Recently, oral arguments were heard in a very important case in the U.S. Court of Appeals for the Second Circuit. The case is officially titled In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, but it is being referred to as Microsoft v. United States for short.
The case involves a warrant requested by the U.S. Department of Justice (DOJ) to require Microsoft to turn over to the DOJ data stored in Ireland. A New York magistrate judge issued the warrant under the Electronic Communications Privacy Act (ECPA)’s Stored Communications Act (SCA). Microsoft challenged the warrant by arguing that the government should not be able to use a warrant under ECPA to obtain the data – instead, it should seek the information through a different means – a Mutual Legal Assistance Treaty (MLAT) that countries enter into for law enforcement cooperation.
At first glance, the case appears to be a dull one about procedure – should the government be able to seek the data through a statute (ECPA) or through a treaty (MLAT). Why does this matter?
It matters a lot. If U.S. law enforcement officials can use any statute to obtain information a company maintains in a foreign nation, then other foreign nations might use their own statutes to do the same. And those statutes might have very little protection for privacy or civil liberties.
The Dangers of U.S. Exceptionalism
If a U.S. statute can be used to obtain data on a server in another country, other countries will likely want to use their own statutes to obtain data on U.S. servers. The statutes in these other countries might be far less protective than U.S. laws. The statutes might be passed by far less democratic means.
At the hearing, there was an interesting exchange. Judge Carney asked the Assistant United States Attorney (AUSA): “Therefore a German court requiring disclosure of a provider in Germany, regardless of where its servers are kept or who it’s providing service to, can require the disclosure to happen there and U.S. customers or users can be affected but it should be of no concern to us. Is that right?”
The AUSA answered: “No, it should be of some concern. But the fact is that under international law, this is the norm. The norm is that sovereigns, having jurisdiction over entity and people before them, can compel those entities and individuals to produce materials.”
The U.S. government doesn’t have much of a response to the concern that other countries might want to do the same as we’re trying to do to them. There seems to be a sense of U.S. exceptionalism – an expectation that the U.S. is different and doesn’t have to follow the same rules that everyone else follows. But I doubt other countries will graciously accept this kind of U.S. exceptionalism.
U.S. law enforcement is asking for an interpretation of ECPA that would give it broad powers that would allow it to reach into other countries and grab data that resides there – ignoring the laws of these countries in the process. What is particularly troubling is that there is no endgame to the approach of law enforcement – no real plan or thought-out approach in the event other countries refuse to accept U.S. exceptionalism and start seeking data residing in the U.S.
I find it profoundly unwise and shortsighted to open up a diplomatic can of worms without fully thinking through the implications.
Defer to Congress and Wait?
At the hearing, a recurring argument was that the issue should be addressed by Congress. Should courts stop the government from using ECPA in the way it wants? The outcome of this case has implications for foreign relations, and some might think that this is an issue for Congress not the courts. Indeed, at the hearing there were expressions of desire that Congress should update ECPA and address this issue. A bill to address the issue in this case – the LEADS Act — is currently pending in Congress. I previously wrote about it earlier this year.
ECPA is an old statute, passed in 1986 and on the eve of its 30th birthday. ECPA is built around the Internet of yesteryear, and it is showing its age. Countless cases have arisen in the past few decades where courts have struggled to figure out the puzzle of how ECPA’s antiquated structure fits the modern Internet. For example, what did Congress in 1986 think of Webmail? Nobody was using Webmail back then. So courts must play a guessing game.
Should we hope for Congress to act? Let’s not hold our breath. ECPA reform has been on the agenda for year after year. But nothing has happened.
Congress certainly should act, as Microsoft’s Brad Smith argues compellingly. In the meantime, a decision to allow ECPA to be used in lieu of the MLAT process would create foreign relations havoc. The wiser status quo position is to make the government go through the MLAT process until Congress can clearly address the issue.
The Cost of Shortcuts
The government wants a shortcut in this case – it wants the ability to take the easy road and not follow the MLAT process, which is more cumbersome than using ECPA.
This is a pattern with the government and surveillance. For example, we have seen this trend in the illegal ignoring of the Foreign Intelligence Surveillance Act (FISA) procedures after 9/11. The FISA had procedures in place for government information gathering that the Bush Administration ignored because they weren’t convenient. I discussed this in detail in my book, Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale 2011).
These shortcuts are undermining the law, and they are creating a potentially bad situation. There is tremendous shortsightedness in the government’s approach. If the U.S. wins this case, we will likely see other countries seeking information from companies in the U.S. based on their laws, which are much less protective than U.S. law. Essentially, the government is banking on the ability to maintain U.S. exceptionalism. But this is increasingly more difficult in today’s world.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 950,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.