The case that was supposed to determine whether the government can force Microsoft to turn over its users' data stored on servers in a foreign country is effectively over. Both sides have agreed that the case is moot now that the Clarifying Overseas Use of Data Act is law and the Department of Justice has procured a warrant under that law.
“What Will Microsoft And Ireland Do with the New CLOUD Act Warrant?”
Albert Gidari, Center for Internet and Society, April 9, 2018
The author raises several possible courses of action: It could try to quash the warrant somehow, or it could rely on the Irish government (possibly prompted by Microsoft) to insist that the United States work through the Mutual Legal Assistance Treaty that is supposed to ensure bilateral cooperation in such cases, or it could just roll over and give up the customer data.
My guess is that Microsoft will choose option C. It has already gotten what it wanted out of this lawsuit: a public-relations boost for its claim to protect users' data, some spiteful retaliation against the Department of Justice, and no real change in its close relations with the NSA, the FBI, and the Department of Homeland Security.
The House of Representatives has now passed, and the Senate is on the verge of passing, the Clarifiying Overseas Use of Data Act, institutionalizing and giving notional legal cover to warrantless surveillance programs, both inside the United States and in other countries, both by American national-security and law-enforcement agencies and, if the governments agree, by their counterparts in dozens of other countries. It explicitly grants such agencies access “the contents of a wire or electronic communication and any record or any other information” about a target of investigation.
Congress is working this week on a massive budget bill. The CLOUD Act was embedded in the House version of that bill so as to ensure its passage. Microsoft, Facebook, Google, and Apple are on record as supporting the it, apparently because it would save them the cost of repeatedly litigating government demands for their users' information. Under the CLOUD Act, the grounds for such litigation would be removed, and those companies could simply yield up that information as soon as the government(s) requested it.
A coalition of advocates for privacy, civil liberties, and human rights, headed by the American Civil Liberties Union, is opposing the bill, but is unlikely to be able to block it.
“S.2383 – CLOUD Act”
Library of Congress, February 6, 2018
“H.R.4943 – CLOUD Act”
Library of Congress, February 6, 2018
“Tech Companies' Letter of Support for Senate CLOUD Act”
Apple, Facebook, Google, Microsoft, and Oath, Data Law, February 6, 2018
“CLOUD Act Coalition Letter”
CLOUD Act Coalition, American Civil Liberties Union, March 12, 2018
“A New Backdoor around the Fourth Amendment: The CLOUD Act”
David Ruiz, Deeplinks, Electronic Frontier Foundation, March 13, 2018
The CLOUD Act allows the president to enter an executive agreement with a foreign nation known for human rights abuses. Using its CLOUD Act powers, police from that nation inevitably will collect Americans' communications. They can share the content of those communications with the U.S. government under the flawed “significant harm” test. The U.S. governemnt can use that content against these Americans. A judge need not approve the data collection before it is carried out. At no point need probably cause be shown. At no point need a search warrant be obtained.
This is wrong. … The backdoor proposed in the CLOUD Act violates our Fourth Amendment right to privacy by granting unconstitutional access to our private lives online.
“Congress Could Sneak a Bill Threatening Global Privacy into Law”
Rhett Jones, Gizmodo, March 15, 2018
“House Stables Extraterritorial Search Permissions onto 2,232-Page Budget Bill; Passes It”
Tim Cushing, Techdirt, March 22, 2018
It is now common practice for anyone who has a government job and claims to be enforcing the law to use whatever surveillance technology is available to collect data about anyone and everyone. A new bill in Congress would institutionalize this practice (and legitimize it, if it were constitutional, which it is not).
“The CLOUD Act: A Dangerous Expansion of Police Snooping on Cross-Border Data”
Camille Fischer, Deeplinks, Electronic Frontier Foundation, February 8, 2018
The bill creates an explicit provision for U.S. law enforcement … to access “the contents of a wire or electronic communication and any record or any other information” about a person regardless of where they live or where that information is located on the globe. In other words, U.S. police could compel a service provider — like Google, Facebook, or Snapchat — to hand over a user's content and metadata, even if it is stored in a foreign country, without following that foreign country's privacy laws.
Second, the bill would allow the President to enter into “executive agreements” with foreign governments that would allow each government to acquire user's data stored in the other country, without following each other's privacy laws.