The CLOUD (Clarifying Lawful Overseas Use of Data) Act, signed into law in the United States on March 23 as part of the $1.3 trillion Omnibus Spending Bill, is also causing legislative heartache.
A “needle in a legislative haystack”, the CLOUD Act never received a hearing nor was there debate about its privacy implications. Instead, the act was tacked onto a 2,232-page government spending bill that passed behind closed doors at the last minute.
This startled many human rights groups, including the American Civil Liberties Union and the Electronic Frontier Foundation. They’re worried the act could allow governments to force data to be handed over to other countries without a warrant or without regard for existing privacy laws. And they’re concerned it could erode the protections of encryption and data privacy around the world.
On paper, yes, the CLOUD Act gives governments easier access to data outside national borders. Before, countries had to agree over which country’s court system to follow in multinational disputes, which created jurisdictional confusion. The CLOUD Act simplifies things by allowing governments to form clear agreements over how to manage digital evidence for investigations. How courts gain access to cross-border data has become a pressing issue at a time when data breaches are steadily increasing. In that light, the CLOUD Act makes sense.
But the CLOUD Act should not allow for the squashing of civil liberties such as the Fourth Amendment, which guarantees protection for U.S. citizens against unreasonable search and seizure, or the rights of citizens in other countries. Civil rights that have been in place will supersede the CLOUD Act.
However, some companies like Microsoft are already feeling the effects of the CLOUD Act. On March 30, the U.S. Department of Justice dropped a lawsuit against Microsoft regarding a warrant for data stored on a server in Ireland. Microsoft fought to keep the information, but under the new act the DOJ procured a warrant anyway.
Therefore, encryption and encryption key management are still vital to organizations that transfer messages and files across borders. Unencrypted data in the cloud is at constant risk of exposure, and leaving it unsecured means it’s at the mercy of legislation like the CLOUD Act. That’s why it’s a good idea to control encryption keys yourself. A solution such as eperi Gateway allows this. With eperi Gateway, you are given sole control of the encryption keys for cloud services such as Office 365, meaning Microsoft would not have access to encrypted email on any server or in any country. It would not have access to the keys, either. And that added protection means peace of mind that even if a cloud platform had to hand over company data, it wouldn't be accessible without a key.