie the success of American business. This technology, among the most important data security tools companies offer, is important for more than just privacy.

Encryption protects journalists from malevolent governments. It shields women and their children from stalkers and abusers. Such reasons are partly why late last year the cybersecurity agencies of four of the Five Eyes countries urged network managers to ensure that communications traffic is encrypted end-to-end.

These agencies made this recommendation in the wake of the “Salt Typhoon” attacks, in which hackers believed to be associated with the Chinese government infiltrated the networks of major US telecom operators. The UK stood apart, refusing to join cybersecurity agencies in the US, Canada, Australia and New Zealand in this pro-encryption declaration.

Instead, the UK is pursuing a disastrous policy of attacking encryption and the privacy it enables. Its super-extraterritorial order to Apple requires the company, which is based outside the UK, to alter equipment it maintains in other countries so it can facilitate the wiretapping of users, including those outside the UK. There used to be a saying, “The sun never sets on the British Empire.” Today, it appears that the British Home Office seeks to build a data empire.

Earlier this year, the UK ordered US-based Apple to compromise the encryption protection afforded by its cloud back-up service, and perhaps compromise other services as well. The purpose? To allow UK authorities to enforce orders requiring Apple to hand over the contents of users’ communications. Apple responded by withdrawing its encrypted cloud back-up service from the UK and challenging the UK order. But, had Apple complied with the order worldwide, it would have had to withdraw the service from the US and globally, or compromise its security. This would have exposed cloud back-ups of iMessages, photos, and documents to attack by authoritarian governments, stalkers, and nefarious hackers alike.

The US government shouldn’t be complicit in this power grab by continuing to give the UK authority to enforce surveillance orders against US tech companies, as it currently does under the 2017 CLOUD Act. The Act allows governments to enter into agreements with the United States that permit US tech companies to bypass US warrant requirements to disclose user data in criminal investigations not targeting Americans.

But now, the UK’s order to Apple reveals that the CLOUD Act needs a tweak to more fully protect Americans – not from their own government, but from a foreign government. Congress should amend the CLOUD Act to prohibit CLOUD Act agreements with governments whose laws or practices allow for orders that undermine encryption and cybersecurity, and to preclude those governments from issuing such orders if they have a CLOUD Act agreement with the US.

Pending any changes to the CLOUD Act by Congress, the Department of Justice should pull the US out of the CLOUD Act agreement with the UK unless the UK withdraws the order it issued to Apple. While there were reports in August that the UK had agreed to withdraw its order, court filings reportedly suggest the order is still in place. The US can cancel the US/UK agreement without cause, with 30 days’ notice. The benefits of that agreement have been one-sided: The UK has issued over 20,000 surveillance demands against US tech companies; the US, in contrast, has issued only 63 requests to UK providers. This imbalance gives the US leverage to stand up to the UK and go to bat for Americans who rely on US tech companies to secure their data.

On the July 4 holiday, the country celebrated the revolutionaries in the original 13 colonies who had the courage to stand up and declare their independence. They rebelled against their colonial masters’ anti-democratic measures, including general warrants that allowed the King’s agents to paw through anyone’s papers at will. Now, it is time for Congress and the Department of Justice to reclaim our privacy and assert our rights to secure communications against our former colonial masters. Consider it some unfinished business of the American Revolution.

Authors

Bob Goodlatte
Bob Goodlatte, former Chairman of the House Judiciary Committee, is Senior Policy Advisor for the Project for Privacy and Surveillance Accountability, and one of the authors of the CLOUD Act.
Greg Nojeim
Gregory T. Nojeim is a Senior Counsel and Director of the Security and Surveillance Project at the Center for Democracy & Technology, a Washington, D.C., nonprofit public policy organization dedicated to keeping the Internet open, innovative, and free. He specializes in protecting privacy in the dig...
