Adapted from this tweet thread.
I will start this blog post by stating that, to be perfectly clear, there is nothing in the CLOUD Act that mandates forced decryption or could be construed to allow it.
However, people who say that forced decryption of U.S. communications disclosed under the Cloud Act is impossible may be wrong. If you bear with me, I’ll explain why.
Tim Cushing, writing for the inimitable online paper of record Techdirt, reports in this article, titled “No, The New Agreement To Share Data Between US And UK Law Enforcement Does Not Require Encryption Backdoors,” that
The reporting here is borderline atrocious. The article insinuates that this agreement will force Facebook and WhatsApp to turn over decrypted communications or install a backdoor. It won’t. The platforms may be compelled to turn over encrypted messages but all UK law enforcement will get is encrypted messages. The reporting here makes it appear as though social media platforms are being compelled to provide plaintext. They aren’t.
Correct. Not in the CLOUD Act, they’re not. TechDirt concludes:
What the UK government has in the works now won’t mandate backdoors, but it appears to be a way to get its foot in the (back)door with the assistance of the US government.
If we’re only looking at the CLOUD Act and any data sharing agreement entered into pursuant to the CLOUD Act, this view is absolutely, 100% correct. The CLOUD Act indeed prohibits the inclusion of provisions regarding forced decryption in any data sharing agreement.
The issue is that America is not the only country in the world, the CLOUD Act is not the only law in the world and any US-UK data sharing agreement entered into pursuant to the CLOUD Act, currently in draft, will not be the only law in that applies to data disclosures in the UK.
The UK already has plenty of its own laws – passed in 2000, 2016, and 2018 – that will fall outside of the four corners of any data sharing agreement and which currently allow the UK to either secretly force companies to backdoor their encryption, or force individuals or companies to disclose their private keys (so-called rubber-hose cryptanalysis).
These laws are, primarily, the Regulation of Investigatory Powers Act 2000, Section 49; the Investigatory Powers Act 2016, Section 253; and Schedule 1 to the Investigatory Powers (Technical Capability) Regulations 2018.
This pre-existing legislation plus the CLOUD Act, working in tandem, could result in the US companies being compelled to provide US-based data in readable form to the UK without the UK obtaining a US warrant, even if the CLOUD Act itself is silent on decryption.
Allow me to explain.
If the US-UK data sharing agreement becomes law, UK police can ask US firms to provide the content of communications data and the US firms will be able to provide it without worrying that they’re violating 18 U.S.C 2702(a)(1).
The consequence of this will be twofold. If the current reporting is wrong (as I suspect), US companies with no UK presence will be able to more or less tell the UK to pound sand when the UK asks for the content of communications on their servers, as I expand on in considerable detail here.
US companies with a UK nexus, however (practically all major web companies and SaaS providers) will have a choice: either leave the UK or obey the UK court orders they will get served with under the CLOUD Act data agreement.
Again, these are disclosure rather than forced decryption orders.
A problem arises, however, when we consider how the CLOUD Act disclosure rules might interact with pre-existing forced decryption laws in the United Kingdom. Namely, once your telecommunications service is under the UK’s jurisdiction, the UK government has a domestic power under Section 253 of the Investigatory Powers Act 2016 to promulgate regulations that would allow the UK government to, among other things, order firms to remove “electronic protection” from communications and maintain the ability to do so.
Oh, and once they serve a company with one of these notices, the company is subject to a nondisclosure obligation, so nobody will know the notice has been given. See Section 255(8) of the Investigatory Powers Act.
And sure enough, in 2018, the UK eventually adopted a statutory instrument that gave the UK government the power to impose these conditions on telecommunications providers operating or controlling all or part of their operations from within the United Kingdom:
In all probability, what the CLOUD Act data sharing agreement will do is make it nearly impossible for global tech firms that store data in the United States to refuse UK warrants on Stored Communications Act grounds if they wish to continue doing business in the UK.
The data sharing agreement to be entered into with the UK under the CLOUD Act
- will not, in all probability, allow UK police to forcibly pry open encrypted communications in the US; and
- will not, in all probability, tell us anything about how the rumored data sharing agreement will interface, if at all, with existing UK forcible decryption laws or key disclosure laws which pre-date both the CLOUD Act and the data sharing agreement.
All that the meat of the CLOUD Act in 18 USC 2523 says on the subject of forced decryption is
the terms of the agreement shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data[.]
This doesn’t disqualify the UK’s existing forced decryption or key disclosure regimes or prevent the UK from enacting new ones. All it says is that forced decryption can’t be part of the terms of the data sharing agreement. There is nothing in the CLOUD Act that prevents the UK from serving a technical capability notice (i.e., forced decryption) on a US firm that provides encrypted data to the UK under a CLOUD Act order. I am guessing there will be nothing in the data sharing agreement either. Which means that the UK will probably remain free to serve technical capability notices on companies upon which it also serves CLOUD Act orders.
Much, of course, will depend on the final agreement. What it will say is anybody’s guess, but I am not hopeful that it will be a particularly libertarian document, and my hunch is that the US won’t be keen to draw attention to the UK’s forced decryption laws by mentioning them in the data sharing agreement.
Which is course is the point. To the extent the data sharing agreement is silent on forced decryption, that, my friends, is your back door. Even if the CLOUD Act agreement doesn’t mandate the forced decryption of data, there are plenty of existing UK statutes that do. This means that the CLOUD Act could still result in forced decryption of data obtained from (and possibly about) US citizens and US companies on US servers by UK police, in secret, without anyone in America knowing about it or having any constitutional recourse.
Forced decryption that could probably not happen – or if it did, it would happen far less frequently – if the U.S. declined to enter into this executive agreement and (ideally) repealed the CLOUD Act.
Thoughts welcome on Twitter or in the comments.