Congress has, once again, used the must-pass budget bill to ram through unpopular legislation that fundamentally changes how the internet works.

The omnibus government spending bill is nominally supposed to be used to, well, authorize the government to spend money. It is one of the few pieces of legislation that must pass every year, otherwise the government shuts down. Because Congress is dysfunctional and rarely votes on any “clean” pieces of legislation, every year the spending bill becomes unwieldy as lawmakers tack on their pet legislation. The thinking is that, even if a piece of legislation doesn’t have enough votes to pass on its own, it can pass in the spending bill, because voting against it would mean voting to shut the government down.

This is how we end up with the CLOUD Act, a bill that never had a hearing, never had its own vote on the floor of Congress, and was never marked up by legislators. It has absolutely nothing to do with government spending, and yet, if President Trump signs the spending bill, it will become the law of the land. This is the same process that allowed Congress to pass the Cybersecurity Information Sharing Act, a bill that was subjected to years worth of online and in-person protests and was highly unpopular. But because few lawmakers are willing to shut down the government over your privacy, these unpopular bills have become laws.

The CLOUD Act is a surveillance bill that allows the US and foreign governments to obtain your online data directly from service providers like Facebook, Google, Slack, etc., without a warrant. The EFF has called it “a new backdoor around the Fourth Amendment.”

It allows the US to obtain data from servers in foreign countries without complying with those countries’ laws, and allows the president to make agreements with foreign nations that allow those countries to grab data stored in the US without a warrant—as long as that data pertains to a non-US individual. As we’ve seen with NSA surveillance in the past, however, our data is so intertwined that it’s impossible to separate the data of non targets from those who are subject to targeted surveillance.

“When foreign police use their power under CLOUD Act executive agreements to collect a foreign target’s data from a U.S. company, they might also collect data belonging to a non-target U.S. person who happens to be communicating with the foreign target,” the EFF wrote.