The US CLOUD Act and the UK encryption order
A shocking twist: the US government is pro-encryption now?
I promised the next post would be on Apple’s arguments regarding the fundamental rights impact of the UK encryption order if there was no more late-breaking news, and guess what… that’s right, more news. Only a few hours after I pressed ‘publish’ on yesterday’s post, the Washington Post again broke a new story that the US Director of National Intelligence Tulsi Gabbard was asking the Department of Justice (DOJ) to investigate whether the UK order to Apple violates Americans’ privacy and civil liberties. Shortly thereafter, Senator Alex Padilla and Rep Zoe Lofgren (both Democrats) asked the DOJ to investigate whether the order violates the UK-US CLOUD Act Agreement.
Well. Obviously, I have to write some more because I basically wrote an entire PhD on the US CLOUD Act. (Book forthcoming at the end of this year… maybe I should hurry up a bit on that manuscript now.) I mentioned in my first post on the Apple-UK encryption drama that I thought the US CLOUD Act opened the door to the UK order. I wrote a chapter in this book arguing that this would happen, and setting out why I think the CLOUD Act enables this.[1] So I found it a bit surprising that yesterday’s news has US lawmakers suggesting the UK order is in violation of the CLOUD Act.
While I do not think the order is a violation of the UK-US CLOUD Act Agreement per se, I do think there is a twist here that I did not see coming when I wrote on this issue previously—the UK and US appear to be out of alignment on the encryption issue! This is a very new situation.
The impetus for my book chapter, which I started drafting during the first Trump administration, was a joint statement issued by then US Attorney General Bill Barr, then UK Home Secretary Priti Patel, and then Australian Minister for Home Affairs Peter Dutton, warning about the effects of end-to-end encryption. The clear consensus among AUKUS (love that acronym) was, “we don’t like end-to-end encryption” (I’m paraphrasing). So the Trump 2.0 administration suddenly being pro-encryption?! Yeah, big change! And that changes the analysis for whether the UK may risk losing its CLOUD Act Agreement with the US.
The US CLOUD Act
But first, what is the CLOUD Act? Well, we actually need to back up a bit further to ask, ‘how would the UK police obtain a suspect’s data from a US tech company before the CLOUD Act’?
Before the US-UK CLOUD Act agreement, it was a massive headache for UK authorities to get hold of a target’s data held by a US tech company. (And this is still the case in most other countries, except Australia, which also has a CLOUD Act Agreement.) Let’s say the London Metropolitan Police were investigating a murder case in London, involving a victim in London, and determined that the suspect (you guessed it, also in London) planned the crime with an accomplice (sure, also in London) through his Gmail account. Unfortunately for the Met Police, they would need to get data (aka the emails) from Google, an American company.
Google is obviously subject to the laws of the USA, including the Stored Communications Act. According to this law, Google can only disclose the content of stored communications (aka the emails) to the Met Police through a US court-issued warrant based on probable cause. To get this US warrant, the Met Police need to use a mutual legal assistance treaty with the US, which involves sending a request to the DOJ’s Office of International Affairs, which checks it for legal compliance before sending it on to the US Attorney in the district where Google is located, who then takes the request to a US Magistrate Court for approval. Then the US Attorney serves the warrant on Google, which sends the emails back to the DOJ, which then has to check them to make sure they aren’t about Americans (among other things), and finally sends the emails to the UK central authority, which forwards them on to the Met Police. Needless to say, this takes a while—often up to a year.
The UK didn’t love this situation and lobbied the Obama administration for an easier way to get data held by American tech companies for criminal investigations. You can imagine that American tech companies hold a LOT of potentially relevant digital evidence for criminal investigations in other countries. Most of the time, these investigations have nothing to do with any American interests (as in our London murder example). The Obama administration agreed that they could help, and the CLOUD Act was born.[2]
Without getting too into the weeds here on the CLOUD Act (because I could write a whole book on it… ha), the legislation set up a framework to support bilateral agreements with partner countries, which would allow those countries (aka the UK) to send orders for content data directly to US companies without the middlemen (DOJ/US courts). Given the risks associated with this, the agreements are only available to partner countries with human rights safeguards comparable to those in US law. The DOJ is required to report on the presence of these safeguards to Congress to certify the agreement.
CLOUD Act Agreements and Encryption
Now, you may be wondering… what about encryption? The CLOUD Act seems to just be about streamlining warrants for the content of communications data. You would be right to wonder. Out of nowhere (literally, there is not any legislative history that I can find on this), a sentence was added to the CLOUD Act right before its passage:
“the terms of the agreement shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data”. (18 USC § 2523(b)(3))
This became known as the decryption neutrality provision. The US DOJ White Paper expressly called the CLOUD Act ‘neutral’ on encryption.
So does a UK technical capability notice to Apple to build a backdoor into an encrypted system violate this provision? Well, no, for two reasons: (1) because of the neutrality provision, and (2) because the notice does not claim to derive any legal force from the UK-US CLOUD Act Agreement. By the way, Sen Padilla and Rep Lofgren, in their letter to the DOJ, call this reasoning ‘split[ting] the finest of hairs’. (A bit overstated, no?) But lawyers are all about hair-splitting—drawing lines is what the law is all about. So, let’s draw some lines…
The whole point of this ‘neutrality’ provision in the US CLOUD Act was to avoid taking a position on encryption (though I suppose it is worth noting that the law could have just remained silent on the issue). Remember, back in the day, the FBI and DOJ also wanted a backdoor into end-to-end encryption. At the time, this was well known. Also, the UK law providing for technical capability notices that could be served on US companies was already in existence when the CLOUD Act was being negotiated.
With this context in mind, critics of the CLOUD Act claimed it would pave the way for the UK to do exactly what it is doing now! By entering a last-minute ‘neutrality’ clause on encryption, Congress could attempt to silence those critics by saying ‘the CLOUD Act isn’t about encryption at all!’ Congress and the DOJ could argue that the neutrality clause preserved the status quo regarding encryption.
However, as I argue in my book chapter, because of the nature of UK law, rather than the wording of the CLOUD Act, that was never going to be the case. Remember, the UK authorities cannot issue a technical capability notice (TCN) unless it is to be used for an accompanying authorisation under the Investigatory Powers Act, usually the targeted interception warrant. But the UK’s targeted interception warrants were blocked by the Stored Communications Act, essentially mooting the availability of the TCN. So when the CLOUD Act un-blocked the UK’s targeted interception warrants under the Investigatory Powers Act, TCNs became available to UK authorities.
So why do I think this doesn’t violate the CLOUD Act? Well because—as I note above—‘the CLOUD Act isn’t about encryption at all!’
The first part of the decryption neutrality provision states that a CLOUD Act agreement cannot be used to create an obligation on a US company to decrypt data. Well, it isn’t being used for that here. It is UK law which creates the obligation on Apple to create a backdoor into an encrypted system. US law has nothing to say about this, and neither does the UK-US Agreement itself. And that is important!
The CLOUD Act could have explicitly blocked orders requiring decryption in the same way that the Stored Communications Act blocks foreign law enforcement demands for the contents of communications. But Congress didn’t do that. And I think it is precisely because at the time that the CLOUD Act was passed, the UK and US were aligned on end-to-end encryption. As the Washington Post notes, the FBI wants the very capabilities that the UK is trying to secure with the order to Apple. The 2019 DOJ White Paper made it clear that the CLOUD Act did not ‘prevent countries from addressing decryption requirements in their own domestic laws’, and the DOJ knew at this time that the first CLOUD Act agreement would be with the UK, which already had broad powers to compel decryption implemented in its domestic law.
The Twist
I must admit that I never saw this coming: Trump 2.0 seems to be in favor of end-to-end encryption? Or at least DNI Gabbard is. This brings up a potential inter-administration conflict, which I assume may also be present in the UK—the law enforcement versus intelligence community position. I lack the space, and frankly expertise, to expand on this, but it is worth mentioning as a potential complicating factor. But for now, let’s assume that the US government will back Apple here.
I could see in this new dynamic how the UK-US CLOUD Act Agreement might be imperiled. I maintain that the order to Apple does not violate the CLOUD Act Agreement for the reasons I outline above. I also do not think it violates the spirit of the CLOUD Act, as was implied by Sen Padilla and Rep Lofgren. But it could undermine the basis of the US-UK CLOUD Act Agreement, which requires the Attorney General to certify to Congress that ‘the domestic law of the foreign government … affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.’ (18 USC 2523(b)(1)).
If the current US government were to see a commitment to encryption as a requirement of these robust protections for privacy and civil liberties, as the European Court of Human Rights now seems to suggest it is, then this could threaten the basis for the CLOUD Act Agreement.
Further, the DOJ must certify that the UK has ‘sufficient mechanisms to provide accountability and appropriate transparency regarding the collection and use of electronic data by the foreign government’. 18 USC 2523(b)(1)(B). It is concerning that UK technical capability notices are secret, which usually means that the public is unaware that a service provider has built a backdoor into encrypted services. Is this appropriately transparent with regards to the collection of data?
While a bit more attenuated, the CLOUD Act also requires the UK to demonstrate ‘a commitment to promote and protect the global free flow of information’. It could be argued that encryption protects the global free flow of information by providing necessary cybersecurity measures.
If the US government wants to block TCNs to American companies, it may find that these requirements are undermined and suspend the UK-US Agreement going forward. But this determination would be made by the DOJ (in the law enforcement community). So, such a determination may depend heavily on whether the DOJ and law enforcement community agree with the intelligence community’s concerns.
I highly doubt we will see any kind of amendment to the CLOUD Act to block decryption orders, but that is primarily due to the seeming inability of Congress to function at the moment. And likely, that would be a tough sell politically. The Trump administration can still try diplomatic pressures to block the order, which may be the most likely of its potential responses.
What’s next?
I don’t know, but I hope the news takes a short break so I can get some other work done! These developments do have me reassessing whether we are in scenario 2 after all, as I discussed yesterday, and Apple is going to let the US government put pressure on the Home Office to withdraw the order, rather than spend time and money fighting it in court. Let’s see… I’m sure some fresh news will drop as soon as I hit publish!
[1] If you want a longer treatment of this issue, and do not have library access to the book, send me an email.
[2] There had been previous attempts to legislate on this, but the US government ended up with skin in the game after the Microsoft Ireland case, and the CLOUD Act was finally passed because it benefited both the US and its allies.