This post is the latest installment of our “Monday Reflections” feature, in which a different Just Security editor examines the big stories from the previous week or looks ahead to key developments on the horizon.
Two big legal developments last week—a court opinion and a legislative proposal—mean the pressure is on to address the question of when law enforcement can seize personal information stored in other countries, known as cross-border data acquisition. This issue may sound a little arcane, but its resolution will affect privacy, criminal justice, and innovation for years to come. When you use the Internet, do you enjoy the privacy protections of your home country’s laws, or of no country’s laws? (The answer may surprise you!) How can governments obtain the information they legitimately need to find criminals and conduct valid intelligence operations when the data is held in another nation and/or by an American company? What should companies do if the privacy standards in the country where they are holding the data are far more stringent than those of the country asking for the data? Where there’s a conflict of laws, must and should companies give governments information for investigations of things that are legal in the US like homosexuality (illegal in India), talking trash about the king (illegal in Thailand), and holocaust denial (illegal in France)?
Last Thursday, a panel of the Second Circuit Court of Appeals ruled unanimously that Microsoft need not comply with a US government warrant for emails stored on an Irish server. The issue was whether a warrant issued under the Stored Communications Act (SCA) could be applied extraterritorially to seize data in another nation, and whether it was an extraterritorial act to require a Microsoft employee in the United States to enter the database commands that would call the responsive data from Ireland back to the US. The panel held that warrants do not have extraterritorial effect. Further, it considered the warrant as executed in Ireland, where the data was located. Since warrants can’t command searches or seizures outside US borders without explicit authorization from Congress, the warrant was null and void and Microsoft did not have to comply.
I was surprised by the Microsoft Ireland decision. My view was that the seizure of the data takes place in the US and therefore the warrant would not be exercised extraterritorially. My view was not adopted by the Second Circuit. It wasn’t the first time and it won’t be the last. But the opinion isn’t very clear on why the court thinks that the execution takes place in Ireland where the data is, and not in the US where a Microsoft employee is served with the warrant, or where she places her fingers on the keyboard to extract the responsive information, or where the law enforcement official ultimately reviews the data.
The record was silent on the nationality of the target of the investigation. It’s a big obstacle if US law enforcement can’t get information about a US person for a US investigation from a US company just because that company decided to store the data outside the US. The police would likely have to make a request through that nation’s mutual legal assistance treaty (MLAT) provisions, which can take months. But it might make sense to require the US to go through the courts of another country if the target is a foreign national that the other government would want the US to respect whatever privacy safeguards provided to that person by his own nations’ laws. (More about this later.)
Another question is whether US authorities can continue to use the provisions of the Electronic Communications Privacy Act (ECPA) that authorize warrantless access to data to obtain information stored outside the US. For example, ECPA provisions allow access to some kinds of transactional data (session data but not electronic communications transaction records) and subscriber information with a subpoena with notice. Further, email 180 days old or older and, the concurring judge controversially suggests, messages that have been read, can be obtained with an order or subpoena. Can these procedures, less privacy-protecting than a warrant, be enforced extraterritorially? The majority suggests not:
“[O]ur Court has never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, has a protectable privacy interest in the item.”
Indeed, the majority goes further, calling into question the so-called third party doctrine, a DOJ theory that information held by service providers and other data custodians is not protected by the Fourth Amendment because people have no expectation of privacy in information others can access. The theory is premised on two cases, Smith v. Maryland, involving phone numbers dialed, and United States v. Miller, involving bank records. Contrary to DOJ canon, the majority says that the records in Miller have nothing to do with email content. The government goes too far, says the majority, to assume that it could ever enforce a subpoena for email content given how different the role of the service provider is as compared to a bank or other traditional subpoena recipients. (p. 37) In other words, while it is generally accepted (outside the DOJ at least) that communications content doesn’t lose Fourth Amendment protection due to the third party doctrine, the Second Circuit appears to go further here and suggest that metadata, too, could be protected by a warrant requirement.
Did Privacy Win?
Ultimately, it’s unclear to me whether this opinion is a privacy-friendly outcome, though that is certainly how the panel majority seemed to view their task of interpreting the SCA. I say this because other countries generally have surveillance laws that are less, not more, privacy-protecting than US law. European readers might prefer that Ireland consider whether to authorize the search. If so, I’d like to hear why because the US’s warrant requirement and our wiretapping procedures—when they apply—are generally comparatively stringent. Further, the US has written laws that curtail domestic intelligence gathering, where many European nations do not.
So to my mind, the more privacy-friendly outcome would be if the search were found by the court to be taking place in the United States, if not also in Ireland. That is because US law imposes more constraints on US officials acting inside the US. Outside the US, the Fourth Amendment does not apply to law enforcement searches targeting foreign nationals (see United States v. Verdugo-Urquidez). Searches targeting citizens must be “reasonable”, and though courts have split on what reasonableness means, they have uniformly held that these investigations do not require a Fourth Amendment search warrant. Further, US intelligence agencies are generally more constrained by FISA when conducting surveillance from inside the US Even section 702, the controversial law behind the NSA’s PRISM program, is more privacy protective than the executive order under which most overseas intelligence gathering takes place. As a matter of ensuring constitutional and statutory privacy protections, the public might prefer a ruling that says the search takes place in the US.
An Incentive for Data Localization?
Another huge policy questions lurks here. Will the Microsoft Ireland case encourage other nations to push for data localization? If the mere fact that data isn’t stored in the US means US law enforcement can’t get at it, will that incentivize other nations to demand their citizens data be stored outside the US, and in their own countries? These data localization demands, which began in earnest after the Snowden disclosures, often have public support. But, citizens mistakenly believe that the best way to protect themselves from snooping would be to keep the data out of the US. That’s wrong as a matter of intelligence law—the US has far less regulation of intelligence gathering that takes place overseas. Meanwhile, other nations’ less regulated intelligence agencies are happy to have their citizens’ data within closer reach. Nevertheless, if putting foreigners’ data outside the US imposes meaningful barriers to US law enforcement access, we’ll likely see increased demand for localization.
Data localization is not demonstrably good for privacy, and it’s bad for innovation. Perhaps established Internet giants like Google, Facebook, and Twitter can afford to build or rent data centers around the world—and figure out how to allocate their users data to them. But data localization is a huge expense to smaller businesses and start ups. Further, establishing jurisdiction based on the location of data is a real regulatory problem. Where nations’ laws conflict, which nation do you have to comply with? If your users’ data is everywhere “in the cloud”, you need to reduce the number of legal regimes you have to answer to. However, as Andrew K. Woods points out over at Lawfare, this isn’t necessarily a problem for Microsoft:
This data-location-centric test is a welcome one if your network is structured around state lines – as, for example, a telephone network might be, or like Microsoft’s country-specific cloud in Germany. But such a rule hurts firms that structure their network largely independent of state lines and that maintain that the data is either located in the US or “somewhere in the network” – firms like Google and Facebook. In a number of disputes around the world, US firms have argued that their data is in the US, even if it is really pinging around a globally distributed network, because they rely on a control test to determine jurisdiction. This case rejects such a test and thereby gives a competitive edge to firms, like Microsoft, that have built networks along country lines.
Ultimately, this decision may have more impact on Internet innovation than it does on preserving privacy.
The Future of Mutual Legal Assistance
These hard problems raised by the Microsoft Ireland case are behind the current push to update or reform mutual legal assistance processes, or MLA. The hope is that reforming that process will keep foreign requests for data on track and under the rule of law. The reform proposals range from the modest—improved tracking, training and funding under the current MLA Treaty (MLAT) regimes—to the more dramatic.
Congress sent one dramatic–potentially cataclysmic–“solution” to the MLA problem to the Obama Administration on Friday around 5:00pm Eastern time. Thanks, guys! The legislative proposal is the result of negotiations between the British and the Americans permit UK-based law enforcement to quickly obtain stored communications and wiretaps directly from US-based providers without going through the MLAT process. (Surveillance law expert David Kris has a description of the provisions here.)
Ultimately, the idea is to reform the Electronic Communications Privacy Act (ECPA) to allow companies to disregard it if they receive a surveillance order from select foreign governments that have entered into executive agreements with the US. The US Attorney General must certify to Congress (and that certification cannot be challenged in court) that these countries’ surveillance regimes are up to standard substantively and procedurally—even if they are less protective than US law. If so, foreign authorities won’t have to comply with US standards for obtaining a search warrant or a wiretap warrant in order to get stored communication or conduct live communications intercepts.
That’s a shame for Americans, since our data will inevitably get turned over as part of this surveillance. The proposal mirrors the FISA Amendment Act section 702 in that it prohibits directly targeting Americans as well as the pretense of targeting foreigners in order to obtain American data. We are only beginning to learn from the Snowden documents and the ongoing debate over section 702 how ineffectual the purported “no targeting” safeguards have proven to be—independent investigation shows over half of section 702 collected data is from, to, or about Americans—and the government is nevertheless allowed to search and use it. Further, most nations, including the UK, provide even less protection for non-citizens’ privacy than the US does. That means that US providers will give foreign governments private data with less protection than Americans currently receive. It may also be a shame for foreigners. If certifications are easy to come by, the new statute punts on even the weak provisions of ECPA and does nothing to raise the privacy-level for the vast majority of Internet users.
The Microsoft Ireland case and the legislative proposal for foreign law enforcement access means there’s a fire under Congress to do something to ECPA. ECPA was passed in 1986, and Congress could not have fully understood the privacy implications, or the jurisdiction implications, of the Internet at that time. There have been ongoing attempts to modernize ECPA to make it clear that law enforcement needs a search warrant based on probable cause before it can read our email or track our physical location—though these have not progressed in Congress. Now, with the investigatory barriers imposed by the Microsoft Ireland case and this new legislative proposal, Congress will likely take up ECPA again, with an eye to a more thorough overhaul.
The Microsoft Ireland case may be a short-term victory for privacy advocates, but its larger implications are far more complex. The policy and legal decisions made in its wake will determine whether the opinion is ultimately an advancement of or a blow to privacy and innovation on a global Internet.