The U.S. government has announced its first bilateral agreement of the CLOUD Act with the U.K, This agreement will allow the U.K. government to acquire data directly from U.S. based cloud providers such as Amazon, Google and Microsoft without the judicial oversight of a U.S. judge, without regard to U.S. law or the U.S. constitution and secretly exfiltrate it without the knowledge of either the U.S. government or the data owner.
The CLOUD Act and the Importance of Keeping Data On-Premises
Estimated reading time: 4 minutes
The United States has announced its first bilateral executive agreement effective April 2020 under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) with the U.K. In providing law enforcement better expediency, it effectively chips away privacy protection and is another compelling reason to keep corporate data on-premises and behind the organizational firewall. Let me explain:
The CLOUD Act allows secret exfiltration of your files no matter what country they are stored in
The CLOUD Act amends the Secured Communications Act (SCA) to create explicit provision for U.S. law enforcement (whether local police department or federal agency) to secretly access electronic files and communications stored in the cloud. In other words, U.S. law enforcement can serve an SCA “warrant” to U.S. cloud providers where recipients such as Google, Amazon or Microsoft are obligated to turn over evidence wherever located – even if that evidence is stored on a server geographically located in another country. It effectively eviscerates the concept of privacy protection via data residency.
The CLOUD Act allows foreign powers to secretly exfiltrate data of their own citizens from US cloud providers without US judicial oversight
The CLOUD Act also allows the Executive Branch to enter into “executive agreements” to
allow qualified foreign governments to acquire data of their own citizens located on the servers of U.S. providers wherever located, with restrictions, by requesting that information directly from the U.S. cloud provider without the approval of a U.S. judge and without regard to U.S. law or the U.S. constitution.
The CLOUD Act replaces the Mutual Legal Assistance Treaty
Instead of using the previous and cumbersome Mutual Legal Assistance Treaty (MLAT) process to get access to foreign cloud stored data, under the bilateral agreement both the U.S. and the U.K. law enforcement agencies now only need to use their own respective domestic legal process and courts to serve their orders directly to each others communications service providers. In practical terms it means that U.K. investigators will be able to secretly get fast direct access to files and communications about non-U.S. persons from U.S. providers regardless of where that data is stored as permitted by U.K. law (not U.S. law) and vice versa.
The CLOUD Act puts American companies under foreign jurisdiction
The problem with this is that it puts American companies under foreign jurisdiction in regards to release of files and communications. For example, the U.K allows for general warrants based on “reason to believe” instead of “probable cause”. Before this, U.S. providers were generally forbidden from disclosing data such emails, instant messages, photos, audio/video chats, and files stored on file servers to anyone (including foreign governments) without an order from a U.S. court determining that there is probable cause that the data in question contains evidence of a crime. Now, this bilateral agreement allows U.K. law enforcement and security agencies to get information stored in the United States without a probable cause warrant or an order from a U.S. judge.
Information on US citizens can be collected by foreign governments when communicating with a non-US target
There are safeguards against U.K. law enforcement targeting U.S. citizens and residents, but in practical terms their information can still be collected if they are communicating with a non-U.S. target without US judicial oversight.
US companies must comply with secret UK exfiltration requests of UK citizens
In addition, although at the time or writing the details of the agreement are still secret, it is reported that the agreement will force U.S. companies to comply with U.K. wiretap requests of targets that are not U.S. persons and not located in the United States – something that the previous. MLAT process did not permit.
The Need to Store Confidential Files On-Premises
The best defence to protect privacy of your confidential files against legalized secret exfiltration is to not store them on the servers of third-party providers but to keep them on-premises, under your control and behind your firewall using the decentralized edge-cloud architecture of FileFlex Enterprise.
FileFlex Enterprise addresses privacy issues of the CLOUD Act
The FileFlex zero trust platform for hybrid-IT differentiates it from other file remote access and sharing platforms. Their dependence to duplicate and sync data to a central server cluster has resulted in compromises and issues such as an increased risk posture, privacy compromise, fragmented data, the need to manage limited subsets, technical complexity and high cost. Because of the tremendous productivity benefits the centralized structure offers, the market has accepted these compromises. However, the decentralized hybrid-IT zero-trust architecture of FileFlex allows it to address the compromises and issues inherent to all cloud storage solutions at a lower cost. FileFlex improves the organization’s security posture, allows access to all storage – not just subsets – ensures privacy, keeps the management of organizational files under organizational control, accelerates compliance to privacy regulations such as GDPR and HIPAA and leverages the organization’s existing storage infrastructure to produce a disruptive low-cost model that can be applied to all storage.
To learn more about the advantages of the decentralized architecture of FileFlex click here. To learn more about how to use FileFlex Enterprise to mitigate against secret data exfiltration, click here.