Cross-Border Digital Searches: An Innovation-Friendly Approach
Case between the US government and Microsoft reveals the shortcomings of current laws.
As people and companies store more data in the cloud, new questions are arising about how law enforcement agencies gain access to that data and the impact those methods could have on the competitiveness of the US technology industry. Given the importance of this industry to the US economy, it's imperative that the federal government not only establish an innovation-friendly process for cross-border digital searches, but also work with its trading partners to do the same.
The shortcomings of today's laws are being exposed in a case between Microsoft and the US government. Last December, as part of a drug investigation, an as-yet-unidentified US law enforcement agency obtained a warrant for Microsoft to turn over copies of an unknown person's email account associated with a data center in Dublin, Ireland. Microsoft refused to comply, arguing that the US government can't force a private party to do what the government has no authority to do itself: conduct a search and seizure operation on foreign soil. Normally search warrants apply only to evidence stored within the US.
The question here isn't whether the US government can gain lawful access to this data, but rather the process it should use to do so. Instead of using a search warrant, the US government agency in question could have sought access to this account information using a Mutual Legal Assistance Treaty. MLATs are agreements designed for law enforcement agencies to receive and provide assistance to their counterparts in other countries. The US has MLATs with more than 50 countries, including Ireland. Despite these arrangements, the law enforcement agency preferred to obtain a search warrant, arguing that MLATs involve a "slow and cumbersome" process.
No matter how the case is finally decided, there are potentially negative implications for US tech competitiveness. If the court supports the use of search warrants, it will feed the perception that the best way to protect data from the prying eyes of the US government is to store data overseas with a non-US provider, which wouldn't be subject to US warrants. Other countries may also respond by passing laws to gain extraterritorial access to the data of companies operating within their borders.
This has already begun. On July 17, the UK adopted the Data Retention and Investigatory Powers bill, which gives it sweeping new surveillance powers that apply to all communications service providers with a facility in the country. If this ruling holds, expect China, Russia, and other countries to pass similar laws.
Conversely, if the US court rules that search warrants can't be used overseas, foreign governments may try to force companies to store data within their countries' borders to make it impossible for the US to execute a search warrant. A recent example is Russia's edict requiring Internet companies to store Russian user information in data centers in Russia.
In addition, companies (and criminals) could take steps to escape the scrutiny of law enforcement by dividing their data across multiple jurisdictions. Imagine if a company took an email and split the information up across servers in five countries. A law enforcement agency would have to initiate five separate MLAT requests to view that message. And why stop at five -- the company could split the message into 10 pieces or a hundred, creating a labyrinthine legal environment for accessing data. The technical complexity involved would be minimal.
The best option for addressing these challenges is to strengthen the MLAT process so that it's not, as the government argues, too slow, and so that companies can't take actions to make it difficult for government investigators to gain lawful access to data. The US government should take the lead in creating a timely and efficient international framework for allowing governments to request access to data stored abroad. This framework would help meet the needs of law enforcement agencies operating in a digital world and keep the US tech sector competitive globally by making border distinctions inconsequential for legitimate law enforcement requests.
Just as international maritime law evolved to support the development of a global shipping industry, and aeronautical law emerged to oversee the expansion of global civil aviation, so too should international stakeholders construct international rules to govern the global data economy when there's broad consensus on the goals. As the Information Technology and Innovation Foundation has argued, by working to create a global pact on issues of intergovernmental access to data, the US can begin to reassure people at home and abroad that it respects privacy and civil liberties while also allowing the US tech sector to thrive. After all, data respects no boundaries, but governments should.
ITIF research assistant Alan McQuinn also contributed to this article.
Daniel Castro is a senior analyst with the Information Technology and Innovation Foundation and director of the Center for Data Innovation. Castro writes and speaks on a variety of issues related to information technology and Internet policy, including privacy, ...