Cyberattacks present a new challenge to the concept of jurisdiction. Attackers can commit devastating crimes in countries that they will never visit in person. Targeting systems outside of one’s home country is advantageous: it makes reprisal from the owners of those systems difficult for jurisdictional reasons. Extraditing criminals is not easy; investigating criminals who reside outside of one’s jurisdiction is even less so.
The US has attempted to tackle this problem with a piece of legislation known as the CLOUD (“Clarifying Lawful Overseas Use of Data”) Act. Passed in 2018, this Act was inspired by Microsoft’s refusal in 2016 to obey a warrant from US law enforcement authorities to share a subscriber’s email messages that were stored in Ireland [1]. The CLOUD Act makes US access to data within another country with which the US has signed a COUD Act agreement more streamlined and efficient. The converse is also true: countries with which the US has signed a CLOUD agreement have the same access to US data. The Act also enables law enforcement authorities to conduct real-time surveillance on individuals in another country if a suitable warrant has been provided. So far, the US has entered into agreements with Australia and the UK. It is now beginning negotiations with Canada.
The primary function of the Act is to facilitate the work of law enforcement agencies. Warrants produced by law enforcement in one country will (generally) have legal force in the other country. However, the Act does allow challenges to warrants issued from a foreign government when the warrant violate the legally enshrined privacy rights of the country in which it is served [2]. Another safeguard in the CLOUD Act is its requirement that the US Attorney General certify to Congress that the law of any viable partner country contains “robust substantive and procedural protections for privacy and civil liberties” [3]. In other words, the US is unlikely to sign a CLOUD agreement with Russia any time soon.
While the details of Canada’s agreement have yet to be fleshed out, many experts are already concerned about the form that the agreement may take. They cite flaws and ambiguities already present in the CLOUD Act. Stephen Smith argues that the CLOUD Act is overly vague and ambiguous in its sections on surveillance of individuals in foreign countries. Thus, Canada would do well to make sure that these ambiguities are cleared up in any agreement that it signs with the US [4].
Privacy lawyers have also expressed concerns about the effects that pressure from Canadian law enforcement may have on the agreement. As David Fraser argues, the RCMP’s longstanding “lawful access” agenda may have an influence on Canada’s side of the negotiations.
Negotiations have just begun. It will be some time before we have a clear idea of the shape that the agreement will take. Implementing this new agreement will no doubt require amendments to Canada’s existing privacy laws. Hopefully those amendments will not be drastic.
Sources:
[1] https://www.theregister.com/2022/03/23/us_canada_cloud_act/?td=rt-3a.
[2] https://blog.privacylawyer.ca.
[3] https://www.itworldcanada.com/post/canada-u-s-to-negotiate-treaty-to-speed-up-police-data-access-requests
[4] https://www.thestar.com/politics/2022/03/25/a-bilateral-data-sharing-deal-with-us-better-than-status-quo-says-privacy-watchdog.html.
Text of the US CLOUD Act: https://www.congress.gov/bill/115th-congress/senate-bill/2383/text
Interesting and well-informed article! While one could claim effective legislation against cyberattacks is long overdue, granting the US the ability to force service providers to disclose a user’s data regardless of where that data is stored could pose serious privacy concerns. In my opinion, it is still of vital importance that the US goes through the process of obtaining a warrant before any such information can be released.
A very good post! In regards to Canada, Canada’s history in cryptology (through the Communications Security Establishment) has been very secretive, and possibly more than the NSA. Very little is known about the CSE’s actual activities because of legislation and internal compartmentalization. In Canada’s other intelligence agencies (CSIS) and those operating similar functions (e.g., the RCMP), transparency and oversight remain an issue. CSE does not need a warrant for its operations, but ministerial authorizations (plus the Intelligence Commissioner’s approval) for more intrusive activities to be done. In Canada’s case regarding this new treaty, I can see privacy laws in Canada seeing some changes that can worry lawyers. Given the recent passing of the National Security Act in 2019 and the increasing demand for cyber security inside Ottawa, I can see this US-Canada agreement being approved.
This is an interesting issue! Privacy is important, even privacy from law enforcement, but there are also many instances where law enforcement needs access to private information to guarantee the security of the public. I hope that the ambiguities you mention get tightened up, there are a lot of big companies in the US that probably don’t have much concern for the wellbeing of Canadian citizens!
Very interesting post. I like how you cover steps being taken to mitigate hacks, rather than just talking about hacks that are occurring. When you first mentioned that CLOUD would give the US access to someone’s data in another country, I first thought “thats a major privacy breach”. After reading that CLOUD would have to follow privacy laws in that country, I thought that maybe the idea is not so bad after all. The US would be able to stop more foreign attacks on them, and this could even benefit the country where the hack was originating from. Thanks for making this post!
This is a fascinating piece of writing. Rather than merely discussing real attacks, I like how you explain steps being taken to prevent vulnerabilities. When you indicated CLOUD would enable the US access to someone’s data in another country, I immediately thought “that’s a big privacy breach.” When I found out that CLOUD would be subject to the country’s privacy laws, I realised that the concept wasn’t so bad after all. More external attempts against the US would be thwarted, which would benefit the country where the breach originated.
I find it fascinating that countries are coming together to sign an alliance pact to protect their online infrastructure. I think it will go a long way in promoting cyber cooperation and involves each other online defenses against criminals who seek to harm the system. Additionally, I hope NATO could implement a form of allied cyber defense with the help of Interpol to promote cyber security globally and potentially open up careers in this field for better protection. I think this way an interesting read overall and I hope to see future cooperation in this field.
Very captivating post! Honestly, the first thing that came to my mind after reading the first few paragraphs is the severe privacy concern this might have. Yes, I understand the authorities need to do their best to capture or extradite potential criminals but that doesn’t mean they might not misuse it. Having access to such information is certainly an infringement to one’s privacy.
I remember reading about the incident where Apple refused to give the FBI access to one of their user’s iPhone data because they believed this goes against their policy and creating such backdoors would be a step in the wrong direction and I commend their commitment toward protecting their users’ privacy. The US government is already notorious for spying on people and these kinds of laws should raise concerns. Overall, thank you Jack for shedding light on this topic.
Really interesting! We already have alliances related to military and trade so data seems to be the next logical step. I wonder whether there will be a leak or data breach in 5-10 years where it will show that Canadian data is being used by US government agencies and vice versa and it will cause another outrage. I wonder with regard to protecting members from attacks there will be a consolidated power of security power (some number of computers/machines on idle until needed), sort of like anti-missile defense systems.
This is a very good post. For CLOUD, I feel that it can reduce cyber crimes to some extent. But there is also an invasion of people’s privacy. It is difficult to guarantee that the United States will not steal the confidential information of some foreign companies for its own benefit. At the same time, we also need to consider that CLOUD’s original intention is good, but the difficulty is that it is difficult to ensure that such behavior will not help hackers, who are likely to start from countries vulnerable to cyber attacks and then obtain the private information of citizens of all countries.
Very interesting post! I believe legislation put in place in order to combat cyberattacks and cyberterrorism is absolutely needed, and I am glad there are safeguards in place to uphold the privacy rights of the country in which a warrant may be served. However, I find the ambiguities regarding surveillance of individuals in foreign countries worrying. Hopefully, these issues are cleared up in a way that protects not only Canadian citizens, but the citizens of other countries who might join this agreement. While security is important, it should not come at the expense of privacy and individual rights.
Interesting post! In the past, there has been at least one incident where a Canadian law enforcement agency shared information with an American law enforcement agency, which led to an unlawful arrest, detention, and extradition of a Canadian citizen (Maher Arar). In your opinion, does this open up signatories to the same types of issues? Also, in your opinion and from an administrative standpoint, who would be responsible for review of how a given agency uses data? If a Canadian citizen is unjustly affected by an American agency who are using Canadian data, then to whom does that citizen have recourse? I’d imagine all this would have to be determined through negotiations, but perhaps you have some additional insight on how it might all work.
Good Post! Something that stuck out to me was that warrants produced by law enforcement in one country will (generally) have legal force in the other country within countries that have signed this CLOUD act. For decades, criminals have been committing crimes in one country and then fleeing to another, in the hopes that the new country won’t extradite them for their crimes. But with this act in place, law enforcement agencies will have a stronger and broader jurisdiction to pursue criminals in other countries that have signed the act. I feel that this would be a good but also rather scary development, on one hand, there will be fewer places to run and hide when one commits a crime, facilitating less incentive to break the law. On the other hand, broadening the power of law enforcement agencies comes with numerous issues regarding differing laws between countries and jurisdictional red tape.
Interesting and informative post! In my opinion, signing this agreement could have positives as well as negatives. It could have more of a positive impact than a negative one, if used for its true purpose. Some would also say that this pact is simply a ‘privacy breach’. I hope that all the ambiguity is cleared up, during the negotiations, in a way that it benefit ones right to privacy.
It’s nice to see more laws in regards to cyberattacks, but obviously as mentioned there are many privacy concerns in regards to country’s sharing their citizens info with each other. Hopefully any vague areas as mentioned are clearly addressed and at least as mentioned countries have to follow the privacy laws of the other country.
Good post ! Privacy is important , and every country should work to upgrade their security systems .
Wow!! Cool Post.
Thanks for posting, learned lots about the CLOUD Act. It was interesting to read that the CLOUD Act allows US to access data within another country that the US has signed the agreement with. Also, pretty cool that it allows law enforcement to conduct live surveillance on citizens of a different country if need be. However, I agree that that the surveillance could stir up privacy concerns for individuals.
It is interesting to see that issues with regards to information security are becoming political issues as well. The CLOUD Act is extremely important when it comes to investigating attacks that are connected with other countries and jurisdiction.
Great post! It is undeniable that the CLOUD Act has advantages, but, at the same time, the potential for its abuse is high. Furthermore, it can be argued that the CLOUD Act can be used unlawfully and without warrant in certain situations. It also maintains the potential to create a dangerous precedent for countries to demand access to data in countries outside their jurisdiction. For security purposes, CLOUD seems justified, if not, entirely needed. However, we must also consider the almost inevitable dangers it poses, if used. Yes, it is important to have access to data in other countries, especially if it directly pertinent, however, when does it change from lawful access to unlawful and unjust access to information which ideally should remain private?
A very informative read! Although the CLOUD act seems quite advantageous from a legal standpoint, I can see countries trying to abuse the system. If this system was implemented earlier in history chances are individuals such as Edward Snowden or Julian Assange could’ve been apprehended very easily. The vagueness of the act would definitely allow them to abuse the power to do so. We can only see how this act pans out, hopefully for the greater good and not for an authoritarian dystopia.
A very informative read! Although the CLOUD act seems quite advantageous from a legal standpoint, I can see countries trying to abuse the system. If this system was implemented earlier in history chances are individuals such as Edward Snowden or Julian Assange could’ve been apprehended very easily. The vagueness of the act would definitely allow them to abuse the power to do so. We can only see how this act pans out, hopefully for the greater good and not for an authoritarian dystopia.
This is an interesting post. Although the cloud act is to promote the work of law enforcement agencies, it has defects. It is very necessary for Canada to eliminate these ambiguities before signing the agreement on it. This is very important to protect the privacy of citizens. If data is exchanged between different countries, it is difficult to avoid people with ulterior motives from divulging data. Therefore, enhancing network security and implementing relevant measures to protect privacy will be crucial issues. The state should use this bill to combat cybercrime on the premise of protecting citizens’ privacy.
Canada has always been a bit secretive when it comes to crypto security but as under the CLOUD act the US would have to still abide by the Canadian laws makes it a reasonable deal, Additionally I have high hopes for this coalition as this should help out the general public too as their privacy laws still stand and they can get direct involvement from the US if the attack was US based.
It was quite easy for the intruder to jump in legislation gaps as if their attack is targeted in a different country then their own, but hopefully the new law can deal with that.
Very informative blog! CLOUD system sounds very interesting. I feel security enhancing measures is important. Overall, great post.
This is an excellent article! The CLOUD Act offers unquestionable benefits, but it also has a high risk of being abused. Furthermore, it can be argued that in certain circumstances, the CLOUD Act can be utilised improperly and without warrant. It also has the potential to set a hazardous precedent by allowing governments to demand data from countries that are not under their authority.
While the governments of the world (especially the US) would love to claim this Act as a defense against cyberattacks, the underlying issue remains that they would be able to request information from providers at any time.
Great post! I had not heard anything about the CLOUD act until reading your post, but I’m immediately concerned about its implications for Canadian privacy and security. Much like the US we too have a “lawful access” lobby, mostly backed by law enforcement agencies that are constantly seeking more access to Canadians private data. Seeing as how the ambiguous wording of the CLOUD act has left the door open for US security agencies to conduct surveillance of Canadians data, I’m certain that would be the outcome of any agreement struck by Canada with the US on this issue. We’ve already seen how the US security apparatus has spied on Canadians during the Snowden leaks, so there’s a low baseline of trust available to build future relationships on here.
Nice post! This is the first time I’ve ever heard of two countries forming an alliance or pact to counter cyber attacks (usually I only read of topics about economic/military alliances on the news). I really do believe this new form of alliance will have a positive impact on protecting ordinary citizens and infrastructure. However, I also hope they do take their time as mentioned above, it seems some things are not ironed out or specific enough.
This is a great idea in my opinion. I think that cybersecurity has had a lot of grey area in places that defiantly need updating. With new technological advances everyday its extremely important to have government legislation there to protect and enforce polices to ensure the right to privacy. Especially since the internet is such global community where so many people are using platforms from somewhere across the world its important that these rules put some restriction on attaining information of consumers in different countries.
Great post! Honestly, I’m not too sure how I should feel about this situation. On one side, the fact that the US will be able to access the data of another country will make it easier to catch international cybercriminals. On the other side, this makes it so that there are fewer safe countries to visit if I wanted to escape the US government’s sphere of influence. I can definitely see a scenario in which the CLOUD act could be abused through its vagueness to silence people who the governments consider dangerous.
I remember reading about this ACT some time ago and the striking part was a sovereign being independent of any other sovereign. This agreement implies that a decision made by an American judge could have effect on Canadian soil. Even though this would make the jurisdiction problem of combating cybercrimes less severe it does make it feel that the law of another society having a say in Canada.