Clouds on the Horizon: Cross-Border Surveillance Under the US CLOUD Act

Data Protection Beyond Borders: Transatlantic Perspectives on Extraterritoriality and Sovereignty, chapter 8 (edited by Federico Fabbrini, Edoardo Celeste, John Quinn) (2021)

22 Pages Posted: 10 Sep 2021

See all articles by Stephen W. Smith

Stephen W. Smith

Stanford Law School Center for Internet and Society; Texas Southern University - Thurgood Marshall School of Law

Date Written: March 10, 2021

Abstract

The CLOUD Act of 2018 was hailed by proponents as a significant breakthrough in the ability of U.S. law enforcement to obtain electronic data stored abroad. Far less attention has been paid to another law enforcement-friendly aspect of this law--enabling real-time surveillance in a foreign country. This chapter takes a closer look at CLOUD Act provisions that authorize, expressly or (perhaps) implicitly, live monitoring of activities by criminal suspects and others abroad. While wiretaps and pen registers are explicitly covered, two other common and extremely intrusive surveillance techniques--cell phone tracking and remote access computer monitoring (i.e. hacking)--are not mentioned at all. What are we to infer from their omission? That these common techniques are not covered at all? Or that they are covered, but buried under ambiguous verbiage unlikely to attract attention and generate opposition? At this point it is not obvious which is more likely to be the case.

This legal uncertainty is disconcerting for many reasons. First, to the extent the CLOUD Act authorizes U.S. law enforcement to unilaterally engage in real-time surveillance on foreign soil, it may violate the international law principle of territorial sovereignty. Second, U.S. jurisprudence is currently unsettled as applied to new surveillance techniques such as smartphone tracking and computer hacking; as a result, foreign governments might well be disinclined to enter into a CLOUD Act executive agreement with the U.S. permitting such activities on their soil. Finally, the extraterritorial impact of modern electronic surveillance can be dramatic, especially in the case of remote access to foreign servers and devices. Several EU countries have already recognized the special dangers posed by government hacking--to privacy, internet security, and foreign relations--and have developed a panoply of protections to mitigate those risks. By contrast, the U.S. has failed to enact any special substantive and procedural protections against the risks posed by such intrusive surveillance.

The CLOUD Act should be amended to unambiguously exclude coverage of real-time surveillance techniques. Until that is accomplished, any foreign power negotiating a CLOUD Act executive agreement should be aware of the limits and uncertainties of U.S. law concerning these surveillance methods, and insist upon robust legal standards and procedures governing their use.

Keywords: criminal procedure, electronic surveillance, privacy, data protection, extraterritoriality, sovereignty

JEL Classification: K14, K19, K33, K42

Suggested Citation

Smith, Stephen W., Clouds on the Horizon: Cross-Border Surveillance Under the US CLOUD Act (March 10, 2021). Data Protection Beyond Borders: Transatlantic Perspectives on Extraterritoriality and Sovereignty, chapter 8 (edited by Federico Fabbrini, Edoardo Celeste, John Quinn) (2021), Available at SSRN: https://ssrn.com/abstract=3917893

Stephen W. Smith (Contact Author)

Stanford Law School Center for Internet and Society ( email )

559 Nathan Abbott Way
Stanford, CA 94305-8610
United States

Texas Southern University - Thurgood Marshall School of Law

3100 Cleburne Street
Houston, TX 77004
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
181
Abstract Views
1,010
Rank
337,411
PlumX Metrics