> Is the CLOUD Act germane to North American network operations (the mission of
> NANOG)? My understanding is that this Act was to help solve problems the FBI
> had with obtaining remote data through overseas service providers, through
> SCA warrants.
>
> SCA already compels U.S.- and Canada-based service providers, via warrant or
> subpoena, to provide requested data stored on servers. It doesn’t matter if
> the data are stored in the U.S. or in another country. I’m not seeing how
> CLOUD impacts any NANOG member, which just encompasses Canada and the US
> (Mexico has its own network operator’s group, LACNOG.)
>
> I’m open to being educated, however.

The CLOUD Act is reciprocal. It allows an agency of another country to demand
from U.S.-based holders of data that data which is relevant to a citizen of
that country, where that individual is working abroad in the U.S. - with *no*
due process - in fact with no requirement of notice to that individual. It's
the equivalent of a demand for production of documents (i.e. a subpoena) - no
warrant, no anything else.

Example (using the UK because that is the reciprocal agreement closest to being
formalized):

John Deaux is from London, and a citizen of the UK. John is working in the
U.S., at a tech company in Palo Alto, California. John has a Gmail account, and
uses Dropbox to store his photos. A law enforcement agency in the UK decides
that it wants access to the data in John’s Gmail account and Dropbox account,
and so they serve a demand for the production of John’s data on Google and
Dropbox, under the CLOUD Act. If the U.S. and the UK have an executive
agreement in place as contemplated by the CLOUD Act, Google and Dropbox must
comply.

And, it gets worse:

Let’s say that while combing through John Deaux’s Gmail data the UK authorities
find evidence that he has been laundering money, and they believe that it may
be in concert with Joe Smith, who lives in Mountain View, a short distance from
John. Joe is a U.S. citizen. The U.S. authorities do not know about Joe’s
possible illegal activity, and they have no reason to suspect it. If they did
suspect it, they would have to convince a judge to issue a warrant to search
Joe’s data (because in the U.S. you can only use the subpoena route if there is
already an open case against the person). *However*, there is nothing in the
CLOUD Act that stops the UK agency from simply passing this data on to U.S. law
enforcement voluntarily. In fact, the CLOUD Act encourages it.

Anne
---
Anne P. Mitchell, Attorney at Law
Dean of Cybersecurity & Cyberlaw, Lincoln Law School of San Jose
CEO/President, Institute for Social Internet Public Policy
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Board of Directors, Denver Internet Exchange
Board of Directors, Asilomar Microcomputer Workshop
Legal Counsel: The CyberGreen Institute
Former Counsel: Mail Abuse Prevention System (MAPS)
Member: California Bar Association