The United States Congress passed late last night a $1.3 trillion budget spending bill that also contained a piece of legislation that allows internal and foreign law enforcement access to user data stored online without a search warrant or probable cause.
US officials never discussed the bill, but merely appended it to the Omnibus budget spending bill (page 2201) they introduced in Congress on Wednesday night.
The budget bill was deemed a priority and officials were almost forced to approve it in its current form to avoid a complete US government shutdown starting next week.
The budget bill passed a day later, Thursday, with a 256-167 vote in the House of Representatives, and a 65-32 vote on the Senate floor, including with the embedded CLOUD Act that got zero discussion, feedback, or modifications from regulators.
The unaltered and now official CLOUD Act effectively gets rid of the need for search warrants and probable cause for grabbing a US citizen's data stored online.
US police only need to point the finger at some account, and tech companies must abide and provide all the needed details, regardless if the data is stored in the US or overseas.
Further, the bill recognizes foreign law enforcement and allows the US President to sign data-sharing agreements with other countries without congressional oversight. The CLOUD Act will then allow foreign law enforcement to require data on their own citizens stored in the US, also without obtaining a warrant or proving probable cause.
Privacy groups like the Electronic Frontier Foundation argue that in the US' hunt for criminals located in other countries, it might enter data-sharing agreements with countries known for human rights abuses and allow autocratic regimes easy access to their own citizen's data. Since there's no more need for a foreign law enforcement agency to obtain US warrants or prove probable cause, this opens the door wide open to political abuses.
But these data-sharing agreements might be a poisoned pill that could be employed for espionage and intelligence gathering as well. For example, foreign law enforcement could request data from their own citizens engaging in communications with US citizens. Tech companies will then be required to pass over that foreign citizens' entire communications, including his messages exchanged with the US person, potentially exposing details that an intelligence agency will consider valuable.
Nonetheless, giving law enforcement access to data stored overseas could have been done by preserving the need for search warrants and proving probable cause, and without backdooring the Fourth Amendment, as EFF experts bluntly put it.
The reason why the CLOUD Act was proposed in the first place was to end any future litigations like the one put forward by Microsoft five years ago when it fought a US police's request to access a US citizen's data stored on a server in Ireland.
Regulators also argued the CLOUD Act will help with fighting terrorism, albeit its most important impact will be in going after ordinary criminals, like fraudsters, hackers, scammers, and more.