Reason.com

Free Minds & Free Markets

How A Legal Squabble Could Change the Way the Government Collects Personal Data

The U.S. "would go crazy if China did this to us," says Microsoft about DOJ attempt to compel email data stored overseas.

Thomas Hawk/FlickrThomas Hawk/FlickrAn ongoing legal battle between Microsoft and the Department of Justice (DOJ) over a warrant for customer emails has the potential to seriously threaten open Internet policies around the world. The dispute hinges on abstract legal and technical questions about digital ownership and territoriality, but the broad result will be "fundamental to the future of global technology," as Microsoft described it, because the court's decision could limit or expand the federal government’s power to access personal data stored overseas.

The case arose in 2013, when a New York magistrate served a warrant to Microsoft to access the email communications of a suspected drug dealer. Microsoft proceeded to gather the needed data to comply with the warrant, as it usually did. In the course of its search, however, Microsoft discovered that only the relevant "metadata"—descriptive information that merely describes the content or context of data—was stored in the U.S. The actual content of the communications was stored overseas in a wholly-owned Microsoft subsidiary’s servers in Ireland, well beyond the jurisdiction of a normal U.S. warrant.

Microsoft agreed to turn over the U.S.-stored metadata but disputed that the magistrate had authority to compel the seizure of data stored overseas. Microsoft argued that the emails in question are personal documents held on behalf of its customers, not corporate "business records" that DOJ can quickly seize through a warrant.

The feds, of course, have a different opinion. According to federal prosecutors, the Stored Communications Act (SCA) section of the larger Electronic Communications Privacy Act (ECPA) of 1986 makes no exception for the "territoriality" of the data. Microsoft employees in the U.S. can access and divulge the email communications, which are indeed business records, and the law compels that it must, the feds say. Companies cannot evade SCA obligations simply by storing data overseas.

Last year, U.S. Magistrate Judge James Francis agreed with the government, ruling that Microsoft must indeed turn over the emails. Microsoft suddenly found itself flanked by many organizations that are often among its top critics as the company proceeded to fight this ruling in two separate appeals courts. Privacy and civil liberties groups like the Electronic Frontier Foundation and American Civil Liberties Union filed amicus briefs to defend the technology giant’s position, as did media outlets like the Guardian and NPR and major Internet service companies such as AT&T and Verizon. Whether motivated by company profits or the public interest, all of these groups are gravely concerned by the U.S. government’s new assertion that, under the SCA, it has the authority to compel any data located anywhere in the world with a normal warrant. 

Such an audacious federal power grab creates clear threats to civil liberties protections for U.S. and non-U.S. persons alike. Technology companies, already reeling from the economic blowback of the Edward Snowden revelations, are understandably reticent to further diminish their customer’s trust and lose even more business to foreign competition. As the counsel for Microsoft argued to the U.S. Court of Appeals for the Second Circuit, the U.S. "would go crazy if China did this to us."

Indeed, even if the U.S. government were to win this case, they might lose in more subtle but perhaps more potent ways. The Obama administration frequently chastises the Chinese government for attempting to impose its illiberal Internet surveillance policies on the rest of the world. Should the U.S. government begin to assert the authority to extract foreign data, China and other countries will find it easy to argue that they have a right to do the same.

This kind of arrangement could seriously threaten liberal nations’ open Internet policies. Citizens residing in such countries might no longer enjoy the full protection of existing national privacy or speech protections, since foreign nations could choose to extract whatever data they deem relevant to their law enforcement or national security interests. Internet freedom could suffer a kind of "race to the bottom" as more authoritarian power centers expand their spheres of influence in formerly liberal jurisdictions.

Interestingly, the Irish government does not believe that the U.S. government needs to risk establishing such an unstable global precedent to attain the information that it presently desires. In its amicus brief to the appeals court, the Irish government states that it is willing to share appropriate data with foreign law enforcement under already-existing "mutual assistance in law enforcement treaties" that facilitate criminal information-sharing among international powers. Microsoft itself has supported this option in its arguments. But even this remedy has drawbacks, as it could expose customers to foreign legal regimes even less protective of privacy and due process than the U.S.

Alternatively, if Microsoft and its short-term allies manage to convince the court that the DOJ cannot compel companies to divulge customer data stored overseas, then law enforcement may resort to issuing subpoenas to get the data instead. The subpoena process, while a bit more time-consuming for law enforcement, would forgo some of the due process and judicial review protections secured by the SCA.

The current legal battle between Microsoft and the DOJ is only one in a long line of incidents highlighting the outdated nature of current U.S. Internet and computer policy. Much of contemporary web policy is guided by outdated laws, drafted by non-technical policymakers well before the advent of our mature Internet infrastructure. Frictions frequently arise as the fast pace of technological development and norms clashes with the needs and interests of law enforcement.

The ECPA, for example, was passed in 1986, decades before cutting-edge developments in cloud computing and low-cost data storage shaped the course of modern telecommunications use. Much of the statutory language and assumptions buried in the SCA were intended to address an environment where U.S. computer users employ U.S. companies to manage personal data in U.S. data centers. It did not foresee the interconnected global "network of networks" that predominates contemporary computer usage.

It is an old adage that "hard cases make for bad law," but it is becoming more apparent by the day that bad computer law makes for unnecessarily hard cases. It is truly remarkable that the state of current U.S. Internet and data policies is so patchy and backwards-looking that a simple case of overseas data storage can send U.S. technology policy into such unchartered and potentially dangerous waters. The court is expected to issue a ruling sometime between October and next February; it's possible that this case could make it all the way to the Supreme Court. Unfortunately, even the sharpest legal minds may find it difficult to resolve such a complicated case informed by our inadequate and outdated data laws.

Photo Credit: Thomas Hawk/Flickr

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • Fist of Etiquette||

    It is truly remarkable that the state of current U.S. Internet and data policies is so patchy and backwards-looking that a simple case of overseas data storage can send U.S. technology policy into such unchartered and potentially dangerous waters.

    It's legislators. They're technological morons and apparently the people they normally have writing their laws up for them are either also technomorons or simply having a difficult time crafting something that will be to their personal benefit.

  • dantheserene||

    Any time the government is doing something truly outrageous against privacy it is because of "terrorism", the drug war, or occasionally the possibility of child porn. Between them, they are almost always the point of the spear.

  • LynchPin1477||

    The current legal battle between Microsoft and the DOJ is only one in a long line of incidents highlighting the outdated nature of current U.S. Internet and computer policy

    Yes, but the core problem is not that the laws are outdated. I have zero confidence that updated laws would do more to protect people's personal data.

    The problem is that the government has been given (or simply claims to have) a mandate to pursue drug dealers and terrorists and scores of other criminals to the ends of the Earth, and is not only willing but apparently eager to trample on basic rights to do it. Forget that the war on drugs creates far more problems than drugs themselves ever would, or that the threats from terrorism are routinely overblown (in order to gin up support for these expanded government powers).

    Until voters take a more sober view of the actual risks and costs of these programs they'll continue. Updated laws may very well make things worse.

  • VicRattlehead||

    LOL voting to change things... how quaint.

  • Chevy the Mulched||

    The US I was told about growing up is clearly gone, if it ever existed in the first place. It'd be nice if liberty could be valued somewhere on earth.

  • Win Bear||

    result will be "fundamental to the future of global technology,"

    We've already seen the future; our progressive Secretary of State demonstrated it: we'll all be running our own E-mail servers.

    Good news is that it's pretty simple. For example, you can just use an old Android phone as your own E-mail server: http://tinyurl.com/pwox94j

  • GroundTruth||

    To see how this will play out, take a look at US citizens with foreign bank accounts.

    'nuff said?

  • Alan@.4||

    And if Obama were able o seek a third term and so did, how many of the people who had put him into national office twice, would vote to repeat their actions, his performance and the performance of the executive branch during his terms in office notwithstanding.

  • Belin||

    I make up to $90 an hour working from my home. My story is that I quit working at Walmart to work online and with a little effort I easily bring in around $40h to $86h… Someone was good to me by sharing this link with me, so now i am hoping i could help someone else out there by sharing this link... Try it, you won't regret it!......

    www.HomeJobs90.Com

  • ||

    ✔✔✔✔Start your home business right now. Spend more time with your family and earn. Start bringing 78$/hr just on a c0mputer. Very easy way to make your life happy and earning continuously. Start here….

    http://www.jobhome20.com ..................

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online