[House Hearing, 119 Congress]
[From the U.S. Government Publishing Office]
FOREIGN INFLUENCE ON AMERICAN'S DATA
THROUGH THE CLOUD ACT
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CRIME AND FEDERAL
GOVERNMENT SURVEILLANCE
OF THE
COMMITTEE ON THE JUDICIARY
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED NINETEENTH CONGRESS
FIRST SESSION
__________
THURSDAY, JUNE 5, 2025
__________
Serial No. 119-24
__________
Printed for the use of the Committee on the Judiciary
Available via: http://judiciary.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
60-646 WASHINGTON : 2025
COMMITTEE ON THE JUDICIARY
JIM JORDAN, Ohio, Chair
DARRELL ISSA, California
ANDY BIGGS, Arizona
TOM McCLINTOCK, California
THOMAS P. TIFFANY, Wisconsin
THOMAS MASSIE, Kentucky
CHIP ROY, Texas
SCOTT FITZGERALD, Wisconsin
BEN CLINE, Virginia
LANCE GOODEN, Texas
JEFFERSON VAN DREW, New Jersey
TROY E. NEHLS, Texas
BARRY MOORE, Alabama
KEVIN KILEY, California
HARRIET M. HAGEMAN, Wyoming
LAUREL M. LEE, Florida
WESLEY HUNT, Texas
RUSSELL FRY, South Carolina
GLENN GROTHMAN, Wisconsin
BRAD KNOTT, North Carolina
MARK HARRIS, North Carolina
ROBERT F. ONDER, Jr., Missouri
DEREK SCHMIDT, Kansas
BRANDON GILL, Texas
MICHAEL BAUMGARTNER, Washington

JAMIE RASKIN, Maryland, Ranking Member
JERROLD NADLER, New York
ZOE LOFGREN, California
STEVE COHEN, Tennessee
HENRY C. ``HANK'' JOHNSON, Jr., Georgia
ERIC SWALWELL, California
TED LIEU, California
PRAMILA JAYAPAL, Washington
J. LUIS CORREA, California
MARY GAY SCANLON, Pennsylvania
JOE NEGUSE, Colorado
LUCY McBATH, Georgia
DEBORAH K. ROSS, North Carolina
BECCA BALINT, Vermont
JESUS G. ``CHUY'' GARCIA, Illinois
SYDNEY KAMLAGER-DOVE, California
JARED MOSKOWITZ, Florida
DANIEL S. GOLDMAN, New York
JASMINE CROCKETT, Texas
------
SUBCOMMITTEE ON CRIME AND FEDERAL
GOVERNMENT SURVEILLANCE
ANDY BIGGS, Arizona, Chair
TOM TIFFANY, Wisconsin
TROY NEHLS, Texas
BARRY MOORE, Alabama
KEVIN KILEY, California
LAUREL LEE, Florida
BRAD KNOTT, North Carolina

LUCY McBATH, Georgia, Ranking Member
JARED MOSKOWITZ, Florida
DAN GOLDMAN, New York
STEVE COHEN, Tennessee
ERIC SWALWELL, California
CHRISTOPHER HIXON, Majority Staff Director
JULIE TAGEN, Minority Staff Director
CONTENTS
----------
Thursday, June 5, 2025
OPENING STATEMENTS
Page
The Honorable Andy Biggs, Chair of the Subcommittee on Crime and
Federal Government Surveillance from the State of Arizona...... 1
The Honorable Jamie Raskin, Ranking Member of the Committee on
the Judiciary from the State of Maryland....................... 3
The Honorable Jim Jordan, Chair of the Committee on the Judiciary
from the State of Ohio......................................... 5
WITNESSES
Susan Landau, Professor of Cyber Security & Policy, Department of
Computer Science, Tufts University
Oral Testimony................................................. 6
Prepared Testimony............................................. 9
Caroline Wilson Palow, Legal Director and General Counsel,
Privacy International
Oral Testimony................................................. 23
Prepared Testimony............................................. 25
Richard Salgado, Partner & Founder, Salgado Strategies
Oral Testimony................................................. 41
Prepared Testimony............................................. 43
Gregory T. Nojeim, Senior Counsel & Director, Security and
Surveillance Project, Center for Democracy & Technology
Oral Testimony................................................. 76
Prepared Testimony............................................. 78
LETTERS, STATEMENTS, ETC. SUBMITTED FOR THE HEARING
All materials submitted by the Subcommittee on Crime and Federal
Government Surveillance, for the record........................ 100
A letter from the Reform Government Surveillance Coalition, Jun.
5, 2025, submitted by the Honorable Andy Biggs, Chair of the
Subcommittee on Crime and Federal Government Surveillance from
the State of Arizona, for the record
Materials submitted by the Honorable Dan Goldman, a Member of the
Subcommittee on Crime and Federal Government Surveillance from
the State of New York, for the record
An article entitled, ``Trump Wants to Merge Government Data.
Here Are 314 Things It Might Know About You,'' Apr. 9,
2025, The New York Times
An article entitled, ``The Trump administration has expanded
Palantir's work with the government, spreading the
company's technology--which could easily merge data on
Americans--throughout agencies,'' May 30, 2025, The New
York Times
FOREIGN INFLUENCE ON AMERICAN'S DATA
THROUGH THE CLOUD ACT
----------
Thursday, June 5, 2025
House of Representatives
Subcommittee on Crime and Federal Government
Surveillance
Committee on the Judiciary
Washington, DC
The Subcommittee met, pursuant to notice, at 10:05 a.m., in
Room 2141, Rayburn House Office Building, the Hon. Andy Biggs
[Chair of the Subcommittee] presiding.
Present: Representatives Biggs, Jordan, Tiffany, Nehls,
Knott, Goldman, and Raskin.
Mr. Biggs. The Subcommittee will come to order.
Without objection, the Chair is authorized to declare a
recess at any time.
We welcome everyone to today's hearing on the CLOUD Act and
foreign influence on America's data.
I now recognize the gentleman from Texas, Mr. Nehls, to
lead us in the Pledge of Allegiance.
All. I pledge allegiance to the Flag of the United States
of America, and to the Republic for which it stands, one
Nation, under God, indivisible, with liberty and justice for
all.
Mr. Biggs. Thank you, Mr. Nehls. I now recognize myself for
an opening statement.
I welcome my colleagues to this important hearing and
welcome our audience and our witnesses today. I thank each of
our witnesses for being here today, with special recognition
for one of our witnesses who flew all the way from the U.K. to
testify today. Thank you.
Given advances in technology and the heightened
interconnectivity of the digital era, personal data, business
information, and sensitive communications are sent, received,
and stored all over the world.
Often during an investigation law enforcement needs to
acquire this information from U.S. companies. Until 2018, if
this information was held in another country--for example, a
data server in Ireland--it wasn't clear whether U.S. law
enforcement would be able to obtain it, even though it was
requesting the data from a U.S. company.
In 2018, Congress passed the Clarifying Lawful Overseas Use
of Data Act, or the CLOUD Act, to address this gap in the law.
Under the CLOUD Act, U.S. law enforcement, pursuant to a lawful
court order, can obtain data held by U.S.-based service
providers but stored outside of the United States.
The CLOUD Act also provides avenues for our allies to enter
into bilateral agreements with the United States to similarly
obtain their citizens' data from these same service providers
to assist with their own law enforcement investigations.
Unfortunately, one of our closest allies, the United
Kingdom, is taking advantage of its authorities under the CLOUD
Act and is attacking America's data security and privacy.
In February of this year, The Washington Post reported that
the U.K. had secretly ordered Apple to build a back door into
its devices to enable U.K. law enforcement to access a user's
data stored on the cloud, including encrypted data.
The CLOUD Act requires that a country entering into a data
access agreement with the United States have laws that include
robust protections for privacy and civil liberties. The U.K.'s
order, however, threatens the privacy and security rights, not
only of those living in the U.K., but of Apple users all over
the world, including Americans.
This order sets a dangerous precedent and if not stopped
now could lead to future orders by other countries. The U.K.'s
Investigatory Powers Act permits it to issue orders to tech
companies compelling them to weaken encryption or halt security
updates for users around the world.
This broad extraterritorial order highlights the tension
between national security and individual rights. These
interests are not mutually exclusive, and it is possible to
protect both national security and individual rights.
Providing law enforcement with the tools to conduct
investigations is a laudable, important goal, but the U.K.,
seemingly emboldened by its agreement with the United States
under the CLOUD Act, has issued an order that will affect
people all over the world and this is a step too far.
Encryption is a critical tool to maintain the privacy and
security of digital information and communications. Efforts to
weaken or even break encryption make us all less secure. The
U.S.-U.K. relationship must be built on trust. If the U.K. is
attempting to undermine this foundation of U.S. cybersecurity,
it is breaching that trust.
If companies are forced to build back doors to encryption,
that simultaneously opens a back door to privacy rights or an
invasion of privacy rights.
It is impossible to limit a back door to just the good
guys. Just last year, Chinese hackers known as Salt Typhoon
penetrated lawfully mandated back doors, gaining access to
wiretap systems used by U.S. law enforcement. The hackers also
were able to access the private data of President Trump and
Vice President Vance.
This attack is a clear example of the dangers of
surveillance back doors. This should concern everyone. I've
long had concerns about the CLOUD Act and the bilateral
agreements it enables that could allow foreign governments to
spy on Americans.
Given the recent actions by the U.K., I am concerned that
the CLOUD Act is failing to adequately protect the privacy and
security of Americans.
In the wake of the U.K.'s order, I have called on this
administration to act decisively to protect Americans'
communications.
I continue to urge our government, including the Justice
Department, to evaluate whether the CLOUD Act and our agreement
with the United Kingdom are working as intended.
If they are not, we should renegotiate the agreement to
ensure that our rights are protected, and we should do so by
invoking the 30-day termination clause.
After years of senior U.S. Government officials pushing for
weaker encryption and surveillance back doors, it seems the
tide has shifted. Indeed, after the Salt Typhoon hack, our
government publicly recommended the use of end-to-end encrypted
communications tools.
Director of National Intelligence Tulsi Gabbard stated at
her confirmation hearing that back doors lead down a dangerous
path that can undermine Americans' Fourth Amendment rights and
civil liberties.
This hearing provides an opportunity to build on the
momentum toward greater respect for privacy and evaluate
whether and what changes are needed to ensure Americans' rights
are protected.
I'm looking forward to hearing from our witnesses today--
and, again, thank you for being here--and discussing how we can
best move forward.
I now recognize the Ranking Member, Mr. Raskin, for his
opening statement.
Mr. Raskin. Mr. Chair, thank you very much. Welcome to our
witnesses. I appreciate your being here with us.
Living in the digital age in America means that much of our
connection with other people takes place over the internet. We
message with friends and family and coworkers over our cell
phone apps, we store documents in the cloud, and we share
materials over email.
The end-to-end encrypted services promise that no one--not
Apple, not Google, not the government, Federal, State, or
local--can access the messages that we send. These platforms
are increasingly counted on by users wishing for the privacy of
a protected face-to-face conversation in the new era of
technology that we inhabit.
Imagine pulling out your phone, opening up an app you've
been told is secure, and sending a message to a friend. Now,
imagine learning that the app is not end-to-end encrypted as
promised. Instead, the government has ordered the service
provider to make its security weaker so the government can
demand access to your message. Imagine the government told the
platform that they couldn't tell a soul about this arrangement.
Well, that's exactly what the United Kingdom secretly
ordered Apple to do recently, and that's the reason that we're
here today.
Requiring Apple to secretly build a so-called back door
into its Advanced Data Protection service would make users'
end-to-end encrypted documents no longer secure as expected.
Law enforcement officers, not just in the U.K. but also in the
U.S., could demand Apple produce users' content and metadata
from the cloud and cybercriminals would be able to exploit this
system weakness introduced by the back door to target Americans
for espionage, consumer fraud, and ransomware.
Back doors to encrypted technology are not capable, as the
Chair said, only of letting good guys in while keeping the bad
guys out. Back doors are intentionally designed weaknesses in
an encrypted technology's mathematical formula.
These design weaknesses can be exploited by foreign
governments seeking to compromise our national security, steal
our intellectual property, and monitor us in our daily lives
and workplaces.
Congress passed the CLOUD Act in 2018 to allow for data-
sharing agreements between the U.S. and countries that meet
required standards. Through its negotiated agreement with the
U.S., U.K. law enforcement can access nonencrypted data
transmitted by U.S. providers that is relevant to their law
enforcement recommendations.
While secret orders like the Technical Capability Notice
the Home Office placed on Apple have nothing to do with the
data-sharing agreement or the CLOUD Act, they are only
worthwhile to the U.K. because of the data that is made
available through the agreement.
I, for one, believe that the CLOUD Act and the U.S.-U.K.
data-sharing agreement thus far have been beneficial both to
U.S. companies and to our country. I also believe that forcing
companies to circumvent their own encrypted services in the
name of security is the beginning of a dangerous slippery
slope.
I look forward to hearing from the witnesses as to what, if
anything, we need to do to change to prevent future similar
orders against other companies.
Some argue that privacy is passe, yesterday's news. Cookies
monitor which websites we click on, our devices already track
every step we take, and data brokers take anonymized data and
reidentify it in portfolios available to the highest bidder.
I disagree with the idea that privacy is no longer valuable
or meaningful to the American citizenry. In a country where
visa holders are being detained simply for opinions that they
have expressed or an op-ed they wrote, where criticism of the
administration can result in a visit from the Secret Service,
and where the staff of Members of Congress can be arrested and
handcuffed just for doing their jobs, Americans' security from
government intrusion has never been more urgent or important.
The deluge of ways new technology enables the government to
spy on their citizens makes it even more important that
Americans stand up to increases in State surveillance.
Thomas Jefferson wrote in 1788 that,
The natural progress of things is for liberty to yield and
for government to gain ground.
Well, we have to resist that natural tendency.
A week ago, the Trump Administration announced it would
hire Palantir to consolidate Americans' data into dossiers on
all U.S. citizens.
The plan to use Palantir's Foundry project to organize and
analyze data across agencies into one big, beautiful dossier is
chilling. It's the beginning of an effort to create a national
citizen database, which would be vulnerable to manipulation,
not just by outside actors, but by inside political actors.
From bank account numbers and student debt totals to
medical claims and disability status, the administration today
is taking information that was previously siloed into different
categories, as required under the law, and using it to create
one big, beautiful surveillance apparatus that can be used to
crush resistance, to profile Americans, and to silence dissent.
We're here today to discuss the CLOUD Act. I recognize
this. We should also recognize none of these issues exist in a
vacuum. All government surveillance curtails all citizens'
liberties.
It is not always immediate. Often it is a slow decay and
erosion. Every chip in our civil liberties foundation brings us
that much closer to a government that no longer has its
foundational and necessary ideological checks against total
control of the citizenry.
Surveillance databases like the one contemplated by the
Trump Administration remain the stuff of science fiction and
authoritarian governments, not a reality for a country founded
on the principles of democratic self-government and freedoms
and rights for the people.
In the case of the U.K. order, we can start with an easy
first step. We don't need legislation to pass in the divided
House or frozen Senate. The Trump DOJ can just do its job.
The U.S. should not sit idly by and watch the Home Office
issue perhaps more secret orders against U.S. companies. Thus
far, that's exactly what the DOJ has done. I sincerely hope
that we move quickly to change that.
I thank Chair Biggs and Chair Jordan for holding a second
bipartisan surveillance hearing, and I look forward to working
across the aisle with my friends as we prepare for the
expiration of FISA Section 702 next year.
I yield back to you, Mr. Chair.
Mr. Biggs. The gentleman yields back. Thank you.
I now recognize the Chair of the Full Committee, Mr.
Jordan, for his opening statement.
Chair Jordan. No opening statement. I just want to thank
the Chair for having this hearing, thank our witnesses for
being here, and appreciate the remarks by both the Chair and
the Ranking Member on this subject and the Ranking Member's
reference to the work we have to do as 702 and the FISA come up
for reauthorization less than a year from now.
With that, I would yield back to the Chair, and again thank
our witnesses for being here.
Mr. Biggs. I thank the Chair. The Chair yields back.
Without objection, all other opening statements will be
included in the record.
I'll now introduce today's witnesses.
With us today is Professor Susan Landau. Ms. Landau is a
Professor of Cyber Security and Policy in the Department of
Computer Science at Tufts University. Professor Landau's
research focuses on privacy, surveillance, cybersecurity, and
law.
She has previously worked or held faculty appointments at
Google, Sun Microsystems, the Worcester Polytechnic Institute,
the University of Massachusetts Amherst, Wesleyan University,
the National Academies of Sciences, Engineering, and Medicine,
the National Science Foundation, and the National Institute of
Standards and Technology.
Welcome, Professor. Thank you for being here.
Ms. Caroline Wilson Palow. Ms. Wilson Palow is the Legal
Director and General Counsel at Privacy International, a
nonprofit organization based in the U.K. Ms. Wilson Palow leads
the organization's legal advocacy and advises its programs on
legal strategy and risk.
Prior to joining Privacy International, she was an attorney
with Wilson, Sonsini, Goodrich & Rosati, where her practice
focused on privacy and intellectual property.
Thank you for joining us. Thanks for coming all this way,
too.
Mr. Richard Salgado is the founder of Salgado Strategies, a
consulting firm that advises clients on geopolitical,
cybersecurity, and surveillance issues. He also serves as a
lecturer at both Harvard Law School and Stanford Law School.
Mr. Salgado previously was the Director of Law Enforcement
and Information Security at Google for more than 13 years,
worked on international security and law enforcement compliance
at Yahoo! and served in the Department of Justice.
Thank you, Mr. Salgado, for being with us.
Mr. Gregory Nojeim is a Senior Counsel and Director of the
Security and Surveillance Project at the Center for Democracy
and Technology, a nonprofit organization that advocates for
civil rights and civil liberties in an increasingly digital
world.
He previously served as the Associate Director and Chief
Legislative Counsel of the ACLU's Washington office, where he
focused on the civil liberties implications of terrorism,
national security, and information privacy legislation.
We welcome all of you. Thank you for being here today.
We will begin now by swearing you in. Would you please rise
and raise your right hand?
Do each of you swear or affirm under penalty of perjury
that the testimony you are about to give is true and correct to
the best of your knowledge, information, and belief, so help
you God?
Let the record reflect that the witnesses have all answered
in the affirmative.
You may now be seated. Thank you.
I want you to know that we've read your--I don't know, I
won't guarantee everybody--but I've read your statements, and
those will be entered into the record in their entirety.
Accordingly, we ask that you summarize your testimony in five
minutes.
At four minutes, the light should go yellow before you.
When it's almost five minutes, I will just tap this a little
bit so you'll know it's time to kind of wrap up. I don't want
to cut you off too much, but we do want to remind you of that.
We thank you so much for being here.
Now, Professor Landau, I recognize you for your five
minutes.
STATEMENT OF SUSAN LANDAU
Ms. Landau. Thank you, Chair Biggs, Ranking Member Raskin,
and the Members of the Committee, for the opportunity to
testify today.
I have no need to remind you of the damage caused by Salt
Typhoon. I want to touch on the hackers' access to the
databases of wiretap targets. This enabled the Chinese
Government to learn which spies we had discovered.
It appears to have been made easier by the technical
requirements and mandates imposed by the Communications
Assistance for Law Enforcement Act. Introducing such access to
complex systems--and communication systems are complex
systems--increases security vulnerabilities.
At the same time, the Salt Typhoon hackers could not read
communications sent through WhatsApp, Signal, or on Apple's
network. These were end-to-end encrypted, as the Chair
mentioned, a form of cryptography which, as long as the
communications device itself has not been hacked, only the
sender and receiver can read the encrypted communication.
We all use end-to-end encryption daily. You almost always
use it when you visit a webpage, you always do when you're
sending credit card information. You use it on Signal, on
WhatsApp, on multiple other applications.
Apple's Advanced Data Protection secures users' files by
treating them as end-to-end encrypted messages sent from the
user to themselves. Files are delivered when the user downloads
them.
Meanwhile, they reside on the iCloud. Since only the user
has the encryption key, the files cannot be decrypted while
stored in the iCloud.
It is a terrific form of security. If there is ever a
breach of the iCloud, the user's data is secure.
Who needs it? All of us. Journalists. Human rights workers.
Members of civil society organizations. The latter are
particularly targeted by Russia and China. Remote workers.
Businesspeople while traveling. Members of your family with
files they'd like to keep private, like healthcare proxies,
wills, and financial information. Members of your staff. All of
us.
Around the time the U.S. Government loosened export
controls on encryption back in 2000, the NSA began encouraging
wider use of strong encryption domestically. The FBI was less
enthusiastic and began pressing about ``Going Dark,'' its
increasing inability to understand communications and later
read files due to encryption.
The issue came to a head with the San Bernardino case
involving a locked iPhone. Unable to open the device due to
Apple's security protections, the FBI and DOJ sought to have
Apple undo those protections.
Doing so was not nearly as straightforward as the FBI
sought to portray. Requests for access were likely to be
frequent, while information on obtaining access had to be
stored for both legal and technical reasons. This created a
serious security vulnerability and Apple refused to do it.
The case ended, by the way, when an FBI consultant was able
to unlock the device.
The real point, though, is whether you're looking at CALEA,
the 2016 fight over the locked iPhone, or the purported app the
U.K. Technical Capability Notice served on Apple, these
attempts at mandating lawful access to be built into complex
communication systems create vulnerabilities in these systems.
That's dangerous for Americans and for U.S. national security.
Protecting the private data of Americans is a critical
aspect of protecting U.S. national security. This is because
protecting the private communications of a CEO's son-in-law,
the files of an American who has family working in China, the
draft research papers of a graduate student in genomics who has
not yet filed a patent on her work, is protecting both the
individuals and the economic and national security of our
Nation.
That's why former NSA Directors Mike McConnell and Michael
Hayden, former DHS Secretary Michael Chertoff, former FBI
General Counsel Jim Baker, and multiple other national security
and law enforcement leaders support widespread public use of
end-to-end encryption.
It is why the Chair mentioned the joint guidance of the
governments of Australia, Canada, New Zealand, and the United
States, post-Salt Typhoon, recommended that end-to-end
encryption be used whenever possible for communications traffic
to the maximal extent possible. By refusing to sign, the U.K.
is a real outlier. It has become a ``Four Eyes'' statement.
Apple's advanced data encryption protects people's data. It
is an important and needed technology. I urge you to ensure
that the U.K.'s efforts to improve its own investigatory
capabilities do not come at its expense.
The technology that Apple developed protects our national
security and the security and privacy of ordinary Americans. It
should be widely used and widely available. Please ensure that
it continues to be so.
Thanks very much.
[The prepared statement of Ms. Landau follows:]
Mr. Biggs. Thank you. Now, I recognize you, Ms. Wilson
Palow, for your five minutes.
STATEMENT OF CAROLINE WILSON PALOW
Ms. Wilson Palow. Thank you, Chair Biggs, Ranking Member
Raskin, and the Members of the Subcommittee. Thank you for the
opportunity to testify today on behalf of Privacy
International.
I'm here to tell you about a troubling surveillance power
that allows the United Kingdom's government to secretly order a
U.S. company to undermine the security, privacy, and free
speech rights of Americans.
Indeed, due to the global reach of U.S. companies, these
orders threaten the security and fundamental rights of users
worldwide.
This power can be found in the U.K.'s Technical Capability
Notice regime, which is part of the Investigatory Powers Act of
2016.
Under this law, the U.K. can order a telecommunications
service provider to build or modify its systems so that in the
future the U.K. can access data on those systems through other
lawful processes, such as warrants authorizing the interception
of content or overseas protection orders permitted under the
CLOUD Act. More on that later.
I have provided a more detailed description of these
notices in my written statement. In brief, the most salient
aspects of them are that they are ill-defined, secret, and
extraterritorial. American companies subject to a U.K. order
cannot reveal even its existence to U.S. officials and
oversight bodies, much less users, investors, or anyone else
who plays a crucial role in vetting the legality and wisdom of
such notices.
Why are we concerned about a U.K. surveillance power
affecting American companies? Because these notices can be
given to companies outside of the U.K. so long as the company
offers, provides, or controls services used by people in the
U.K. This small nexus is sufficient for the U.K. to demand a
company change its systems worldwide, affecting all its users,
whether in the U.K., the U.S., or elsewhere.
We are here today because in February The Washington Post
revealed that a U.S. company, Apple, received a secret notice
requiring it to undermine the security of its Advanced Data
Protection service, as Professor Landau has described, which is
an optional security feature for Apple's users providing end-
to-end encryption of iCloud storage that only the iCloud user,
not Apple itself, can unlock.
The Washington Post reporting and the significant press
followup have provided us with a potentially unique opportunity
to have a public debate about a specific application of these
types of orders because of their inherent secrecy.
Seizing this opportunity, my organization, Privacy
International, has filed a case challenging the notices regime
at the U.K.'s Investigatory Powers Tribunal. Apple has
filed a similar challenge.
Privacy International is devoting significant resources to
opposing the Apple order because it exemplifies the potential
for the notice regime to have far-reaching consequences that
threaten our security and rights. That is because it appears
that Apple has been ordered to deliberately weaken an end-to-
end encrypted service.
We are concerned that this means that these notices now
being used against encryption services in the U.K. will not
stop with Apple.
My understanding from technical experts, including
Professor Landau, is that it is technologically infeasible to
have both effective end-to-end encryption and mechanisms for
third-party access, which the U.K. seems to be demanding.
That is because to enable such third-party access creates
an inherent vulnerability that can be exploited by bad actors,
including hostile states and criminal networks.
That is why government security and privacy experts on both
sides of the Atlantic, including in the U.S., the U.K., and the
EU, strongly recommend using end-to-end encryption.
If the U.K. Government succeeds in maintaining this order
against Apple, it is likely further such orders targeting end-
to-end encryption may follow. Other American companies, given
their global reach, will be targets.
Notices might also be used to force a company to do many
other things that can undermine our security, such as sending
false security updates or refraining from fixing a
vulnerability in its systems.
Considering the notices regime's significant impact on
fundamental rights and American companies, questions have been
raised about the interaction of these orders with the CLOUD
Act.
In some ways, the notices regime and the CLOUD Act operate
independently of each other as the U.K. claims the ability to
serve an order directly on a U.S. company, irrespective of the
CLOUD Act.
The CLOUD Act itself steers clear of encryption with the
Department of Justice declaring the act ``encryption neutral.''
Once a U.S. company is ordered to create a back door in its
end-to-end encrypted services, the U.K. could then serve a
production order on that company for information that would
have been previously inaccessible, tying the notices regime and
the CLOUD Act back together.
These secret orders also significantly impact fundamental
rights, such as privacy and freedom of speech, and the CLOUD
Act was intended to protect these rights, as well as U.S.
companies.
The only other country with a CLOUD Act data access
agreement, Australia, also has a Technical Capability Notices
regime. The European Union, which is negotiating a data access
agreement, has been considering measures that would undermine
end-to-end encryption.
More countries therefore might soon be targeting U.S.
companies and undermining the security and privacy of their
users worldwide while also taking advantage of CLOUD Act
processes. This clearly raises the question of whether the
CLOUD Act's encryption neutrality is truly sustainable, which I
suspect my fellow panelists are now eager to answer.
Thank you.
[The prepared statement of Ms. Wilson Palow follows:]
Mr. Tiffany. [Presiding.] Thank you, Ms. Wilson Palow. Now,
I'd like to turn to Mr. Salgado.
You have five minutes for your testimony.
STATEMENT OF RICHARD SALGADO
Mr. Salgado. Thank you, Mr. Congressman. Thank you, Chair
Biggs, Ranking Member McBath, Chair Jordan, and Ranking Member
Raskin, for inviting me here today to participate in this
hearing on these important issues and for your leadership on
this.
My name is Richard Salgado. The Chair summarized my more
than 35 years of experience as a lawyer, mostly dealing with
government surveillance and network security issues.
It was almost exactly eight years ago that I testified
about the need for changes that were ultimately included in the
CLOUD Act and signed into law by President Trump in 2018. I'm
honored to be here again now that we've gained some experience
with the act and the agreement that the U.K. entered pursuant
to it.
Even in these relatively early days, it's clear that the
act provides a framework for advancing U.S. interests and
public safety. It underscores the importance of finalizing
agreements with Canada, the European Union, and beginning
negotiations with other countries.
Deeply concerning is the report by The Washington Post in
February that the U.K. is secretly seeking to compel Apple to
disable a global security feature in one of its products to
expand its surveillance capabilities. It also illustrates the
value of the CLOUD Act framework.
When a foreign government coerces an American company to
compromise or withhold security protections intended to
safeguard users worldwide, the impact reaches everyone,
including Americans. The harm is magnified when such mandates
are imposed in closed, secret proceedings with outcomes
concealed.
These actions threaten core U.S. interests in cybersecurity
and erode the global competitiveness of American technology
providers in the light of serious competition from China.
If there is still a real debate about whether security
should yield to government surveillance, it doesn't belong
behind closed doors in a foreign country. It shouldn't be
settled in secret proceedings run by foreign officials and with
outcomes unknown even to the U.S. Government.
The debate belongs in public, before the U.S. Congress, led
by officials elected by the American people, acting with the
interests of this country at heart. It must be decided here,
not imposed there.
Regardless of the outcome in the reported Apple matter,
which we may never know, this experience reflects the broader
threat of foreign efforts to covertly undermine the security of
products and services offered by American companies. We are now
tasked with identifying and implementing solutions.
Fortunately, the CLOUD Act provides an ideal framework for
this. The CLOUD Act provisions at issue today were enacted to
address problems created by U.S. blocking statutes.
Before the act, U.S. providers were broadly and
presumptively barred from disclosing certain user data to
foreign governments, even when the request came from a
jurisdiction that respects human rights and the rule of law and
in a legitimate case.
As a result, countries had to rely on diplomatic tools,
like Mutual Legal Assistance Treaties, which are often too slow
in practice. Frustrated, some would resort to unilateral
measures to circumvent U.S. law, including tactics that
undermine security.
The CLOUD Act addresses this by conditionally lifting the
blocking statutes for any country that qualifies for and signs
an Executive agreement with the U.S. To qualify, a government
must demonstrate respect for civil liberties and due process,
among other requirements.
Once an agreement is in place, a U.S. provider may honor
data requests from that country without risking running afoul
of the blocking statutes.
With a few surgical changes, the CLOUD Act is well-suited
to address the U.K.'s reported actions and similar moves by
other foreign governments. I have outlined several improvements
in my written testimony and will briefly summarize only a few
here.
First, the U.S. Government should press the U.K. to end its
reported effort against Apple and commit to refraining from
similar actions against other American companies. That
commitment should be a condition for continued participation in
the agreement.
Second, Congress should amend the CLOUD Act to declare
cybersecurity a national interest that, like free speech, must
be respected.
Third, Congress should require that to qualify for an
agreement a foreign government must not impose surveillance or
antisecurity obligations on American companies.
With these targeted changes and a few others, the act can
better advance cybersecurity and help American companies
continue offering trusted, secured services worldwide. We
should treat the lamentable U.K. episode as a lesson and
improve the act. Too much is at stake otherwise.
Thank you for the opportunity to discuss these issues.
[The prepared statement of Mr. Salgado follows:]
Mr. Tiffany. Thank you, Mr. Salgado. Mr. Nojeim, you have
five minutes for your testimony.
STATEMENT OF GREGORY T. NOJEIM
Mr. Nojeim. Thank you so much, Acting Chair Tiffany,
Ranking Member Raskin, and the Members of the Subcommittee.
My name is Greg Nojeim and I direct the Security and
Surveillance Project at the Center for Democracy and
Technology. I'm proud to say that our awesome intern class is
here and showed up.
Thank you for identifying yourselves.
Mr. Tiffany. Welcome.
Mr. Nojeim. The CDT is a nonprofit, nonpartisan
organization. As the Chair mentioned, we defend civil rights,
civil liberties, and democratic values in the digital age.
We're calling on Congress to act with the DOJ to protect
the privacy and security of Americans' data against threats
from countries that benefit from CLOUD Act agreements.
Congress enacted the CLOUD Act in 2018 by tacking it onto
the end of a 2,322-page omnibus spending bill. It empowers the
DOJ to enter into Executive agreements without congressional
approval with foreign countries through which the U.S.
providers can disclose user data from storage and in real time.
Disclosures are made directly to foreign states under the laws
of the foreign State, and the U.S. warrant requirement that
would otherwise pertain does not apply.
The U.K. has availed itself of this opportunity in spades,
issuing over 20,000 demands under the CLOUD Act. In contrast,
the U.S. has issued 63.
The benefits of the agreement to the U.S., while real, are
limited. CLOUD Act agreements are supposed to preserve the
privacy of Americans and of other people in the United States.
The foreign country cannot target those people with CLOUD Act
orders.
Things haven't quite worked out as Congress planned.
Instead, the U.K. has ordered Apple, as the other witnesses
have said, under the authority of U.K. law, not under the
authority of the CLOUD Act, to build in a back door to its
encrypted cloud backup service so Apple can fulfill the U.K.'s
CLOUD Act demands.
If Apple had fully complied, it would have compromised the
communications security of its users in the U.S. and worldwide.
The U.K. law, the TCNs, are super-extraterritorial. The
U.K. authorities can issue orders on companies headquartered
outside the U.K. and order them to alter their equipment that
is outside the U.K. so they can wiretap people who are outside
the U.K.
We don't know how many other U.S. providers have received
one of these orders. If they have received one, they are gagged
and can't say so.
Other countries assert authority to compel this type of
provider assistance. Australia is the only other country to
have a CLOUD Act agreement. It has a law similar to the
U.K.'s, but it includes a vague exception that may protect
encryption.
Canada, which is negotiating a CLOUD Act agreement with the
U.S. right now, has a provision almost identical to the
Australian law provision.
Acting Chair Tiffany, if you are an iPhone user and you go
to London and you try to back up your iMessages with the cloud
backup service that Apple provides, you wouldn't be able to do
it in encrypted form. The reason you wouldn't be able to do it
is because Apple has withdrawn that service from the U.K. under
the pressure of this order that it's received.
The U.K. would have Apple withdraw the service worldwide or
compromise its protections so that no matter where you went,
even to your office next door in the Cannon Building, if you
downloaded your iMessages you wouldn't be able to protect them
with encryption.
This situation is intolerable. The DOJ and Congress should
put an end to it by taking three steps.
First, the DOJ should invoke Article 12.3 of the agreement
and declare that it is ineffective with respect to CLOUD Act
orders issued to a provider that has received an order like the
one served on Apple. Such a declaration would have an immediate
effect.
The DOJ should also persuade the U.K. to publicly withdraw
the order to Apple, under threat of terminating the agreement,
unless the U.K. agrees. This has the benefit of a negotiated
result with more predictable public effect that sends a message
to other countries that seek CLOUD Act agreements.
Finally, Congress should back up the DOJ by amending the
CLOUD Act to prohibit CLOUD Act agreements with countries whose
laws or practices permit such orders and to require CLOUD Act
agreements--that they explicitly prohibit such orders.
We look forward to working with you on such solutions.
[The prepared statement of Mr. Nojeim follows:]
Mr. Tiffany. Thank you, Mr. Nojeim. We are now going to
proceed under the five-minute rule with questions.
First, I would like to recognize the gentleman from Texas,
Mr. Nehls.
Mr. Nehls. Thank you, Mr. Chair. Thank you to all the
witnesses that are here today. I want to start posing a
question to all of you. In your opinion, does the CLOUD Act and
the Executive agreements we have under it with the U.K. and
Australia sufficiently protect American communications from
foreign surveillance? Please explain why or why not.
I'll start with you, Mr. Salgado.
Mr. Salgado. No, they do not, and for several reasons. The
primary one that the U.K. matter exposes is that they don't do
anything to dissuade a foreign government from imposing
technical capabilities like we've seen in the U.K., but a whole
host of other potential efforts undermine security--back doors,
contaminated apps.
There is a whole host of things that a creative
investigator could come up with, all that undermine the
security of American services. Now, it would also compromise
Americans' data. The CLOUD Act is a framework that we could use
to protect that.
Mr. Nojeim. I agree with that. We are focused today on the
security risks that the CLOUD Act actually incents countries
that have product agreements to demand of U.S. providers.
There's a lot of improvements that could be made to protect
Americans.
One improvement would be to make it so that the U.S.
providers could at least tell their government when they
receive an order, like the one served on Apple, that this has
happened. Apple is gagged not only from telling the world it
received an order, but it can't even tell its home country.
Mr. Nehls. You mentioned there were 20,000 requests.
Mr. Nojeim. The 20,000 of these--
Mr. Nehls. We were at 63.
Mr. Nojeim. Yes. It's imbalanced, it's imbalanced.
Mr. Nehls. Yes. Thank you. Ms. Wilson Palow?
Ms. Wilson Palow. I would agree with my fellow witnesses. I
would just add and reemphasize that the CLOUD Act is designed
when engaging in Executive agreements with these other
countries to make sure that these countries have a surveillance
regime that respects privacy and other rights, and clearly the
U.K. is not following that here with the TCN, the Technical
Capability Notice.
It is obviously a huge invasion into privacy. It is
breaking all our security by targeting end-to-end encryption.
It undermines our potential free speech rights because of the
way that end-to-end encryption can be used by so many to
communicate, by opposition groups around the world, by human
rights defenders in really tough circumstances. I would say
that the U.K. is not really in the spirit of the act at the
moment.
Mr. Nehls. Professor?
Ms. Landau. This is mostly a law and policy question, but I
will pose a technical version of it, which is that in the 1990s
the U.S. Government proposed an encryption scheme for digital
communications--digital voice communications--in which the keys
would be stored with two agencies of the Federal Government.
This did not go over well. It didn't go over well with
industry, it didn't go over well with foreign countries, and it
didn't go over well with buyers. When AT&T implemented it, the
product did not get bought.
Now, imagine that the U.K. requires that encryption use
keys that are stored with the U.K. Government. As far as I can
tell--and the lawyers to my right can correct me if I'm wrong--
but I don't see anything in the CLOUD Act that would prohibit
such a thing. Yet, of course, no American company, no American
who has any private business would want to use encryption where
the keys are stored with the U.K. Government.
Mr. Nehls. Mr. Salgado, does the CLOUD Act, do our
agreements under it pose an undue or unfair burden on U.S.
companies? Why or why not?
Mr. Salgado. I don't think they impose an undue burden,
other than that the companies, as Mr. Nojeim pointed out, are
barred from disclosing these things that are coming to them.
The CLOUD Act isn't there to protect them from that. It is
a good vehicle for that so that they can tell the U.S.
Government. Really Congress ought to have much more information
than is provided through the current reporting mechanism.
Mr. Nehls. Yes. Could the U.K., this Technical Capability
Notice to Apple, aggravate that burden?
Mr. Salgado. It could and I think it has. I think you see
the situation with Apple where they seem unable to comment on
this.
Mr. Nehls. What happens if other countries now, they all
follow suit with this?
Mr. Salgado. Yes, that's the problem. It just continues
with more and more. Especially if it goes unaddressed by the
U.S., that just creates an invitation to continue doing things.
Mr. Nehls. I have about 25 seconds left.
Do you have any recommendations for future Executive
agreements or amendments to the CLOUD Act to lessen that burden
on U.S. companies?
Mr. Salgado. I do. There are several of them laid out in my
witness testimony.
First and very simply, we should have a declaration in the
agreement that network security and cybersecurity is an
essential interest, which is a diplomatic term of art, just
like free speech and some others, that carries weight with it.
We can also put some in the conditions to get an agreement,
some restrictions on the type of technical surveillance
capabilities that partner countries would be allowed to
provide, among other changes.
Mr. Nehls. Thank you all for being here. I yield back.
Mr. Tiffany. The gentleman yields. I now turn to the
Ranking Member, Mr. Raskin, for his five minutes of
questioning.
Mr. Raskin. Thank you, Mr. Chair.
Mr. Nojeim, what is the argument on the other side? What is
the U.K.'s interest in doing this? Is there some other way to
vindicate their interest, other than the construction of the
back door?
Mr. Nojeim. Their argument would be--first, I think they
should be at this table and answering your questions.
That the argument would be that they need access to
communications content to fight crimes and prevent crimes. That
they would say, ``Well, our interest in getting access trumps
the privacy interests of everybody in the world.'' That is what
they would have to say.
Mr. Raskin. Yes. To transpose it to the domestic context,
it would mean that the government would have access to all our
private conversations, not just technologically, but in person,
at a restaurant, walking in the park, right? Because there
might be some information they want to get.
Mr. Nojeim. You might have heard some in law enforcement
argue that they are going dark because of encryption.
This is the golden age of surveillance. There has never
been more human thoughts available to law enforcement agencies
around the world in the history of mankind than today. They get
it from social media, they get it from data brokers, they get
it from all kinds of sources.
Mr. Raskin. Thank you. Professor Landau, could you take us
through the Salt Typhoon hack on the telecom providers and show
us why that episode underscores the importance of creating
strong security?
Ms. Landau. Sure. None of the technical details have been
released by the U.S. Government, so this is a certain amount of
speculation. We do know that the telecommunications network,
the phone network, has some insecurities.
One of the important aspects of the phone network is that
the way that the phone systems interoperate used a model of
trust where each of the phone companies knew each other and
there were few phone companies and that worked fine.
We don't have a few ISPs, we have thousands of ISPs, we
have tens of thousands of ISPs. Way back when ISPs started
carrying phone calls--for example, E911, Voice over IP, and
there was a requirement, an appropriate requirement by the
government to have the ISPs interop, interconnect with the
phone system so that when somebody dials a 911 emergency call
the phone system can then locate where that person is.
The problem is that ISPs--as we all know, the internet has
a great number of insecurities. The hackers use the
insecurities that are caused by that interconnection. At the
technical level I don't know all the different pieces.
When you send a message, when you text, if you're texting
over the phone line as opposed to texting via iMessage or an
app that encrypts, if you're texting over the phone line then
your message is not encrypted. Once the hackers were into the
phone system they could read texts.
The CALEA more greatly centralized wiretaps. It used to be
wiretaps were done at the phone's central office, the office
five miles down from my house or three miles down from my
house. They are now more centralized.
A city will have only a few CALEA sites. If you only have a
few sites and you're in the phone system and the hackers are in
the phone system, they can more easily access it.
There are all sorts of pieces that were not thought through
carefully.
Mr. Raskin. Thank you very much.
Ms. Wilson Palow, so the so-called Technical Capability
Notice, which is the euphemism, I suppose, for creating this
gaping backdoor entryway into communications, contained a
provision that the order itself was secret.
I wonder--first, what purpose did that secrecy condition
serve for the government? What does that do to civil liberties
and people's reasonable expectations of privacy?
Ms. Wilson Palow. First, the purpose. Again, I'm
speculating because the U.K. Government also has maintained
total secrecy around why this order exists.
Mr. Raskin. They have got secrecy around secrecy.
Ms. Wilson Palow. Yes, secrecy around secrecy, exactly.
The U.K.'s general idea is that--and this is actually not
just in the case of TCNs but certain other, broader powers like
interception--is that it really heavily tries to protect the
technical capabilities that it has.
By making this order entirely secret, it means that users,
others, can't know whether or not there is a back door in a
service that is being targeted. The U.K. would say that's
necessary for national security.
It completely undermines the ability of everyone else,
including Congress, including oversight bodies around the
world, including users and concerned civil rights advocates--
civil liberties advocates--from being able to question whether
or not this is an acceptable violation of our privacy and
security.
Mr. Biggs. [Presiding.] The gentleman's time has expired.
Thank you.
I apologize. I was having a vote in another Committee that
is, like, a mile away; I had to go do that vote. I apologize
for missing some of your testimony. I apologize.
I now recognize the gentleman from Wisconsin, Mr. Tiffany,
for his five minutes.
Mr. Tiffany. Mr. Chair, I was happy to pinch hit.
Ms. Wilson Palow, one requirement of the CLOUD Act to enter
into these agreements is it has to be part of the convention on
cybercrime. Is that correct? That's my understanding.
Ms. Wilson Palow. Yes, I believe so, although actually some
of the other witnesses may be able to answer that better than I
could.
Mr. Tiffany. With that being the case, that convention also
includes countries like Turkiye and South Africa. While the
concern is being most pointed toward the U.K., and perhaps
appropriately so, Turkiye and South Africa aren't exactly
exemplars of protecting people's civil rights.
Should we be concerned about this extending beyond the
U.K.?
Ms. Wilson Palow. Certainly. One of the most concerning
aspects of this Technical Capability Notice regime is, of
course, the U.K. claims to be able to serve the notice actually
entirely outside of the CLOUD Act provision.
Even if a country like Turkiye or South Africa did or did
not negotiate an agreement, an Executive agreement under the
CLOUD Act, if they had a similar regime in place, as long as
that's not blocked by the CLOUD Act or some other U.S. law
provision, they similarly could serve these types of notices on
U.S. companies and may have much less respect for rights, as
you suggest.
Mr. Tiffany. Mr. Nojeim, do you have a comment in regard to
what I just asked in the comments here?
Mr. Nojeim. A lot could be done to ensure that the U.S.
doesn't enter into agreements with countries that don't respect
the rule of law.
For example, the CLOUD Act does not have a requirement that
the U.S.--that the country's laws require that there be even
judicial authorization of surveillance. That seems like a very
basic requirement and yet it's not in the CLOUD Act.
Mr. Tiffany. It strikes me as I sit here and as we once
again see that we have spies among us from China and the
surveillance that's gone on, a spy balloon that flew over our
country a few years ago, are we whistling past the graveyard of
China freedoms that--aren't they the greatest threat here?
Mr. Nojeim. China poses a huge cybersecurity threat to the
United States. If countries like the U.K. can force our
providers to disarm by removing encryption protection, then we
are more vulnerable to that kind of surveillance and that kind
of attack.
Mr. Tiffany. You're saying that we would benefit by
amending the CLOUD Act to make sure that it's not abused by the
U.K., but perhaps other countries also. Is that what you're
saying?
Mr. Nojeim. Yes. Think of the CLOUD Act requirements in
three buckets.
There are the criteria that the country's laws and
practices must meet. You could include a new one for protecting
encryption.
There are criteria that the agreement must include things
that the agreement must say. Right now, the statute says that
the agreement has to be silent on encryption basically. It
should say it has to protect encryption.
Then, there's requirements about what the orders can and
can't do. Amendments in those three buckets could protect
encryption.
Mr. Tiffany. Mr. Salgado, were you with Google in 2018 when
the CLOUD Act was enacted into law?
Mr. Salgado. I was, yes.
Mr. Tiffany. In reading your testimony, I get the
impression that you were a strong advocate for the CLOUD Act at
that point. Is that right?
Mr. Salgado. That's true.
Mr. Tiffany. Now coming to us saying it needs to be
changed.
Did you sense in 2018 that there should be--that we should
be really concerned about--that we were giving away too much
with that CLOUD Act in 2018? Did you have any concerns at that
time?
Mr. Salgado. I did. There were some changes to the CLOUD
Act I would have liked to have seen or some provisions I would
have liked to have seen added. There wasn't anything quite on
the horizon that we have with the U.K. now.
Yes, there were some things that I thought we could do
better with the CLOUD Act. It was pretty good as it was passed
and it's been valuable, but it could use a tune-up.
Mr. Tiffany. This is going to be a pointed question.
It seems to me we have Google and Apple that are the
subjects of this, in particular Apple, and we look at them in
China and how they go about doing their business where they
have basically, in my terms, they have capitulated to the
Communist Chinese Government.
How do you reconcile that as someone who is a former
executive with Google?
Mr. Salgado. I'm not sure I totally understand the
question. It may be better directed to somebody who is
currently at Google who could explain that further.
Mr. Biggs. I'm sorry, but the gentleman's time has expired.
Mr. Tiffany. I yield.
Mr. Biggs. Thank you. The Chair now recognizes the
gentleman from North Carolina, Mr. Knott.
Mr. Knott. Thank you, Mr. Chair. I appreciate the topic of
today's important hearing.
To the witnesses, I enjoyed speaking with you briefly
before the hearing. Again, thank you for making the trip to
Washington to discuss this important issue.
It's one that's largely unknown on a technical and a
practical level to many in this country, even in Congress. This
issue is one that I assume will be abused by foreign
governments and/or criminal actors, and hopefully there is a
distinction still between those.
Take the U.K., for instance, a country with a proud history
of protecting liberties, of respecting the rule of law,
adhering to due process, bedrocks of Western civilization.
That country today has protected and built a surveillance
State. They spy on their own citizens. They arrest people for
posting various things online. They monitor their own citizens'
public communications and public posts. It's something that's
quite concerning.
Under this particular issue that we're discussing today, I
do want to know, just technically speaking, Ms. Landau, can you
just explain to us how the communications that are covered that
we're discussing today, how they are collected, how are they
are stored, and then how they can be accessed in the future?
Ms. Landau. The current Google architecture says that if I
have three devices that I've made fit this advanced data
protection, that when I upload something to the iCloud, it's
essentially a message that I am going to send to myself because
I might pick it up on another one of my devices.
I have encrypted it end to end, all my devices know the
encryption key, and I authenticate to the devices before I
pull it down from the iCloud. It's just hanging out in the
iCloud, hanging out, hanging out.
Apple doesn't have the key, nobody has the key, just I have
the key. That's the protection for it.
Mr. Knott. Is the U.K. seeking to collect the data of two
parties who are exclusively in the U.K. or is it looking to
protect--OK, explain.
Ms. Landau. Well, you're probably better set.
Mr. Knott. Ms. Wilson Palow?
Ms. Wilson Palow. Yes. With this Technical Capability
Notice they are seeking to open up a back door, so an option to
collect data. Then under other surveillance powers that they
have, they can collect data from anyone in the world. They have
both outward-facing powers and inward-facing to the U.K.
Mr. Knott. Then hypothetically, let's say in the future or
present, could Federal law enforcement request information from
a foreign country like the U.K. to receive communication files
that involve American correspondence?
Ms. Wilson Palow. Yes, I believe that is possible, although
I may defer that to some of my other panelists who better
understand the American regulations, because I think there are
some prohibitions.
Mr. Knott. I'm not talking about regulations. I'm talking
about--
Mr. Nojeim. Practically? Yes.
Mr. Knott. Practically speaking, that action would be
feasible, correct?
Ms. Wilson Palow. That's right. Because the U.K. absolutely
will have Americans' data in the intelligence that it collects.
Mr. Knott. It could also be reasonable to assume this is a
bypass of Fourth Amendment protections potentially if it was
motivated by the wrong actors, correct?
Ms. Wilson Palow. Again, it potentially could be. In theory
there is the possibility.
Mr. Nojeim. If I could add something here. May I?
Mr. Knott. I was getting ready to go to you. Yes, sir.
Mr. Nojeim. The statute wouldn't permit the U.S. to task
the U.K. to listen in on an American. That order would be
illegal under the statute.
Mr. Knott. Sure.
Mr. Nojeim. What happens is Americans communicate with
people outside the United States all the time.
Mr. Knott. It doesn't permit it, but it enables it.
Mr. Nojeim. It enables it through this kind of incidental
collection. You're familiar with this through the 702 program.
If I'm talking to a foreigner abroad who's the target of
the U.K. surveillance order, served on Apple, my communications
will be collected as well, and then there's rules about when
those communications can be shared back to the United States.
Mr. Knott. Right. Let me follow up with that.
You mentioned earlier this is the golden age of
surveillance. What are ways that you believe the CLOUD Act
could be reformed to ensure that imminent threats are able to
be identified and stopped without eroding the civil liberties
protections that we're discussing?
Mr. Nojeim. In addition to requiring that foreign country
have judicial authorization, there ought to be a rule that
people get notice when they've been surveilled. We have that
rule in the United States. You don't get notice that happens
before the investigation has finished, you get notice when it's
done.
Mr. Knott. Yes.
Mr. Nojeim. That would go a long way. Also, transparency
and the ability of providers to tell their own government that
they've received an unlawful order.
Mr. Knott. My time has expired, Mr. Chair. I yield back.
Mr. Biggs. The gentleman yields back. For entry into the
record a letter from Reform Government Surveillance.
Without objection, so ordered. I now yield to the Chair of
the entire Committee.
Chair Jordan. Thank you, Mr. Chair.
Mr. Nojeim, should the U.S. Government have to get a
warrant before they search the 702 database on an American?
Mr. Nojeim. Absolutely.
Chair Jordan. Yes. You were just there. This, the issue
we're talking about today, I think even underscores and
highlights that reason, because as you point out, the U.S.
Government, we spy on foreigners all the time. OK, fine, good.
I think that's appropriate.
They pick up all kinds of information on Americans. Then
that giant haystack of information gets searched using an
American's phone number, email address, or name.
If you're going to do that, go to a separate and equal
branch of government, get a warrant, and show that you have a
reason to do so.
Mr. Nojeim. Yes. That's an essential reform and that
Congress shouldn't reauthorize Section 702 unless it achieves
that reform.
Chair Jordan. Well, we almost achieved it last year. Last
Congress we lost the vote 212 to 212. I'm hoping we win it this
time. Mr. Salgado, do you think that's a good change that we
need to make?
Mr. Salgado. It's not only good, it's constitutionally
mandated. It's also good public policy.
Chair Jordan. No kidding. How about Ms. Wilson Palow, do
you think so?
Ms. Wilson Palow. Yes, I would agree.
Chair Jordan. Professor, do you agree?
Ms. Landau. Absolutely.
Chair Jordan. Wow. This is amazing. This is amazing. We all
think we should follow the Constitution and require a warrant
if you're going to go search Americans' data.
I am hopeful. This is one of the things that we can get
bipartisan support on in this Committee and actually get it. We
had it last Congress. Unfortunately, we didn't have quite the
votes we needed.
This issue just highlights it even more why that is
necessary. Again, I want to thank you all for coming today.
I would yield. I appreciate the gentleman from New York
allowing me to go and the Chair for doing so. I yield back the
balance of my time to the Chair.
Mr. Biggs. The gentleman yields.
I now recognize the gentleman from New York, Mr. Goldman.
Mr. Goldman. Thank you very much, Mr. Chair.
You raised a very interesting point, Chair Jordan: Wanting
to make sure that a warrant is obtained to search Americans'
data.
I recognize we're focused on the CLOUD Act, and it's an
important issue. I don't dispute that. In the times we're in
this seems quaint and intellectual, academic discussion. In
reality, what we're dealing with is an administration--current
administration--that is trying to categorize, gather, and
streamline data of Americans with access by a private company.
Now, let me explain a little bit, and I want to ask some
questions.
Many of you, I am sure, have heard of Palantir, which is a
large data company, has a lot of connections to Elon Musk, to
DOGE. In March, Donald Trump issued an Executive Order that
would increase the sharing of all unclassified data between and
among Federal agencies. It directed agency heads to authorize
and facilitate both the intra- and interagency sharing and
consolidation of unclassified agency records.
Now, a New York Times report in May outlined in great
detail how the President has employed Palantir to carry out
this Executive Order, essentially to merge all data from all
different Executive Branch agencies into one single database.
Now, it's unclear who would control that database, who
would have access to it, what searches would be done, and there
seem to be no guardrails about that.
Another New York Times article says that the
administration--that this database would have 314 different
points of data about every American. Literally every American
314 various categories of data will be consolidated into one
database by a private company, Palantir.
Now, my colleagues on the other side of the aisle often
express concern about government surveillance, about ensuring
that we get search warrants in the context of 702, which is a
small universe of already obtained information that we know are
communications with people of interest from foreign
nationalities.
Here, we just have every American's data put into one
database with no guidelines and no restrictions. We don't know
what Palantir is doing. We don't know what DOGE is doing. We
don't know what Elon Musk is doing. It essentially creates a
one-stop shop for all Americans' data, which, as we're talking
about cybersecurity, I'm sure you all agree that creates a
tremendous cybersecurity risk if China or Russia were to hack
this.
Now, the Chair of this Committee has said in the past,
quote, ``Congress has struggled''--of this Subcommittee, Mr.
Biggs--``Congress has struggled for four years with a corrupt
Presidential Administration''--meaning the Biden
Administration--``that further expanded the opportunities for
the government to spy on its citizens.''
There was nothing in the Biden Administration that
approximates this collection of data, this opportunity for the
government to spy on its citizens.
I'm not even talking about breaking laws under the Tax Code
and sharing tax information with immigration enforcement
agencies. I'm not even talking about sharing tax information or
Social Security Administration information. This is just every
piece of data that is out there in the government's control
consolidated with one private company in one database.
I would ask my friend, Chair Biggs, to think about whether,
if you are truly worried about government surveillance, why are
we not doing any oversight of Palantir, its contracts with the
government, its consolidation of all Americans' personal
information into one database, and the cybersecurity risks? I
really hope, in all seriousness, that you will do oversight
over that if you do truly care about government surveillance of
citizens.
I yield back.
Mr. Biggs. The gentleman yields back. Now, I yield myself
five minutes.
Mr. Goldman. Mr. Chair, could I--sorry--introduce two
unanimous consent requests?
Mr. Biggs. Yes.
Mr. Goldman. Thank you. One is an April 9, 2025, New
York Times article entitled, ``Trump Wants to Merge Government
Data. Here Are 314 Things It Might Know About You.''
The other one is a May 30, 2025, New York Times
article, ``Trump Taps Palantir to Compile Data on Americans.''
Mr. Biggs. Without objection. Thank you.
Mr. Goldman. Thank you.
Mr. Biggs. Again, thanks to the witnesses for being here.
I'll yield myself now five minutes.
So, Mr. Salgado, in your written statement you said one
should take little solace in the provisions of the CLOUD Act.
``First, they will still allow for incidental and inadvertent
collection of Americans' data, subject to certain minimization
requirements.''
Can you expand on that for me, please?
Mr. Salgado. Sure. We touched on that a little earlier in
the hearing, specifically Mr. Nojeim's reference to inadvertent
and incidental collection where the U.K. can use the CLOUD Act
to obtain data from American companies and, inadvertently or
incidentally, that data could include U.S. persons' data or
data about people in the United States.
As I mentioned in the written testimony, there are
restrictions on the U.K. and its use and dissemination of that
information, and it has some minimization requirements, which
is a phrase you may be familiar with from Section 702 and FISA
generally. That's what I was referring to.
Mr. Biggs. That's what I thought you were referring to. One
of the things that I find interesting about that is, having met
with the U.K. Home Office within the last six weeks, I am
concerned about their processes on what they actually do and
their transparency--or lack of transparency--with this
incidentally collected data. That's part of the problem that we
have with the 702 application as well.
Ms. Wilson Palow, you indicated that you disagree that the
U.K.'s safeguards are as robust as they claim, but that is
beside the point because your concern about TCNs is that, once
a back door is created, States with far less stellar records on
human rights, such as Russia and China, could seek similar
access through legal process.
You've talked about that a little bit. I'd like you to
expand on that. Then, ask each of the Members of the panel to
also expand on that.
Ms. Wilson Palow. Certainly.
Once this back door is built, once end-to-end encryption is
broken, any State using their legal process--no matter whether
or not it is retrospections as we would hope it would be--can
then ask Apple for access to this data, because once it's
broken it's not just broken for the U.K. to access the data or
for the U.S. to access the data, any country could request it.
A lot of countries have surveillance regimes that would allow
them to make these sort of requests.
Mr. Biggs. It isn't just countries that would request it.
It's also rogue actors that might be able to access those back
doors as well, right?
Ms. Wilson Palow. That's exactly right.
Mr. Biggs. Rather than ask each of you to expand on that,
what I'm going to ask instead is, my position would be that
DOJ, without immediate transparency and opening up of the
process--the TCN that's going on with Apple--that they
immediately issue the 30-day termination notice. That's just my
position.
Does anybody there agree with me on the panel?
Mr. Nojeim. That would be a good tactic. They could issue
the notice. They say we're going to terminate in 30 days unless
you withdraw this order to Apple. I think that makes a lot of
sense.
Mr. Biggs. Yes. It's a leverage point. Yes. Professor?
Ms. Landau. I absolutely agree.
Mr. Biggs. Anybody? Mr. Salgado?
Mr. Salgado. No, I don't disagree with that at all. There's
a lot of negotiating strategies here. This agreement is
important to the U.K., and I think they would come to the
table.
Mr. Biggs. Ms. Wilson Palow?
Ms. Wilson Palow. I agree that this is an important moment
to pressure the U.K. because, if we don't push back now, then
the U.K. may issue many more of these orders in the future
entirely in secret and we won't know about them.
Mr. Biggs. Yes. That's my point, is that it's hanging out
there. We don't know enough about what's happening. The legal
term is penumbra--there's a penumbra of information floating
around out there that we hear about, but we need to nail it
down and really take action on it.
The next step is--and I'm going to ask each of you this. We
have a minute left; so, you each have about 15 seconds. What
two things do you think we need to do to improve the CLOUD Act?
I'll start with you, Mr. Nojeim.
Mr. Nojeim. Amend it to make it so that no such order can
be issued by another country that gets one of these agreements.
Amend it to make it so that a country can't get an agreement
unless its laws prohibit such orders.
Mr. Biggs. Thank you. Mr. Salgado?
Mr. Salgado. I would adopt Mr. Nojeim's and add two more,
one being that the providers be allowed to notify the U.S.
Government when they receive orders under this act or Technical
Capability Notices; and that Congress receive more frequent
reporting from the Department of Justice on the operation of
the acts that are in place.
Mr. Biggs. The oversight. Yes. Ms. Wilson Palow?
Ms. Wilson Palow. I would adopt Mr. Salgado's and Mr.
Nojeim's recommendations.
Mr. Biggs. Thank you. Professor?
Ms. Landau. I would adopt all three recommendations.
I would add that, as Mr. Salgado mentioned earlier,
cybersecurity and network security be part of the criteria in
deciding whether or not to enter into an agreement.
I don't disagree with privacy being fundamental and
important, but I think there's a really strong lever about
cybersecurity and network security that should be used.
Mr. Biggs. Thank you so much. We've exhausted our time,
which is a crying shame because there's so much more to get at
with this subject.
I appreciate each of you and your testimony. It's important
testimony.
This is an important--here's the thing about Congress. If
there was a bunch of money on the table, this room would be
filled and everybody would be here. On this type of issue--
which is actually critical to the country and national
security--you see what happens. It's a sad, sad revelation
about the U.S. Congress today.
We appreciate all of you being here. Thank you so much. We
will undertake your recommendations and move forward with those
very much. Thank you.
We are adjourned.
[Whereupon, at 11:17 a.m., the Subcommittee was adjourned.]
All materials submitted for the record by Members of the
Subcommittee on Crime and Federal Government Surveillance can
be found at:
https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=118335.