27 tweets, 8 min read
It's really early on a Sunday, so while I sip my coffee I'm also going to try to clear up a lot of confusion about the CLOUD Act created by poor reporting by The Times (of London) and Bloomberg.

Here is the original, incorrect story:
Warning: I Am Not A Lawyer, but I have spent an unreasonable amount of my finite lifespan working or arguing with lawyers about technology. As a result, I am now a Human Markov Chain Trained on the Output of Lawyers, which means I can generate realistic sounding gibberish.
If you want a more legally sound opinion, please talk to @granick, the world's greatest expert in this area in a civil liberties context, @agidari, who was the go-to lawyer for tech companies on ECPA/SCA and is now teaching, or @ZwillGen, a key firm used by big tech.
Some history: the most important law governing the relationship between US tech platforms and governments is the Electronic Communications Privacy Act (ECPA), specifically a section of it called the Stored Communications Act (SCA). These amended the 1968 wiretap statutes in 1986.
When Ronald Reagan signed this bill, the landscape of electronic communications was very different. As a result, ECPA/SCA have all kinds of funny issues when applied in 2019, such as not covering location data and the existence of a bizarre 180 day timer aimed at voicemail.
For the purposes of this thread, two big issues are:
1) Enforcement of laws online is often a shared responsibility between governments and companies.

2) US companies now transmit and store communications content for the entire planet using global infrastructure.
On 1: A significant number of prosecutions for online behaviors that cause offline harm are initiated by investigatory teams inside companies like GOOG, FB and MSFT. I had child safety, fraud, counter-terrorism, disinformation and nation-state intel teams in my org at FB.
According to SCA, companies can't turn over stored "electronic communications" except in ways outlined by 18 U.S.C. § 2703. The most important option here is a court order complying with 2703(d), which has to be signed by a judge.

The law:
Sidenote: Congress did not write themselves into 2703, and they cannot issue orders to get stored communications directly from service providers. In 2017 this led to a conflict where FB could turn over more Russian disinfo data to the special counsel than to SSCI/HPSCI.
The SCA system works pretty well for US law enforcement. If LE has individualized suspicion that somebody has committed a crime, they can get a 2703(d) order from a judge. Tech can also spot a crime and tell LE, who then get a judge's order using an affidavit from the company.
All the large tech platforms have teams to intake and process these requests. If requests are too broad, they push back or perhaps go to court.

Here are FB's policies on this:

Here is an example of FB beating the government back:
Sidenote 2: You will notice that at the same time FB was struggling over Russian data it was also fighting DOJ attempts to dragnet anti-Trump protesters. The laws that protect good guys also protect bad guys, and we have to be careful with precedents set in exigent circumstances.
This system does NOT work well for law enforcement in other countries. Over the past 20 years, evidence of crimes that would have transited or been stored by communication systems operated domestically in, let's say the UK, have moved to US servers.
ECPA/SCA do not* allow US tech companies to turn over the contents of communications, even to human rights respecting democracies with independent court systems.

*This is actually super complicated and there are exceptions I am not qualified to explore. Again, help me @agidari.
This means that most investigators outside the US can get "basic subscriber information", such as IP addresses and some metadata, but they need to ask the FBI to ask a judge for a court order to get the actual content (called an MLAT). This does not make other countries happy.
At the same time, the dominance of US tech companies has created the possibility of US courts grabbing user data stored on overseas systems operated by Americans.

Microsoft fought a famous example of such an attempt:
The application of a law meant to regulate phone companies domestically was clearly showing its age, so a group of legislators and tech lawyers put together the CLOUD Act.
ECPA/SCA is a really important tool for pushing back on authoritarian countries. The companies like to say things like "we follow local law", but in reality they resist orders every day by saying "sorry, SCA won't let us do that". So we can't just create a blanket exception.
The CLOUD Act deals with this by creating a process for overseas courts to issue orders for content only pursuant to a 1:1 agreement between that country and the US. So the US DOJ gets to be a gatekeeper. UK/FR/DE/JP likely get in. CN/RU/VN do not. India will be a big test.
There are a bunch of human rights protections in the CLOUD Act and there can be more in each agreement. If tech companies don't like an order, they can always ask a US judge to make the hard call.

Here is a good summary:
Which brings us to today, on the precipice of the first CLOUD Act agreement being signed by the US and UK. This agreement would allow UK courts to issue requests equivalent to US courts, but it DOES NOT grant them access to anything a US court can't get already.
SCA does not give a court the power to defeat E2E encryption, so orders for wiretaps of products like WhatsApp can get some data, like IP addresses, phone numbers, contact lists and avatar photos. It cannot get encrypted messages and attachments.

The CLOUD Act does not change this status quo, it just extends it to select other countries. Figuring out how democracies around the world will regulate multinational tech cos is hard, and this isn't a bad model to start with as it explicitly contains human rights protections.
Sidenote 3: One of the most important amendments to ECPA/SCA has been the FISA Amendments Act that established the FAA 702 program (aka PRISM). There is a lot to not like with that law, but it also does not defeat E2E nor does it give "direct access".
Lawyers look at every 702 request and can fight it. Unfortunately, those fights are then classified and @granick makes a good argument that classified legal battles over fundamental rights are incompatible with democracy.

Here is a declassified example:
So anyway, the CLOUD Act is controversial in some ways but absolutely does not do what The Times and Bloomberg assumed. The fight over encryption continues, but the US/UK agreement hopefully reduces some of the pressure by giving UK LE the same options as US LE.
My colleague @Riana_Crypto will be covering ECPA in a lecture given to our shared cybersecurity class in October, so I'll make sure to post the video where she corrects every mistake I made above.
Thread by Alex Stamos