
Symposium: Why is the U. S. government trying to help Vladimir Putin access information stored in the United States?


Andrew Pincus is a partner in Mayer Brown LLP and filed an amicus brief in support of Microsoft on behalf of 12 business and consumer organizations. The views expressed are his and not those of his clients.

Consider this scenario:

An officer of Sledkom, the national law-enforcement investigatory agency in Vladimir Putin’s Russia, demands a meeting with the head of Microsoft’s operations in Russia. He hands over a list of journalists and dissidents living and working in the United States — some of whom are Russian citizens — together with authorization sufficient under Russian law to obtain the contents of an individual’s email account. Microsoft officials in Russia can, as a matter of technology, copy the contents of those email accounts and transfer the copy to Microsoft/Russia. Under Russian law, Microsoft will be held in contempt if it fails to provide the emails demanded by Sledkom. And it is not permitted to inform its customers of Russia’s demand.

Is Microsoft obligated to comply?

Most everyone would believe — and hope — that the answer is “no.” But the position of the United States government in United States v. Microsoft is indistinguishable from Sledkom’s request in my hypothetical. The government argues that because emails stored in Ireland are accessible from the Microsoft facilities in the United States, the production of those emails is governed by U. S. law.

If the government wins in the Supreme Court, the Sledkom officer will have a much stronger argument to force Microsoft to comply: “We are only asking you to do for us what you already do for the American government.”

The government tries to argue in the Supreme Court that U. S. law would bar the disclosure of this information. But that’s the same argument being advanced by other nations in their amicus briefs in this case. If Irish law or European Union privacy restrictions would not provide a sufficient reason to preclude this construction of U. S. law by the U. S. government, why would Russia concede that its power should be limited?

Of course, these intrusions on privacy wouldn’t be limited to the contents of emails. Cloud computing — defined by the Supreme Court as “the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself” — is ubiquitous. Individuals store “in the cloud” not just email messages, but also photographs and videos and financial and health data, among many other types of personal information.

As a result, the government’s theory in this case would allow foreign countries to obtain — without any authorization under U. S. law — information stored in the United States that would reveal, as the Supreme Court put it in Riley v. California, the recent cellphone search case, “far more than the most exhaustive search of a house”: not just “many sensitive records previously found in the home,” but also “a broad array of private information never found in a home in any form.”

And the government’s legal position, if accepted by the Supreme Court, would greatly facilitate corporate espionage. Businesses use cloud computing to store proprietary technology, financial data, intellectual property, business protection, area processes, acquisition protection and negotiating strategy, customer data, and privileged and confidential legal advice regarding pending lawsuits and other sensitive matters.

Because other countries use law-enforcement and national-security personnel to help domestic companies compete against foreign rivals, it is inevitable that those nations would use the U. S. government’s legal theory to try to obtain proprietary business information stored in other countries.

Of course, the issue before the Supreme Court is one of statutory construction, not constitutional authority. So a ruling for Microsoft would not prevent Congress from enacting a law incorporating the legal rule the government is advocating before the Supreme Court.

Neither would a ruling for Microsoft stop the Russian government, or others, from asserting the broad authority the U. S. government claims. Indeed, Brazil has long demanded that U. S. cloud computing providers operating there disclose communications stored in the United States.

But a ruling for the government will make it extremely difficult for companies to resist foreign demands, because the U. S. rule — and companies’ compliance with it — will be invoked by those foreign nations.

Rather than trying to assert broad unilateral authority — and trying to shoehorn that claim into a 1986 law (the Stored Communications Act) that could not possibly have been meant to address this situation because it was enacted decades before the electronic storage of information became commonplace — the proper course for the U. S. government is to seek enactment of a law that properly balances the various policy interests. And to craft a law that will serve as an international model, recognizing the important interests of every nation in protecting the privacy of individuals and businesses whose information is located within their borders, rather than a legal certainty ” that rides roughshod over those rights.

That is what other nations are doing. The international Convention on Cybercrime, to which the United States is a party, establishes processes for the countries to work together when a government seeks electronic information stored in another country, including provisions for quick action when there is a risk that the information might be moved or deleted. That convention does not authorize the use of domestic warrants to obtain information stored extraterritorially. But discussions have begun on how to amend the convention to provide additional means of obtaining that information — as the Department of Justice recently explained in congressional testimony.

Congressional action and international cooperation, not unilateral U. S. action, are the way to address law-enforcement concerns and protect important privacy interests. By rejecting the government’s position, the Supreme Court will force the government to use those plainly more appropriate approaches.

There is another reason why Americans should be concerned about the U. S. government’s position in this case: It will inflict significant economic damage on the American companies that are now the leaders in providing cloud computing services. In other words, the U. S. government’s legal position, if accepted by the Supreme Court, will hurt the U. S. economy.

Cloud computing in 2017 was estimated to be a $246.8 billion business. The Department of Commerce estimated that cloud computing generated “a trade surplus of approximately $18 billion in 2015.”

But foreign businesses and consumers contemplating the use of U. S.-based cloud computing providers are concerned about the privacy and security of their information. And they are particularly concerned about the ability of the U. S. government to access that information without complying with the requirements of the country in which the data is stored (which the customer typically designates for business and regulatory reasons).

The government’s position in this case has attracted the attention of foreign nations and businesses, who have indicated that they will not use U. S.-based providers if the government prevails. The united states of america, for example, has refused to use Microsoft or any other U. S. data company for its data services if its information could be accessed through the mechanism claimed by the U. S. government in this case.

In Europe there have been calls for “data localization,” which would require that the data owned by a nation’s individuals and companies be stored with local companies within the nation’s borders, and for procurement preferences for European providers. European officials have advocated a “massive information campaign” to inform consumers of their privacy rights under European law, noting that privacy protection has “become a factor in competition between companies.”

Upholding the U. S. government’s demands for copies of data stored abroad will thus inevitably injure U. S. competitiveness in the market. And estimates of the injury run into the many billions of dollars.

The U. S. government’s position in this case is wrong on the law. It is wrong as a matter of common sense: How can anyone conclude that a law is not being applied extraterritorially when it is being used to obtain copies of information stored outside the United States? And it is wrong as a matter of policy. Hopefully the Supreme Court will agree, and resolution of this issue will return to the proper forums — Congress and international negotiations.

Posted in U. S. v. Microsoft Corp., the Symposium before the oral argument in United States v. Microsoft, Featured

Recommended Citation: Andrew Pincus, Symposium: Why is the U. S. government trying to help Vladimir Putin access information stored in the United States?, SCOTUSblog (Feb. 9, 2018, 2:05 PM), http://www.scotusblog.com/2018/02/symposium-u-s-government-trying-help-vladimir-putin-access-information-stored-united-states/

Contact us at: Westlake Legal Group Your Northern Virginia Full Service Law Firm. Call (703) 406-7616 or click here for our website: http://westlakelegal.com/

Symposium: Whatever happens in US v. Microsoft, three themes will persist


Posted Thu, February 8th, 2018 10:39 am by Andrew Keane Woods

Andrew Keane Woods is an assistant professor of law at the University of Kentucky College of Law.

On one level, United States v. Microsoft Corp. presents a fairly straightforward matter of statutory interpretation. The statute in question — the Stored Communications Act — is silent about its territorial reach, which raises at least two questions: (1) Is it an extraterritorial application of the statute to issue a U.S. warrant in Washington state for data that Microsoft holds in Ireland, and (2) does the statute apply extraterritorially? Because the statutory issues are covered at length by other posts in this symposium and in the briefing before the Supreme Court, I thought I would say a few words about what is not in the briefing.

Much like Apple’s dispute with the FBI, this case has attracted interest from around the globe. It is seen as a test both of U.S. government efforts to access foreign data — the first time our highest court has considered that issue — and of one nation’s efforts to exert control over a hugely powerful internet company. These two questions matter — symbolically, politically, as a matter of precedent — to the rest of the world. The Supreme Court will, we should hope, deploy its usual arsenal of statutory-interpretation tools and foreign-affairs doctrines to arrive at a sensible solution. But whatever happens in the case, the following issues will persist and reappear in future cases.

Court-made internet policy

One thing that nearly everyone agrees on in this case — including the U.S. Court of Appeals for the 2nd Circuit’s majority and dissenting opinions — is that Congress can and should help the Supreme Court by legislating on whether the SCA ought to apply in this scenario. Rather than court-made policy built to suit the facts of a single case, the argument goes, we would be better off with legislation that fairly and fully reflects the views of all stakeholders involved. The Senate appears poised to meet that need with the recent release of the CLOUD Act of 2018.  That bill may moot the present case, but it will not resolve larger questions about institutional competence in crafting global technology policy.

Is it wise for courts to rule on internet policy disputes that have foreign affairs implications? Or should they refrain from doing anything that might affect another sovereign state’s interests? How one feels about this question may reflect one’s feelings about judicial deference to the political branches more generally. As the briefing suggests, there are longstanding canons of statutory construction that serve to limit a court’s role in foreign affairs cases.

But court-made technology policy is not all bad. One thing that can be said for courts is that they actually hear cases and controversies. And although courts can be criticized for making policy incrementally, one case at a time, this can be just as much a feature as it is a bug. Legislators are slow to act, and when they finally do act, they often attempt to fix many things at once and far into the future. But in an area involving rapid technological change, big one-time, far-reaching regulatory acts — especially those that are hard to reverse — may not always be preferable to smaller, case-by-case incremental changes to the existing rules.

Even if one thinks that it would be desirable, in an ideal world, for courts not to engage in anything approaching foreign affairs, this is not always possible. The more globalized the world becomes, the harder it is for courts to resolve disputes without doing so in a way that has some extraterritorial effect. This is especially true in the context of internet disputes, and even more so when a ruling will affect an American service provider with a huge foreign footprint and foreign customer base. (Indeed, the majority of the most popular web-service companies in nearly every country in the globe are American; most of the customers of American internet firms reside outside the U.S.)

Privacy on the internet

Another issue implicated by this case — and indeed driving much of the interest in its outcome — is user privacy on the internet. Much of the briefing suggests that (a) the case is fundamentally about user privacy and (b) a win for Microsoft is a win for privacy. I’m not sure either of these is right. First, this is a case in which the government has convinced a federal judge that it has probable cause to seek the user’s data. As privacy advocates know, the Fourth Amendment sets quite a high bar as compared to other countries’ search-and-seizure standards. So no one should be arguing that this case somehow represents a violation of this particular suspect’s privacy. We might have a discussion about which privacy rules ought to apply in this case, Irish or American.  Under the logic of Microsoft’s victory in the 2nd Circuit, the appropriate rule regarding government access is the law of the place where the data rests on servers — Ireland — rather than, for example, the law of the place where the search originates. So is the user in this particular scenario better off under an Irish privacy rule than under the American Fourth Amendment standard? I’m not an expert in Irish search-and-seizure law, but I am told that he is not. So much for the claims about the individual user’s privacy.

But beyond this case, privacy advocates might ask, will there be more privacy in the world if the U.S. government has to go through diplomatic channels to get access to this sort of user data in the future? It is simply not clear that if Microsoft wins the world will have more privacy than it had before — and it may very well turn out the other way. If Microsoft prevails, especially under the logic of the 2nd Circuit’s decision, the SCA likely will no longer apply to user data stored in other countries. This could mean — because the SCA is both a sword and a shield — that American firms can no longer tell foreign governments they must meet the strictures of the SCA (and request U.S. government help) to compel user data. This would make firms that store data outside the U.S. less able to resist demands from law enforcement around the world. Whether that means more or less privacy for users will depend on the relative strength of privacy laws around the world as compared to U.S. law.

Ultimately, the debate is not about “which privacy rule ought to apply in this case,” but rather, as a jurisdictional matter, “which state ought to be able to compel the data?” And the optics of that debate are significant, especially in a world in which foreign governments regularly struggle to assert their authority over American technology firms.

State sovereignty

Perhaps more than any other theme, this case highlights the ongoing global struggle over state authority to create and enforce internet policy. This is something we’ve seen in a number of high-profile disputes: the struggle between the United States, China and Russia over internet governance at the International Telecommunications Union; the diplomatic and commercial fallout after Edward Snowden’s revelations about U.S. surveillance of the world’s internet traffic; the repeated failure of cybersecurity norms initiatives; and more. This case matters around the world because it is seen as part of the wider struggle over how and where states can shape the internet in their image.

How far should any state be able to reach into corporate networks in order to satisfy law-enforcement demands? This is a hard question, but in this particular instance it is worth noting that it is made considerably harder by global politics post-Snowden. Trust — in both American firms and the U.S. government — is simply too low. One could imagine a world in which the Snowden disclosures had never occurred and as a consequence: (1) Microsoft would not resist the warrant in the first instance and (2) even if it did, privacy groups and foreign governments would not come to its aid. But we do not live in that world. We live in a world in which a loss for the U.S. government is a per se victory for some.

Is it a victory for all foreign governments? Not obviously. This case requires foreign governments to walk a bit of tightrope — evident in the foreign-government amicus briefs — because many of them see the case as a chance to assert limits to U.S. influence over the internet abroad but also a chance to say to powerful internet companies that they must heel to law enforcement demands. That is, what appears to be foreign-government support for Microsoft is instead, in part, support for the general idea that foreign states ought to be the primary rule makers over how the internet behaves in their territory — an argument made against private firms and the U.S. government alike.

***

These issues will not be resolved by the Supreme Court’s decision. They may not even play a prominent role at oral argument on February 27. But whatever doctrinal arguments prevail at the court, they are motivated by the shifting of these tectonic themes.

Posted in U.S. v. Microsoft Corp., Symposium before the oral argument in United States v. Microsoft, Featured

Recommended Citation: Andrew Woods, Symposium: Whatever happens in US v. Microsoft, three themes will persist, SCOTUSblog (Feb. 8, 2018, 10:39 AM), http://www.scotusblog.com/2018/02/symposium-whatever-happens-us-v-microsoft-three-themes-will-persist/


Symposium: Four important questions for the court to consider


Gregory T. Nojeim is senior counsel and director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.

On February 27, the Supreme Court will hear oral argument in a case with global implications for privacy and data protection. In United States v. Microsoft, the U. S. Department of Justice claims that warrants issued by a U. S. judge or magistrate can compel a U. S. communications service provider to disclose communications content the provider stores abroad – in this case, in Ireland. My organization, the Center for Democracy & Technology, filed a brief in favor of Microsoft, which is resisting the warrant. We did so out of concern that if the DOJ position prevails, it will be adopted by foreign governments and create chaos, as those governments will insist that their process compels disclosure of content in the U. S. despite the provisions of the Stored Communications Act governing those disclosures. We also argue that if the court accepts the DOJ position, it would damage the cloud-computing industry.

The case has drawn a lot of interest from many quarters. Amicus briefs filed in the case raise at least four important questions the Supreme Court should address.

Would compelled disclosures from abroad violate the EU’s GDPR?

On May 18, 2018, the European Union’s General Data Protection Regulation will come into force. The GDPR will permit cloud providers to transfer data from the EU to the U. S. only in certain circumstances. If one of those circumstances does not include compliance with a U. S. warrant, a company that complies with a warrant compelling a disclosure from a data center in the EU faces penalties of up to four percent of its worldwide annual revenues. Obviously, this is a critically important question for providers, many of which have lined up behind Microsoft because they are concerned about such conflicts of law.

Article 48 of the GDPR indicates that foreign court orders to remove personal data from the EU are operational only if based on an international agreement such as a mutual legal assistance treaty, unless there are other grounds for transfer in the GDPR. Although there is an MLAT between Ireland and the U. S., the transfer of personal data in this case would fall outside the MLAT. The question then becomes whether there is another ground for transfer.

Article 49 of the GDPR contains other grounds for transfer that include: (i) “important reasons of public interest” recognized by the EU or member state law, and (ii) transfers “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests of rights and freedoms of the data subject.” The European Commission argues that, depending on the circumstances, the fight against serious crime could qualify under the first ground, and the interest of the tech company – in not being subject to legal action for failure to disclose – could qualify under the second.

In contrast, the leading architects of the GDPR in the European Parliament argue, as did Privacy International and a group of digital rights organizations and legal scholars, that such transfers would violate European Union law. In addition, 21 scholars of data protection and privacy from the EU write that such disclosures “would likely” violate the GDPR. They maintain that the Article 49 public-interest derogation applies only to the interests of an EU member state or the EU itself, and not to, for example, the U. S. government’s interest in fighting serious crime. They also point out that if a provider’s interest in complying with a U. S. warrant is sufficient to overcome the bar to disclosure in compliance with a foreign court order in Article 48, the Article 49 exception would entirely swallow the rule in Article 48. These arguments seem compelling.

The government of Ireland filed a brief, but did not take a position as to whether Microsoft’s compliance with the U. S. warrant would violate Irish law.

What about providers with network architectures different from Microsoft’s?

One of the DOJ’s strongest arguments is practical, not legal: Communications service providers are interpreting the U. S. Court of Appeals for the 2nd Circuit’s decision in favor of Microsoft in a way that effectively prohibits the government from obtaining some communications content from other leading U. S. providers – including the communications of Americans in the U. S.

According to court documents, Microsoft stores Hotmail communications content on a static basis. When the user signs up for the service, she declares her country of residence and Microsoft stores her data at a nearby data center in order to reduce network latency. Microsoft has approximately 100 data centers in 40 countries. For a network architected like Microsoft’s, a location-based rule can work well, with predictable results.

Google, Yahoo and other providers store data differently – they break the data into “shards,” such that one part of a user’s email inbox might be in one country and another part in a different country, and the text of an email message might be in one data center in one country and an attached photo in another data center elsewhere. As the 51 computer scientists state emphatically in their brief, every piece of data “always has a specific physical location.” However, a single account with data in multiple locations in multiple countries is more than a headache for law enforcement, which would be hard-pressed to file an MLAT request in each and get a timely response to each in order to conduct its investigation.

How could the Supreme Court deal with this reality? It could decide the case based on the facts in front of it: The data at issue are stored statically outside the U. S. in one country. Perhaps more importantly, it could limit its decision to that factual circumstance, and leave to Congress and other legal proceedings the resolution of the issues around network architectures different from Microsoft’s.

What is the “focus” of the Stored Communications Act?

Both parties to this litigation agree, based on the 2016 case RJR Nabisco v. European Community, that a statute has no extraterritorial application “absent a clearly expressed Congressional intent to the contrary,” and that Congress expressed no such intent in the SCA. Under the RJR Nabisco precedent, whether a statute is being applied domestically depends on the “focus” of the statute: If the conduct relevant to the statute’s focus occurred in the U. S., the law is being applied domestically. The government argues that the “focus” of the SCA is “disclosure” to the government of communications content under 18 U. S. C. 2703, and that because the disclosure occurs in the U. S., the focus of the statute is domestic. It also argues that, even if the focus of the statute is privacy, any invasion of privacy occurs in the U. S.

This argument is weak on its face, and potentially disastrous in its application. As pointed out by the 2nd Circuit, the SCA is part of the Electronic Communications Privacy Act, enacted in 1986 for the express purpose of protecting the privacy of electronic communications, such as email, when they are in electronic storage. The disclosure provisions on which the government relies are simply exceptions to the overall focus of the statute on privacy, rather than the focus of the statute itself.

Moreover, if, as the government argues, the invasion of privacy is found to have occurred in the U. S. only when the data are disclosed to the government, then the government could compel providers to copy all of their electronic communications without violating the Fourth Amendment. The Brennan Center, American Civil Liberties Union and others emphasize the danger of this approach. They describe it as the modern equivalent of a general warrant, and persuasively urge the Supreme Court to find that the act by the provider of seizing and copying the email content as an agent of the government interferes with a person’s privacy and possessory interests in the data, triggering the Fourth Amendment.

How would other countries respond to a decision in favor of the DOJ?

If the Supreme Court holds that U. S. warrants can compel the disclosure of communications content stored outside the U. S., it could set a global precedent. As we pointed out when this case was pending in the lower courts, other countries would insist that their legal process can compel the disclosure of communications content stored inside the U. S. Many amici supporting Microsoft made this argument. It is not speculative: the Belgian courts have twice ruled that communications content stored in the U. S. is subject to Belgian legal process, Brazilian judges have jailed executives of U. S. providers for failure to turn over such data, and the U. K. in this case signals its view that its Investigatory Powers Act, which governs disclosure of communications for law enforcement in the U. K., has extraterritorial reach.

This would seem an important consideration for anyone concerned with the privacy of Americans in the U. S.: Foreign legal process that compels disclosure of communications content is typically issued without the same strong level of proof required in U. S. law – probable cause. Perhaps the most surprising treatment of this issue comes from the brief that state attorneys general filed in the case: They ignore it. Though statutes in many states give state AGs significant responsibility for protecting the privacy of the states’ residents, the AGs’ brief does not address the risk that a ruling in favor of the DOJ would pose to the privacy interests of those residents with respect to other governments.

Conclusion

However the Supreme Court rules, it is likely that both courts and policymakers will be dealing with the processes by which information flows between nations for the foreseeable future.

Posted in U. S. v. Microsoft Corp., the Symposium before the oral argument in United States v. Microsoft, Featured

Recommended Citation: Gregory Nojeim, Symposium: Four important questions for the court to consider, SCOTUSblog (Feb. 7, 2018, 2:25 PM), http://www.scotusblog.com/2018/02/symposium-four-important-questions-court-consider/


Symposium: Justices can, and should, write nuanced ruling to balance competing interests


Jennifer Daskal is an associate professor of law at American University Washington College of Law.

With more than 30 amicus briefs filed in the Microsoft Ireland case – including from members of Congress, the European Commission, the Chamber of Commerce, privacy advocates and dozens of media organizations – United States v. Microsoft stands as one of the most closely watched cases this term.  For good reason. The implications are far-reaching – touching on everything from security, privacy, the future of the internet, democratic accountability and core attributes of sovereignty, as attested to by the number of individuals and institutions that have weighed in on the case.

It is, however, a set of issues best dealt with by Congress, not the courts. The good news is that Congress is beginning to engage. Earlier this week, a bipartisan group of senators introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act – a bill that, if enacted quickly enough, would moot the Microsoft Ireland case and authorize the executive to enter into bilateral and multilateral agreements so as to facilitate cross-border access to data in the investigation of serious crime. Amazingly, the legislation has the support of both the Department of Justice and Microsoft – the dueling parties in the case. (I describe the bill in detail at Just Security.)

If Congress moves quickly enough, it would avert a Supreme Court showdown. But assuming that doesn’t happen, the Supreme Court can, and should, write the kind of nuanced ruling that will bolster these congressional efforts and balance the competing interests presented by the case. Specifically, the court should – as does the legislation – reject the idea that the location of data controls access, yet it should also demand respect for the legitimate interest of governments in protecting their own citizens and residents.

On its face, the case is one of statutory interpretation. Does, or does not, the Stored Communications Act (SCA) reach data that is stored overseas? More specifically, can the U.S. government, pursuant to an SCA warrant, compel a U.S.-based service provider (in this case, Microsoft) to turn over data that is in the service provider’s custody or control, but stored overseas (in this case, in Ireland)? Microsoft says no. The government says yes.

Both sides agree that the statute does not apply extraterritorially. The dispute thus centers on what is the “focus” of the statute (an inquiry dictated by the Supreme Court’s ruling in Morrison v. National Australia Bank). Microsoft says the statutory focus is protecting the security of stored communications; according to Microsoft, this depends on where those communications are stored. The government, by contrast, argues that the focus is about regulating disclosure, something that occurs in the United States.

There is, frankly, no clear-cut answer to this question. The SCA was written in 1986, well before anyone could have conceived of a globally interconnected internet or the possibility of data stored in the cloud. Both the statute itself and the legislative history are therefore silent as to the key question in the case. Microsoft makes its case by asking the court to examine the statute as a whole, whereas the government focuses on the specific provision regulating compelled disclosure orders.

Even if Microsoft is right, however, it faces the additional hurdle of convincing the court that the relevant security breach occurs at the place of storage (in this case, Ireland) as opposed to the place of disclosure (the United States). Internet service providers, after all, move data around all the time without breaching either the SCA or the security of their customers’ stored data. Any additional privacy intrusion or erosion of security arguably occurs when the data is handed over to U.S. law enforcement, not simply when it is accessed and moved to the United States.

Microsoft’s position, as endorsed by the U.S. Court of Appeals for the 2nd Circuit, also carries with it a number of troubling policy implications. A win for Microsoft means that U.S. law enforcement will be unable to compel, via a warrant issued based on probable cause, a U.S. provider to turn over the data of a U.S. citizen accused of a local crime, simply because the data is stored abroad. U.S. law enforcement will be required to make a diplomatic request to the country where the data happens to be held in order to access it, presumably pursuant to a mutual legal assistance treaty.

But the United States has mutual legal assistance treaties with less than half of the world’s countries. And even when such a treaty is in place, the processing time is often lengthy and uncertain. As highlighted by the state and local law enforcement brief, the 2nd Circuit rule is already making it difficult, if not impossible, to access critical evidence in certain cases, even pursuant to lawful process, even in cases involving U.S. residents, and even in the investigation of serious crime.

More broadly, the idea that access should turn on the location of highly mobile and divisible data makes little practical or normative sense. By making location the sine qua non of access, such a rule further encourages the proliferation of data-localization mandates as a means of ensuring such access, likely pricing smaller start-ups out of the international market and undercutting the benefits of an open and interconnected internet.

Conversely, however, a straight-up government win carries its own risks. Rightly or wrongly, it will be perceived as the United States claiming the authority to scoop up data anywhere, without regard to the interests of foreign sovereigns. It sets a dangerous precedent, encouraging countries around the world to assert similar authority to access data of anyone everywhere, and without any clear standards as to the substantive and procedural rules that apply.

This risks a race to the bottom, making it harder for the United States to protect the interests of its own residents and citizens, and undercutting ongoing international efforts to develop rules governing access to data across borders (see discussion of these efforts in Part I.A. of the Electronic Privacy Information Center’s brief). It also risks generating an increasing array of conflicting legal obligations, with one state demanding disclosure and another prohibiting it, and providers being forced to choose whose laws to comply with and whose to break.

The Supreme Court can, however, rule in a way that mitigates some of these perils. It should rule, as the government urges, that the warrant authority applies without regard to the location of data. But it also should couple that ruling with the requirement that lower courts engage in a robust comity analysis if and when the warrant seeks data of a foreign national located outside the United States and the request would generate a conflict of laws.

The E-Discovery brief provides a particularly thoughtful set of recommendations in this regard, as I also have discussed previously at Just Security. It asks the Supreme Court to recognize explicitly the risk of conflicting legal obligations that could arise if the U.S. warrant authority reaches data without regard to location. And it asks the court to require a comity analysis in such situations and to lay out the relevant factors to be considered. The relevant factors include the location and nationality of the target of the investigation, the importance of the case, the importance of the evidence in the case, and the possibility of accessing the evidence by other means (including via the MLAT system).

Such a ruling would set the kind of precedent the U.S. presumably would, and should, want other countries to follow if accessing U.S.-held data. It would mitigate the risk that the U.S. be seen as asserting the authority to access all data anywhere around the world, thus helping to protect the U.S. tech industry from the negative backlash that is likely to ensue. And it would respond to the concern that a government win will subject providers to conflicting legal obligations. In fact, whether or not compelled disclosure orders will conflict with EU data-transfer restrictions in the soon-to-be implemented General Data Protection Regulation remains an open and central question, as addressed by several of the amicus briefs.

Notably, such a ruling also dovetails with the approach taken in the CLOUD Act. The legislation, rightly in my opinion, shifts the focus away from the location of the data to the location and nationality of the target. It puts its thumb on the scale of comity analysis as a means of addressing the kind of conflicting interests that arise if and when the U.S. seeks the data of noncitizens located outside the United States. Specifically, it sets up a new statutory basis to quash a warrant if it seeks the data of a foreigner outside the United States and the disclosure violates the laws of certain “qualifying” foreign nations. And although the list of qualifying nations will, at least initially, likely be quite small, the bill also, via a rule of construction, endorses the application of common-law comity in other cases that yield a conflict of laws – something that the Supreme Court should endorse as well.

Perhaps, fingers crossed, Congress will move fast to enact the CLOUD Act, and the entire case will be mooted. But if not, the Supreme Court should rule in a way that supports these congressional efforts. It should recognize that access to data should depend on more than location, yet put its thumb on the scale in favor of comity analysis as a means of respecting foreign governments’ interests in delimiting access to their own citizens’ and residents’ data – much as the United States does and should insist on when foreign governments seek U.S. citizen data.

Posted in U.S. v. Microsoft Corp., Symposium before the oral argument in United States v. Microsoft, Featured

Recommended Citation: Jennifer Daskal, Symposium: Justices can, and should, write nuanced ruling to balance competing interests, SCOTUSblog (Feb. 7, 2018, 10:35 AM), http://www.scotusblog.com/2018/02/symposium-justices-can-write-nuanced-ruling-balance-competing-interests/


Symposium: Comity tonight — conflicts of law in cross-border data demands


Posted Tue, February 6th, 2018 2:21 pm by Eric Wenger

Eric Wenger is the director of cybersecurity and privacy policy at Cisco Systems.

This term, the Supreme Court considers two cases addressing government access to electronic data in the hands of third-party providers that prompted Cisco and other leading technology companies to submit amicus briefs. In United States v. Carpenter, we questioned whether a blanket rule extinguishing user privacy rights in data shared with third parties makes sense given the rising importance of cloud-based services. Now, in United States v. Microsoft, we urge the court to refrain from reinterpreting a more than 30-year-old data privacy law to allow search and seizure of email messages created and stored abroad. Both cases highlight gaps where the law has not kept pace with the development of technology. Both disputes require a delicate balancing of competing interests that the court should leave to Congress.

The law at issue in the Microsoft case, the Stored Communications Act, was passed as part of the Electronic Communications Privacy Act in 1986. Recall, this was not only decades before the advent of public cloud, but even years before the public internet. Much has been written about the case. So it perhaps bears calling out precisely where the parties agree and disagree. First, Microsoft and the government agree that under Morrison v. National Australia Bank, U.S. law must not be interpreted to have an extraterritorial reach absent an express indication of congressional intent. Further, both parties agree that such intent is lacking here given that ready access to transnational data storage was not contemplated when the law was passed. Finally, both agree that the email messages at issue are stored outside of the United States — in a data center in Ireland — and belong to a user who is neither present in the U.S. nor a U.S. citizen. The point of contention in the case is whether requiring Microsoft to move email messages from Ireland to the United States for the purpose of enabling seizure by U.S. law enforcement is an extraterritorial application of U.S. law.

The very sorts of conflicts of law to be avoided under Morrison are clearly at play in this case. The fact that the messages are stored in Ireland, combined with the European Union’s position that it regulates transfers of personal data from within an EU member state to another jurisdiction, demonstrates that the government’s favored result — compelling Microsoft to disclose customer communications stored abroad — would clearly have an extraterritorial effect. Yet the government persists in arguing that its interpretation of the SCA does not cause the sorts of unintended extraterritorial impacts that Morrison directs the Supreme Court to avoid. The government instead asserts that because providers storing email messages abroad may reserve the right to store and move data for business-related reasons, the government should also be able to compel the movement of that same data for the purpose of enabling compliance with a search warrant. In that view, data capable of being moved to the U.S. in the ordinary course of business must be moved upon the government’s demand and then disclosed as if the data storage were purely domestic.

That is not the right result. Regardless of where the disclosure ultimately occurs, the possibility that the U.S. government’s favored outcome will result in conflicting legal obligations remains unacceptably high, because a requirement to produce data in one country may violate a requirement to protect data in another. Certainly, when the location of data has been found to be on foreign soil, as it has in this case, the Supreme Court should be wary of enabling U.S. law to authorize a seizure that potentially violates another sovereign country’s law.

The government’s view ignores the fact that Microsoft, Cisco and other companies entrusted by customers in the EU or other jurisdictions with handling the contents of electronic communications may not be free to move the data to the U.S. without some legal justification. Enforcing the government’s warrant would, therefore, have an extraterritorial impact regardless of whether the disclosure of the email messages occurs in the U.S. or abroad. The government’s solution would fly in the face of long-held rules of statutory construction intended to promote comity among nations and to avoid unnecessary, unintended conflicts of laws between countries that have adopted mutual legal assistance treaties (MLATs). Notably, the United States and Ireland have entered into such an agreement.

The EU brief clearly demonstrates that member states would view the execution of an SCA warrant to seize the contents of communications stored in the EU as having an extraterritorial effect. This would be true even accepting the U.S. government’s assertion that seizure under the warrant occurs at the location of disclosure. The fact that EU nations believe the government’s recommended outcome would result in the movement of data, that this movement requires a legal justification, and that the application of the SCA to reach the data might not be sufficient legal justification on its own shows that enforcing this warrant has a clear extraterritorial impact. The perception of the Europeans is meaningful regardless of how the U.S. government interprets the location of the key actions mandated by the warrant, and it should be considered by the Supreme Court. Taken together, the arguments in the brief demonstrate there is a very high probability that were the government to prevail, the forced transfer of email messages to the U.S. for the purpose of complying with this search warrant would bump up against the data-protection requirements of EU law.

The government argues that it needs the Supreme Court to interpret the law in a way that enables enforcement of its search warrant in order to protect U.S. citizens against crime and terror. This argument is incorrect for at least three reasons. First, if the existing MLAT processes are not sufficient for the pace of the modern world, the government should work with Congress to update, not sidestep, them. Congress is actively considering this problem, and is, in any event, better suited than the Supreme Court to weigh the competing interests of law enforcement, foreign governments, end-users and multinational companies. Moreover, Congress could craft a law explicitly authorizing U.S. law enforcement to reach data stored abroad in the hands of a provider subject to U.S. jurisdiction. The law might authorize such reach in a variety of situations — e.g., when the selection of a foreign storage location can be shown to have been fraudulent, when there is no MLAT in place, or when the nationality of the owner is unknown or the location of the data is indeterminate. The court should not supplant Congress’ role in making these determinations.

Second, the limitation being sought by Microsoft relates only to the contents of communications that are protected by a search warrant requirement — not subscriber information already within the reach of the government’s subpoena powers. In fact, the parties agree that Microsoft provided law enforcement with all the non-content subscriber information that the government could have obtained with a grand jury subpoena under Bank of Nova Scotia v. United States. During oral argument in Carpenter, the government conceded that there is a critical distinction between provider transactional records and the contents of customer communications. In an exchange with Justice Sonia Sotomayor about the protections that should be accorded to the contents of email messages, the government stated, “There is a difference between content and routing information that the Court recognized … .” That difference stems from the fact that although routing and other transactional information may fairly be considered business records of the provider itself, the contents of email messages entrusted to the provider by its customers are not. It is, therefore, rational for the Supreme Court to conclude that the contents of customer email messages deserve the protections of a warrant, which have not only a higher standard of proof, but also a narrower territorial reach than a subpoena.

Finally, the law as written already enables the government to gather evidence quickly in emergency situations — even when that involves the contents of email stored abroad. The SCA currently empowers the government to seek and providers to share information if there is “danger of death or serious physical injury to any person.” Microsoft’s president, Brad Smith, has publicly noted that within 45 minutes of being asked by authorities in Paris, the company collected and disclosed the contents of suspects’ email accounts in the 2015 Charlie Hebdo shooting.

As it has done in recent years, including in United States v. Jones and Riley v. California, the Supreme Court is again examining critical issues around how antiquated statutory frameworks apply to new and emerging technologies. Here, the court should be wary of the potential for unintended conflicts of law stemming from the government’s position that it can unilaterally reach data owned by an EU user stored in an EU data center. Clearly, existing law needs to be revised to weigh properly the government’s need for data stored in foreign cloud locations operated by entities subject to its personal jurisdiction against the need to respect the comity of other sovereign nations. However, the responsibility for crafting a statute that balances such delicate, competing interests rests with Congress, not the Supreme Court.

Posted in U.S. v. Microsoft Corp., Symposium before the oral argument in United States v. Microsoft, Featured

Recommended Citation: Eric Wenger and Mark Chandler, Symposium: Comity tonight — conflicts of law in cross-border data demands, SCOTUSblog (Feb. 6, 2018, 2:21 PM), http://www.scotusblog.com/2018/02/symposium-comity-tonight-conflicts-law-cross-border-data-demands/


Symposium: Business decisions should not control whether law enforcement can investigate local crimes


Posted Tue, February 6th, 2018 10:25 am by Benjamin Battles

Benjamin D. Battles is the solicitor general of Vermont, which filed an amicus brief with 34 other states and the commonwealth of Puerto Rico in support of the federal government in United States v. Microsoft.

Should a private company be able to shield evidence of a crime from law enforcement by electronically sending that evidence out of the country? That, in a nutshell, is what the Supreme Court must decide in United States v. Microsoft. In the decision below, a panel of the U.S. Court of Appeals for the 2nd Circuit answered “yes.” Not surprisingly, every other court to consider the question — more than a dozen at last count — has emphatically answered “no.”

Email providers must disclose customer data to a requesting law enforcement agency under the Stored Communications Act, 18 U.S.C. § 2703, “pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.” Section 2703 thus creates a unique procedural device — an SCA warrant — that functions like a subpoena but incorporates the privacy protections of a traditional warrant, most notably the requirement of a judicial finding of probable cause. That requirement represents the highest level of protection afforded by the Fourth Amendment. In other words, under the SCA, the government must make the same showing to search a suspect’s email account as it would if it wanted to forcibly enter the suspect’s home, search his file cabinets, and seize and examine his computers and hard drives.

The legal question before the Supreme Court in Microsoft is thus not about privacy. It is about whether Section 2703 applies extraterritorially when it requires a domestic email service provider to use a domestic computer to access and copy data stored on a foreign server, and then to provide that data to a domestic law enforcement agency. Microsoft argues that the application is extraterritorial and therefore unlawful, while the United States disagrees.

A statutory provision applies domestically if the conduct relevant to the provision’s “focus” occurs in the United States, according to Morrison v. National Australia Bank and RJR Nabisco, Inc. v. European Community. Regardless of whether Section 2703 focuses on disclosure to law enforcement (as the United States argues), or on user privacy (as Microsoft argues), the relevant conduct occurs in the United States. There is no dispute that the disclosure to law enforcement occurs entirely within the United States. And common sense compels the conclusion that any potential invasion of privacy also occurs here when an email provider’s employee uses a computer in this country to retrieve data that is then disclosed to law enforcement in this country. Indeed, no invasion of privacy occurs at all until the provider actually gives the data to law enforcement. Providers like Microsoft do not need permission to access and copy their customers’ data from one server to another. For example, Google divides the data from a single customer file into component “chunks” or “shards,” which it then continuously copies and moves between a worldwide network of data centers. The location of a Gmail customer’s data at any given time bears no relationship to the customer’s location. Yet, according to Microsoft’s logic, when a Google employee sitting at a desk in California retrieves these shards of data to comply with an SCA warrant, the customer’s privacy is simultaneously invaded in countries around the world — from Finland to Singapore — even if the customer has never been outside the United States.

The most troubling aspect of the 2nd Circuit’s decision, however, is the unnecessary and artificial obstacles it creates for legitimate law enforcement investigations. In its brief to the Supreme Court, the United States explained how SCA warrants are a critical tool in federal criminal investigations, including cases involving terrorism and other threats to national security. The vast majority of criminal investigations, however, are conducted by state and local law enforcement agencies. These cases range from drug trafficking and burglary to murder and child sexual abuse. State and local law enforcement routinely use SCA warrants to obtain key evidence in these investigations. And prior to the 2nd Circuit’s decision, providers routinely complied with these requests without protest.

Following the 2nd Circuit’s decision, however, providers — most notably Microsoft, Google and Yahoo — began relying on that decision in courts around the country to refuse to comply with any SCA warrant that would require copying data from a foreign server. Such refusals have been made even when (i) a court found probable cause that the targeted email account was used in connection with a domestic crime, (ii) the provider could access the requested data from within the United States, (iii) the account user and the provider were both located in the United States, and (iv) law enforcement would receive and review the requested data in the United States. As demonstrated by the experience of Vermont’s Internet Crimes Against Children Task Force, this has created serious problems.

This Vermont task force investigates and prosecutes people who use online communications to sexually exploit children. Since 2008, the task force has prosecuted nearly 200 cases involving child pornography and child sexual assault or abuse. In the past two years alone, the task force has obtained hundreds of subpoenas and search warrants, many of which were issued under the federal Stored Communications Act and its state law counterpart.

The task force recently litigated three motions to compel compliance with SCA warrants against Google. Each case involved someone present in Vermont using a Gmail account to sexually exploit children. In each case, a court found probable cause to believe a crime was committed in Vermont and that the suspect’s email accounts would contain evidence of that crime. And in each case, Google relied on the 2nd Circuit’s Microsoft decision to refuse to disclose the requested data, thereby denying investigators access to time-sensitive electronic evidence that could have been used to identify victims and prevent ongoing crime. A Vermont trial court ordered Google to comply with the warrants, but Google appealed to the Vermont Supreme Court. After the United States Supreme Court granted certiorari in Microsoft, Google dropped its appeal and finally provided the requested data, nearly 10 months after a court first determined the company had the data needed in a serious criminal investigation involving the potentially ongoing sexual abuse of children by a Vermont resident.

Vermont’s experience is not unique. Law-enforcement agencies around the country have experienced similar problems because of the decision below. In Utah, for example, a provider refused to comply with a warrant that sought the contents of an account the police knew contained a photograph of the suspect sexually abusing a minor. And in California, a provider recently refused to comply with a warrant for the contents of a cloud account that could be instrumental in determining the timeline and location of a young girl’s disappearance and suspected murder. Providers have refused to comply with SCA warrants for email data in sexual-abuse investigations in a number of other states, including Massachusetts, Indiana, Illinois, Mississippi, New Hampshire, New Jersey and Texas. Although these examples involve child-abuse investigations, the problem is far more widespread. Given the ubiquity of email and other electronic communications, this issue can potentially arise in any criminal investigation.

And these are just the problems under various providers’ current systems. Nothing prevents Microsoft or any other provider from choosing at any time to store all of its customers’ data on foreign servers. Under the 2nd Circuit’s reasoning, providers have carte blanche to fashion their network architecture and store their customers’ data beyond the reach of domestic law enforcement. The ability of state and local law enforcement to investigate and prosecute crime in their jurisdictions should not be held hostage to the business decisions of private corporations.

Posted in U.S. v. Microsoft Corp., Symposium before the oral argument in United States v. Microsoft, Featured

Recommended Citation: Benjamin Battles, Symposium: Business decisions should not control whether law enforcement can investigate local crimes, SCOTUSblog (Feb. 6, 2018, 10:25 AM), http://www.scotusblog.com/2018/02/symposium-business-decisions-not-control-whether-law-enforcement-can-investigate-local-crimes/
