In March of 2018 U.S. Congress passed the CLOUD Act, which addressed a growing issue for domestic and international law enforcement, Internet service operators (such as Microsoft) and national governments. The legislation acronym stands for Clarifying Overseas Use of Data Act and the words in the title of the legislation were well chosen. Many haven’t heard of the CLOUD Act, what the issues were that drove the legislation, nor what the Act provides or how it is to be implemented. In this blog entry, I will address these and other topics. So, let’s start at the beginning.
Factors Leading Up to the CLOUD Act
A discussion of encryption’s impact on lawful intelligence and the need for the CLOUD Act must start with BlackBerry. In 2005, BlackBerry Messenger was launched. It was devised as a way for business users to securely access their corporate email while on the go. BlackBerry became hugely popular with users, but more importantly, it was accepted by corporate IT teams because of its strong end-to-end encryption. The Messenger application became the communication method of choice for millions of users worldwide. However, because Messenger rode on top of the cellular service, and all the traffic was encrypted, law enforcement wasn’t able to access the messages.
Let’s also take a look at Skype, which launched in 2003, and experienced explosive growth in the years that followed. Skype was free and offered high quality voice and text messaging from anywhere. Soon, Skype included high-def video and the ability to dial phone lines. However, as with BlackBerry, the encryption scheme left law enforcement unable to access communications.
Social networking had exploded during this period as well. At around the turn of the century, Friendster and MySpace launched and were very popular. Facebook launched in 2004 and its steady growth made it the de facto social networking service around the world. Pew Research (https://www.pewresearch.org/internet/fact-sheet/social-media/) reports that in 2005, 5% of US adults had at least one social network account. By 2014, that number would be 62%. Today it is estimated at over 75%.
In 2007, the year when Apple launched the iPhone, Americans sent and received more text messages than made phone calls. Consumers were open to changing the way they communicated. Entirely new services were created based on mobile apps. However, much of the world’s Internet traffic was still unencrypted.
That all ended in 2013 when Edward Snowden leaked top secret programs by the Intelligence Community. While some Internet services used by consumers offered an option to encrypt before this, after Snowden, everything was encryption-by-default. Soon a slew of new communications platforms, such as Signal, Telegraph, Viber and WhatsApp, were launched. They all offered high-grade encryption (some were end-to-end). In 2014 Google and Apple announced they would both encrypt the contents of phones using Android OS and iOS.
The latter half of the last decade moved more communications from traditional, telecom operator voice and text to over-the-top (OTT) applications.
To some law enforcement and intelligence communities, BlackBerry Messenger and Skype served as a warning sign of what was to come. Telecom operators within a country are often subject to regulations which ensure they assist law enforcement with the services that they provide. An example:
Alice calls Bob using a mobile operator’s VoLTE service. If Alice is a suspect and part of a court order, the call is intercepted and provided to law enforcement.
If Alice uses an OTT app (not supplied by the telecom operator) to make that same call, the telecom operator does not know it is a voice call. Therefore, it is delivered with the other mobile data (emails, etc.). The law enforcement analyst needs to look through the packets to find that call.
Prior to 2013, this was laborious, but possible. After 2013, that OTT app almost certainly used encryption. This made the signaling information (what account called what account) and the content (the actual voice) inaccessible. This paradigm shift is referred to by many as “going dark”.
What is a law enforcement agency to do about going dark? One tactic is to force application makers to allow a back door. There are many articles, editorials and opinion pieces that reflect on the pro’s and con’s of this solution, so I am not discussing this tactic in this blog. The other tactic is to request the OTT application maker to provide the information requested using a court order. The OTT application is bound by the laws and regulations of the country in which it is headquartered. If the law enforcement agency happens to be in the same country as the OTT application maker, chances are there is legislation to compel the OTT app maker to assist (for example, the Stored Communications Act in the United States). However, if the agency and the OTT are in different countries, then international treaties come into play.
Countries have laws and regulations protecting the privacy and security of its citizens. These regulations provide the legal framework (applicable crimes, court approval and oversight) for how law enforcement within that country can request access to private information such as, business records, search premises or listen to communications of citizens or residents. They define how a subpoena or wiretap order can be served by a law enforcement agency on an OTT application, when both the agency and the OTT headquarters reside in the same country.
When the OTT headquarters and the law enforcement agency are not in the same country, an agreement between the countries must be in place to request and share information. Three vehicles for this exist: Mutual Legal Assistance Treaty (MLAT), voluntary cooperation requests and non-voluntary cooperation requests.
The MLAT has been the most common vehicle used and is a bilateral agreement between two countries. The U.S. has approximately 65 MLAT agreements in place with individual countries and one with the European Union. A MLAT defines which agencies coordinate the requests and responses. In the U.S., the coordinating agency is the Department of Justice’s Office of International Affairs. Voluntary and non-voluntary cooperation requests are just how they sound. They are requests to cooperate.
The challenge for the MLAT framework is the time involved. It is an excruciatingly long process to receive the requested information. And, since most of the Internet services from which investigators want information are located in the United States, the U.S. is overwhelmed with MLAT requests. Often the time it takes to, 1) get the request reviewed and approved by the host country’s coordinating agency; 2) for an OTT app provider to respond to the coordinating agency; 3) the time for the coordinating agency to review the information to ensure privacy is protected; and then, 4) the time to send this back to the requesting agency is far longer than the time period which most investigations are active. Furthermore, making a request does not necessarily mean the request will be granted. Some requests are rejected outright. The MLAT process is painful, to put it kindly.
Modern-Day Cloud Architecture
The nature of modern cloud architectures used by many OTT applications, distribute data. Software is broken into chunks of functionality that can be scaled out, on demand. Additionally, that data and those chunks can be distributed across any data center around the world. This is very efficient and cost effective for the cloud and Internet service companies, but it’s a legal nightmare for law enforcement.
This new architecture introduces an interesting paradigm. If User-A in Country-1 sends an email to User-B in Country-2 by using an email service offered by a company headquartered in Country-3 who stores the email in a data center in Country-4, which laws apply or take precedence? This came up in a case that became the precedent to the CLOUD Act – Microsoft Corp. v. United States (or “the Microsoft Ireland Case”)
Microsoft Corp. v. United States
A U.S. law enforcement agency was investigating drug-trafficking in 2013. That agency submitted a warrant under the Stored Communications Act (SCA) for emails and information associated with an account of a Microsoft user. The warrant was approved by a United States magistrate judge in the United States District Court for the Southern District of New York.
Microsoft discovered that the “account information” was on servers in the United States, but the “email content” was stored in a data center located in Ireland. Microsoft responded to the warrant with the “account information” but refused to hand over the “email content”. Microsoft’s argument was the emails resided in Ireland and a U.S. Judge did not have the authority to require them to be provided. Microsoft asked for the portion of the warrant covering the “email content” to be vacated. The judge reviewing the request ruled that an SCA warrant is not restricted by territory and since Microsoft still had actual control over the emails (even though outside of the U.S.), they needed to provide the “email content”. This was 2014. Microsoft appealed this ruling, but it was upheld. Microsoft appealed to the Second Circuit court in 2017.
In the appeal, many parties submitted arguments. Some were other Internet service companies, like Microsoft, that saw this as an issue for them as well. The Irish Government submitted an argument that this ruling violated the EU and Ireland’s data privacy laws and suggested they use the MLAT process instead (funny). Additionally, the EU submitted an argument. The three-judge panel reversed the lower court’s opinion. The DoJ appealed to the Supreme Court in 2018.
Enter the CLOUD Act
The Stored Communications Act (SCA) is Title II under the Electronic Communications Privacy Act (ECPA), passed in 1986. Most people look at CALEA, ECPA or SCA as introducing new abilities for authorities to spy on individuals. These legislations help privacy protections catch up to modern times. In the case of the ECPA and SCA, the Fourth Amendment protections for emerging communications technologies (like email) were unclear and ambiguous and the ECPA and SCA extended the protections to these new communications. So, the CLOUD Act was created to provide privacy protections for communications which may be entirely or even partly stored overseas. A means to catch up to the modern cloud architecture.
The old proverb, “If at first you don’t succeed, try, try again” applies here. The first attempt to fix the gaps was the LEADS (Law Enforcement Access to Data Stored abroad) Act from 2015, followed by the International Communications Privacy Act (ICPA) from 2017. Both bills failed to pass. You might be asking, what was different about 2018 that caused both houses of Congress to finally unite and pass this important legislation? The answer is that nothing really changed. It was included in the Consolidated Appropriations Act in March 2018. Simply because it was part of the legislation, it passed. Sadly, no Mr. Smith Goes to Washington moment.
However, with this passed, the United States Department of Justice dropped its appeal of Microsoft Corp v. United States to the United States Supreme Court. Additionally, Microsoft and other cloud application companies agreed that the legislation provided legal guidance and protections. So, what does it do?
What the CLOUD Act Does
The CLOUD Act does a lot and I will discuss a few of the highlights.
First, the CLOUD Act provides legal protections for Internet companies when they comply with a SCA warrant. It also sets the expectation that SCA warrants issued by U.S. law enforcement will include data located/stored in other countries (there are some exceptions). It also limits the requests to specific individuals, addresses or accounts.
Second, it streamlines the process for foreign governments to make requests and receive assistance from U.S. service providers. It accomplishes this by creating a new bilateral agreement which foreign governments may enter with the United States. These new bilateral agreements allow foreign law enforcement agencies to make requests directly to U.S.-based Internet companies (vs. using the MLAT process) with the oversight and privacy protections discussed later.
Third, it provides a formal process through which an Internet company can challenge a request by a U.S. or foreign law enforcement agency. It requires the order be for serious, specific crimes; specify the identity, which could include an account, an address or a specific device; comply with the domestic law of the foreign government; be based on facts; be subject to review or oversight by a court or independent authority before being enforced; and that it not be used to infringe on the freedom of speech. The formal process provides the means and justification to object a request and have it reviewed by a court, to make the final determination.
Fourth, the CLOUD Act also sets requirements for privacy and civil liberties, that must be met for a bilateral agreement (Executive Agreement) to be entered. For the U.S. to enter into a CLOUD Act bilateral agreement with a foreign government, the Act requires the U.S. Attorney General and the U.S. Secretary of State to certify the “robust substantive and procedural protections for privacy and civil liberties” for that government. Additionally, it assures the foreign government has adopted the Foreign Intelligence Surveillance Act (FISA) minimization methods regarding “the acquisition, retention, and dissemination of information concerning United States persons.” Basically, to have a bilateral agreement, the foreign government must align with U.S. processes, procedures and protections. In most cases, that requires them to pass specific legislation to change how they do things.
Fifth, it sets the process by which Congress approves a bilateral agreement. Once the Executive Agreement is presented, Congress has 180 days to examine and challenge it. If unchallenged, it goes into effect.
Where the CLOUD Act Stands
As I mentioned earlier, the CLOUD Act was passed by the U.S. Congress in March of 2018. The U.K. Government passed the Crime Overseas Production Orders Act in February of 2019, which aligns process and procedures to the requirements of the U.S. CLOUD Act. In October of the same year, the U.S. and U.K. signed the first CLOUD Executive Agreement. The agreement was supposed to be sent to Congress on December 4, 2019, but because of a clerical error, it was not sent until January 10, 2020. Based on that date, the 180-day window, and no challenges, the Executive Agreement was automatically passed on July 8, 2020.
In March of 2020, the Australian Government presented the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 legislation which aligns process and procedures to the requirements of the U.S. CLOUD Act. Discussions are seemingly underway on an Executive Agreement, but nothing has concluded.
As you can guess, the remaining five-eyes, Canada and New Zealand, are positioning behind Australia. Could Europe work on an Executive Agreement? Possibly, but they have their own legislation (such as GDPR) which would need to be aligned to the CLOUD Act.
What the CLOUD Act Means for Lawful Intelligence
Wiretaps – the CLOUD Act does allow for foreign law enforcement to request a telecommunications operator to comply with a subpoena or to conduct a wiretap. There are many limitations to this based on each country’s wiretap laws and how the U.S. controls monitoring of U.S. persons. U.S. and U.K. operators can expect more wiretap orders via the Executive Agreements. The increased volume, coupled with the increased 5G bandwidth, will result in higher throughputs. Telecommunications operators will need to assure their intercept platform is prepared for the increase.
Handover – when complying with a wiretap, the telecommunications operator will deliver the information, as they do today. In the U.S., that would be CALEA handover. In the U.K., that would be ETSI handover. This means Monitoring Centers in the United States will need to have full ETSI support as-well-as U.K. specific handover. Similarly, Monitoring Centers in the United Kingdom will need to have full CALEA support.
Stored Data – the request for assistance made by U.S. and foreign law enforcement on U.S.-based Internet services has exploded in recent years. Internet service companies can comply digitally, but there is not a standard way of delivering this stored information. Each company is different and even divisions in the same company are different. SS8 has been working with many of these Internet service companies to support the direct ingestion of records for law enforcement.
While the new communications and social networking tools help us connect freely and stay in touch with friends and families, it also provides tools to criminals and organized crime groups for heinous activities including human trafficking and child abuse. The CLOUD Act is s step in the right direction for law enforcement agencies trying to do their job in protecting the citizens of their respective countries, and at the same time protecting the privacy of our citizens. However, it will require new agreements between US and other countries, which will take time. SS8 will continue to work with telecommunication service providers and other technology companies to provide the law enforcement the tools that they need to investigate and stop criminal activities while protecting the privacy of individuals.
About Kevin McTiernan
Kevin has over 20 years of extensive experience in the telecommunications and network security industries. At SS8, Kevin is the VP of Government Solutions and is responsible for leading the vision, design, and delivery of SS8’s government solutions, including the Xcipio® compliance portfolio. You can learn more about Kevin on his LinkedIn profile by clicking here.
About SS8 Networks
SS8 provides Lawful Intelligence platforms. They work closely with leading intelligence agencies, communication providers, law enforcement agencies and standards bodies and their technology incorporates the methodologies discussed in this blog. Xcipio® is proven to meet the very high demands of 5G and high volumes of intercepts. It is able to transcode (convert) between lawful intercept handover versions and standard families. Intellego® supports ETSI, 3GPP and CALEA handovers, as well as national variants. Both product portfolios are used worldwide for the capture, analysis and delivery of data for the purposes of criminal investigations.