New Facebook-Backed Law Would Let Foreign Governments Get Your Data Without a Warrant
Mark Zuckerberg promises this time his company will really protect your data, after Cambridge Analytica revelations. Except Facebook just pushed legislation that does the opposite.
Facebook, plunged into crisis by the Cambridge Analytica revelations, is now scrambling to assure users – and investors – that this time, their data really, truly is secure. And on a recent post-crisis media blitz, founder Mark Zuckerberg has emphasized that the mass exfiltration of scads of profiles from unsuspecting Facebook users was a vestige of a past privacy practice, not a symptom of anything wrong with current Facebook policy.
Yet Facebook urged Congress to pass a measure, the CLOUD Act, that privacy advocates warn makes it easier for a foreign government to acquire Americans’ emails, pics, videos and other online data, and then share that with U.S. law enforcement. It also makes it easier for those foreign governments to get the online lives of their own citizens from the servers of companies like Facebook.
Congress tucked the CLOUD Act into its omnibus spending bill – the measure it passed in the wee hours of Friday morning to avert a government shutdown. President Trump, after vacillating, signed it into law today.
“Despite Facebook's promise to take Americans' personal privacy seriously, it and other big tech companies championed a bill that will let foreign governments directly demand emails and other personal information from those under protection of U.S. law, all without oversight from U.S. courts,” Senator Ron Wyden, an Oregon Democrat on the intelligence committee, told The Daily Beast on Friday.
"Congress has delivered a huge giveaway to big tech companies, at the expense of Americans' rights. Without one minute of debate, the CLOUD Act was jammed into a must-pass bill to satisfy tech giants.”
The CLOUD Act requires telecoms, internet service providers and tech firms to “preserve, backup or disclose the contents of a wire or communication and any record or other information pertaining to a customer or subscriber within such a provider’s possession, custody or control.”
Then come the parts that a consortium of tech firms are particularly eager to see enacted.
Such disclosure, the measure mandates, shall occur “regardless of whether such communication, record or other information is located within or outside the United States.” And it changes existing law to stipulate that it “shall not be unlawful under this chapter for a provider of electronic communication service to the public or a remote computing service” – that is, a cloud-based data storage business, hence the name of the act – “to intercept or disclose the contents of a wire or electronic communication in response to an order from a foreign government that is subject to an executive agreement” certified by the attorney general.
In other words, foreign governments now have a warrant-free path to huge amounts of digital data, including those stored on U.S.-based servers – something civil libertarians warn will have severe implications for both Americans and foreigners.
Privacy advocates call the new law an end run around the Fourth Amendment’s protections against unreasonable searches and seizures. Under the CLOUD Act, U.S. law enforcement can “grab data stored anywhere in the world, without following foreign data privacy rules,” assessed the Electronic Frontier Foundation. And the U.S.’ foreign partners can set up a Fourth Amendment shell game. Those foreign governments can access Americans’ online communications with foreigners, and if what they find “relates to significant harm, or the threat thereof, to the United States or United States persons,” they can pass it back to the feds. No warrant required.
And the part about “executive agreements” represents a major threat to users of services like Facebook in authoritarian countries. The Trump administration and its successors could enter into a handshake deal with foreign governments to turn over data on citizens of those governments targeted for retribution for protesting, organizing or other activity displeasing to tyrants that are stored on the U.S. servers of Facebook, Google or other tech giants. And then, per the language of the law, the tech giants will be compelled to comply.
The measure “allows Trump, and any future president, to share Americans' private emails and other information with countries he personally likes. That means he can strike deals with Russia or Turkey with nearly zero congressional involvement and no oversight by U.S. courts,” Wyden warned in a Thursday statement ahead of the vote on the omnibus.
The tech companies favor the CLOUD Act because it would “reduce international conflicts of law,” a group of them wrote to leading senators on February 6. That’s a reference to various countries’ divergent laws and privacy protections over law enforcement and intelligence agencies’ access to domestic and foreign-stored data. While the group framed their support in terms of “enhancing and protecting individual privacy rights,” their letter conspicuously referred to permutations of that “reducing conflicts of law” phrase four times in five paragraphs.
The rights protections those tech firms lauded in their letter are, in Wyden’s Thursday assessment, “toothless provisions on human rights that Trump’s cronies can meet by merely checking a box.”
Signatories to the pro-CLOUD Act letter are Apple, Google, Verizon-owned Oath – which in turn owns Yahoo, Tumblr and AOL – and Facebook.
Zuckerberg emerged Wednesday night after days of deafening silence over the Cambridge Analytica revelations. The Observer and the New York Times had revealed that an app downloaded by 275,000 people and designed by a researcher named Aleksandr Kogan had scraped up Facebook profiles for an unsuspecting 50 million people who hadn’t read the fine print of their user agreements and privacy settings. Kogan provided the Trump-connected firm Cambridge Analytica with the data, in violation of Facebook’s then-current policies – but Facebook simply took the firm at its word that the data was deleted.
“You know we have a basic responsibility to protect people's data and if we can't do that then we don't deserve to have the opportunity to serve people,” Zuckerberg told CNN.
But there was “good news,” he told Recode. “Actually the most important changes to the platform we made in 2014, three or four years ago, to restrict apps like [Kogan’s] from being able to access a person’s ‘friends’ data in addition to theirs.”
Asked by The Daily Beast to reconcile Zuckerberg’s recent data-protection assurances with the CLOUD Act, Facebook has yet to provide an answer.