[tzs]

People tend to think that the CLOUD Act did a lot more than it actually did. The CLOUD Act did two things.

First, it amended the Stored Communications Act (SCA) to clarify whether requests issued under the SCA were more like warrants or more like subpoenas.

Roughly, a warrant authorizes law enforcement to do something they normally would not be allowed to do, like search a place or seize something.

A subpoena authorizes law enforcement to make someone else do something, like make someone to give law enforcement a copy of a document that is under that person's control.

This didn't expand any US government powers. It just clarified what existing power applied when asking for data. In particular it had nothing to do with asserting US jurisdiction extraterritorially, which is what a lot of people seem to think it was about.

Second, it made it easier for the US to enter into agreements to share data with foreign governments. Previously this had to be done through something called a "mutual legal assistance treaty" (MLAT). The CLOUD Act authorized the executive branch to make data sharing agreements, which is much more streamlined but also has much less oversight.

There was nothing really controversial about the first part. Pretty much every major country claims similar powers to require people in their country to turn over documents to the government as part of criminal investigations.

The controversial part was the second part. Many felt that it would allow the government to easily enter into data sharing agreements to get data without needing a subpoena or warrant, thus bypassing the courts and so effectively stripping away Fourth Amendment rights.

[xg15]

Thanks a lot for the in-depth explanation. I admit, I didn't know a lot of the context, in particular the clarification between warrant and subpoena.

> This didn't expand any US government powers. It just clarified what existing power applied when asking for data. In particular it had nothing to do with asserting US jurisdiction extraterritorially, which is what a lot of people seem to think it was about.

Not a lawyer or expert in that area, but my understanding why specifically people in the EU were so upset about it (including ECJ judges apparently) was that this effectively did extend US jurisdiction - simply by virtue of US companies being active internationally, specifically tech companies.

The overwhelming part of all internet activities in the EU are facillitated through US companies (or local subsidiaries of them). This includes a large part of intra-EU activities. So if one german citizen writes another german citizen an email, chances are very high that email will be stored on a Google server - or at least on a server of a german subsidiary of Google. This makes the CLOUD act relevant to EU citizens, even though technically, the obligations of Google under it are a purely domestic affair.

So if the CLOUD act gives US agencies the power to subpoena Google to retrieve data about non-US citizens - while Google is effectively running large part of the internet for other countries - then that does feel a bit like extension of jurisdiction.

(It technically isn't, and to my knowledge the ECJ wasn't arguing that it was. The ECJ simply argued that Google's obligations under the CLOUD act are incompatible with Google's obligations under the GDPR. So something's got to give)

Going back to the beginning of the thread, I have to admit though, I have no idea if the CLOUD act would give agencies the power to force inclusion of certain root certs. So I take that back.

[tzs]

It can help to understand the jurisdiction issues to think of an analogous situation but with paper records instead of digital records. Consider this scenario.

I have a company that operates a business in the US. I keep records on paper in filing cabinets at my office.

I decide to archive some records offsite. I do this by engaging the services of a storage firm that operates a vault in an old mine in a remote area. To store records I ship them in a box to the storage firm, which slaps a barcode on the box, assigns it to an open spot in the vault, and puts the box there.

If I ever need the records I ask the storage firm for them, they look them up in their records to find where they are in the vault, retrieves the box, and ships it to me.

I later want to archive more records, and I do the same thing except this time I use a different storage company. It works the same way--they store boxes I send them, and ship those back to me upon request.

The first storage company is somewhere in the US. The second storage company is Mexico.

Suppose the US government wants to look at some of my records. If they want to get warrants to seize those records themselves by going to where they are stored (my office and/or the storage vaults) a US court would have jurisdiction to issue such warrants for the records in my office and the records in the storage vault in the US. For the records in the vault in Mexico they would have to go through whatever Mexico's procedure is to get the records seized.

They need to go through Mexico for the Mexican vault because they are trying to force someone in Mexico to do something they have no obligation to do. They want someone to go into the vault and seize the records.

If, one the other hand, the government gets a subpoena asking me for the records which in order to comply with I'll have to ask the vaults to send me the records, no one in Mexico is being asked to do anything other than provide the service to me that I hired them to do. The Mexican government does not need to be involved, and has no interest in being involved because what is happening in Mexico is just normal operation of the storage service there.

The situation with Microsoft that prompted the CLOUD Act was similar, although the records weren't archived records. Microsoft in the US operated an email service. They stored the email at various cloud providers around the world. One of those cloud providers was an EU company that was owned by Microsoft but separate from the Microsoft owned US company that provided the email service. The US Microsoft email company's relation with the EU Microsoft cloud storage company was simply that of a customer that bought their storage service.

The US Microsoft email company had the right to retrieve any data it stored at that cloud service (or at any other cloud service it used) at any time. Nobody at the cloud storage company would have to be involve or even aware when this happened. To them it is all just customers using the storage APIs to access the customer's data.

There are GDPR issues, but note those same GDPR issues would also apply if the US company was storing data about EU people in cloud storage that was entirely in the US (their own or at a separate US cloud provider whose servers were in the US).