On Monday, the Supreme Court decided to take cert in what’s known as the Microsoft Ireland case – raising the issue of law enforcement’s ability to reach data stored across national borders. The case presents the court with one of two fairly stark options based on the intepretation of the three decade old (and highly outdated) Stored Communications Act: Either US warrant authority is limited to data that is physically held within the United States. Or US warrant authority reaches all data held by a U.S. company, regardless of location.
Neither is a satisfactory outcome (as I have argued numerous times before). A win for Microsort restricts law enforcement’s ability to investigate crimes based on where sought-after data happens to be at any given moment – an often highly fluid factor that may have nothing to do with the relevant equities in the case. Such a rule is potentially crippling for law enforcement, which suddenly finds itself unable to access critical evidence based simply on the decision of a third-party provider of where to hold it. Such a rule also incentivizes data localization mandates, pursuant to which data is required be held locally, as a means of ensuring access. This is hugely costly for any company that wants to compete internationally and deeply damaging to the future of the Internet and to US business interests, as was discussed in depth at this hearing before the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection on Wednesday.
A win for the government, however, is also troubling. It will be viewed around the world as US asserting access to all data held by US companies anywhere, without regard to the countervailing considerations of foreign states. Some of this reaction overstates the reality. Federal law enforcement is, after all, to take into conflict of laws in deciding whether to seek a warrant. But this is done as a matter of policy, not law, and is not applicable to state prosecutors that can also issue such warrants. Such internal, executive branch policy constraints are not likely to be sufficiently reassuring to foreign customers worried about the reach of U.S. surveillance authorities. The US tech community’s broad support for Microsoft highlights the fears that they will lose foreign customers as a result of a government win.
Even more concerning, a government win sets a dangerous precedent that makes it harder for the United States to insist that foreign governments respect U.S. law when seeking the US-held communications content of a U.S. citizen or resident. Current law, of course, prohibits such direct access of US-held communications content. Foreign governments must make a diplomatic request for the data rather than going directly to the company that holds it. And the data will only be turned over if US law enforcement deems the request worthy and obtains a warrant based on probable cause on behalf of the foreign government. There is a risk, however, that foreign governments will increasingly try to bypass these restrictions if the United States is seen as directly demanding access to their nationals’ data. More broadly, the prospect of nations compelling access to the data of anyone everywhere, without baseline substantive and procedural protections in place, threatens all of our privacy rights.
This deeply unsatisfactory choice highlights the need for Congress to step in, update the underlying statute with the nuance that it deserves, and thereby moot the case. Even Brad Smith, the President and CEO of Microsoft – the company that is litigating the case – has urged the same. As have two Second Circuit judges and many others.
Specifically, Congress should clarify that US warrant authority does not turn on location of data. US warrants served on US companies should presumptively valid, regardless of the location of the data. But if the government is seeking the data of a foreigner located outside the United States, and if access to that data would generate a conflict of laws, the U.S. government should be obliged to specify those facts in the warrant application. And the requiring court should be obliged to consider the respective equities in the case – including the nature of the conflict, the possibility of accessing the data via other means (e.g., diplomatic channels), the importance of the data to the investigation, and the foreign governments’ interest in limiting access – in deciding whether to issue the warrant. This would set the kind of precedent that the United States would want other nations to engage in when seeking the data of U.S. citizens and residents—thus protecting our privacy, safeguarding security, and promoting the kind of free and open Internet that inures to all of our benefits.
I make this case in a New York Times oped as well (here and below). In sum, the Supreme Court’s granting of cert is a clarion call for Congressional action.
There’s No Good Decision in the Next Big Data Privacy Case by Just Security on Scribd
Image: Drew Angerer/Getty