Smith on Cross-Border Surveillance Under the US CLOUD Act

Stephen W. Smith (Stanford Law School Center for Internet and Society) has posted “Clouds on the Horizon: Cross-Border Surveillance Under the US CLOUD Act” on SSRN. Here is the abstract:

The CLOUD Act of 2018 was hailed by proponents as a significant breakthrough in the ability of U.S. law enforcement to obtain electronic data stored abroad. Far less attention has been paid to another law enforcement-friendly aspect of this law–enabling real-time surveillance in a foreign country. This chapter takes a closer look at CLOUD Act provisions that authorize, expressly or (perhaps) implicitly, live monitoring of activities by criminal suspects and others abroad. While wiretaps and pen registers are explicitly covered, two other common and extremely intrusive surveillance techniques–cell phone tracking and remote access computer monitoring (i.e. hacking)–are not mentioned at all. What are we to infer from their omission? That these common techniques are not covered at all? Or that they are covered, but buried under ambiguous verbiage unlikely to attract attention and generate opposition? At this point it is not obvious which is more likely to be the case.

This legal uncertainty is disconcerting for many reasons. First, to the extent the CLOUD Act authorizes U.S. law enforcement to unilaterally engage in real-time surveillance on foreign soil, it may violate the international law principle of territorial sovereignty. Second, U.S. jurisprudence is currently unsettled as applied to new surveillance techniques such as smartphone tracking and computer hacking; as a result, foreign governments might well be disinclined to enter into a CLOUD Act executive agreement with the U.S. permitting such activities on their soil. Finally, the extraterritorial impact of modern electronic surveillance can be dramatic, especially in the case of remote access to foreign servers and devices. Several EU countries have already recognized the special dangers posed by government hacking–to privacy, internet security, and foreign relations–and have developed a panoply of protections to mitigate those risks. By contrast, the U.S. has failed to enact any special substantive and procedural protections against the risks posed by such intrusive surveillance.

The CLOUD Act should be amended to unambiguously exclude coverage of real-time surveillance techniques. Until that is accomplished, any foreign power negotiating a CLOUD Act executive agreement should be aware of the limits and uncertainties of U.S. law concerning these surveillance methods, and insist upon robust legal standards and procedures governing their use.