By Daniel J. Solove
The law regulating government surveillance and information gathering is in dire need of reform. This law, which consists of the Fourth Amendment and several statutes, was created largely in the 1970s and 1980s and has become woefully outdated. The result is that law enforcement officials and intelligence agencies can readily find ways to sidestep oversight and protections when engaging in surveillance and data collection.
The gaps in current law are powerfully demonstrated by a very important case being fought out in federal court – Microsoft v. United States. The Department of Justice (DOJ) convinced a federal court to issue a warrant to require Microsoft to turn over data it had stored in Ireland. Microsoft has fought the warrant. Microsoft argues that for government officials to obtain data in a foreign country, they must go through the Mutual Legal Assistance Treaty (MLAT) between that country and the United States. The case now sits before the U.S. Court of Appeals.
The case shows how existing laws are being outpaced by changing technology. With cloud computing, data can readily be stored in foreign countries, and ECPA doesn’t really address the issue. The implications of the case are profound, affecting privacy protection in the cloud and the clash between the privacy laws of different nations. In Congress, a new bill has been introduced to address the issue – the LEADS Act – which seeks to amend ECPA to prevent what the DOJ is attempting to do in this case.
Outdated Constitutional Interpretations and Statutes
The laws dealing with government surveillance and data gathering are best analogized to ancient ruins. U.S. Supreme Court decisions in the 1970s created big holes in Fourth Amendment protection against government information gathering. In a series of cases, the Supreme Court held that people lacked a reasonable expectation of privacy in various types of data when maintained by third parties – resulting in no Fourth Amendment protection. These unfortunate cases created a tear in the fabric of Fourth Amendment protection, a tear that has become ever larger over time as an increasing number of third parties maintain personal data. For example, many people now store and back up their digital files with cloud computing services. Should they lose all Fourth Amendment protection over their documents?
The Supreme Court has never fully explored how far these cases go. The cases were decided nearly 40 years ago in an age when the cloud meant something you saw in the sky and a cookie was something you ate.
Congress passed the Electronic Communications Privacy Act (ECPA) in 1986. This is the primary federal statute that regulates electronic surveillance and data gathering. The law was designed to provide additional protections beyond the Fourth Amendment – and to fill some of the gaps left by the Fourth Amendment in the wake of short-sighted decisions that didn’t make sense in light of emerging technologies.
With ECPA, Congress took lead over the courts in regulating electronic surveillance and data gathering. Unfortunately, Congress failed to heed the fable of the Tortoise and the Hare. Instead of continuing on in the race, Congress took a nap . . . and it is still sleeping. ECPA is now nearly 30 years old. It is built around the Internet in the mid-1980s, long before cloud computing took off, before webmail, before countless new technologies and developments.
But unlike the fable, the tortoise (the Supreme Court) has not really finished the race either, and still keeps creeping along. Consider the following quote by the Supreme Court: “The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear.” The quote concerns text messaging – in 2010! See City of Ontario v. Quon,130 S. Ct. 2619 (2010).
At this rate, nobody is going to finish the race, and technology marches on.
Microsoft v. United States
Microsoft v. United States exemplifies some of the shortcomings of existing law to fit modern technology. Officially named (in clunky fashion) In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, the case shows how ECPA has fallen out of date and wasn’t really created with contemporary cloud computing in mind.
A New York magistrate judge issued a warrant requested by the Department of Justice (DOJ) on Microsoft to turn over data stored in Ireland. The warrant was issued under ECPA’s Stored Communications Act (SCA). Microsoft sought to quash the warrant. Microsoft argued that the government should not be able to demand from Microsoft data stored in a foreign country without going through the Mutual Legal Assistance Treaty (MLAT) between that country and the United States.
The government cannot use a warrant under the Fourth Amendment to gather data oversees. The warrant would be meaningless in other countries because each country has its own laws for when government officials can obtain data and engage in surveillance. In order to do so, U.S. government officials would need to follow the MLAT process. This process involves U.S. officials going through a judge in the foreign country to obtain the information.
But the MLAT process is also in need of reform, and so the government has found an end-run around it by serving Microsoft with the warrant under ECPA to fetch the information in Ireland and bring it to the government officials in the U.S. ECPA isn’t clear about how to address the issue of data stored beyond U.S. borders. Were ECPA being written today, it would surely cover this issue, as cloud computing often involves data stored in foreign countries. But ECPA was created in 1986, nearly 30 years ago.
The result is that cloud service providers are put in a very difficult position, as they are in the middle, forced to violate foreign law in order to comply with U.S. law.
Being put in this position puts U.S. companies at a competitive disadvantage over other companies. Imagine that John Doe is a citizen of Utopia, a country that has strong civil liberty and privacy protections, that actually keeps its laws up to date, that doesn’t let its spy agencies run amok, and that doesn’t interpret its Constitutional protections into near oblivion. John Doe is deciding between whether to use YSoft cloud service or the cloud service of Zsoft, a company in Utopia. Doe could store his data with YSoft in Utopia, but now the U.S. government could use the weaker U.S. laws to gather Doe’s data from YSoft in the U.S. Doe doesn’t want to be subject to the U.S. law – he wants the protections his own country provides to him. So he chooses ZSoft instead. YSoft is thus put at a competitive disadvantage. That’s why so many U.S. technology companies are supporting Microsoft in this case.
If the U.S. government ignores foreign law when obtaining data abroad, then other countries might reciprocate by ignoring U.S. law. What if countries with weaker laws than the United States demanded information on U.S. citizens stored abroad? These countries might start ignoring U.S. protections and grab the data according to their own permissive rules.
The LEADS Act
A key proposed reform of ECPA is the Law Enforcement Access to Data Stored Abroad (LEADS) Act of 2015, a bipartisan bill sponsored by Senators Hatch, Coons and Heller. The bill was introduced last term and died, but it has been reintroduced again this year.
The LEADS Act would require the government to obtain a warrant under ECPA to obtain electronic information stored by a “U.S. person.” The LEADS Act attempts to clarify at least two deficiencies in ECPA:
1. The LEADS Act’s warrant requirement for all communications overrides a provision in ECPA’s Stored Communications Act that allows the government to obtain a stored email more than 180 days old with a court order less protective than a warrant, a provision that has been found to be unconstitutional under the Fourth Amendment (see United States v. Warshak, 631 F.3d 266 (6th Cir. 2010)). The LEADS Act’s warrant requirement would get rid of the 180-day distinction.
2. The LEADS Act also directly addresses the problems raised in Microsoft v. United States. Under the LEADS Act, warrants would be required whether the information is held in the U.S. or overseas, but they would not be allowed to override conflicting foreign law. The LEADS Act also attempts to improve upon the MLAT process to ease its burden.
For U.S. persons, if the information is maintained in a foreign country, the service provider could request that the court modify the warrant if compliance would make the provider violate the law in the country where the data is stored.
For non-U.S. persons, warrants would not apply. The MLAT process would need to be followed.
So if the government wanted to obtain information stored in Ireland by Microsoft by Jane America, a U.S. citizen, it could obtain the information through a warrant issued to Microsoft, but only if compliance didn’t force Microsoft to violate the laws of Ireland. But if it wanted to obtain information stored oversees by Microsoft by Jane Ire, an Irish citizen, it would need to follow the MLAT process.
The LEADS Act is a great step towards reforming ECPA. The U.S. government should not put itself above the laws of other countries. Nor should the U.S. government force cloud service providers and other companies to violate those laws so that government officials can take a shortcut around the MLAT process.
There are issues in reforming ECPA that are quite controversial, but the LEADS Act has bipartisan support and the support of industry and a wide array of diverse special interest groups. The LEADS Act is a strong step in the right direction.
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 890,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.