The federal spending bill signed by US President Donald Trump on Friday does more than fund the budget. It also makes it easier for law enforcement agencies to demand access to online information no matter what country the data is stored in.
Lawmakers added the CLOUD Act, which stands for Clarifying Lawful Overseas Use of Data Act, to the spending bill before the final House and Senate votes Thursday. It updates the rules for criminal investigators who want to see emails, documents and other communications stored on the internet. Now law enforcement won't be blocked from accessing someone's Outlook account, for example, just because Microsoft happens to store the user's email on servers in Ireland.
The law also lets the US enter into agreements to send information from US servers to criminal investigators in other countries with limited case-by-case review of requests.
The CLOUD Act offers an alternative to the current process for sharing internet user information between countries, called MLAT, or a mutual legal assistance treaty. Both law enforcement agencies and tech companies say using such a treaty to request data is cumbersome and slow. The fix has the technology sector divided, though. Tech companies, such as Microsoft, favor the change. But privacy advocates say it could help foreign governments that abuse human rights by aiding their access to online data about their citizens.
Brad Smith, Microsoft President and chief legal officer, said in a statement Wednesday the bill was "a strong statute and a good compromise," and added that "it gives tech companies like Microsoft the ability to stand up for the privacy rights of our customers around the world."
Sen. Orrin Hatch, a Republican from Utah who introduced the CLOUD Act, said in February that the bill balances user privacy with the need for an updated framework for giving law enforcement the information it needs.
"The CLOUD Act bridges the divide that sometimes exists between law enforcement and the tech sector by giving law enforcement the tools it needs to access data throughout the world while at the same time creating a commonsense framework to encourage international cooperation to resolve conflicts of law," Hatch said.
But privacy advocates at groups like the ACLU and the Electronic Frontier Foundation criticized the change, saying it lets law enforcement bypass constitutional protections against unreasonable searches. It also could lead the US to send user data to police in countries known for abusing the human rights of their citizens, they argue.
The result, advocates say, is that tech companies will have to decide whether to comply with legal demands for their users' information.
The law "threatens human rights, jeopardizes the Fourth Amendment interests of individuals inside the US, and provides an alarming level of discretion to the executive branch at the expense of congressional authority," representatives of the ACLU wrote in a letter to lawmakers Thursday.
Sen. Ron Wyden, a privacy-oriented Democrat from Oregon, said in a letter last week that while the MLAT process needs to be updated, the CLOUD Act has a big problem in the way it lets the executive branch hash out individual agreements with foreign companies on data sharing. That "places far too much power in the President's hands and denies Congress its critical oversight role," Wyden wrote.
Neema Singh Guliani, legislative counsel at the ACLU, said the bill doesn't account for the fact that a foreign country's government might have a good human rights record one day, but start eroding those rights after coming to a data sharing agreement with the US. "Human rights are not static," she said.
Tech companies can refuse to hand over the data through these agreements, instead asking foreign law enforcement agencies to use the MLAT process, Singh Guliani said. But this puts tech companies in the position of needing to know when a country may be asking for data as part of crackdowns on dissidents or journalists, rather than for legitimate law enforcement purposes. That's a lot to ask of the companies, she said.
"The public is going to be largely reliant on those companies," Singh Guliani said.
The change in law comes as the US Supreme Court is considering whether US tech companies must hand over user data to law enforcement when it's stored on foreign servers. The case, US v. Microsoft, concerns data that was stored in Ireland, which the company said it couldn't turn over to investigators because it fell outside their jurisdiction. The court heard arguments in the case in February.
First published 12:45 p.m. PT.
Update, Mar. 23 at 1:44 p.m. and 3:29 p.m.: Adds commentary from the ACLU; adds statement from Microsoft CEO. Correction, 4:08 p.m.: Fixes Smith's title to reflect that he is President and Chief Legal Officer of Microsoft.