New Law Could Give U.K. Unconstitutional Access to Americans’ Personal Data, Human Rights Groups Warn

This form of international data-sharing could put Americans’ privacy at risk and expose citizens to potential Fourth Amendment abuses, critics say.

British Prime Minister Theresa May meets with U.S. President Donald Trump on the sidelines of the United Nations General Assembly in New York on Sept. 26, 2018. Photo: Peter Foley, Pool/AFP/Getty Images

Nine human rights and civil liberties organizations sent a letter to the U.S. Justice Department today objecting to a potential agreement between the United States and the United Kingdom that would give British law enforcement broad access to data held by U.S. technology companies.

The possible agreement stems from the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, for which Justice Department officials have lobbied since 2016 and which President Donald Trump signed into law in March.

In addition to requiring American tech companies to provide data on U.S. citizens when served with a warrant, the CLOUD Act allows for so-called executive agreements between the president and foreign governments. These agreements, the first of which would be with the United Kingdom, would empower foreign law enforcement agencies to order U.S. tech companies to produce data about individual users without a warrant, so long as the search target is not a U.S. citizen or resident.

The Electronic Frontier Foundation, one of the organizations that signed the letter of protest, has described a possible scenario for how a U.K. police service might obtain data under the CLOUD Act: “London investigators want the private Slack messages of a Londoner they suspect of bank fraud. The London police could go directly to Slack, a U.S. company, to request and collect those messages. The London police would receive no prior judicial review for this request. The London police could avoid notifying U.S. law enforcement about this request. The London police would not need a probable cause warrant for this collection.”

But this form of international data-sharing could put Americans’ privacy at risk and expose citizens to potential Fourth Amendment abuses, critics say.

While the CLOUD Act requires that foreign police services not “intentionally target a United States person or a person located in the United States,” the law does not stop foreign police agencies from receiving communications of U.S. citizens or residents. Using the Electronic Frontier Foundation’s example of a Londoner communicating on Slack, any communications between the targeted British citizen and Americans would also be turned over to London police.

“The phrase ‘intentionally target’ creates a large loophole; people in the U.S. and U.S. persons overseas could easily get caught in the dragnet,” said Sarah St.Vincent, an investigator with Human Rights Watch, another signatory to the Justice Department letter. Although such so-called minimization procedures are ostensibly in place to prevent foreign governments from ensnaring U.S. users, St.Vincent told The Intercept that she rejects the notion that they “should be reassuring to anyone,” as “procedures are not laws,” but rather safeguards. “I don’t see any mechanism in here to ensure that those are strictly applied and inspected,” St.Vincent added.

The CLOUD Act also leaves open the possibility that a foreign police agency could obtain, without a warrant, incriminating communications from a U.S. citizen, which could then be shared with U.S. law enforcement. Data obtained in this way could not be used as evidence in a U.S. court, because its collection would violate Fourth Amendment protections. But local, state, or federal law enforcement agencies could reacquire the communications after obtaining a warrant — a controversial law enforcement practice known as “parallel construction.”

Federal law enforcement agencies, including the FBI and the Drug Enforcement Administration, already use parallel construction to launder information acquired from the warrantless wiretapping programs exposed by National Security Agency whistleblower Edward Snowden. In November 2017, The Intercept reported how the FBI used parallel construction to enter information first obtained through the government’s mass surveillance programs into evidence in terrorism trials. In these cases, prosecutors did not disclose to the courts that investigators had obtained the evidence from warrantless surveillance and then re-obtained it using legitimate warrants.

A Human Rights Watch report released in January documented how the DEA set up a unit called the Special Operations Division to receive raw intelligence from the NSA and disseminate leads to field agents. Agents on the ground were instructed to conceal the source of their information and find other ways to justify searches and broader investigations.

“The CLOUD Act would specifically allow the U.K. authorities to pass data belonging to U.S. persons back to the U.S. authorities if it ‘relates to significant harm, or the threat thereof, to the United States or United States persons’ — quite a significant loophole,” St.Vincent said. “The U.S. authorities can’t deliberately set up this end run around the Fourth Amendment themselves, but they’re free to sit back and receive whatever the U.K. sees fit to share.”

Despite the act’s worrying implications for user privacy, the American tech vanguard has embraced it. In February, Google, Apple, Facebook, Microsoft, and Oath (formerly Yahoo) wrote to four U.S. senators detailing their support for the legislation, claiming that CLOUD “reflects a growing consensus in favor of protecting Internet users,” and “would be notable progress to protect consumers’ rights and would reduce conflicts of law.” In September, Reuters reported that Apple was building an “online tool” that would allow police around the world to more easily request the company’s user data.

Only after the CLOUD Act was passed did Microsoft, one of the law’s early boosters, address questions of personal privacy and offer assurances that the framework would not be abused. In a September blog post, Microsoft president and top lawyer Brad Smith announced “six principles that have driven, and will continue to drive, our advocacy as governments reform their laws and negotiate international agreements,” including a “universal right” for users to be notified if their data is accessed, and the ability to “challenge unlawful and inappropriate demands for user data.” Even so, Smith’s post states unequivocally that Microsoft believes the “passage of the CLOUD Act created the foundation for a new generation of international agreements that allows governments to engage with each other to create lasting rules to protect privacy.” Other tech firms have simply remained silent.

American companies with enormous data holdings likely favored CLOUD as a means of avoiding the need for “data localization” laws, which would compel them to place servers inside the borders of countries where they do business. Such arrangements are both significantly more expensive and potentially less secure from physical tampering than allowing remote access via an agreement like the CLOUD Act. Facebook, still mired in the Cambridge Analytica scandal in the United Kingdom and out of favor with Parliament, has its own incentives for supporting a U.S.-U.K. data-sharing pact.

In addition to the Electronic Frontier Foundation and Human Rights Watch, the letter’s other signatories are Access Now, Demand Progress, Fight for the Future, Freedom of the Press Foundation, Government Accountability Project, Restore the Fourth, and World Privacy Forum.

The Justice Department did not respond to a request for comment about the letter and the possible agreement with the United Kingdom under the CLOUD Act.
