For tech companies, walking the line between cooperating with law enforcement and protecting user data privacy is a lingering headache, and the Supreme Court’s decision to review the matter in United States v. Microsoft Corporation isn’t likely to provide much relief.
Balancing the mandate of law enforcement with the right to personal privacy was the same problem at play in last year’s dispute between the FBI and Apple. The FBI and Department of Justice lawyers, remember, tried to compel Apple to create a custom hack to break into the iPhone used by San Bernardino shooter Syed Farook.
It’s a problem that will keep recurring, because law enforcement and the tech sector don’t see eye to eye in the U.S.—and now, in the Microsoft case, the debate is extended to (the very different) data privacy standards of foreign countries.
Facts Of The Case
The current dispute arose when the Department of Justice obtained a regular search warrant to seize the email of a drug trafficking suspect from Microsoft servers located in Ireland. Microsoft holds, and a Second Circuit court of appeals unanimously agreed, that the DOJ needs more than just a domestic search warrant to compel Microsoft to hand over the email.
The DOJ’s warrant was issued under a 1986 law called the Electronic Communications Privacy Act (ECPA). The debate is whether ECPA can be used as a basis for a warrant that reaches across national borders to obtain digital evidence.
The Second Circuit rested its opinion largely on a 2010 Supreme Court decision in Morrison v. National Australia Bank, citing a “longstanding principle of American law that legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States.” Nor could the court find cases where the Stored Communications Act (SCA) had been used as a basis for seizing property held overseas.
Disregarding the location of the data, the Justice Department argues that because Microsoft stored the data on a foreign server for its own business reasons, and because the company has the power to retrieve the data if it wants to, it should have to comply with the warrant.
But it’s not that simple, says Cooper Levenson attorney and data security expert Peter Fu. “The problem is, whenever a company brings customer records back to the U.S.–even if it’s the records of a U.S. customer–the cross-border transfer of data often triggers European privacy law.”
A Moving Target
The fact that the Supreme Court would even take the case is remarkable, points out John Elwood, writing in the SCOTUS official blog Tuesday. That’s because the high court almost never hears cases where the lower court wasn’t split in its decision (the Second Circuit’s three-judge panel was unanimous in Microsoft’s favor). Only when SCOTUS views the case to be extremely important will it grant cert, Elwood writes.
Regardless of which way the Supreme Court comes down on the issue, lawyers will still be arguing about how old laws should apply to more complex digital property disputes in the 21st century. SCOTUS will be giving guidance on how to apply one law. But others can be used as a basis for obtaining a search warrant.
We’ve seen in recent years that law enforcement agencies are willing to use even the most obscure and arcane laws to underpin their search warrants. “Every year, a different U.S. Attorney’s office will inevitably attempt to apply centuries-old laws to digital age issues,” Fu says.
The Department of Justice lawyers in the San Bernardino case asked a federal district court justice to issue an order under the All Writs Act–a legal statute that dates back to 1789–compelling Apple to devise a hack to the phone. Apple objected to the order, and the FBI eventually withdrew it.
The ECPA, which supplements the Stored Communications Act (SCA), dates back to 1986, a few years before the internet began remaking culture, business, and our conception of property rights. The writers of the law, therefore, were certainly ill-equipped to write language foreseeing the rightful seizure of digital property stored on an “extraterritorial” server.
“Current laws don’t adequately support the needs of law enforcement anywhere in the world or protect our rights,” wrote Microsoft president and chief legal officer Brad Smith in a blog post. The high court’s decision won’t create a single law that lays out a single set of rules for tech companies and law enforcement agencies.
The natural solution, then, would be to take the problem out of the courts and let Congress establish a new set of data-transfer rules that balance the mandate of law enforcement to protect the public with personal privacy rights in the digital age.
A couple of bills, in fact, are now making the rounds in Congress. In July, Senators Orrin Hatch (R-Utah), Chris Coons (D-Delaware), and Dean Heller (R-Nevada) reintroduced a bill called the International Communications Privacy Act (ICPA) of 2017. Representatives including Darrell Issa (R-California) and Suzan DelBene (D-Washington) introduced a House version of the same bill.
ICPA provides law enforcement agencies with a legal process to use when trying to access user data on foreign servers as evidence. It also provides a system for notifying the governments of foreign countries like Ireland when it’s required by international law.
“Wherever we have like-minded countries with similar laws on privacy we should have an agreement that is sensitive to those countries’ laws,” says BSA/Software Alliance global policy VP Aaron Cooper, “and where law enforcement would have to give notice to the foreign government so that they could make an objection if that was warranted.”
Cooper is confident the ICPA will make it to the president’s desk, and will be signed. “Given that senators from both parties are behind these bills, I don’t see the partisan politics affecting the outcome,” he says.
Cooper Levenson’s Fu is less hopeful. A new law passed now might not have much staying power, he says. “Congress is in a position to do it, but I think we are in such political extremes right now that any new law will likely be attacked or severely limited when the next regime comes in.”
Tech companies don’t categorically object to providing user data to law enforcement when it’s really needed. Fu says what his clients object to is the legal uncertainty about when and how to do so. It creates lots of extra work for everyone involved, he says, causing headaches for risk managers, compliance officers, and tech company CEOs alike.
Here in the tech bubble, we tend to side with tech companies when it comes to disputes with the government over their obligation to share user data. This view was fostered by the Patriot Act, strongly reinforced by the NSA revelations of Edward Snowden, and reinforced again by the Apple case last year–thanks in no small part to the conduct of FBI director James Comey and the DOJ attorneys.
But, as Fu points out, there are times when law enforcement legitimately needs to quickly collect digital evidence from overseas servers. Terrorist organizations are real, and data is the oxygen of their organization around the world. The Microsoft case involves a suspected drug trafficker, but the Supreme Court decision could easily affect the DOJ’s ability to follow the digital trail of a terrorist.
The Core Problem
The underlying problem in the Microsoft case is that these days data is spread around on servers all over the world. The personal data of a Saudi Arabian customer of a Danish tech company might be stored on a U.K. server, and become the target of a warrant granted by a U.S. court. The data are just tiny collections of electrical impulses stored on magnetic media or transmitted instantaneously over wires or air to anyplace in the world. Yet data touches so many people, places, companies, and jurisdictions around the world–each with different ideas about security and privacy.
Within the U.S., we can default to federal law when the laws of two states come into conflict in a case. Not so when the privacy rules of two countries come into conflict. “There’s really no international government to look to for guidance, and as such, the execution of international search warrants within and outside of the U.S. is a highly inefficient process,” Fu says.
In the Microsoft case, the DOJ is advocating a privacy protection threshold that’s in conflict with the one being espoused by a multinational tech company and a country–Ireland. (Ireland filed an amicus brief supporting Microsoft’s case in the appeal, along with a bunch of big tech companies.)
Fu says it would be extremely difficult or impossible to create a set of privacy rules that would be sensitive to the privacy positions of all countries involved. Countries around the world have very different approaches to digital privacy rights. Western European countries require more robust protections for personal data compared to the U.S., for instance.
In the absence of multilateral agreements, Fu says, countries use bilateral agreements called Mutual Legal Assurance Treaties (MLATs) to govern cross-border data transfers. But these are problematic for law enforcement because following their rules turns a request for evidence data into a tedious, labor-intensive, months-long affair–even in time-sensitive national security cases.
To get around this, law enforcement agencies sometimes work directly with their foreign counterparts, which set up a joint or parallel investigation of the same crime in their own jurisdiction. So the U.S. FBI might make a request for documents on servers in the U.K. by working through MI5, and vice versa.
So the Microsoft case is a legal tug-of-war over the power and reach of a search warrant. It has nothing to do with law enforcement retrieving evidence at this point.
“This appears to be the DOJ attempting to forgo the informal agency-to-agency channels and instead, reinterpret the Stored Communications Act to cover all data controlled or possessed by U.S. companies held abroad,” said Fu of the Microsoft case. If the DOJ is successful, it would be necessary for U.S. law enforcement to use an MLAT only when it was trying to access data residing on foreign servers owned by non-U.S. companies, Fu said.
The case is like a bad movie that forthrightly leaves the door open for a bad sequel. Win or lose, law enforcement attorneys will likely continue pushing the international reach of warrants in the absence of an overarching set of rules.
That will naturally put law enforcement in conflict with tech companies, the keepers of the data. And that’s where we are right now. “The fog of war is so dense that we are shooting at each other instead of helping each other,” Fu says.
“And nobody wants to do this,” he concludes. “We’re investing all this time and money interpreting out-of-date law, when in reality, tech companies want to be selling technology and law enforcement agencies want to be out prosecuting bad guys.”