Two roads diverge in cyberspace. In one direction lies a free and open internet, marked by the global flow of data and ideas. In the other, lies a fractured network balkanized along national or regional lines, with restricted flows and an authoritarian character. We must choose carefully which path to travel, lest we regret our decision in the future.
The U.S. Court of Appeals for the Second Circuit in New York took a significant but limited step along the better path in July when it ruled that the U.S. government could not force Microsoft to produce data that it stored in an Irish data center, even though Microsoft was an American corporation. Because the data was overseas, American law enforcement demands could not reach it.
Many saw this result as a triumph for privacy over intrusive governments and as a victory restraining American extraterritoriality. I think it was the right result, too “ but before we celebrate too wildly, we should pay heed to Judge Lynch’s cautionary concurring view: Let’s not have “any illusion that the result should . . . be regarded as a rational policy outcome.”
To take but one obvious potential adverse consequence of the ruling, it could be read to encourage the phenomenon of data localization “ nations demanding that data about their citizens be kept exclusively in their country. While that is not problematic if the country is Ireland (with whom we cooperate), imagine a world in which Russia can wall off data about Russian criminal gangs behind a virtual Iron Curtain and you begin to get a sense of the problem.
What this recent court decision should be is an important signal that the time has come for serious, careful thought about managing global data flows. We need to take the correct fork in the road.
The free flow of data around the world is critical to innovation, economic growth, personal privacy, law enforcement, and national security. We cannot, and should not, accept a world in which rules about how those capabilities operate are set unilaterally by any single nation, nor one in which the network has fractured into so many competing legal systems that much of its value is eroded.
To begin with, we have to recognize that this issue is a priority because of its global effects. While the next President will be tempted to put the problem on a back burner because of its long-term nature and intractability, that would be a mistake. America needs to adopt a strategy for an economic and diplomatic offensive to maintain and expand free flows of data around the globe.
One cornerstone for our strategy would be the twin principles of reciprocity and respect. We must understand that every nation has legitimate interests and that, in many instances, their legal processes, though different from our own, are as adequate and effective. In my judgement, the current environment signals the need for bilateral and multilateral working arrangements that foster cooperation between nations to combat crime and terrorism, while adequately protecting privacy and civil liberties.
One model for how this might work is an agreement being negotiated between the U.S. and the United Kingdom. American privacy laws sometimes prevent the U.K. from investigating U.K.-based crimes; if, for example, they try to force U.S.-based companies to provide email from servers in the U.S., American law forbids that production, even if it is information about a suspected terrorist attack by a British citizen in Great Britain. The Administration has proposed legislation that would allow the U.S. to enter into a reciprocal agreement for criminal investigation with other nations.
In other words, the British government would have access to data stored by or transiting the systems of American companies in the exact same way and to the exact same extent that it currently has when it seeks identical digital evidence from British telecom companies such as BT, Virgin, and O2. And the converse would be true – American would have access to data about Americans, even if held in Britain. If agreement works well, as I suspect it will, it could form a model for similar arrangements with other nations.
The other cornerstone of our strategy would be reform of the Mutual Legal Assistance Treaty (MLAT) process – the process by which nations cooperate internationally in law enforcement. Today, response times to requests for assistance are measured in months, if not years. This turgid process is one reason countries act unilaterally “ and it is inadequate in today™’ era of warp-speed network connectivity. With a better functioning cooperative process, the U.S. need not seek data stored overseas outside of the MLAT structure.
But the key choice is the more fundamental one – which path do we want to take? America should forego unilateral extraterritorial data demands if other countries show a reciprocal forbearance. Along that road lies a vibrant global information economy.
Mr. Chertoff was secretary of Homeland Security from 2005 to 2009. He is now executive chairman of The Chertoff Group, a security and risk-management advisory firm with clients in the technology sector.
