The American CLOUD Act – Thank you so much for the free advertisement
There are those days when we arrive at the office, read the news and realize that yet another government has started a large-scale ad campaign for cloud encryption (watch out for the irony in this introduction).
After having said ‘Thank You’ to Edward Snowden and to the hackers of Jennifer Lawrence’s iCloud account, we would now like to formally say ‘Thank You’ to the U.S. government. We feel obliged to do so because the U.S. government has introduced a new law which makes encrypting data in the cloud an absolute prerequisite: the CLOUD Act.
Of course, encryption has always been indispensable in theory, but many people are lazy and careless and hope for the best. Now they have cold facts and a real reason to take action and start encrypting, a real reason never to leave data unencrypted. EVER.
What is the CLOUD Act?
So, the U.S. has finally come up with a law, specifically tailored for Boxcryptor, that forces U.S. cloud storage providers to give government authorities access to stored data upon request, wherever in the world the data is stored, even inside the EU. The fact that this law fundamentally renders the European General Data Protection Regulation (GDPR) null and void is of absolutely no concern to American lawmakers whatsoever. With full awareness, and hardly to the surprise of other countries, the legal frameworks of other countries are ignored or bluntly disregarded. The first hint of this attitude is the title itself: “Clarifying Lawful Overseas Use of Data Act” (CLOUD Act).
U.S. authorities already had the possibility to request the data of subjects in a criminal investigation, but this required a detour through a court of justice to obtain a judge’s ruling. This resulted in a large-scale, much-noticed legal dispute known as Microsoft Ireland: Microsoft refused to hand over data it had stored in Ireland to U.S. authorities. The CLOUD Act is therefore considered a reaction of the U.S. government to this legal dispute and a way to make sure that no U.S. cloud provider can ever make such a refusal again.
At this point in time, the CLOUD Act is in the U.S. Senate for reading. We do not have any information as to when the Senate is expected to pass the law, but you can stay updated on the progress of the bill in the Senate. The process by which a law is passed and becomes applicable is different in the U.S. than in most European countries. U.S. courts follow common law, which strongly influences the legislative process, unlike the legislative process within the EU, where a law has to be passed by the legislature first and is subsequently applied by the courts. The American process results in the CLOUD Act already being applied in courts today, despite not yet having passed the legislative process of the Senate.
Implications of the CLOUD Act for the cloud providers
U.S.-based companies offering cloud storage services find themselves in the peculiar situation of being forced by law to break the law: it is impossible to obey the CLOUD Act and the GDPR at the same time, because the two laws oppose each other.
Implications of the CLOUD Act for the users of a cloud service
Once more, there is reason enough to believe and fear that data stored in a cloud is being accessed by a third party for no apparent reason. What is new about this fear is that it is neither hackers nor the misfortune of an individual’s human error that we need to be afraid of (well, not more than usual), but U.S. law enforcement, courts and government agencies.
What is especially remarkable about the CLOUD Act is that cloud providers are specifically prohibited from informing their users of any government authority request to access their data.
“For all European companies, Cloud Act in combination with GDPR really forces all businesses to act to not risk the fine of 20 million EUR or 4% of the global turnover (whichever is the highest). It is now clearly illegal to use any US service to store any type of personal data (can be 3 email addresses in a file) without first client-side encrypting your data as you as a business cannot guarantee that your US service provider will not disclose any information to a third party as they are clearly obligated to do this according to law. It does not matter what your cloud or service provider promises in their terms or conditions as federal law overtrumps any business agreement. Boxcryptor therefore becomes one of the most important insurances a business can have.” (Daniel Arthursson, CEO of CloudMe)
CloudMe is a truly European cloud storage service and one of over 30 providers we at Boxcryptor support natively.
In response to this new legislation, Microsoft has released a proposal paper with ideas for an international treaty on data protection, in which the right to be informed (about an inquiry to access one’s data) is named the most important element. Read more about Microsoft’s proposal.
How to protect oneself against the effects of the CLOUD Act?
As of right now, the CLOUD Act is not a law yet, but it is already effective and applied. The common understanding is that the law will be passed exactly as it currently stands. Whether it is passed or not, there is only one protection against U.S. authorities accessing one’s data without justification: strong client-side encryption of each file.
Also important: with Boxcryptor’s filename encryption, the authorities might see the folder structure of one’s cloud storage, but the filenames will only consist of a series of random-looking characters, so unauthorized access to and analysis of the data is avoided.
Taking this one step further, one can use Boxcryptor together with a cloud storage service that stores the information within Europe and is majority-owned by European interests, thereby avoiding the CLOUD Act altogether.
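As an added illustration of the client-side file and filename encryption described above (example code, not Boxcryptor’s own implementation): each file’s content is encrypted under a fresh random nonce with an authentication tag, every path component is replaced by an opaque token while the folder structure stays visible, and only the holder of the master key can reverse either. It uses HMAC-SHA256 in counter mode from the Python standard library in place of AES, and the path and content values are constructed samples.

```python
import base64
import hashlib
import hmac
import os

# Added example, not Boxcryptor's code: a stdlib-only encrypt-then-MAC scheme
# (HMAC-SHA256 run in counter mode stands in for AES) showing what a provider
# holds once file contents and filenames are encrypted on the client.

def _subkeys(master: bytes):
    """Derive independent content, MAC and filename keys from one master key."""
    return tuple(hashlib.sha256(label + master).digest() for label in (b"enc", b"mac", b"name"))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(master: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag; each file gets a fresh random nonce by default."""
    enc_key, mac_key, _ = _subkeys(master)
    nonce = nonce or os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(master: bytes, blob: bytes) -> bytes:
    """Check the tag first, so anything altered while in the cloud is rejected."""
    enc_key, mac_key, _ = _subkeys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext or tag was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def encrypt_path(master: bytes, path: str) -> str:
    """Encrypt each path component; only the '/' structure stays visible. The nonce is
    derived from the name (SIV-style) so a folder always maps to the same token and the
    sync client can find it again; the trade-off is that equal names look equal."""
    _, _, name_key = _subkeys(master)
    tokens = []
    for part in path.split("/"):
        nonce = hmac.new(name_key, part.encode(), hashlib.sha256).digest()[:16]
        blob = encrypt(master, part.encode(), nonce)
        tokens.append(base64.urlsafe_b64encode(blob).decode().rstrip("="))
    return "/".join(tokens)

def decrypt_path(master: bytes, enc_path: str) -> str:
    """Invert encrypt_path on the client, restoring the base64 padding first."""
    return "/".join(decrypt(master, base64.urlsafe_b64decode(t + "=" * (-len(t) % 4))).decode()
                    for t in enc_path.split("/"))
```

Whatever the provider stores, and must hand over, is the output of `encrypt` and `encrypt_path`; the master key never leaves the client, so a request to the provider yields folder depth and ciphertext only.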