AWS Security Blog
AWS and the CLOUD Act
While news of Brexit dominates headlines in the United Kingdom, another important event took place recently in London. U.S. Deputy Assistant Attorney General Richard W. Downing addressed the myths and realities of the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”), in a speech at the Academy of European Law Conference. Following the speech, the U.S. Department of Justice (DOJ) published a whitepaper and FAQ clarifying the purpose and scope of the CLOUD Act and addressing many of the misunderstandings of this law. I strongly encourage people to read the speech, the DOJ’s whitepaper, and the FAQ to understand what the CLOUD Act actually does and does not do. Simply put, the CLOUD Act provides minor updates to a decades-old law that is strictly limited to helping law enforcement agencies fight and deter international criminal and terrorist activity. It does not, as some have suggested, give U.S. law enforcement agencies free access to data stored in the cloud.
We see the DOJ’s speech and guidance as a step in the right direction, but more needs to be done by governments around the world to educate cloud computing customers about important issues regarding access to data. This is why I want to take some time today to highlight a few of the key misunderstandings about the CLOUD Act in order to help customers understand that this law should not change how they use cloud services.
Law enforcement access to data over the last 30 years
In 1986, Congress enacted the Stored Communications Act (“SCA”), which addressed law enforcement access to electronic communications. Although the SCA was considered forward-looking at the time, courts have struggled over the years to apply it to technologies like internet applications and cloud computing that did not exist when the SCA was passed. One area of debate related to whether U.S. law enforcement agencies could obtain data located outside the United States. The CLOUD Act resolved this debate. It made clear that providers subject to U.S. law, such as an entity doing business in the United States (including foreign-based entities with U.S. subsidiaries) can be served with a warrant and court order under the SCA to provide data under their control, regardless of where it is stored.
To be clear, despite suggestions to the contrary, the CLOUD Act does not introduce a new concept. Governments across the globe have long had the ability to obtain evidence of crimes located outside of their jurisdiction. As the DOJ noted in its whitepaper, most countries require disclosure of data wherever it is stored, consistent with the Budapest Convention, which was the first international treaty aimed at improving cooperation and investigations in cyber and computer crimes. Indeed, French courts have long allowed police to obtain data outside of France so long as it is accessible from a computer in France. Most recently, in February 2019, the United Kingdom passed the Crime (Overseas Production Orders) Act, which allows U.K. law enforcement agencies to obtain stored electronic data from a company or person based outside of the United Kingdom.
This practice is consistent with a centuries old principle of international cooperation. Countries use a number of tools, ranging from domestic laws to international treaties, to seek potential evidence located beyond their borders and establish a tradition of cross-border cooperation. This serves as the foundation for what trusted and respected organizations like Europol do, and the CLOUD Act simply reflects what these other law enforcement agencies and other countries have been doing for many years.
Understanding the CLOUD Act
One of the most common misunderstandings about the CLOUD Act is that it is applicable to only U.S. companies. This is not true. The CLOUD Act applies to all electronic communication service or remote computing service providers that are subject to U.S. jurisdiction, including email providers, telecom companies, social media sites, and cloud providers, whether they are established in the United States or in another country. This means any foreign company with an office or subsidiary in the United States is subject to the CLOUD Act. As Mr. Downing said in his speech, U.S. courts have ruled that even non-U.S. websites that have been used by customers based in the United States have been subject to U.S. jurisdiction and therefore could be subject to the CLOUD Act.
Another common misunderstanding about the CLOUD Act is that it somehow provides the U.S. government with unfettered access to data held by cloud providers. This is simply false. The CLOUD Act does not grant law enforcement agencies free access to data stored in the cloud. Law enforcement can compel service providers to provide data only by meeting the rigorous legal standards for a warrant issued by a U.S. court. U.S. law sets a high bar for obtaining a warrant, requiring that an independent judge conclude that law enforcement has reasonable grounds to request the information, the information requested directly relates to a crime, and that the request is made clearly, accurately, and proportionally. This is the opposite of unfettered access.
When AWS receives a request for data located outside the United States, we have tools to challenge it and a long track record of doing so. In fact, our challenges typically begin well before we go to a court. Each request from law enforcement agencies is reviewed by a team of legal professionals. As part of that review, we assess whether the request would violate the laws of the United States or of the foreign country in which the data is located, or would violate the customer’s rights under the relevant laws. We rigorously enforce applicable legal standards to limit – or reject outright – any law enforcement request for data coming from any country, including the United States. We actively push back on law enforcement agencies to address concerns, which frequently results in them withdrawing their request.
In the event we cannot resolve a dispute, we do not hesitate to go to court. Amazon has a history of formally challenging government requests for customer information that we believe are overbroad or otherwise inappropriate. We will continue to resist requests, including those that conflict with local law such as GDPR in the European Union, to do everything we can to protect customer data. We will also continue to notify customers before disclosing content, and we provide advanced encryption and key management services that customers can use to protect their content further. We have industry leading encryption services that give our customers a range of options to encrypt data in-transit and at rest, and to manage encryption/decryption keys – because encrypted content is rendered useless without the applicable decryption keys.
The CLOUD Act did not change cloud providers’ ability to protect their customers
AWS is vigilant about its customers’ privacy and security. We are committed to providing all customers, including governmental agencies who trust us with their most sensitive content, with the most extensive set of security services and features to help ensure complete control of their data. The CLOUD Act did not alter or weaken this commitment. On the contrary, the CLOUD Act recognizes the right of cloud providers to challenge requests that conflict with another country’s laws or national interests and requires that governments respect local rules of law. Additionally, foreign governments concerned about the risk of government data disclosure may be entitled to sovereign immunity. The United States recognizes that under the principle of sovereign immunity foreign governments have effective legal means under U.S. law to prevent disclosure of their data.
Customers around the world can continue to use AWS in compliance with local laws
At AWS, we are constantly helping our customers and partners understand their position in relation to new compliance standards and laws. It is the only way we believe organizations can ensure that they are able to protect their end users. After you have read Mr. Downing’s speech and the documents from DOJ, you should visit our webpage dedicated to the CLOUD Act, which has FAQs, whitepapers, and other resources for customers and APN partners. On that webpage, you can learn the facts about the limited impact of the CLOUD Act and understand its application to AWS.
The reality is that cloud computing is positively impacting lives around the world in all kinds of ways. With AWS technologies, our customers are creating forward-thinking technologies that shape the ways we live and learn, whether through photo sharing and video streaming, increased access to financial services and e-commerce/trade, processing geospatial data for new discoveries, creating or promoting greater opportunities for education and skills development, or helping industries evolve with accessible AI/ML services. Our customers are also leveraging the cloud for good: working to prevent human trafficking, prevent violent crime, improve citizen services in cities, and to make medical breakthroughs. What would be incredibly disappointing would be for all of this to be slowed due to fundamental misunderstandings about the CLOUD Act. The information recently provided by DOJ regarding the CLOUD Act is a helpful step toward greater understanding of the facts, but we hope this post and related resources will bring insight and clarity to this debate.
Michael Punke is the Vice President of Global Public Policy at AWS.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.