By: Alan Wehler, Senior Associate
Over the past year, U.S. courts have grappled with important legal questions surrounding how U.S. law enforcement gains access to data stored in the cloud. On February 3rd U.S. Magistrate Judge Thomas Rueter issued a decision ordering Google to comply with two Federal search warrants compelling the company to turn over customer email data stored outside of the United States. This decision contradicts a July 2016 decision by the United States Second Circuit Court of Appeals on a similar case involving Microsoft, a decision that court declined to re-hear only a week before Judge Rueter’s decision. Both cases concern Federal search warrants issued under the authorities of the Stored Communications Act (SCA), a 1986 law that dictates how the government is able to obtain access to “stored wire and electronic communications and transaction records.” As one might expect, the law hasn’t held up particularly well over the past thirty years of technological change. Congress didn’t anticipate the invention of cloud computing technologies and never envisioned the complicated, transnational data storage and transit systems technology companies have created to serve their customers.
Despite its flaws, the SCA has remained largely unaltered since its original passage—creating problems for both technology companies and the government. These most recent cases illustrate the conflict that arises when data about a particular customer in question is stored outside of the United States. In the Microsoft case, Microsoft argued, and the Second Circuit Court of Appeals agreed, that the government’s warrant ordering the disclosure of data stored in an Irish data center was invalid as the seizure itself would take place in Ireland, which would constitute an extraterritorial seizure beyond the scope of the SCA.
In the Google case, Judge Rueter came to a different conclusion, finding that the seizure of the data and the accompanying privacy infringement take place in the United States, after the technology provider accesses the information stored in data centers abroad from computers in the United States. As a Judge outside of the United States Second Circuit, Judge Rueter was under no obligation to conform with the Second Circuit’s ruling. Google has vowed to appeal.
What we are left with is a mess, and neither decision produces an outcome that makes much sense— as noted by the Second Circuit Court Judges who heard the Microsoft case. If you accept Judge Rueter’s decision, the government is able to obtain ready access to the data it needs, but at the cost of subjecting U.S. technology companies to conflicts of law while undermining the privacy rights of Americans and underlying principles of a global internet—a point made by my colleagues Paul Rosenzweig and Jim Pflaging.
If you accept the Second Circuit’s decision, you protect U.S. technology companies from potentially violating foreign laws when they turn over data stored abroad (which is subject to the laws of the country in which it is stored) and undermine the privacy rights of U.S. citizens. However, you also leave U.S. law enforcement in the unenviable position of using the antiquated Mutual Legal Assistance Treaty (MLAT) process, necessitating a “game” of “pin the data on a country.” This “game” can be incredibly difficult as a result of data storage models that dynamically distribute data around the globe based on server load and other operational considerations, leaving the government to try to figure where the various parts of the emails and files needed are being stored at this moment.
What all parties have been able to agree on is that Congress must act. As currently written, the SCA and its parent, the Electronic Communications Privacy Act (ECPA), leave little room for the courts to do more than reach one of the two decisions outlined above. Even the Supreme Court, which may ultimately be asked to rule on these cases, cannot solve the fundamental disconnect between a 1986 law and modern technology. All five of the opinions issued by the Second Circuit in relation to its denial for a rehearing of the Microsoft case called for Congress to act.
Fixing the problem may require some creative thinking. Congress will need to address a variety of issues within ECPA as well as the broader question of how the United States and other countries should treat electronic data that can be stored in any number of countries at any given time. A few bills are already under consideration to address at least some of these issues, including the recently re-introduced Email Privacy Act and the International Communications Privacy Act, which was introduced into Congress last session. Congress will also need to consider new bilateral arrangements, such as the proposed U.S.-U.K. data sharing agreement, which would improve cross-border data access for law enforcement in both countries, and facilitate improvements to the MLAT process.
Any definitive solution will need to rethink how questions of jurisdiction are settled in cases in which data relating to a data-subject is stored in a country outside that of the subject’s residence or citizenship. There may be no easy answers, but it is clear that the onus is on Congress to act. Congress needs to ensure that U.S. law reflects the technological realities of the cloud while providing law enforcement with reasonable access to the data it needs to conduct investigations. The laws of 1986 do not meet today’s policy needs, just as Apple’s 1986 Macintosh Plus is unable to meet today’s technology needs.
Alan Wehler is a Senior Associate with the Chertoff Group and holds a M.A. in Security Policy from the Elliott School of International Affairs at George Washington University. He works with a variety of clients in the technology and government space. All opinions expressed are his own.