Jurisdiction over user data - What is the ideal solution to a very real world problem?

Over the past ten days, civil society has been having kittens over the UK Data Retention and Investigatory Powers Bill, partly because of its extraterritorial extension of UK surveillance powers.  This comes at a time when there is already heightened focus on issues of data and jurisdiction because the District Court is due next week to consider Microsoft’s challenge to the magistrate’s decision to uphold a search warrant over data that is stored in Ireland.  When the District Court hears this matter, things will no doubt get very technical very quickly.  International jurisdiction can have you turning your mind inside out trying to work your way through layers of laws, precedents and analogies, none of which is actually directly applicable to the case at hand.  However, before we get swept up in the court’s analysis, let’s take a moment to step outside of the legalities of the Microsoft case and instead think about the fundamental principles behind them.  It’s a game of ‘what would we want the laws to look like if we didn’t have to rely on Congress to pass them?’.  

The big question that I want to ask is, what criteria should jurisdiction for user data be based on?  The four key options that I see are:

  • Data location
  • User location
  • Company location
  • Terms of service

Jurisdiction based on data location

This is essentially the approach that Microsoft is advocating.  If your biggest fear is the NSA-style overreach of US power, it has definite appeal.  It means that US law enforcement doesn’t get a shortcut to the world’s data just because US companies dominate much of the internet.  Instead, US law enforcement must use the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation if the data is hosted abroad, which feels reassuringly respectful of international borders and principles of sovereignty.

However, if you’re a vulnerable user in an undemocratic regime, this may not be such an attractive option.  Companies that insist on Californian jurisdiction over their data can use this to protect their users’ data when they have concerns about the legitimacy of the foreign government’s request.  The Electronic Communications Privacy Act (ECPA) may be an imperfect guardian of user data, but it still provides a baseline level of protection for vulnerable users in undemocratic countries. 

Moreover, data is increasingly stored across multiple jurisdictions and moves quickly between them.  It seems arbitrary for users to be subject to different laws depending on where their data happens to be at a particular moment in time.  For some companies, it may even be difficult to determine where the data is located.

If companies make decisions about where to store data based on legal considerations rather than technical requirements, it could compromise the ability to provide fast, reliable product offerings to consumers.  Google highlighted this point in their objections to Brazil’s attempt to legislate for data localization. 

Jurisdiction based on user location

Something feels right about users being governed by their own countries’ laws because that’s how it’s traditionally been done. Professor Kerr has argued for US jurisdiction to be based on user location, so that US-based users would receive full statutory protections, regardless of where in the world their data is stored.  Applied more broadly, this could have the benefit of ensuring that users in countries with strong data protection and human rights laws receive the protection of their own countries’ regimes even when they’re using a foreign online product.  User-based jurisdiction could also facilitate legitimate access to data for criminal investigations by removing the international complications when law enforcement officers are investigating users within their own jurisdiction.

However, companies with a very international user base could find themselves in a nightmarishly complicated situation of having to comply with 193 countries’ legal systems and apply the correct laws to each user wherever that user happened to be.  There are also difficulties in identifying where a user is at any given time.  Professor Kerr suggests a solution that permits (but does not require) providers doing business in the US to disclose foreign user data (using rebuttable presumptions about user location) in response to foreign legal requests.  This goes some way towards solving the problem.  However, I'm not sure that it is a complete solution by itself because, if mirrored in other jurisdictions around the world, it places a large amount of discretion in the hands of internet companies and creates significant conflict of laws issues.

Jurisdiction based on company headquarters’ location

This is the approach adopted by companies such as Google, Twitter, and Facebook.  It has the advantage of being simple to understand, and ensures that there is at least a baseline level of legal protections (albeit a US-centric baseline). 

However, this approach risks entrenching the dominance of US laws and US values over an international space.  Countries may be left with limited ability to enforce laws over their own citizens within their own territory on issues such as data protection, intellectual property, or criminal law.  It means that countries have to go through the MLAT and US legal process.  This creates a large caseload for the US Department of Justice, FBI and US companies, as well as creating delays and frustrations for foreign law enforcement.  It is concerns like these that encourage moves towards data localization and fragmentation of the internet.

Jurisdiction determined by terms of service

There is some attractiveness to the idea of being able to specify jurisdiction through the terms of service.  It gives a level of user consent and empowerment over their data choices. 

However, it is doubtful how many users read and understand the terms of service for every online service they access.  This approach also raises concerns about forum-shopping.  Terms of service should have to be combined with other indicia of jurisdiction (eg headquarter or user location), otherwise companies or users could just arbitrarily forum-shop for jurisdictions.

So what is the ideal solution?

I’m not sure.  I think that the laws governing users and their data should be determined by reference to the location of the parties (ie the user, the provider and the requesting agency), rather than focusing solely on the location of the data.  However, no single one of these bases is ideal.  I think that we need a combination of factors that are required to provide the basis for jurisdiction.  When multiple States assert jurisdiction, there’s then a separate question of how to manage any potential conflict of laws (definitely a question for another day!).

Where does this leave us?

Meanwhile, back in reality, we have to work with the laws that are on the books.  It’s important to distinguish the discussion about what the law should be from what it actually is.  Some of the arguments being raised in the context of the Microsoft case seem to blur that line by using perceived problems with the MLAT process to justify particular interpretations of the current laws.  While legal interpretation should be connected with practical realities, it’s important that the logic of the analysis and interpretation be able to stand on its own merits.

Whose laws control your data? The implications of the Microsoft search warrant challenge

Last month, Microsoft challenged a warrant that was served on their US offices for customer data that the company stores in Ireland (In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation No 13 Mag 2814, April 25 2014).  Verizon, Apple and Cisco, AT&T, and EFF have all filed amicus briefs supporting Microsoft.  Our first instinct might be to feel that this is a case of an over-reaching government taking short cuts to access user data, and we should therefore get behind Microsoft.  However, before we pick sides or jump on the Microsoft bandwagon, I want to unpack the issues and sound a note of caution.  It is certainly not clear-cut that Microsoft’s approach is the best for the user, business, or the evolution of the law.

The first thing that I think we need to get straight is that this is not easy.  The Electronic Communications Privacy Act (ECPA) is not designed for the scale and complexity of the way in which providers use international servers and cloud computing today.  Using strained analogies with filing cabinets and the tools of traditional statutory interpretation to try to push and pull ECPA into the twenty-first century is not going to give a great outcome.  If we want the law to be ‘straightforward’, we really need to start rethinking the law from the ground up (as Professor Kerr suggests), or at least make significant amendments to ECPA (sadly, this is not addressed in the current proposal).  Microsoft’s claim that this issue is straightforward might be a good litigation strategy, but it is not helpful if we want to move the jurisprudence forward in a meaningful, sustainable way; we need to acknowledge the complexities and the limitations of the current law. 

What did the decision say?

The magistrate upheld the warrant.  In short, he found that a warrant issued under s2703 of ECPA (the Stored Communications Act) is a special hybrid of a search warrant and a subpoena, so it is not bound by all the same geographical limits as a standard search warrant. He found that there is ambiguity in the way in which such a warrant applies, so courts can look to context in order to interpret ECPA’s geographical scope.  The magistrate reasoned that practical considerations, as well as the structure and legislative history of ECPA, support enforcing the court order.  He noted the difficulties with the mutual legal assistance treaty (MLAT) process and reasoned that it would not be practicable to limit the application of ECPA so that US law enforcement is forced to rely on MLATs.

In any event, the magistrate found that no actual ‘search’ would occur until the government officers looked at the data.  This would only occur after Microsoft had retrieved the data from Ireland.

What’s the issue?

There are some very important issues at the heart of this case, and the magistrate’s decision does not spend a lot of time teasing them out.  The key questions are:

  • what criteria should determine which laws apply to a user’s data?
    • Where the data is stored?  Where the company’s headquarters are located?  Where the user is located?  Where the terms of service specify?
  • when does a search or seizure of data actually occur?
    • When a company officer copies the data from the server?  When a company hands the data over to the government?  When a government official looks at the data?

The decision notes some of the difficulties in using data location as the basis for jurisdiction, but doesn’t really analyse the alternative bases for jurisdiction.  In fact, the decision does not even specify where the user was located or the user’s nationality. 

Similarly, the magistrate quickly dismisses the question of what part of the process constitutes the ‘search’ or ‘seizure’.  The magistrate quotes Professor Orin Kerr’s 2005 article to conclude that a search occurs when ‘the data is exposed to possible human observation’ (ie when Microsoft hands the data over to government officers in the US).  As the EFF amicus brief points out, Prof. Kerr has since refined his view on this issue and has suggested that a ‘seizure’ can occur when data is copied.  On that analysis, the ‘seizure’ would have occurred when Microsoft copied the data from the server in Ireland.  This could amount to an extraterritorial seizure and enliven Fourth Amendment constitutional protections.  Given these ramifications, the issue of when a ‘search’ or ‘seizure’ occurs in the online context deserves further analysis.

Who should care about this?

This issue is important for every individual who uses online products and cares about how access to their data is governed.  It also has implications for all tech and telco companies that store user data across jurisdictions. 

Apple, Cisco, and AT&T have all shown their support for Microsoft’s approach to this issue.  To date, other companies such as Google, Twitter and Facebook have been quiet.  Part of the reason for this is that there is not unanimity among the tech world about how to approach the issue. 

Microsoft and its supporters seem to be advocating jurisdiction on the basis of the location of the data, not company headquarters.  This makes sense when you look at Microsoft’s terms of service, which specify that different jurisdictions’ laws apply depending on where in the world the user is located (which presumably has some correlation with the data location).  Microsoft has chosen to accept legal process in many countries (as you can see in their transparency report).  In this way, Microsoft’s position in the current case reflects the business decisions that they have already made about how to operate in different countries.

By contrast, companies such as Facebook, Twitter and Google specify that the laws of their headquarters’ location (California) always apply.  The reasoning behind this is partly technical and partly principled.  The technical argument is that having to make decisions about where to host data based on legal processes rather than technical considerations could compromise the ability to provide fast, reliable online products.  Google has spoken of this issue when they publicly opposed Brazil’s attempt to legislate for data localization.

The principled aspect to this argument is that sheltering behind Californian jurisdiction gives the companies the ability to set their own, US-based standards for when data should be handed over.  This means that they can provide services internationally, but can still refuse to hand over data to foreign governments who seek that data for nefarious purposes.  Twitter’s strong branding around protecting users’ freedom of speech indicates that this is an important issue for them. 

What is the right approach to take?

There is no easy answer to this question; each approach involves compromise and trade-offs.  I think it’s important to note that being on the opposite side to the government is not necessarily the same as being on the user’s side.  In some instances, Microsoft’s approach might result in stronger user protections, but in others it would not.  It would place limits on US government access to user data, which may be beneficial in pushing back against government intrusions.  However, it would also mean that users in undemocratic regimes would not necessarily benefit from the protections of US laws or US company policies.  It also may limit the ability to provide fast and reliable online services to users through optimal data storage practices.

The Internet and Jurisdiction Project has been doing important work on this issue (see their ambitious compilation of international cases), but we are still a long way from developing and implementing a solution.  What is clear is that we need to take a nuanced approach to jurisdiction; basing jurisdiction solely on the location of the data, user, or company headquarters will give uneven and often unsatisfactory results.  We also need to engage with the complexity to understand where ‘searches’ and ‘seizures’ actually occur in the online context.  This is something that we need to get right. The Microsoft case is a wakeup call that the current system is not doing a good job at serving either the needs of users or the needs of business.

Which countries' law enforcement are data hungry?

One of the trends from the industry-wide transparency report that’s worth looking at more closely is which countries are making requests for user data, to which companies, and on what scale.  This post will break down these statistics and suggest some of the trends behind the numbers. As I mentioned in the last post, the figures in transparency reports only refer to requests that foreign law enforcement make directly to companies, not requests through the mutual legal assistance treaty process.  Requests that come through the MLAT process are treated like requests from US law enforcement, and are bundled into the statistics for the US.  This means that the US figures are artificially inflated and I have therefore removed the figures for US requests from this analysis.

When it rains, it pours

Chart: number of direct foreign requests by company (July-December 2013)

The first thing to note is that the number of direct foreign requests is still low for most internet companies.  Dropbox and Pinterest did not receive any direct foreign requests.  However, the big four companies are being inundated with requests, with Microsoft receiving almost 30,000 requests in the last six months of 2013.  Twitter is barely on the scene, with fewer than 723 requests (Twitter’s numbers are given as a range if they fall below 10, so this figure is only approximate).

Some companies, such as Twitter, LinkedIn, Pinterest and Wordpress are not likely to experience the same scale of requests as the big four companies.  This is because most of their content is intended to be publicly accessible.   Law enforcement therefore should not need to contact the companies to access user content; they are more likely only to need to contact the companies in order to access subscriber information to identify anonymous account holders, or to seek preservation of account information before it is deleted.  Other factors that can influence the number of requests from foreign law enforcement that a company receives include a company’s international presence, criminals’ preferences for particular platforms, and law enforcement’s familiarity with the particular company.

I have included Yahoo! in this analysis, but it is very important to note that the data in Yahoo!'s transparency report is quite different from the data in the other companies' reports.  There is still value in looking at Yahoo!'s data, but this is definitely a case of comparing apples with oranges.  Yahoo! only reports on requests that are made by countries in which they have a legal subsidiary.  This means that the requests referred to in Yahoo!'s report are made within those countries and are governed by each country's domestic laws, not US law.  For this reason, these requests can result in handing over content as well as subscriber details.  The big question is what about the countries in which Yahoo! does not have a legal subsidiary - where are those statistics?  Presumably there are Yahoo! users in countries in which Yahoo! does not have a legal subsidiary, and local law enforcement would try to request that data directly from Yahoo! in the US.  However, Yahoo! does not seem to publish any information on the number of those requests and how they responded.   Accordingly, we do not have an accurate figure to compare between Yahoo! and the other companies.

The data-hungry countries

Charts: top 10 requesting countries for Microsoft, Google, Facebook and Yahoo!

The next breakdown that is interesting to consider is which countries are making requests to which companies.  These charts show the top 10 requesting countries to Microsoft, Google, Yahoo! and Facebook.  Some of this is unsurprising; Brazil, France, India and Germany have noticeable and reasonably consistent representation across the companies.  Australia seems to punch above its weight, with requests from its law enforcement officers comprising about 5-6% of each company’s total requests.  Singapore also makes a surprise entry in the Google statistics.

Some of the factors that could explain the different levels of requests from countries include:

  • the penetration levels of these companies’ products in particular markets;
  • local law enforcement’s level of awareness and competence in requesting online data; and
  • whether law enforcement feel more able to make direct requests to companies (rather than going through the slower, more cumbersome process of mutual legal assistance).

Taiwan and Hong Kong figure in Yahoo!'s top ten, but not the other companies'.  It is likely that this not only reflects the increased presence of Yahoo! in these countries, but also the skewed nature of the data set that Yahoo! provides because it only provides figures for countries in which there is a Yahoo! subsidiary.

Perhaps the standout issue in these statistics is the large number of requests to Microsoft from Turkey.  Turkey does not even make it into the top 10 for other companies, but accounts for 21% of requests to Microsoft.  This is particularly interesting given the political turmoil in Turkey during this period.  Of course, the next interesting statistic to consider is how the companies respond to the requests that they receive.  I will delve more into this issue in the next post.

International data privacy: what we need is an industry transparency report

Cross-posted from https://cyberlaw.stanford.edu/blog/2014/05/international-data-privacy-what-we-need-industry-transparency-report  Google, Yahoo!, Microsoft, Twitter, Apple, Dropbox, LinkedIn, and Pinterest all publish transparency reports.  Wordpress is the latest company to join the party, recently publishing their first transparency report.   However, it’s difficult to see trends and anomalies when the information is scattered across multiple individual company reports.  In order to get a comprehensive view of what is happening, we need to pull all of these fragments into a comprehensive picture.  We need an internet industry-wide transparency report.

To create a kind of hacked industry transparency report, I have consolidated the July-December 2013 transparency data from the main internet companies.  There is such a wealth of information to pore over and slice and dice in different ways that I will separate the analysis into a series of blog entries.  My interest is the international aspect, so I will focus on requests from foreign law enforcement.  This post will outline some of the key themes emerging from my comparison.

Combined law enforcement data table

Only part of the picture

The first thing to note is that the transparency reports only show requests from foreign law enforcement that are made directly to the company.  As I have previously noted, there are at least three main ways in which foreign law enforcement can access user data that is held by a US company:

1. through the US government via the mutual legal assistance treaty (MLAT) process;

2. directly asking the company; or

3. asking the FBI to obtain the data on their behalf.

The transparency reports only show requests made via method (2).  This is not the companies’ fault; by the time an MLAT request filters down to companies’ inhouse lawyers and paralegals, it simply looks like a search warrant issued by the US District Court.  For this reason, any requests that go through the MLAT system show up as US requests.  This has the unfortunate consequence of over-inflating the statistics for US government requests and hiding where the requests are really coming from.

Same-same but different

The companies’ reports are similar, but not the same.  As the pioneer in this field, Google has set the template that many of the other companies now use.  The Google-inspired template includes (1) number of requests (2) percentage of requests for which data was provided and (3) number of accounts/users affected.   However, there are subtle differences in layout and content, which make it difficult to draw meaningful comparisons across companies.

For example, Microsoft divides their responses into percentages for content and non-content, which means that you can’t easily do a direct comparison with the percentages listed by companies that use the Google template.  Of course, with some 8th grade algebra, you can overcome this, but it slows down the comparison process.  A couple of other notable anomalies are that Twitter does not give a specific number for countries for which there were fewer than 10 requests.  This could be because when the numbers of requests are small, criminal suspects may be tipped off that they are under suspicion.  Dropbox does not break down their foreign requests by country at all (intriguingly, although 90 foreign requests were made, 0 accounts were affected – I can only imagine that this means that they refused all 90 requests).

There isn’t necessarily anything sinister going on here; it just makes direct comparison across companies difficult.  It would be great to see consistent reporting across the internet companies (or even some consolidating reporting!).

Content vs non-content

One of the differences in the transparency reports that reveals a more substantive issue is that the Yahoo! and Microsoft reports indicate whether content or non-content has been handed over to foreign countries.  This is more than just a question of template consistency; Yahoo! and Microsoft are notable exceptions in that they will accept jurisdiction for data requests in certain countries outside of the US.  The other companies will generally only provide content through their US headquarters, in response to a US court order (eg through the MLAT process) or in emergency situations.

It’s harder to see overseas

There is an increase in the granularity of Google’s data with each year since 2010 and other companies are starting to follow suit. The improved transparency of national security requests is also a new development.  However, when it comes to foreign requests, the level of detail takes a nosedive.  There are at least two areas where this is important:  legal process; and user notification.

Legal process

Google, LinkedIn and Dropbox break down the number of US requests according to which process was used, eg subpoena, court order, or search warrant.  This is not possible for foreign requests - as noted above, the only foreign law enforcement requests that are separately shown in the transparency reports are those that are made directly to the companies, and this means that there has not been any US legal process.  As I’ve noted previously, the Electronic Communications Privacy Act does not apply to foreign governments, so they cannot use US legal process and companies have unfettered discretion about whether or not to provide non-content information to them.  Some companies take this responsibility very seriously and apply their own due diligence processes before handing over user records.  However, there is no visibility of what these standards and processes are.  As I will discuss in a later post, there are notable differences between different companies’ compliance rates for requests from the same countries, which suggests that the companies may be exercising this discretion quite differently.

User notification

In the domestic context, Dropbox and Pinterest show whether they notified the user that their records had been accessed by US law enforcement.  Apple, Google, Microsoft, and Facebook are all apparently updating their policies to increase their rate of user notification.  Depending on the legal process used, ECPA establishes different obligations with respect to notification for access by law enforcement.  This is quite an interesting statistic but it would arguably be more important to see the statistics for foreign requests.  The fact that ECPA does not apply to foreign governments means that there is no obligation on companies to notify users if foreign law enforcement accesses their records.  Since there is no legal obligation on companies, it is entirely a matter of policy as to whether or not they notify users and we have no visibility of how this plays out in practice.

I have attached the raw data from my unified industry transparency report, but will be sharing charts and diagrams that break up the data into more intelligible chunks over the next week or so.

ECPA reform is not just a U.S. issue

Cross-posted from https://cyberlaw.stanford.edu/blog/2014/04/ecpa-reform-not-just-us-issue If US law enforcement officers want to access your private emails, they need to follow the requirements in the Electronic Communications Privacy Act.  ECPA is an old and imperfect piece of legislation.  Industry and civil society have long been pushing to update ECPA so that it is “technology neutral”; just as government agencies require a warrant to compel disclosure of a person’s locally-stored documents, government should have to obtain a warrant to access private documents stored in the cloud.  While this argument may seem self-evident, reform has been frustratingly slow.  Today, blogs have fired up (such as here, here, and here) with arguments in favor of reform and criticising the Securities and Exchange Commission's opposition to reform.  However, what is missing in the current debate is that ECPA has implications beyond US borders. Technology neutrality is an important principle that should underpin the reform of ECPA.  However, I believe that the ECPA discussion should also include the question of “location neutrality” ie. foreign law enforcement officers' access to user data should be based on the same principles as access by US law enforcement.

How is foreign access to non-content regulated?

It doesn’t matter where in the world a police officer is, if he or she wants to access an individual’s Gmail or Facebook records (or many other US-based products), that access is governed by ECPA.  ECPA provides some limits on US law enforcement access to non-content information by requiring at least an administrative subpoena.  However, ECPA completely overlooks access by foreign governments because it defines “government entities” to mean only US government agencies.  This means that when foreign law enforcement officers ask for a user’s subscriber details or email contacts, it is up to the companies to decide whether or not they hand over that information.  Some companies refuse to provide any information voluntarily and insist on a request under a mutual legal assistance treaty (MLAT), supported by a court order.  Other companies will hand over information if they feel that it is appropriate in the circumstances.  In practice, there is no consistency, transparency, or oversight into when non-content information is handed over to foreign law enforcement.

What about content?

Foreign law enforcement must go through the MLAT process in order to access user content held in the US.  Before you get too excited in thinking that this provides good legal and procedural protections, you need to look a little more closely.  The current MLAT-based system for content access is basically due to a legislative oversight, not because of a well-reasoned policy decision.  ECPA doesn't mention whether or not a foreign law enforcement officer should be able to obtain either a subpoena or court order directly from a US court.  In order to overcome this, a foreign government can make an MLAT request, which effectively asks the US Government to obtain a warrant on behalf of the foreign government.

When it comes to the content of users’ emails, the current system might seem good on first glance because it only allows foreign governments to access user data through the MLAT system, which involves a US warrant process.  However, the MLAT system is not designed to cope with the large volume of requests for online data that are now being made or the tight timeframes that cyber-investigations demand (the President’s Review Group found that MLAT requests for online records take an average of 10 months!).  This means that either (1) legitimate criminal investigations and prosecutions are compromised because the evidence cannot be obtained quickly enough or (2) police find “creative” work-arounds and “informal” means to obtain the data, which undermines transparency, accountability and user protections.  Neither of these is a good outcome.

Where to from here?

In the context of ECPA, technology neutrality means that a user should have the same protections for their personal data, regardless of whether it is stored in physical format, in a locally-based electronic format, or in the cloud.  I suggest that another principle for ECPA should be location neutrality – ie a user’s personal data should have the same protections from all law enforcement agencies, regardless of whether that agency is based in the US or abroad.

The reform of ECPA is certainly not just a US issue; it impacts millions of users outside of the US.  It would be a great step forward to protect users’ data from unwarranted US law enforcement snooping.  However, this is only half the picture; we need to start talking about foreign law enforcement access to electronic communications as part of the ECPA reforms.