This is cross-posted at ACSblog, as part of their symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).
Tomorrow, the Second Circuit will hear arguments in the almost two-year old dispute between Microsoft and the government over emails stored extraterritorially. Earlier, I opined (in discussion with Orin Kerr) on the statutory questions raised by the case. The purpose of this post is to focus on the policy issues. And viewed solely from a policy perspective, neither position—Microsoft’s nor the government’s—is satisfying.
For those unfamiliar with the case, the dispute started in December 2013, when the government served a warrant on Microsoft, compelling the production of certain emails. Microsoft refused to comply, arguing that the emails were stored in Ireland, that the government’s warrant authority does not extend extraterritorially, and that therefore the warrant was invalid. But so far its fight has been unsuccessful. Both the magistrate and district court judge sided with the government: Because the data could be accessed and controlled from Microsoft employees operating within the United States, the warrant was territorial, not extraterritorial; it is therefore valid.
While often described as a “privacy case,” that’s not really what the case is about. The government is, after all, proceeding by a warrant based on a finding of probable cause. No one suggests that compelled production would be a privacy violation if the data were stored in the United States. It does not become a privacy violation simply because the data is stored in Ireland. That said, the case has major privacy implications. The case raises fundamental questions about sovereignty and jurisdiction in an increasingly interconnected world, with key privacy rights—and related free speech and associational rights—turning on the answer to those sovereignty and jurisdictional questions. It reflects a new world order in which State A can compel the production of data located in State B, with neither the government agent or the company employee querying the data ever leaving State A. And the case poses key questions about who does—and should—control access to the data in such a situation—State A or State B?
If Microsoft wins, that means data, rather than corporate, location controls. But as I explain at length in a forthcoming article (The Un-Territoriality of Data, to be published in The Yale Law Journal this fall) there are two key problems with this position. First, it simply doesn’t make sense for data location to be determinative of the rules that apply. Data is highly mobile, divisible, and generally subject to third party control. Data’s mobility makes data location a highly unstable and potentially fleeting basis of jurisdiction. Its divisibility means that relevant data (particularly when one starts considering large databases) may not even be housed in a single location, but partitioned and spread across multiple jurisdictions. And the fact of third party control means that the data owner (the person with possessory interest in the data) often has no idea of the path by which his or her data travels from place to place or where it is being stored at any given moment—and thus has not made a conscious choice to bind him or herself to that jurisdiction’s rules. As a result, data location turns out to be an often arbitrary and unstable determinant of jurisdiction. It is not at all surprising that law enforcement officials (not just in the Microsoft case, but around the world) chafe when they can’t compel the production of sought-after data, simply because it happens to be stored outside their territory.
Second, and relatedly, if jurisdiction turns on location, this provides a strong incentive to data localization. If Microsoft wins, governments will be incentivized to require that their citizens and residents store their data locally, so as to ensure jurisdiction over—and thus access to—the data. If successful, this will have significant costs to the efficiency and effectiveness of the Internet as a whole.
Conversely, the government’s position is also flawed, arguably creating more problems than it solves. It marks the beginning to the end of sovereign control over privacy within its borders. The United States is not the only government asserting broad authority to compel data, wherever located. The United Kingdom says that it can compel companies to produce data, wherever located, so long as the company is operating in its jurisdiction. Brazil has considered similar legislation, and other nations are following suit. While United States’ law currently prohibits U.S.-based companies from complying with such foreign government requests when content, such as the substance of one’s emails, is involved, it contains no similar restrictions on foreign government access to non-content information—such as subscriber information, time and duration of sessions, to/from lines on emails, and IP addresses. Transparency reporting indicates the governments receive, and respond to, tens of thousands of requests for such non-content information from foreign governments every year. As our lives become increasingly digitalized, the volume of such requests will only increase over time. As will the scope of information that can be learned from such data.
Moreover, it becomes increasingly difficult for U.S. companies to hold the line even with respect to content data if the United States is saying that it can compel the production of such data wherever located. This may be less of a concern when it is the United States or the UK compelling the production of data but imagine a similar authority in the hands of, say, China or Russia? One can imagine a race to the bottom, with State A’s efforts to put in place robust privacy protections completely eroded by State B’s ability to access data stored in State A. More cynically, one can imagine law enforcement officials in a state with strong privacy protections seeking out a foreign partner to compel production of sought-after data as a means around their own restrictions on access.
Second, it puts companies in the middle of an inevitable morass of conflicting laws. What happens when one state’s laws require disclosure of data, but another state’s laws prohibit it? Such conflict problems are obviously not new, but they should be minimized, not exacerbated. The growing law enforcement interest in such data means that the opposite will occur; these conflict problems are almost certainly going to increase over time.
Third, it encourages yet another form of data localization, with government’s requiring that their citizens and residents use local providers so as to ensure the state’s ability to compel. This would have huge costs to U.S. business—as exemplified in part by the fact that so many major telecommunication providers filed amicus briefs on Microsoft’s behalf. Even without laws requiring the use of locally based providers, customers may increasingly flee from U.S. providers in an effort to shield their data from the U.S. government’s reach.
All this points to the conclusion that the lawsuit itself will not—and should not —be the final word. Rather, the value of the case is that it puts the issues into the spotlight. It is now time for meaningful reflection as to how law enforcement ought to operate in this increasingly interconnected world, and the development of new domestic and international law standards to govern control cross-border requests for data. Unfortunately, there are no easy answers, but here I suggest just a few things to consider.
* Mutual Legal Assistance Treaty (MLAT) reform. MLATs are treaties that govern law enforcement access to evidence located in another nation’s jurisdiction. It is, in fact, Microsoft’s position that rather than demanding the data from Microsoft, it should ask the Ireland government for the data pursuant to the MLAT between the two nations. The problem from the government’s perspective is that the MLAT process is notoriously slow (although in this case the Irish government has committed to respond “expeditiously”). The U.S. government, for example, takes an average of ten months to process such requests; some cases take much longer.
Multiple voices are now calling streamlined and more efficient the MLAT process. But while a more efficient MLAT system would be a welcome change, such efforts still require a resolution of the basic jurisdictional question at issue in the Microsoft case. After all, the MLAT process only begins where jurisdiction ends. The location of data is one answer, as Microsoft is now advocating, but it has the flaws discussed above. Location of the company’s headquarters or major place of operations, and/or citizenship or location of the user provide other possible options. No answer is perfect; each has its own shortcoming. But regardless of what is decided, there should be agreement across nations as to how to define jurisdiction. This is not something that should be imposed unilaterally (i.e., by a U.S. judge or panel of judges, as would happen if the Microsoft case were the final world).
* No matter how the underlying jurisdictional question is answered, certain safety valves also should be considered to facilitate cross-border access to data when certain pre-conditions are met—thereby reducing some of the growing pressure on the MLAT system. One could imagine, for example, an agreement with a handful of like-minded nations that would permit governments to make requests directly to companies in certain, specified kinds of cases when a baseline set of procedural and substantive requirements are met. Figuring out the specifics will not be easy, but it is also not impossible. Cross-border agreements for sharing of financial data provide a possible model. (Any such agreements would also need to be accompanied by legislative change, at least in the United States.)
* It is also time to turn our attention to the often-overlooked issue of metadata. U.S. companies receive tens of thousands of requests for metadata a year from foreign governments. But there are no rules—or even a set of accepted standards—governing when and in what circumstances they can do so. While most U.S.-based providers have internal guidelines and vetting procedures that incorporate privacy and other related human rights concerns, it is a mistake to put the onus on the companies to develop the requisite standards or to assume that the companies of the future will be as rights-focused as the best ones of today. Any bilateral or multilateral agreement ought to also include standards governing access to metadata—standards that also ought be codified in U.S. law.
* * *
In sum, there are no good answers in the Microsoft case. Neither side is satisfying, and either outcome yields a set of potentially damaging policy consequences. That said, the case has started a much-needed discussion. Whatever the Second Circuit decision, much more work needs to be done.