CLOUD Act Would Erode Trust in Privacy of Cloud Storage

Today, Senators Hatch, Graham, Whitehouse, and Coons introduced a bill that would significantly amend the Electronic Communications Privacy Act (ECPA). The bill would authorize federal and state judges to issue warrants compelling U.S. providers such as Microsoft and Google to disclose user content that is stored outside the U.S., no matter where the user is located. The CLOUD Act would also permit the U.S. Department of Justice to authorize foreign governments to serve direct surveillance demands, including for real-time wiretapping, on U.S. providers. The Center for Democracy & Technology supports ECPA reform, but does not believe the CLOUD Act does enough to protect the privacy of internet users.

“The Electronic Communications Privacy Act balances the interests of consumers, providers, and the government. The CLOUD Act throws that balance off-kilter by accommodating providers and the government but leaving consumers behind,” said CDT Vice President for Policy Chris Calabrese.

Unlike previous iterations of related legislation, the CLOUD Act omits the requirement of a warrant, issued on the basis of a finding of probable cause, for the disclosure of communications content to governmental entities in the U.S. CDT believes any reform to ECPA should include a warrant for content requirement, such as the one included in the the Email Privacy Act, which unanimously passed the House twice.

“ECPA reform should not move forward without the Email Privacy Act,” added CDT Senior Counsel Greg Nojeim. “The legislation also needs to ensure that cross-border data demands by the U.S. and other governments conform to strong human rights standards. Absent these improvements, the CLOUD Act will erode trust in the privacy of data stored in the cloud.”

More information about CDT’s effort to reform ECPA is available here.