February 14, 2025

Wyden Releases Draft Bill to Secure Americans’ Communications Against Foreign Surveillance Demands

Bill Fixes Loopholes in Flawed U.S. Law Used to Demand Apple Build Backdoors for iCloud Accounts, Putting Americans’ Security at Risk

Washington, D.C. – U.S. Senator Ron Wyden, D-Ore., today released a discussion draft of the Global Trust in American Online Services Act to secure Americans’ communications against abusive foreign demands to weaken the security of communications services and software used by Americans.

The bill reforms the CLOUD Act, which permits foreign governments to make surveillance demands directly of U.S. companies rather than going through the U.S. legal system.

“Foreign governments shouldn’t get a cheat code to undermine the security of American technology,” Wyden said. “My bill would fix the loopholes in the CLOUD Act, and modernize the law so American allies can request the information they need to investigate serious crimes without sacrificing the security of Americans’ communications services.”

According to news reports, the United Kingdom issued a secret order to Apple last month, directing the company to weaken the encryption protecting its iCloud backup service. The U.K. was apparently able to secretly issue the order to Apple, rather than seeking assistance from the Department of Justice (DOJ) because of the CLOUD Act. Wyden and Representative Andy Biggs, R-Ariz., urged Director of National Intelligence Tulsi Gabbard to demand the U.K. withdraw its order in a letter on Thursday.

The CLOUD Act, enacted in 2018, enables foreign countries to obtain data directly from U.S. firms, bypassing the U.S. legal system once they enter into an agreement with the Justice Department. However, the CLOUD Act failed to require foreign countries to adopt the same due process requirements long guaranteed under U.S. law, enabling foreign governments to demand that U.S. technology companies weaken the security of products used by Americans and putting global trust in U.S. firms at risk.

The Global Trust in American Online Services Act addresses serious flaws in the CLOUD Act, to ensure that U.S. technology companies can continue to maintain the trust of their international customers, and that the U.S. can compete globally as a safe place for data. The legislation would:

  • Prevent foreign governments from using the CLOUD Act to require U.S. providers to adopt specific designs for products, reduce the security of a product, or deliver malware to a customer.
  • Allow U.S. providers to challenge foreign CLOUD Act orders in U.S. federal court.
  • Require Congressional approval of CLOUD Act agreements rather than the current disapproval mechanism, and enable oversight by requiring that each agreement sunset after five years rather than lasting indefinitely.

The draft bill is available here. A one-page summary of the bill is available here.

###