A Microsoft Ireland fix: time to act is now!

Published at 2017-04-14 15:05:33

Jennifer Daskal

It’s been almost a year since the Second Circuit issued its decision in the Microsoft Ireland case, ruling that U.S. warrant authority pursuant to the Electronic Communications Privacy Act (ECPA) only extends to data that is physically located in the United States. The problems with this ruling are now apparent – and accelerating. U.S. law enforcement is increasingly being told by a range of U.S.-based providers, such as Google, Microsoft, and Yahoo, that sought-after data is located outside the territorial boundaries of the United States and can’t be turned over. The U.S. government can no longer access that data even with a warrant issued by a neutral magistrate based on a finding of probable cause that the sought-after emails or photos are evidence of a crime. This is so even if the FBI is investigating a U.S.-based crime involving U.S. citizen victims, perpetrators, and witnesses. No matter how serious the crime.
Instead, the U.S. government must make a diplomatic request for the data directed at the country where the data is located. But sometimes the U.S. government does not know where the data is located, and thus has no way to know where to direct the request. (Google, for example, will tell the U.S. government whether data is located within or outside the United States, but doesn’t currently have the capability to identify where outside the United States certain data is located.) Sometimes the government knows, but there is no workable mutual assistance process in place and thus no mechanism for the United States to access sought-after data. Sometimes there is a mutual legal assistance treaty in place, but the process is so slow that it still takes a year or more for the data to be ultimately accessed and turned over.
Just about everyone, including the judge who wrote the Second Circuit opinion, agrees that this is an unsatisfactory state of affairs and that Congress should weigh in. And now at least three magistrate judges—from the Eastern District of Pennsylvania, Eastern District of Wisconsin, and Middle District of Florida—have rejected the Second Circuit’s approach, concluding that the warrant authority under ECPA reaches all data controlled by a U.S.-based provider, regardless of the data’s physical location. But in at least some of the cases the relevant provider (Google) is appealing, leaving law enforcement unable to access the sought-after data as the case proceeds. And while an eventual Circuit split seems likely, leading to possible Supreme Court review, years of litigation and uncertainty will pass before that happens.
Meanwhile, the claimed privacy benefits that result from the ruling are not only overstated, but illusory. As a result of the ruling, the government is, instead of accessing sought-after data pursuant to a warrant based on probable cause, told that it must seek the data from a foreign government, according to the foreign government’s standards and procedures. But foreign government standards and procedures are generally less protective of privacy than those imposed by the warrant requirement. Hence, a reduction in relevant privacy protections. In fact, the only way that the ruling is good for privacy is in the way it generally makes it harder for the government to access sought-after data. But this is so even in those situations where the government is investigating a serious and ongoing crime (to trot out the government’s favorite talking points: think child exploitation) and has demonstrated to an independent judge a legitimate basis for accessing it. This is a “privacy benefit” that even the most ardent privacy advocates are not likely to squarely defend.
So what should Congress do? As is usual, it is easy to diagnose the problem and much harder to propose actual solutions. Here I propose three possible options, designed to address the relevant security, privacy, and economic interests at stake. They could be combined and adopted jointly or Congress could pick and choose.
(1) Required Comity Analysis: When there is a conflict between what U.S. law and relevant foreign law require in a given case, courts will often engage in what is known as comity analysis, taking into account the interests of the foreign state in deciding whose law to apply. In a range of cases, the executive branch often does the same – working with foreign counterparts to structure its demand for evidence in ways that avoid conflict with foreign legal obligations. Congress could take what is routinely done as a matter of discretion and make it mandatory. Specifically, it could clarify that the U.S. warrant authority extends to U.S.-controlled data, regardless of location. But it also should require that if the United States’ efforts to seek the data of a non-citizen or legal permanent resident located outside the United States conflict with foreign law, the reviewing court engage in a comity analysis, taking into account factors such as the location and nationality of the target, the location of the crime, the seriousness of the crime, the importance of the sought-after data to the investigation, and the possibility of accessing the data via other means (i.e. with the assistance of the foreign government).
This sets up a presumption that the United States can access, via a warrant, sought-after communications content from U.S.-based providers, without regard to the location of the data. But it also ensures that the interests of foreign governments in controlling access to the data of their own residents and nationals located outside the United States are taken into account. This is valuable for at least three reasons. First, it sets a precedent that we would want and expect with respect to foreign governments’ efforts to access the data of U.S. residents and U.S. citizens. Second, it provides a mechanism for providers to protect themselves against being caught between two conflicting legal obligations – ensuring that there is a mechanism for requiring that courts take those concerns into account. And third, it respects the interests of foreign governments in setting rules governing the access to their citizens’ and residents’ data, but without creating a foreign government veto. This is particularly valuable in cases in which the United States government is investigating state-sponsored or state-facilitated crime; a foreign government veto would grind such investigations to a halt.
(2) Notice requirement: This would ensure that the United States could, via a warrant, compel from a U.S.-based provider sought-after communications content regardless of where the data is physically held. But it would also require the United States government to provide notice to a foreign government if it were seeking access to the data of one of its residents or citizens located outside the United States. Such a provision should also be coupled with an exception for cases in which notice would reasonably be deemed to undermine the investigation, such as, for example, instances in which U.S. law enforcement were investigating state-sponsored criminal activity.
This also has a number of benefits. It respects foreign governments’ interest in controlling access to their own residents’ and citizens’ data, ensuring that the foreign government has notice and thus an opportunity to raise, via diplomatic channels, any concerns with the United States. It thus sets a standard that the United States would presumably want and expect other governments to follow if they sought access to U.S. citizens’ and residents’ data. Particularly if coupled with a required comity analysis, it helps to ensure that any relevant conflict of laws is identified and considered by an independent court.
(3) Reciprocal Notice/Control: This provision would again set the default presumption that the United States could, via a warrant, access the communications content held by a U.S.-based provider regardless of the location of the underlying data. At the same time, however, it would explicitly endorse reciprocal agreements pursuant to which the United States would agree to provide a foreign government notice and an opportunity to object if the United States were seeking access to the data of that foreign government’s residents or citizens located outside the United States. The foreign government would likewise agree to provide notice and an opportunity to object to the United States if it were to seek the data of U.S.-based residents or citizens located outside its territorial jurisdiction.
There are various ways these could be structured. One option would be to give each government up to 30 days to either consent to or object to such access; if there is no response at the end of 30 days, then the government would be deemed to have consented. This too would need to be coupled with some sort of emergency authorization procedure for particularly serious crimes in which a delay of 30 days would significantly hinder the investigation.
Unlike the notice provision listed above, this approach gives foreign governments veto power, but only if that foreign government grants the same veto power to U.S. authorities, and only pursuant to mutually agreed upon provisions. This thus gives the executive control over who would be eligible for such agreements.
Each of these provisions responds to the security concerns presented by the inability of law enforcement to access sought-after data pursuant to a warrant based simply on the happenstance of where it happens to be held. They respect privacy interests in that they demand, as a default, a warrant based on probable cause before the government can compel the production of communications content. At the same time, they protect against the risk that the United States will compel – or will be perceived as compelling – production of foreign-held data without regard to the legitimate interests of foreign states in setting the rules governing access to their own residents’ and citizens’ data. As a self-interested matter, it thus helps to ensure that foreign governments take into account the United States’ interests when they are seeking access to data of U.S. residents and citizens.
Finally, it is critically important that Congress consider this issue in connection with the separate, but related, problems faced by foreign law enforcement seeking access to U.S.-held data. This, too, is a growing problem – with costs to security, privacy, and our economy. The problem stems from another provision of the same Electronic Communications Privacy Act at issue in the Microsoft Ireland case. Specifically, the law precludes U.S.-based providers from turning over data to foreign governments, in all cases, without regard to the relevant equities at stake. This is true even if the foreign government is investigating its own national in connection with a local crime and the only U.S. nexus to the data is that it happens to be held by a U.S.-based company. The foreign government is instead told to seek the data via the mutual legal assistance process – a process that takes multiple months if not years.
Foreign governments are increasingly frustrated by this state of affairs. The UK, for example, has made fixing this problem – and hence ensuring easier access to sought-after data – one of its top diplomatic priorities vis-à-vis the United States. And in the absence of a fix, we are likely to see an increased shift toward data localization mandates as an alternative, and costly, way for foreign governments to ensure access; increased exercise of unilateral extraterritorial jurisdiction in ways that put U.S. companies in the cross-hairs of two competing legal obligations; and other surreptitious means of accessing sought-after data that have negative implications for both network security and privacy. I, along with several others, have written extensively about this problem previously, and there is a lot to say about both the problem and need for a solution. Suffice it to say that I think legislation proposed by the Department of Justice last spring is a good place to start. And that any fix should solve both the Microsoft Ireland problem and the converse problem of foreign governments seeking access to U.S.-held data.
* * *
No proposal will fully satisfy all of the various interests – or interest groups – at stake. And I don’t hold out the false hope that this one will either. But there is also an almost universal consensus that the status quo is both unworkable and normatively unsound. It is bad for security. It is bad for privacy. And it is bad for the U.S. companies that manage our data – and hence for a big part of our economy. So rather than just talking about what won’t work, it’s time to talk about what might. Here’s my best attempt to do so. My hope is that this becomes a starting point for further discussion.

Source: justsecurity.org
