Center for Strategic and International Studies (CSIS): Untapping the Full Potential of CLOUD Act Agreements, 2024 report (English edition, 12 pages), shared by a member for online reading on 三個皮匠報告.
JUNE 2024

Untapping the Full Potential of CLOUD Act Agreements

By Matt Perault and Richard Salgado

In 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a law that established a process pursuant to which U.S. tech companies are permitted to disclose user data directly to certain foreign governments in response to their requests to assist investigations into serious matters and which allows companies in other jurisdictions to do the same in response to U.S. requests.[1] The law requires that there be an executive agreement between the United States and the foreign government before doing so, and there are standards the foreign government must meet to qualify for such an agreement.

The CLOUD Act is still in its early stages of being implemented. Since the legislation was enacted into law in 2018, two agreements have been concluded: one with the United Kingdom and another with Australia. This is certainly progress, but these are relatively easy deals to strike. The really hard work lies ahead, with the European Union in the queue and others in the wings.

CLOUD Act agreements remain a vital and promising tool. Deployed with proper calibration, these government-to-government agreements have the potential to play a valuable role for many agencies worldwide in conducting legitimate investigations while protecting human rights, the rule of law, and the global free flow of information. Used effectively and implemented correctly, CLOUD Act agreements provide an important avenue for law enforcement agencies and have the potential to strengthen other international evidence-collection arrangements.

This policy brief is based in part on the authors' previous experience working on government surveillance law and policy at Google and Meta. Working with other industry representatives, academics, and members of civil society, they engaged with the U.S. and UK governments to help shape the core elements of these CLOUD Act provisions.

[1] The CLOUD Act is more widely known for also resolving a dispute about whether U.S. law enforcement could use a search warrant to obtain data stored outside of the United States from a U.S. company. That is not the focus here.

The authors offer three suggestions for better realizing the potential of the CLOUD Act. First, the U.S. government should conclude more agreements with more countries. Second, it
should adopt practices to better evaluate the success of the agreements. Third, it should implement mechanisms to better detect and address improper use of the agreements. None of these changes require any alteration of the CLOUD Act itself and can be done by the Department of Justice (DOJ) in partnership with other governments.

A History of Blocking Statutes and the CLOUD Act

THE GROWING SIGNIFICANCE OF BLOCKING STATUTES

For decades, evidence and intelligence that a country needs to enforce its laws or protect its national security has sometimes been held by companies in other jurisdictions. Over time, as the services offered by U.S. companies became massively popular around the world, this issue became much more prevalent for foreign jurisdictions than for domestic ones. U.S. law prohibits these U.S. service providers from disclosing certain types of user information unless presented with valid legal process issued by a court in the United States, with some limited exceptions, even when the information pertains to conduct and users entirely outside the country. These are laws not to be trifled with. Violations of these “blocking statutes” can constitute criminal felonies.

A blocking statute can advance important public policy goals. A democratic government has a legitimate role in regulating the behavior of companies in its jurisdiction, and Congress would not want a U.S. provider to disclose user data that violates civil liberties. For example, imagine if the Iranian government approached Microsoft with an order to wiretap the Outlook email account of a political dissident who had been organizing a political protest. The U.S. government would certainly not want a U.S. company to assist, and the blocking statute creates a legal barrier to doing so. No doubt Microsoft would not want to disclose the information either, and it could use the blocking statute to explain credibly that it is legally prohibited from doing so.

The United States is not alone in using blocking statutes to advance its values by regulating the behavior of providers in its jurisdiction. In the European Union, Article 48 of the General Data Protection Regulation serves to restrict data disclosure to non-EU member governments unless certain criteria are satisfied. France also has a blocking statute prohibiting the disclosure of information that would harm French interests. Though with far fewer dramatic consequences (given that most of the big providers are in the United States), these blocking statutes may forbid the providers subject to them from disclosing data directly to U.S. government agencies.

Prior to the CLOUD Act, providers subject to U.S. law were presumptively prohibited from honoring valid legal process for certain types of user information from government agencies outside the United States. This was so even when issued by a rule-of-law respecting government and even when the data was that of the government's own citizens. For example, an email provider operating under U.S. law was not permitted, absent an exception, to comply with a UK order to disclose private email of a user even when the user was in the United Kingdom, the crime to which the messages related was committed in the United Kingdom, and the victim was in the United Kingdom.

Because U.S. blocking statutes were restrictive and inflexible, the countries needing user content information from U.S. providers had to turn to other means. For instance, many countries have Mutual Legal Assistance Treaties (MLATs) or other agreements with the United States, which require U.S. government officials to secure legal process from U.S. courts for foreign investigations. The first MLAT the United States entered into was with Switzerland in 1977. In the 1980s and 1990s, it concluded agreements with countries such as Australia, Canada, Israel, and Jamaica. The pace of MLAT negotiations accelerated in the wake of the 9/11 attacks, with the United States eager to use them to aid in terrorism investigations. They worked fairly well before the internet became so prevalent in daily life.

This dramatically changed with the rise of U.S. companies providing internet communications services popular with people worldwide. In a matter of years, it was not the United States trying to get MLATs in place to investigate terrorism, but other countries seeking MLATs to secure information from these U.S. providers. As the popularity of the internet skyrocketed, so did the number of requests made to the U.S. government under these treaties and arrangements. The DOJ's Office of International Affairs, which handles such requests, was crushed by the volume. Responses became so delayed that occasionally foreign law enforcement officials could not get the data they needed in time to help with investigations. In 2013, a U.S. report estimated that MLAT requests
took an average of about 10 months. Countries often did not even bother to invoke MLAT to obtain electronic records.

There are other diplomatic instruments to which the United States is a party that also have provisions for mutual legal assistance. These include the Council of Europe Convention on Cybercrime (i.e., the Budapest Convention and Second Amended Protocol), the Inter-American Convention on Mutual Assistance in Criminal Matters, the Organization for Economic Cooperation and Development Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, and several UN conventions covering corruption, organized crime, drug trafficking, and terrorism. A foreign government might also ask a U.S. agency to open a joint investigation and share information obtained from U.S. legal process. These diplomatic approaches, loosely speaking, suffer many of the same practical drawbacks as dedicated MLATs.

When foreign governments hit these roadblocks, they did not stop pursuing data. Some jurisdictions responded with aggressive, unilateral, punitive measures aimed at U.S. providers. They considered laws to force tech platforms to localize data within their borders, based on the erroneous view that changing the data storage model would expedite law enforcement processing. Most egregiously, they resorted to strong-arming the companies through employee harassment and arrests to pressure companies to turn over user data or by finding vulnerable spots in network infrastructure to capture communications directly.

Foreign governments pressured not only the tech companies, but also the U.S. government. The DOJ and Federal Bureau of Investigation (FBI) were hounded by countries, including close allies, for a more practical means to secure communications content from U.S. providers.

The government, providers, and civil society were aligned on the existence of a problem. Going back to the mid-2000s, many U.S. providers began discussing possible approaches to improve the situation with the U.S. government, including the DOJ and FBI, and with foreign governments. Providers' suggestions included increasing the resources available to the U.S. government for MLAT compliance, working with foreign jurisdictions on how to use the MLAT process in a way that reduces churn arising from malformed requests, and even pushing for a more automated portal through which MLAT requests could be completed (with immediate error checking) and submitted. Some of these recommendations were implemented. In addition, some companies also made changes to their own policies and practices to improve response times, such as prioritizing requests that come through diplomatic channels.

All these steps undoubtedly helped reduce some of the pressure on the companies and the MLAT system. None, however, could change the reality that U.S. law was unnecessarily impeding legitimate investigations. For many years, there seemed to be little appetite within the U.S. government to pursue any big changes. With shrugging shoulders, most of the effort was spent trying to get more funding for the beleaguered and far-too-manual MLAT system.

WORKING TOWARD A SOLUTION

As conversations matured, a new legal dynamic arose. In a dispute between Microsoft and the U.S. government, the U.S. Court of Appeals for the Second Circuit held that search warrants issued under the Stored Communications Act were not valid to compel companies to produce data that was exclusively stored outside the United States. The Supreme Court agreed to hear the case, which was then fully briefed and argued. In the view of the U.S. government, a Supreme Court ruling upholding the Second Circuit's would have hamstrung U.S. law enforcement agencies in pursuing data stored overseas. Keen to avoid such a ruling, the DOJ saw an opportunity to pursue a bill that would ultimately moot the pending Supreme Court case and, more importantly for the purpose of this article, give some hope to other countries that they would have an easier path to securing information from U.S. providers. Some members of Congress also reenergized legislative proposals such as 2015's Law Enforcement Access to Data Stored Abroad Act and the iterative International Communications Privacy Act.

Ultimately, the companies and the DOJ focused on one important observation: Often the U.S. government has no interest in preventing a U.S. provider from honoring foreign legal demands. If Japan needs to obtain emails in a Gmail account sent between two citizens of Japan suspected of committing a murder that took place in Japan, then why should U.S. law stand in the way? It is hard to identify any public policy interest of the U.S. government that would be served in preventing that investigation from progressing.

From this was born an Obama administration proposal
to Congress that would ultimately become the CLOUD Act. Put simply, the United States would lower its blocking statutes under the conditions set out in the legislation and pursuant to an executive agreement for any country that meets certain minimum standards on human rights and the rule of law. This would allow, but not require, U.S. companies to honor the foreign legal process from such countries. One condition, among many, was that the other government would do the same with regard to its own blocking statutes.

Hearings were had, blog posts written, debates held. Many civil society groups were decidedly skeptical. Ultimately, and to the surprise of many, the CLOUD Act (including the provisions allowing for the lowering of blocking statutes) found its way into a must-pass appropriations bill, and President Trump signed the CLOUD Act into law on March 23, 2018.

CLOUD ACT AGREEMENTS REALIZED

Even before the CLOUD Act became law, the U.S. government had its eye on inking a deal with the United Kingdom. Conversations between the DOJ and Home Office officials likely informed what was included in the final bill. But even with this head start and a very eager ally on the other side of the table, it takes time to negotiate and implement a law enforcement agreement.

First, the CLOUD Act agreement is a novel type of arrangement, requiring the countries to develop bespoke terms. Previous diplomatic accords such as MLATs might have a few clauses that are transferable to CLOUD Act agreements, but they differ in significant ways and do not provide easy templates.

Second, even though the United States and the United Kingdom have relatively similar legal systems, the United States understood that this agreement would likely serve as a starting point for agreements with other jurisdictions where there are much greater differences. The agreement with the United Kingdom had to take into account potential sticking points or tensions arising in negotiations with other countries.

Third, each side had to be careful to protect what is referred to in diplomat-speak as “essential interests.” The United States wanted to make sure that information provided by U.S. providers under the agreement would not be used in a manner that raises free speech concerns. The United Kingdom considered the potential impacts of direct disclosures from UK providers in U.S. death penalty cases. Both insisted that before prosecutors can use information collected from its providers as evidence in a case that implicates the respective essential interest, the prosecutors must secure permission from the other's government.

In spite of the inherent headwinds, the U.S. government concluded the negotiations with the United Kingdom in October 2019 and those with Australia in December 2021. At least two other agreements are currently being negotiated: one with Canada and one with the European Union.[2] Because they have CLOUD Act agreements in place, Australia and the United Kingdom now have more options for pursuing data they need to assist with important investigations. Providers now have fewer restrictions for responding to these requests and greater clarity on how the data will be treated following a disclosure. The U.S. government presumably has fewer diplomatic requests from these countries than it would have otherwise. And because of this reduction in requests from countries with agreements in place, other jurisdictions may be experiencing a relatively faster response to their requests for assistance from the U.S. government using traditional diplomatic means. This is a good start, but there is plenty of room for more.

[2] The EU negotiations are very complex, presenting far more issues than the bilateral arrangements with the United Kingdom and Australia. For political optics, some future agreements, including perhaps the EU-U.S. arrangement, will likely not be overtly referred to as “CLOUD Act Agreements” and may cover other issues while still invoking the CLOUD Act provisions. This is in part because the CLOUD Act is known less for conditional lifting of U.S. blocking statutes and more for the provision that allows the United States to compel a U.S. provider to disclose data in its possession, custody, or control regardless of where the data is located (subject to other objections). These two provisions are at times conflated, the latter rightly or wrongly tainting the former. Avoiding the CLOUD Act brand altogether, as the European Commission has done, may help avoid confusion.

Releasing the Potential of CLOUD Act Agreements

This brief offers three suggestions that can help the CLOUD Act reach its full potential. First, the U.S. government should work to conclude more agreements with more countries, avoiding the perception that the CLOUD Act is designed
to create a “club” of countries with preferred data access. It can expand participation by using a series of “knobs and levers” to tailor agreements to specific jurisdictions. Second, it should adopt practices to better evaluate the agreements, including increasing transparency. Third, it should implement mechanisms to better detect and address improper use of the agreements.

A BIG TENT, NOT A PRIVATE CLUB

Carefully crafted CLOUD Act agreements can play a positive role for many countries beyond those in the Five Eyes (consisting of Australia, Canada, New Zealand, the United Kingdom, and the United States) and the European Union. At times, the DOJ has made it harder to realize a “big tent” vision for the CLOUD Act by describing it in terms that suggest a “club” mentality. When the DOJ says that CLOUD Act agreements are only available to “trusted foreign partners,” it is telling all the others, even those that can meet the standards, that they have to find their own way.

There will be a concrete negative effect if there is a perception that the CLOUD Act creates a fast lane only for countries that have gained admission into a privileged club. If countries such as India and Brazil feel like outsiders, they are more likely to respond with measures the CLOUD Act aims to avoid, including data localization, fines, arrests, and other retributive policies.

To conclude more agreements with more countries, the U.S. government should (1) explore a broader range of agreement terms; (2) avoid suggesting that CLOUD Act agreements are only for a “club” of favored nations; and (3) devote more dedicated resources to negotiating CLOUD Act agreements.

The first step in concluding more agreements is broadening what an agreement might look like. The CLOUD Act agreements with the United Kingdom and Australia are very similar, with both nearly as expansive as the statute allows. They both apply to the broadest array of crimes permitted by the statute, can be used by a wide range of agencies in each country, apply to collecting data in a stored state as well as real-time surveillance of communications, allow targeting to the maximum extent permitted by the statute, and are subject to congressional review only within the shortest permissible time frame.

Based on these two agreements, one might mistakenly assume that all CLOUD Act agreements must look this way. The CLOUD Act itself, however, does not require that every agreement extend as far as
the law permits. In fact, as expansive as the agreements with the United Kingdom and Australia are, both amend the baseline requirements of the CLOUD Act to impose restrictions on using data disclosed to U.S. authorities as evidence that could lead to the imposition of the death penalty. Just as the United Kingdom and Australia could insist on terms that make the agreements stop short of the full extent allowed by the statute, the United States can do the same in future agreements.

There are many levers and knobs that can be adjusted to accommodate for differences in legal systems and particular needs and sensitivities:

Covered Crimes: Agreements could apply only to specified serious crimes, with shared definitions across borders, such as investigations into acts of terrorism or cybercrimes.

Participant Agencies: Agreements could apply only to particular investigative agencies. For example, the blocking statutes in the United States might be lowered under an agreement only for requests from an agency that has a track record for high quality investigations and is subject to meaningful oversight.

Surveillance Type: Agreements could limit the nature of data acquisition. For example, an agreement could allow for collection of stored content but leave intact the U.S. blocking provisions for real-time surveillance.

Surveillance Duration Limits: Similarly, agreements could restrict the surveillance period. For example, stored communications could be limited to a 6-month period and real-time surveillance to 60 days.

Targets: Agreements could limit which users may be targeted in the requests. Although the CLOUD Act prohibits the non-U.S. country from intentionally targeting a U.S. person, an agreement could impose additional restrictions. For instance, it could limit the targeted users to only those who are reasonably believed to be located in or citizens of the requesting country, as well as in jurisdictions that have not agreed to certain international standards (such as the Second Additional Protocol to the Budapest Convention).[3]

Government Insight on Disputes: Agreements could expressly allow a provider to object to a request by notifying its home jurisdiction of the issue at the same time as it submits its objection to the requesting government. The authors describe this type of dispute management below.

Government Insights on Overall Use: For even more timely visibility into the requests made to providers, agreements could include a requirement that when an agency submits a CLOUD Act demand to a U.S. company, it must also send a copy of the demand to the DOJ.

Compressed Review Periods: Agreements could require shorter terms, triggering more frequent reviews of the country's qualified status for renewal. The authors describe additional oversight options in more detail below.

Moving away from a one-size-fits-all approach will expand the range of countries that could negotiate and secure a CLOUD Act agreement. Many agreements might be narrower than the ones in place with the United Kingdom and Australia, which might mean that the pool of potential CLOUD Act agreement countries would not be limited to those with legal systems similar to that of the United States. This will give a wider range of governments optimism that they can conclude such agreements and in turn incentivize them to develop options for improving their laws.

[3] Experience with the current CLOUD Act agreements will be instructive on this point. The scenarios painted for Congress to show how the UK agreement could be used by the United Kingdom often had the targeted user in the United Kingdom, but neither the legislation nor the agreement limits targeting in this way. Government reports, if released to the public, will likely reveal that most of the targeted users are outside the United Kingdom.

Obvious candidates for fine-tuned CLOUD Act agreements include India and Brazil. Both have historically issued a large number of demands on U.S. providers. The frustration their respective law enforcement and intelligence services have experienced with existing disclosure mechanisms has led to a slew of proposals that could be detrimental to security and privacy. Another candidate for an agreement is South Korea, which has had a dramatic increase in requests for user information from U.S. providers in the last few years,[4] and which the DOJ has referred to in its hypothetical CLOUD Act scenarios.

[4] See, e.g., Google Transparency Report (reporting 774 requests covering 2,788 accounts in the first half of 2019, rising to 2,747 demands covering 16,609 accounts in the same period in 2023); Facebook Transparency Report (reporting 351 requests covering 1,932 accounts in the first half of 2019, rising to 1,468 requests covering 1,932 accounts in that period in 2023).

Scholars such as Peter Swire, Deven Desai, and DeBrae Kennedy-Mayo have shown that India presents an important candidate for improved data disclosure. India, like many jurisdictions, has laws and practices that may require significant changes to meet the minimum requirements of the CLOUD Act. As Swire and Kennedy-Mayo postulate, these might include India joining the Budapest Convention, forswearing the use of legal process that does not involve a judicial authority, and using a “qualified entity” to act as a moderator on behalf of requesting agencies to enforce policy requirements regarding requests to providers.

On the other hand, excluding India entirely could invite more aggressive and counterproductive unilateral action, which is likely to have a negative impact on the privacy and security of people in India and beyond. Figuring out a path for a more limited agreement would reduce the likelihood that the government takes such steps and could create an incentive for it to institute domestic reforms in hopes of securing a more expansive agreement in the future.

This presents the DOJ with a very challenging objective: to aim for a “big tent” approach while also protecting U.S. interests in situations that justify interference through blocking statutes. Regulating the behavior of a U.S. company makes sense when the requesting country is corrupt and contemptuous of the rule of law or commits human rights abuses. And of course, the United States has an interest in protecting U.S. individuals who may be the subject of a request from a foreign government to a U.S. provider. For these reasons, U.S. government officials should be clear that foreign governments must meet certain standards to participate.

Of course, it is also possible that countries such as India and Brazil may balk at the prospect of entering into agreements that are more limited than others have been in the past. Hopefully, the immediate value of even a narrow arrangement and the potential for future expansion will overcome the tendency toward such a reaction.

Finally, to accelerate the pace of negotiations and conclude more agreements, the DOJ needs resources. Congress should allocate increased funding for this program, including adding personnel dedicated to negotiating CLOUD Act agreements with a greater set of countries. Devoting resources to the CLOUD Act process so it can respond to more requests would also free up resources for and complement other data access mechanisms such as MLAT and letters rogatory.

In addition, an agreement with the European Union, currently under negotiation, presents a good example of how the CLOUD Act can fill gaps left by other mechanisms. Even after EU member states have adopted the new E-Evidence Directive and Regulation so they can obtain data from the EU subsidiaries of U.S. providers established in Europe (often in Ireland), these countries' law enforcement agencies will still need to use diplomatic mechanisms to obtain evidence about users served by the providers' U.S. entities. For agencies in EU member states, an arrangement that takes advantage of lowered U.S. blocking statutes through the CLOUD Act could be
valuable to their legitimate investigations into threats involving non-U.S. users of the U.S. providers.

CLOUD Act agreements also complement the Budapest Convention. Being a party to this convention is specifically called out in the CLOUD Act as a factor to qualify for an agreement. As a result, the desire for such agreements may incentivize more countries to sign on to it, including the Second Additional Protocol. This would be a valuable end in itself, and even more so by incentivizing countries away from other international instruments lacking in basic protections, such as the draft cybercrime treaty before the United Nations.

EVALUATING EFFICACY

It is important to be able to identify whether a CLOUD Act agreement is effective in removing unnecessary barriers to legitimate investigations and improving, or at least forestalling backslide, on human rights. Understanding impact will help the United States develop options to improve agreements or perhaps will suggest that investment should be made in other mechanisms. It will also enable nongovernmental organizations (NGOs) and academic researchers to evaluate the CLOUD Act process. Finally, since Congress receives reports on the operation of each agreement, understanding impact will be critical for that review process.

The DOJ posts information about related negotiations, agreements, and public communications on its CLOUD Act Resources webpage, but there is no data about the volume or type of data requests. While the UK government has provided some information, it has not yet provided much detail.

During CLOUD Act negotiations, the United States and companies discussed options for ensuring that there would be transparency about how the agreements worked in practice and accountability for violations. But in practice, transparency and accountability are difficult. Not only does it take time to collect and report data, but the agreements are still in their early stages. The first agreement, with the United Kingdom, came into force on October 3, 2022, and data requests did not immediately ensue.

In addition, collecting information about how an agreement is used is challenging because of how the current CLOUD Act agreements work. If the United Kingdom uses the CLOUD Act to request data from a U.S. provider, the DOJ might never see that the request was made unless the provider raises a dispute with the United Kingdom that is not resolved, so the U.S. government gets pulled in. Removing the provider's host government from this process, in cases where the host government does not have an interest in the request, is precisely the point.

As understandable as the challenges of transparency might be, the lack of it makes it difficult to understand the efficacy of CLOUD Act agreements. This means the DOJ and Congress would face challenges in making this assessment, as would third-party organizations and experts such as NGOs and academic researchers. To improve transparency, CLOUD Act agreement participants should make available qualitative and quantitative information about how the agreements function in practice.

The agreements in place with the United Kingdom and Australia each allow agencies in those countries to submit requests directly to U.S. companies with no notice to the DOJ. Yet there is nothing in the legislation prohibiting agreements from including a requirement that when an agency submits a CLOUD Act demand to a U.S. company, it must also send a copy to the DOJ. More detailed and timely information could help the department catch issues sooner and provide better analysis to Congress when
104、an agreement comes up for review.This requirement should be reciprocal,necessitating that the United States also copy the central authority of the other government when it issues a request under the agreement.Of course,it is important that the DOJ not use this notification as a preapproval process f
105、or every request submitted by the host country;that would reintroduce the very pitfalls of the MLAT system.Currently,the agreements require each government to submit annual reports providing“aggregate data”on its use of the agreement.The first such reports from the United States and the United Kingd
106、om should have already been generated and exchanged,but so far they have not been made public.Perhaps,given that the first anniversary of the agreement with the UK going into effect was recent,the reports are still being reviewed.Regardless,the DOJ should make these reports public,including its own.
The CLOUD Act does not require that the reports be kept confidential, nor do the agreements now in place. If there are good reasons not to publish them in full, the DOJ should consider releasing summaries with qualitative and quantitative data on how the agreements are working in practice. In any event, these full reports should be made available to Congress. Similarly, the CLOUD Act requires that when an agreement is up for renewal, the DOJ submits a report to congressional committees setting out how the agreement has been implemented and describing any problems or controversies encountered. As with the annual reports, the DOJ should make these publicly available to the extent it can.

In addition, companies should publish data in their transparency reports on the number of CLOUD Act requests they receive and by which country, as Meta and Google have already done, for example. (The agreements currently in place require that demands indicate they are issued pursuant to the agreement, making it relatively easy for providers to track.) But company reporting is likely to create a spotty and incomplete picture of the total impact of the CLOUD Act. The key information is the total number and type of requests from foreign governments, not the requests that each provider received.

Governments should not be the only entities reviewing the efficacy of the agreements. With funding from foundations and governments, civil society organizations should also study their impact, including their long-run influence on human rights norms. For instance, Freedom House, a nonprofit organization, releases an annual report on internet freedom. With dedicated support, it could expand this report to include detailed analysis of the CLOUD Act's annual impact. Freedom House or other think tanks might serve as a repository for company reporting, providing a more holistic overview of requests made pursuant to the agreements.

ENFORCING AGAINST VIOLATORS

The robust process required by the statute to qualify for an agreement under the CLOUD Act is essential to its purpose. As the United States looks at other jurisdictions with which to enter more bespoke arrangements, it may need to adopt additional protections against misapplication of the agreement. It is also possible that a country might change its legal authorities after entering into an agreement, and those changes might warrant revisiting its “qualified status.” This means
the United States will need a mechanism to detect whether the agreement is being misused or the law has changed and to take action in response.

One obvious way to gain such insight is by setting up a process for a U.S. company to immediately report objectionable CLOUD Act agreement requests to the DOJ. The agreements with the United Kingdom and Australia each allow a provider to raise initial objections with the issuing authority. If the objection is not resolved, the provider may bring in its host government so that the two governments can hash it out. Significantly, the agreements currently in place do not prohibit a provider from notifying its host government at the same time as it submits the objection to the requesting government. There is no process for doing so, however. To gain more visibility into the nature and volume of requests that are out of the agreement's scope or otherwise problematic, future agreements could make this explicitly permissible and set up an intake process with the DOJ.

Once it has more timely insights into the disputes arising with U.S. providers, the DOJ could take action if it believes the foreign government is violating the terms of the agreement or decide to refrain from interfering and let the objection process in the foreign jurisdiction play out. If the DOJ does see systemic issues, it could apply pressure on the other country, noting that its qualifying status may be in peril. In addition, regardless of whether it takes action in individual cases, it could inform Congress of these objections during the review period. The DOJ could strengthen its hand in these circumstances by including a provision in each agreement that allows it to immediately suspend it on the grounds of misuse.5

Another accountability mechanism would be to build in more frequent opportunities to revisit the terms. The CLOUD Act provides that any agreement will expire after five years but may be renewed if the U.S. attorney general and secretary of state provide a report to Congress concluding that the other country is still “qualified.” Individual agreements could have shorter terms and require more frequent reviews. In addition, an agreement could expressly provide that it is subject to an immediate pause, suspending further submission of requests, if there is a need to address sudden material changes in circumstances. Armed with more information from periodic public reports, more frequent reviews might also incentivize faster improvements in the partner country since they could lead to a more expansive arrangement in a shorter time.

Conclusion

CLOUD Act agreements have tremendous potential, alongside other diplomatic mechanisms, to facilitate
legitimate investigations that require cross-border electronic evidence collection without sacrificing human rights and liberties. To get closer to that potential, a series of knobs and levers should help guide future negotiations, since a one-size-fits-all approach would unnecessarily constrain the CLOUD Act's reach. The United States should also build in more mechanisms for transparency and accountability to help identify areas of improvement, ferret out otherwise hidden problems, and build trust.

5 The agreements with the United Kingdom and Australia have similar provisions to preclude use of the agreement for an identified category of requests when a dispute is not resolved and to allow the agreement to be terminated with one month's notice.

Matt Perault is the director of the Center on Technology Policy at UNC-Chapel Hill, a professor of the practice at UNC's School of Information and Library Science, and a consultant on technology policy issues at Open Water Strategies.

Richard Salgado is a senior associate with the Center for Strategic and International Studies' Strategic Technologies Program, teaches at Stanford Law School and Harvard Law School, and provides consultancy services through Salgado Strategies LLC.

This report is made possible by general support to CSIS. No direct sponsorship contributed to this report.

This report is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2024 by the Center for Strategic and International Studies. All rights reserved.