In all the commentaries on this important case about where you host your data, the voice of the startups seems to have been lost. Somehow, there seems to be the assumption that if you're pro-business, you're pro-Microsoft. I'm not so sure that assumption is true when you think about more innovative and early-stage companies. In my commentary here in TechCrunch, I outline some of the reasons why supporting Microsoft's position in their current litigation could actually harm the business interests of US startups.
Somehow we went from mild interest in December when Microsoft challenged a search warrant over user data stored in Ireland to some kind of frenzy today when Chief US District Judge Loretta Preska ruled in the government’s favor. I know it doesn’t make good sound bites, but this is not a case of good versus evil and today’s ruling is not necessarily a Bad Thing. It might be, but it’s just too soon to tell. If Judge Preska’s decision survives the inevitable appeals, the most important thing will be the basis of her (and the appeal judges’) reasoning. Until then, let’s cut through the hyperbole to see what the case does and does not mean.
What it doesn’t mean
US law enforcement can access your data anywhere in the world
It doesn’t actually mean that the world’s servers are now fair game for the FBI. The e-mail account was created with the US company, Microsoft Corporation, and the records were stored in Ireland. This case applies to US-based companies, not to each and every internet provider in the world.
User data is completely unprotected and at the mercy of the FBI without any checks and balances.
We may all be a little punch-drunk from the seemingly endless revelations of NSA overreach in accessing user data, but this isn’t just another round in “NSA vs the World”. The data was sought under a search warrant. The government still had to meet probable cause in order to access it. The question is not whether the judiciary should be involved, but which judiciary applying whose laws.
Microsoft and the other companies in their corner are strong on defending foreign users’ rights.
When it comes to sharing user data with foreign governments, internet companies have large amounts of discretion (at least when it relates to non-content). As noted previously, there are very few checks and balances on this discretion, and different companies have quite different track records.
Tech companies are united in their objections to the government position.
Apple, Cisco, AT&T, and Verizon have voiced support for Microsoft’s position. Other big providers have been silent. This could be because they take a different approach to data storage and jurisdiction. Importantly, it shows that there is definitely not unanimity on how best to solve this issue.
What it does mean
The rest of the world is watching
Every law enforcement agency in the world is struggling with the question of how to stay one step ahead of criminals and no country really wants to have to go through the involved process of mutual legal assistance in time-sensitive cases if they can avoid it. This doesn’t mean that it will be a total free-for-all on user data; this decision would only apply to companies that are within that country’s borders. It may, however, encourage other countries to adopt more expansive legislation and policies.
There is potential for conflict of laws issues and questions of sovereignty
It is permissible for a country to have legislation with extraterritorial effects, but not to go into another country to enforce it. If this case ends up creating a principle that a search or seizure occurs at the time that a US company copies data from their server in a foreign country, then the US might be trying to exercise enforcement jurisdiction in another country. This is one of the few areas of international law on jurisdiction that’s pretty clear; it’s a no-no.
On the other hand, if the search or seizure doesn’t occur until the data is handed over to US authorities, you have a conflict of laws. This is because a user’s data could be affected by both the US law and the other country’s data protection laws.
This could have significant implications for cloud computing and remote data storage
There are definitely downsides to an approach that uses data location as the basis for jurisdiction. One of these is that it would mean that companies will make decisions about data location based on legal priorities rather than technical needs, which could compromise the speed and robustness of new products.
We’re going to have to wait for legal certainty
The Magistrate’s decision, the ensuing briefs from Microsoft and the government, and the various amicus briefs each focused on different legal issues. Is this essentially a fourth amendment case or a question of statutory interpretation of the Electronic Communications Privacy Act? This is actually a big deal and goes to the heart of issues such as where does an electronic search or seizure occur? To some extent, it is not the outcome of this case that really matters, but the reasoning upon which it is based
Over the past ten days, civil society has been having kittens over the UK Data Retention and Investigatory Powers Bill, partly because of its extraterritorial extension of UK surveillance powers. This comes at a time when there is already heightened focus on issues of data and jurisdiction because the District Court is due next week to consider Microsoft’s challenge to the magistrate’s decision to uphold a search warrant over data that is stored in Ireland. When the District Court hears this matter, things will no doubt get very technical very quickly. International jurisdiction can have you turning your mind inside out trying to work your way through layers of laws, precedents and analogies, none of which is actually directly applicable to the case at hand. However, before we get swept up in the court’s analysis, let’s take a moment to step outside of the legalities of the Microsoft case and instead think about the fundamental principles behind them. It’s a game of ‘what would we want the laws to look like if we didn’t have to rely on Congress to pass them?’.
The big question that I want to ask is, what criteria should jurisdiction for user data be based on? The four key options that I see are:
- Data location
- User location
- Company location
- Terms of service
Jurisdiction based on data location
This is essentially the approach that Microsoft is advocating. If your biggest fear is the NSA-style overreach of US power, it has definite appeal. It means that US law enforcement doesn’t get a shortcut to the world’s data just because US companies dominate much of the internet. Instead, US law enforcement must use the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation if the data is hosted abroad, which feels reassuringly respectful of international borders and principles of sovereignty.
However, if you’re a vulnerable user in an undemocratic regime, this may not be such an attractive option. Companies that insist on Californian jurisdiction over their data can use this to protect their users’ data when they have concerns about the legitimacy of the foreign government’s request. The Electronic Communications Privacy Act (ECPA) may be an imperfect guardian of user data, but it still provides a baseline level of protection for vulnerable users in undemocratic countries.
Moreover, data is increasingly stored across multiple jurisdictions and moves quickly between them. It seems arbitrary for users to be subject to different laws depending on where their data happens to be at a particular moment in time. For some companies, it may even be difficult to determine where the data is located.
If companies make decisions about where to store data based on legal considerations rather than technical requirements, it could compromise the ability to provide fast, reliable product offerings to consumers. Google highlighted this point in their objections to Brazil’s attempt to legislate for data localization.
Jurisdiction based on user location
Something feels right about users being governed by their own countries’ laws because that’s how it’s traditionally been done. Professor Kerr has argued for US jurisdiction to be based on user location, so that US-based users would receive full statutory protections, regardless of where in the world their data is stored. Applied more broadly, this could have the benefit of ensuring that users in countries with strong data protection and human rights laws receive the protection of their own countries’ regimes even when they’re using a foreign online product. User-based jurisdiction could also facilitate legitimate access to data for criminal investigations by removing the international complications when law enforcement officers are investigating users within their own jurisdiction.
However, companies with a very international user base could find themselves in a nightmarishly complicated situation of having to comply with 193 countries’ legal systems and apply the correct laws to each user wherever that user happened to be. There are also difficulties in identifying where a user is at any given time. Professor Kerr suggests a solution that permits (but does not require) providers doing business in the US to disclose foreign user data (using rebuttable presumptions about user location) in response to foreign legal requests. This goes some way towards solving the problem. However, I'm not sure that it is a complete solution by itself because, if mirrored in other jurisdictions around the world, it places a large amount of discretion in the hands of internet companies and creates significant conflict of laws issues.
Jurisdiction based on company headquarters’ location
This is the approach adopted by companies such as Google, Twitter, and Facebook. It has the advantage of being simple to understand, and ensures that there is at least a baseline level of legal protections (albeit a US-centric baseline).
However, this approach risks entrenching the dominance of US laws and US values over an international space. Countries may be left with limited ability to enforce laws over their own citizens within their own territory on issues such as data protection, intellectual property, or criminal law. It means that countries have to go through the MLAT and US legal process. This creates a large caseload for the US Department of Justice, FBI and US companies, as well as creating delays and frustrations for foreign law enforcement. It is concerns like these that encourage moves towards data localization and fragmentation of the internet.
Jurisdiction determined by terms of service
There is some attractiveness to the idea of being able to specify jurisdiction through the terms of service. It gives a level of user consent and empowerment over their data choices.
However, it is doubtful how many users read and understand the terms of service for every online service they access. This approach also raises concerns about forum-shopping. Terms of service should have to be combined with other indicia of jurisdiction (eg headquarter or user location), otherwise companies or users could just arbitrarily forum-shop for jurisdictions.
So what is the ideal solution?
I’m not sure. I think that the laws governing users and their data should be determined by reference to the location of the parties (ie the user, the provider and the requesting agency), rather than focusing solely on the location of the data. However, no single one of these bases is ideal. I think that we need a combination of factors that are required to provide the basis for jurisdiction. When multiple States assert jurisdiction, there’s then a separate question of how to manage any potential conflict of laws (definitely a question for another day!).
Where does this leave us?
Meanwhile, back in reality, we have to work with the laws that are on the books. It’s important to distinguish the discussion about what the law should be from what it actually is. Some of the arguments being raised in the context of the Microsoft case seem to blur that line by using perceived problems with the MLAT process to justify particular interpretations of the current laws. While legal interpretation should be connected with practical realities, it’s important that the logic of the analysis and interpretation be able to stand on its own merits.
This weekend, as an ex-bureaucrat, I felt for the folk at the State Department. It must have been a ridiculously busy weekend for those preparing for this week’s Human Rights Committee Hearing in Geneva. On Friday, the New York Times leaked Harold Koh’s legal advice acknowledging that the US obligations under the International Covenant on Civil and Political Rights do not stop at the border. The NYT article would have meant that the briefing folders that had been merrily making their way up the clearance chain in time to be packed into the delegation’s suitcases would have been discarded (or at least the sections on extraterritoriality would have been yanked out) and all the talking points would have needed to be rewritten. This is not just an important moment for bureaucrats or international human rights law junkies; it is potentially powerful for digital rights activists pushing for reform of global surveillance practices. Digital rights advocates have been calling for the US government to end global mass suspicionless surveillance and to adhere to their international human rights law obligations. There may be a strong moral case to support them, but when it comes to the NSA’s overseas activities, the discourse has often lacked a strong legal underpinning. In order to push governmental policy on this issue, the dialogue needs to mature to the point where it is built on solid legal underpinnings. The next couple of months bring an unprecedented opportunity to do just that.
The current state of the digital rights dialogue
Up until now, civil society dialogue has pushed the idea that States owe an obligation to respect privacy online for both citizens and non-citizens. In an open letter to the UN High Commissioner for Human Rights, the Global Network Initiative “has urged the United States to recognize the right to privacy of non-U.S. persons and to strengthen reforms to effectively protect this right”. The NGO-led International Principles on the Application of Human Rights to Communications Surveillance state that “In order for States to actually meet their international human rights obligations in relation to communications surveillance, they must comply with the principles set out below. These principles apply to surveillance conducted within a State or extraterritorially.”
But it’s hard to find anything in the digital rights sphere that actually specifies the nature and source of an extraterritorial international obligation. You can’t really blame them. While you may have a gut instinct that the “right” thing to do is to extend the article 17 right to privacy beyond a country’s borders, it’s actually really tough to make out the technical legal argument supporting this. The issue goes to heart of what “control” means and whether the scope of a right can be determined by the ability of a State to impact it. Tricky stuff.
The emerging ideas for a legal basis
One of the few academic articles to specifically tackle the issue of extraterritorial application of article 17 of the ICCPR to digital surveillance is by Peter Margulies. This argues that the “effective control” test of jurisdiction is inadequate for the online context. Instead, he posits a test of “virtual control” under which the ICCPR is “applicable when a state can assert control over an individual’s communications, even though it lacks control over the territory in which the individual is located, or over the physical person of that individual”. I’m not sure that this argument is nuanced enough yet to be able to adopt it in legal cases (and indeed, digital rights groups may be unhappy with Margulies’ conclusion that US surveillance abroad actually complies with article 17). However, it does go some way towards breaking down the issues and applying international legal reasoning to the issue.
Marko Milanovic has an excellent series of blog posts on the international human rights law implications of surveillance. He argues that the best way of understanding jurisdiction and international surveillance is to treat rights differently according to whether they are “negative” or “positive”. Accordingly, “The reason why the Convention would apply is because it should apply to all potential violations of negative obligations, e.g. the one to refrain from interfering with my privacy”. This argument has a lot of force and makes sense of some of the confusing jurisdictional cases in international human rights law jurisprudence. However, it is still early days and it is yet to be seen whether a court (or treaty body) would adopt this approach.
The NYT article has prompted a stream of shorter blog posts over the last couple of days, including a great “mini-forum” on Just Security (see especially Jennifer Daskal, Martin Scheinin and Manfred Nowak. This does not really go into the same depth as Margulies' and Milanovic's analyses, but does go some way towards bringing the legal issue of extraterritoriality and surveillance to a slightly broader audience.
There has been some high-quality legal thinking on this issue but it is still at a fairly early stage of development, and discussion remains confined to international human rights law circles.
The opportunities for change
The best way to effect change to international digital surveillance is through powerful advocacy that speaks to the public but is also supported by strong legal reasoning that speaks to the government and bureaucrats. Now is the moment to bring these dialogues together.
The Human Rights Committee tends to listen very closely to NGO input (partly in recognition of their valuable contribution, but also because the committee just does not have the resources to conduct extensive research on all the issues covered by the ICCPR in each State). This means that the NGO community needs to be in the Committee’s ear over the coming week with helpful, informed and well-reasoned views on extraterritoriality and surveillance.
Another key opportunity will be the UN High Commissioner for Human Rights’ forthcoming report. At the end of last year, the UN General Assembly passed a resolution recognizing the right to privacy in the digital age. It backed away from any reference to extraterritorial obligations in the text of the resolution. However, the resolution:
Requests the United Nations High Commissioner for Human Rights to present a report on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale to the Human Rights Council, at its twenty-seventh session, and to the General Assembly at its sixty-ninth session, with views and recommendations, to be considered by Member States;
This means that there is now an opportunity for a UN report to directly tackle the issue of extraterritorial application of the right to privacy to online surveillance. Again, it will be important for civil society to make submissions that are well-reasoned, pragmatic and legally-robust.
Much of the advocacy and legal groundwork has been done – the challenge is in making sure that the two dialogues come together.