In all the commentaries on this important case about where you host your data, the voice of the startups seems to have been lost. Somehow, there seems to be the assumption that if you're pro-business, you're pro-Microsoft. I'm not so sure that assumption is true when you think about more innovative and early-stage companies. In my commentary here in TechCrunch, I outline some of the reasons why supporting Microsoft's position in their current litigation could actually harm the business interests of US startups.
Over the past ten days, civil society has been having kittens over the UK Data Retention and Investigatory Powers Bill, partly because of its extraterritorial extension of UK surveillance powers. This comes at a time when there is already heightened focus on issues of data and jurisdiction because the District Court is due next week to consider Microsoft’s challenge to the magistrate’s decision to uphold a search warrant over data that is stored in Ireland. When the District Court hears this matter, things will no doubt get very technical very quickly. International jurisdiction can have you turning your mind inside out trying to work your way through layers of laws, precedents and analogies, none of which is actually directly applicable to the case at hand. However, before we get swept up in the court’s analysis, let’s take a moment to step outside of the legalities of the Microsoft case and instead think about the fundamental principles behind them. It’s a game of ‘what would we want the laws to look like if we didn’t have to rely on Congress to pass them?’.
The big question that I want to ask is, what criteria should jurisdiction for user data be based on? The four key options that I see are:
- Data location
- User location
- Company location
- Terms of service
Jurisdiction based on data location
This is essentially the approach that Microsoft is advocating. If your biggest fear is the NSA-style overreach of US power, it has definite appeal. It means that US law enforcement doesn’t get a shortcut to the world’s data just because US companies dominate much of the internet. Instead, US law enforcement must use the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation if the data is hosted abroad, which feels reassuringly respectful of international borders and principles of sovereignty.
However, if you’re a vulnerable user in an undemocratic regime, this may not be such an attractive option. Companies that insist on Californian jurisdiction over their data can use this to protect their users’ data when they have concerns about the legitimacy of the foreign government’s request. The Electronic Communications Privacy Act (ECPA) may be an imperfect guardian of user data, but it still provides a baseline level of protection for vulnerable users in undemocratic countries.
Moreover, data is increasingly stored across multiple jurisdictions and moves quickly between them. It seems arbitrary for users to be subject to different laws depending on where their data happens to be at a particular moment in time. For some companies, it may even be difficult to determine where the data is located.
If companies make decisions about where to store data based on legal considerations rather than technical requirements, it could compromise the ability to provide fast, reliable product offerings to consumers. Google highlighted this point in their objections to Brazil’s attempt to legislate for data localization.
Jurisdiction based on user location
Something feels right about users being governed by their own countries’ laws because that’s how it’s traditionally been done. Professor Kerr has argued for US jurisdiction to be based on user location, so that US-based users would receive full statutory protections, regardless of where in the world their data is stored. Applied more broadly, this could have the benefit of ensuring that users in countries with strong data protection and human rights laws receive the protection of their own countries’ regimes even when they’re using a foreign online product. User-based jurisdiction could also facilitate legitimate access to data for criminal investigations by removing the international complications when law enforcement officers are investigating users within their own jurisdiction.
However, companies with a very international user base could find themselves in a nightmarishly complicated situation of having to comply with 193 countries’ legal systems and apply the correct laws to each user wherever that user happened to be. There are also difficulties in identifying where a user is at any given time. Professor Kerr suggests a solution that permits (but does not require) providers doing business in the US to disclose foreign user data (using rebuttable presumptions about user location) in response to foreign legal requests. This goes some way towards solving the problem. However, I'm not sure that it is a complete solution by itself because, if mirrored in other jurisdictions around the world, it places a large amount of discretion in the hands of internet companies and creates significant conflict of laws issues.
Jurisdiction based on company headquarters’ location
This is the approach adopted by companies such as Google, Twitter, and Facebook. It has the advantage of being simple to understand, and ensures that there is at least a baseline level of legal protections (albeit a US-centric baseline).
However, this approach risks entrenching the dominance of US laws and US values over an international space. Countries may be left with limited ability to enforce laws over their own citizens within their own territory on issues such as data protection, intellectual property, or criminal law. It means that countries have to go through the MLAT and US legal process. This creates a large caseload for the US Department of Justice, FBI and US companies, as well as creating delays and frustrations for foreign law enforcement. It is concerns like these that encourage moves towards data localization and fragmentation of the internet.
Jurisdiction determined by terms of service
There is some attractiveness to the idea of being able to specify jurisdiction through the terms of service. It gives a level of user consent and empowerment over their data choices.
However, it is doubtful how many users read and understand the terms of service for every online service they access. This approach also raises concerns about forum-shopping. Terms of service should have to be combined with other indicia of jurisdiction (eg headquarters or user location), otherwise companies or users could just arbitrarily forum-shop for jurisdictions.
So what is the ideal solution?
I’m not sure. I think that the laws governing users and their data should be determined by reference to the location of the parties (ie the user, the provider and the requesting agency), rather than focusing solely on the location of the data. However, no single one of these bases is ideal. I think that we need a combination of factors that are required to provide the basis for jurisdiction. When multiple States assert jurisdiction, there’s then a separate question of how to manage any potential conflict of laws (definitely a question for another day!).
Where does this leave us?
Meanwhile, back in reality, we have to work with the laws that are on the books. It’s important to distinguish the discussion about what the law should be from what it actually is. Some of the arguments being raised in the context of the Microsoft case seem to blur that line by using perceived problems with the MLAT process to justify particular interpretations of the current laws. While legal interpretation should be connected with practical realities, it’s important that the logic of the analysis and interpretation be able to stand on its own merits.
Last month, Microsoft challenged a warrant that was served on their US offices for customer data that the company stores in Ireland (In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation No 13 Mag 2814, April 25 2014). Verizon, Apple and Cisco, AT&T, and EFF have all filed amicus briefs supporting Microsoft. Our first instinct might be to feel that this is a case of an over-reaching government taking short cuts to access user data, and we should therefore get behind Microsoft. However, before we pick sides or jump on the Microsoft bandwagon, I want to unpack the issues and sound a note of caution. It is certainly not clear-cut that Microsoft’s approach is the best for the user, business, or the evolution of the law.
The first thing that I think we need to get straight is that this is not easy. The Electronic Communications Privacy Act (ECPA) is not designed for the scale and complexity of the way in which providers use international servers and cloud computing today. Using strained analogies with filing cabinets and the tools of traditional statutory interpretation to try to push and pull ECPA into the twenty-first century is not going to give a great outcome. If we want the law to be ‘straightforward’, we really need to start rethinking the law from the ground up (as Professor Kerr suggests), or at least make significant amendments to ECPA (sadly, this is not addressed in the current proposal). Microsoft’s claim that this issue is straightforward might be a good litigation strategy, but it is not helpful if we want to move the jurisprudence forward in a meaningful, sustainable way; we need to acknowledge the complexities and the limitations of the current law.
What did the decision say?
The magistrate upheld the warrant. In short, he found that an order under s2703(d) of ECPA is a special hybrid of a search warrant and a subpoena, so it is not bound by all the same geographical limits of a standard search warrant. He argued that there is ambiguity in the way in which a s2703(d) order applies, so courts can look to context in order to interpret ECPA’s geographical scope. The magistrate reasoned that practical considerations, as well as the structure and legislative history of ECPA, support enforcing the court order. He noted the difficulties with the mutual legal assistance treaty (MLAT) process and reasoned that it would not be practicable to limit the application of ECPA so that US law enforcement is forced to rely on MLATs.
In any event, the magistrate found that no actual ‘search’ would occur until the government officers looked at the data. This would only occur after Microsoft had retrieved the data from Ireland.
What’s the issue?
There are some very important issues at the heart of this case, and the magistrate’s decision does not spend a lot of time teasing them out. The key questions are:
- What criteria should determine which laws apply to a user’s data?
  - Where the data is stored? Where the company’s headquarters are located? Where the user is located? Where the terms of service specify?
- When does a search or seizure of data actually occur?
  - When a company officer copies the data from the server? When a company hands the data over to the government? When a government official looks at the data?
The decision notes some of the difficulties in using data location as the basis for jurisdiction, but doesn’t really analyse the alternative bases for jurisdiction. In fact, the decision does not even specify where the user was located or the user’s nationality.
Similarly, the magistrate quickly dismisses the question of what part of the process constitutes the ‘search’ or ‘seizure’. The magistrate quotes Professor Orin Kerr’s 2005 article to conclude that a search occurs when ‘the data is exposed to possible human observation’ (ie when Microsoft hands the data over to government officers in the US). As the EFF amicus brief points out, Prof. Kerr has since refined his view on this issue and has suggested that a ‘seizure’ can occur when data is copied. This analysis could mean that ‘seizure’ occurred when Microsoft copied the data from the server in Ireland. This could amount to an extraterritorial seizure and enliven Fourth Amendment constitutional protections. Given these ramifications, the issue of when a ‘search’ or ‘seizure’ occurs in the online context deserves further analysis.
Who should care about this?
This issue is important for every individual who uses online products and cares about how access to their data is governed. It also has implications for all tech and telco companies that store user data across jurisdictions.
Apple, Cisco, and AT&T have all shown their support for Microsoft’s approach to this issue. To date, other companies such as Google, Twitter and Facebook have been quiet. Part of the reason for this is that there is not unanimity among the tech world about how to approach the issue.
Microsoft and its supporters seem to be advocating jurisdiction on the basis of the location of the data, not company headquarters. This makes sense when you look at Microsoft’s terms of service, which specify that different jurisdictions’ laws apply depending on where in the world the user is located (which presumably has some correlation with the data location). Microsoft has chosen to accept legal process in many countries (as you can see in their transparency report). In this way, Microsoft’s position in the current case reflects the business decisions that they have already made about how to operate in different countries.
By contrast, companies such as Facebook, Twitter and Google specify that the laws of their headquarters’ location (California) always apply. The reasoning behind this is partly technical and partly principled. The technical argument is that having to make decisions about where to host data based on legal processes rather than technical considerations could compromise the ability to provide fast, reliable online products. Google has spoken of this issue when they publicly opposed Brazil’s attempt to legislate for data localization.
The principled aspect to this argument is that sheltering behind Californian jurisdiction gives the companies the ability to set their own, US-based standards for when data should be handed over. This means that they can provide services internationally, but can still refuse to hand over data to foreign governments who seek that data for nefarious purposes. Twitter’s strong branding around protecting users’ freedom of speech indicates that this is an important issue for them.
What is the right approach to take?
There is no easy answer to this question; each approach involves compromise and trade-offs. I think it’s important to note that being on the opposite side to the government is not necessarily the same as being on the user’s side. In some instances, Microsoft’s approach might result in stronger user protections, but in others it would not. It would place limits on US government access to user data, which may be beneficial in pushing back against government intrusions. However, it would also mean that users in undemocratic regimes would not necessarily benefit from the protections of US laws or US company policies. It also may limit the ability to provide fast and reliable online services to users through optimal data storage practices.
The Internet and Jurisdiction Project has been doing important work on this issue (see their ambitious compilation of international cases), but we are still a long way from developing and implementing a solution. What is clear is that we need to take a nuanced approach to jurisdiction; basing jurisdiction solely on the location of the data, user, or company headquarters will give uneven and often unsatisfactory results. We also need to engage with the complexity to understand where ‘searches’ and ‘seizures’ actually occur in the online context. This is something that we need to get right. The Microsoft case is a wakeup call that the current system is not doing a good job at serving either the needs of users or the needs of business.