Hacker News
Wyden Releases Draft Bill to Secure Americans' Communications (senate.gov)
140 points by commandersaki 10 months ago | 28 comments


>The bill reforms the CLOUD Act, which permits foreign governments to make surveillance demands directly of U.S. companies rather than going through the U.S. legal system.

I don't get how this works.

Let's say I'm Microsoft and I operate in the UK ... UK can still contact Microsoft and has to respond if they want to operate there.

Wouldn't this just put these companies in an awkward position explaining to each nation that operating in that nation means they have to follow each of their conflicting laws?


Let's put the whole thing in context. This bill is intended to prevent foreign governments[0] demanding that companies headquartered in the US[1] modify their products and introduce backdoors.

The top bullet point in the press release makes it crystal clear: "Prevent foreign governments from using the CLOUD Act to require U.S. providers to adopt specific designs for products, reduce the security of a product, or deliver malware to a customer."

It looks like the intended outcome is that if a foreign government wants to investigate a US based individual, they must go through the official, international court-to-court co-operation request channels. US courts can then grant the necessary warrants and/or compel that individual to give up the requested evidence / other material. Isn't that how things are supposed to work?

Interestingly, this bill would also collide with Australia's similar law.

> Let's say I'm Microsoft and I operate in the UK ... UK can still contact Microsoft and has to respond if they want to operate there.

If and when cross-border laws collide and conflict, it should be up to the governments to sort it out. UK are perfectly in their right to require that Microsoft provides information and data on entities who reside in the UK. Demanding Microsoft to introduce backdoors to their products or deliver malware to individuals would go far beyond that.

Personal context: Finnish, living in UK.

0: in this case, UK

1: as a trigger in this case, Apple


> Wouldn't this just put these companies in an awkward position [...]

Presumably. There's probably still an argument for changing the incentives for foreign governments to make these orders and for Apple or similar to comply. In particular, this bill appears to amend the provisions for foreign governments to gain access to their citizens' data and provides some possible legal recourse for US providers in US courts. It's not clear this will achieve the intended outcome, but it seems like one reasonable approach if your lever is US federal legislation.


> Wouldn't this just put these companies in an awkward position explaining to each nation that operating in that nation means they have to follow each of their conflicting laws?

That's actually kind of the point. It gives them a reason to push back, and more importantly it has the practical effect of making the whole issue into something that each government has to negotiate with other governments, instead of just strongarming private companies. It's harder for government officials to ignore a conflict with another country's laws than to ignore corporate policies.

... and if the governments can't make a deal, maybe the company has to make a choice. And maybe that's appropriate.


How would that work? Microsoft has subsidiaries or divisions in other countries.

Azure China is like an entirely different Cloud product.

Pretty sure Microsoft has modified Azure to be China-compliant.


Seems like a bad move if unfriendly countries can bypass our legal system…


What would bypassing our legal system look like exactly?

If Apple operates in the UK or anywhere, they do need to be responsive to local laws, I don't think they can ignore them and say "sorry you gotta talk to the other guys" ... that's nothing new.

Same thing for other countries operating in the US.


Oh, say maybe the UK having a law that lets it demand that a cloud provider actively modify its systems to defeat any cryptography, or other technical measures, if those measures prevent any data the UK may choose to demand from being delivered in an easily readable format?

And say applying that to any data the provider may be holding for anybody in the world, regardless of whether that person is in the UK, has ever been in the UK, or is actually implicated in any crime involving the UK?

Without requiring any explanation of the reason? Or even allowing the fact of the demand to be disclosed to anybody, including, say, the US Government?

And actually issuing such crypto-neutering orders to companies operating in, say, the US?

So that the UK can get data about US citizens in ways the US itself isn't legally allowed to do?

That kind of bypassing?

At that point, maybe Apple ends up having to choose between operating in the UK and operating in the US. Or if not the US, other countries that might be seized with attacks of sanity.


The company in question has some hard choices to make about whether they want to keep operating in the UK. There is no principle here that companies have to be multinational giants; it might be better if they start operating locally.

I'm generally extremely free market, but there is a good argument to ban Facebook/Google/AWS/& friends for national security reasons. They are almost certainly tools of the US intelligence apparatus. Looking at basic questions of capability and incentive there must be some massive scandals brewing this century over their ability to interfere in foreign elections.


Wouldn't that hard choice be between not operating in that country (and losing a lot of money) versus selling out their customers? Is that a good position to put them in?


It's the same question foreign companies wanting to serve the US, Russia, or China already have the answer to. It's not a difficult position: the money almost always wins.

For instance, Apple has modified its Chinese iMessage software so that all data is always stored on Chinese servers (though it's technically still end-to-end encrypted, they're the only permitted e2ee encrypted app, so I assume something shady is going on there). Apple also added RCS to their iPhones because China demanded support for it (RCS isn't e2ee of course). When big governments demand changes, even the least evil big tech companies are willing to bend the knee as long as their business model doesn't break.


I wish those companies could be banned inside the US as well!


> they do need to be responsive to local laws

I agree that you follow local laws when you operate on another nation's soil.

In this case, the UK is seeking to modify what is allowable on an international basis, not just on their local soil.


Kind of.

Imagine it was a physical good instead. Tax havens might not be a bad example. The UK can absolutely demand that a UK citizen or corporation bring something or another back to the country, and if the laws of that other nation conflicted then it'd be "messy" but not the UK seeking to modify what is allowable on an international basis. Regardless of what happened to the item in question, the offender would be in hot water somewhere.

Extending that ever so slightly to data, Apple and friends are definitely technologically capable of moving the data from one side of the pond to the other, and they're definitely operating in both the UK and the US. Does the speed at which data travels make that more like a cyber attack from the UK on the US (infiltrating a weak link to gain unauthorized access), or is it still more like the physical good countries seem to want to regulate it as (where Apple would have to violate one or more laws)?

What I really don't like about the matter is that if you simply split Apple into two legal entities, one for the US and one for the UK, the capability of moving the data nearly for free will still exist, but that will likely thwart the backdoor in the law. That suggests something fishy going on in our definitions and intuition, and it makes me more inclined to agree with your side of things. I'm not totally sold though; I could easily have just missed the obvious paradoxes from the side I'm partially defending.


Even worse, it's a bad move if the US government can bypass our legal system by

1) showering money on European censorship advocates who use it to

2) lobby their own precarious centrist governments to create guidelines, czars and boards responsible for censoring speech online,

3) which US companies will be expected to obey worldwide in order to operate in Europe

4) allowing the US government and arbitrary billionaires to freely censor speech in the US.

Even if nefarious elements of the US power structure didn't take advantage of the eagerness of Europeans to censor the voices of what is increasingly the plurality of their voters, allowing US companies to capitulate is still an attack on US speech rights in general. It's a trade barrier, a collective tariff: either US citizens lose civil liberties, or US media companies cannot operate in Europe.

edit: the same thing happens with surveillance, or even with USB-C or GDPR regulations. The difference between surveillance/censorship and the last two is that weird phone chargers and the collecting of private dossiers on the public are not very important civil rights.


> either US citizens lose civil liberties, or US media companies cannot operate in Europe.

Oh, this one's easy. We're leaving it up for the media companies to decide, right?


Foreign governments that have been deemed unfriendly routinely access US products that are otherwise off limits to them using the assistance of friendly "international" corporations. I suspect this bill attempts to close that loophole.


How about we secure Americans' communications against domestic surveillance demands


That would be something.


Curious if Apple leaked this to the Washington Post. And if that was by their legal team intentionally, or by a vigilante who recognized the abusive demand


Securing US bigtech ASSEtS against the US law, for making nasty agreements with foreign autocratic ASSEtS.


I think I read that Senator Wyden is the second largest taker of money from Big Pharma. Because of this, I am going to take a careful and critical look at his legislation.

To be fair, many politicians do both really good and really bad things. The world is not black and white.


Total FUD. Wyden is no friend of big pharma. Probably one of the only couple of politicians we have left actually working for the people.

https://www.finance.senate.gov/chairmans-news/wyden-expands-...


Do more research. He is a mixed bag, trying to lower prescription drug prices, but he is also no enemy of Big Pharma. I asked OpenAI about him in research mode, and if it was largely correct.

So not total FUD. I am quoting from ChatGPT:

Between 2019 and 2024, Senator Ron Wyden received $351,513 in campaign contributions from the Pharmaceuticals/Health Products industry. This total includes $169,063 from individual donors and $182,450 from political action committees (PACs).

It’s important to note that while Senator Wyden has received contributions from the pharmaceutical industry, he has also been a critic of high drug prices. For instance, during a 2019 Senate Finance Committee hearing, he emphasized the need for concrete actions to make medications more affordable.


I don't think that absolute dollar value is a useful measure.

From https://www.opensecrets.org/members-of-congress/ron-wyden/su...

Pharmaceuticals/Health Products is the 9th contributor (or about 3% of his campaign fundraising between 2019-2024). Is that big? I have no idea.


if an individual pharma employee makes a donation as an individual, many of the datasets will classify it as “money from the pharmaceutical industry”. worth considering.


And those individuals are typically well educated and well remunerated people, who as a cohort tend to lean Democrat.


So a Democrat wants to increase regulation in early 2025? Yeah, that’s happening.



