Creating accessible information for customers on international data privacy and government access

The past week has brought key decisions on the status of cell site location data, the validity of the NSA’s metadata collection under section 215 of the Patriot Act, and the little matter of the USA FREEDOM Act.  To say it’s like drinking from the fire hose is an understatement.  Companies and users are rightly concerned about how to interpret these decisions, and how best to respond.  But (to continue an overworked metaphor), when it comes to finding information that is clear, accessible, and actually applies to companies and customers, it’s a bit of a case of water all around but not a drop to drink. 

This is a real problem for cloud-based companies with an international customer base; it is important to be able to address customer questions and concerns with clear, concise information.  It is in this context that I created information sheets on international government access to user data in the cloud for the cloud-based document management and email management company NetDocuments.  The first of these sheets explains the legal framework in the United States, Australia, and the United Kingdom, and outlines NetDocuments’ policies and procedures to protect confidential client data.

What didn't happen in Austin: quick wrap-up of the BCLT Privacy Forum

For those of us who didn’t make it to Austin this week, I thought I would take a moment to share a quick wrap-up of some key themes from Berkeley Center for Law and Technology’s Privacy Law Forum last Friday.

Surveillance, law enforcement access to data, extraterritorial jurisdiction, and even the previously obscure world of MLATs were underlying themes of the day.  Will deVries from Google’s privacy team even declared government access to data as the “issue of our time”. 

This might seem entirely predictable now, given this week’s Pew survey statistics that 87% of the adult American population is aware of the surveillance programs (perhaps more baffling is how 13% have managed to remain unaware). Helping companies, governments, and users make good decisions about if, when, and on what terms governments should be able to access user data is not only an interesting topic to discuss over conference pastries and drip coffee, it’s genuinely important.  It’s critical for criminal justice, national security, and user privacy that the right decisions are made and the rule of law is followed.  Surprisingly, while the level of public, civil society, and industry interest in this topic has mushroomed, there is still not much practical advice or resource materials for companies facing these issues (stay tuned as this is something I plan to help remedy).

Other recurring themes throughout the day included:

  • the privacy challenges created by the Internet of Things and the role for the FCC;
  • cyber insurance and the need to carefully analyse your policy (because all policies are definitely not created equal);
  • attempts to create a federal data breach notification law and the role of consumers in the wake of the Clapper decision;
  • whether 2015 will be the year that the EU General Data Protection Regulation is passed.

If you’re up to date with the backlog of things to read from SXSW, you can check out the audio recordings of the BCLT conference on their website.  

Don’t get too comfortable – the need for tension between government and tech companies

As I’ve always said, “We don’t want the relationship between companies and government to be without tension; we want friction”.  Actually, Anupam Chander said this at Monday’s privacy lecture at Berkeley, but it’s the kind of statement that I wish I’d said.  This idea of an optimum level of friction is a good frame of reference at a time when law enforcement and companies trade words as to whether encryption will create the “phone of choice for the pedophile” or simply mean that “privacy doesn’t stop because of a government information request”.

At the same lecture, James Aquilina of Stroz Friedberg noted that a great travesty of the Snowden revelations was that they destroyed the relationship between government and companies.  He explained that the trust built after 9/11 has been completely eroded and the relationship destroyed.  The problem with this relationship breakdown is that the public still expects the government to be able to protect them.  While this might seem to be at odds with Chander’s statement, I think that these statements can actually be seen as reflecting questions about how much tension there should be.

Much of our legal and political system is based on the idea that the best outcome is achieved when opponents representing different sides of a debate are able to battle it out: the separation of powers between executive, legislature, and judiciary; the adversarial court process; and the halls of Congress all rely on the tension between opposing views.  While I wouldn’t advocate for a relationship based on the level of tension within Congress, we also don’t want tech companies to be the government’s lapdogs.  It’s hard to know where the right line is on facilitating legitimate government investigations and ensuring individuals’ right to privacy.

Twitter’s new legal fight to publish full transparency figures reminds us that the right level of tension can’t necessarily be quietly negotiated.  Instead, it may need to be lobbied and litigated.  This is particularly important when legislative change is glacially slow.  Where does this leave smaller companies, who don’t necessarily have the deep pockets to fight it out in court?  I’ve had conversations with a small, very pro-user tech company where the C-suite has agreed that if they get a national security letter, they’ll close their US operations rather than hand over the data.  But this isn’t an approach that many companies would be willing or able to take. 

As a baseline, companies of all sizes should insist on a search warrant (or the appropriate legal process under the Electronic Communications Privacy Act) before handing over user data and notify users (wherever permitted).  Companies should be proactive in their own privacy policies and procedures, paying attention to what personal information they’re collecting and storing, where they store it, and with whom they share it for commercial purposes.  Whereas the US Government has been happy to overlook the rights of non-US persons, companies that operate in the global marketplace should take a principled approach to all users (see my explanation of the glaring gaps in ECPA with respect to foreign government requests).  And if you happen to have deeper pockets and in-house legal support, consider having your day in court.

At the moment, we’re headed back into another round of the cryptowars between government and industry.  Hopefully we will soon be able to reach some kind of détente where we have a set of clearer, more appropriate boundaries for where privacy ends and legitimate government access begins.  In the meantime, let’s not shy away from a good fight.

TechCrunch article - If Microsoft wins, do startups lose?

In all the commentaries on this important case about where you host your data, the voice of the startups seems to have been lost.  Somehow, there seems to be the assumption that if you're pro-business, you're pro-Microsoft.  I'm not so sure that assumption is true when you think about more innovative and early-stage companies.  In my commentary here in TechCrunch, I outline some of the reasons why supporting Microsoft's position in their current litigation could actually harm the business interests of US startups.  

USA v. Microsoft: what the decision does and doesn’t mean

Somehow we went from mild interest in December when Microsoft challenged a search warrant over user data stored in Ireland to some kind of frenzy today when Chief US District Judge Loretta Preska ruled in the government’s favor.  I know it doesn’t make good sound bites, but this is not a case of good versus evil and today’s ruling is not necessarily a Bad Thing. It might be, but it’s just too soon to tell.  If Judge Preska’s decision survives the inevitable appeals, the most important thing will be the basis of her (and the appeal judges’) reasoning.  Until then, let’s cut through the hyperbole to see what the case does and does not mean.

What it doesn’t mean

US law enforcement can access your data anywhere in the world

It doesn’t actually mean that the world’s servers are now fair game for the FBI.  The e-mail account was created with the US company, Microsoft Corporation, and the records were stored in Ireland.  This case applies to US-based companies, not to each and every internet provider in the world.

User data is completely unprotected and at the mercy of the FBI without any checks and balances.

We may all be a little punch-drunk from the seemingly endless revelations of NSA overreach in accessing user data, but this isn’t just another round in “NSA vs the World”.  The data was sought under a search warrant.  The government still had to meet probable cause in order to access it.  The question is not whether the judiciary should be involved, but which judiciary applying whose laws.

Microsoft and the other companies in their corner are strong on defending foreign users’ rights.

When it comes to sharing user data with foreign governments, internet companies have large amounts of discretion (at least when it relates to non-content).  As noted previously, there are very few checks and balances on this discretion, and different companies have quite different track records.

Tech companies are united in their objections to the government position.

Apple, Cisco, AT&T, and Verizon have voiced support for Microsoft’s position.  Other big providers have been silent.  This could be because they take a different approach to data storage and jurisdiction.  Importantly, it shows that there is definitely not unanimity on how best to solve this issue.

What it does mean

The rest of the world is watching

Every law enforcement agency in the world is struggling with the question of how to stay one step ahead of criminals and no country really wants to have to go through the involved process of mutual legal assistance in time-sensitive cases if they can avoid it.  This doesn’t mean that it will be a total free-for-all on user data; this decision would only apply to companies that are within that country’s borders.  It may, however, encourage other countries to adopt more expansive legislation and policies.

There is potential for conflict of laws issues and questions of sovereignty

It is permissible for a country to have legislation with extraterritorial effects, but not to go into another country to enforce it.   If this case ends up creating a principle that a search or seizure occurs at the time that a US company copies data from their server in a foreign country, then the US might be trying to exercise enforcement jurisdiction in another country.  This is one of the few areas of international law on jurisdiction that’s pretty clear; it’s a no-no.

On the other hand, if the search or seizure doesn’t occur until the data is handed over to US authorities, you have a conflict of laws.  This is because a user’s data could be affected by both the US law and the other country’s data protection laws.

This could have significant implications for cloud computing and remote data storage

There are definitely downsides to an approach that uses data location as the basis for jurisdiction.  One of these is that it would mean that companies will make decisions about data location based on legal priorities rather than technical needs, which could compromise the speed and robustness of new products.

We’re going to have to wait for legal certainty

The Magistrate’s decision, the ensuing briefs from Microsoft and the government, and the various amicus briefs each focused on different legal issues.  Is this essentially a Fourth Amendment case or a question of statutory interpretation of the Electronic Communications Privacy Act?  This is actually a big deal and goes to the heart of issues such as where an electronic search or seizure occurs.  To some extent, it is not the outcome of this case that really matters, but the reasoning upon which it is based.