Cloud Computing and Internet Surveillance
Since the rise of the internet, lawmakers and courts have struggled to create legal rules for a computer network that disregards geographical boundaries. Issues concerning internet governance have only grown more complex with the recent trend towards cloud computing and revelations of internet surveillance by government agencies. U.S. companies host massive amounts of data from customers around the world, with much of that information being stored overseas. These same U.S. companies have come under fire for giving U.S. government agencies access to customer data. Many countries responded to these revelations by enacting legislation designed to protect the privacy of their citizens’ data. Now we are left with a segmented, country-by-country approach to govern an internet that has no borders. The lack of a unified international framework for data protection has made it impossible for global internet companies to comply with all of the contradictory demands of their various stakeholders.
Microsoft Refuses to Give Foreign Hosted Data to U.S. Authorities
A court decision determining the circumstances under which U.S. law enforcement agencies may obtain digital information stored outside the U.S. has become the most recent example of the difficulty in reconciling the notion of sovereignty with a globally distributed network. During the summer of 2014, a United States court ordered Microsoft to produce the content of email data stored on servers in Dublin, Ireland. Microsoft complied with the warrant to the extent of producing the metadata of the email stored on U.S. servers but has refused to turn over the foreign-hosted content. Microsoft claims that U.S. courts do not have the power to issue warrants for extraterritorial search and seizure. In the court's view, extraterritoriality does not apply to warrants issued pursuant to the Stored Communications Act (SCA) because the information is within the control of Microsoft.
Stored Communications Act (SCA)
Part of the purpose of the SCA was to address the difficulty in applying Fourth Amendment protections to information communicated and stored electronically. The court argues that a section 2703(a) SCA warrant operates like a hybrid between a subpoena and a warrant. With a subpoena, the test for compulsory production of information is whether or not the information is in the possession, custody, or control of the subpoena recipient. Extraterritoriality does not apply because, like a subpoena, an SCA warrant does not involve government agents entering the premises of the ISP to search its servers and seize information. One of the problems in allowing the SCA warrant hybrid to defy jurisdictional boundaries is that it creates a situation where Microsoft cannot comply with both the order and the laws of the host country simultaneously.
The Business of International Internet Companies
Microsoft, with the support of several other tech giants (including AT&T, Apple, Cisco, and Verizon among others), is claiming that this court order could set a precedent that might encourage Europeans to avoid using Microsoft products out of a fear that expansive U.S. discovery rules could expose all of their information. To maintain its European customers and avoid possible liability abroad, Microsoft has a very strong incentive to push back against this order. Microsoft has argued that if it complied with this order, it could decimate the U.S. cloud computing industry – which would cost both jobs and massive tax revenue. To protect its growing business in countries outside the U.S., Microsoft is urging the U.S. government to abide by its mutual legal assistance treaties, or MLATs. This approach would allow for more cooperation between the requesting and host countries, ensuring that the local laws of the host country are not disregarded in the process of acquiring the requested information.
The Cloud Computing Industry Fights Back
While this case has played out in the court systems, members of the United States Congress have been working to find an appropriate solution to the issues presented by U.S.-based companies hosting data abroad. On September 18, 2014, a bipartisan group of senators introduced the Law Enforcement Access to Data Stored Abroad Act, or LEADS Act. The LEADS Act would implement the warrant-for-content rule, meaning that the account of a U.S. citizen held overseas would only be accessible to law enforcement with a judicial warrant. The goal of the bill is to balance the needs of U.S. law enforcement with consumer privacy rights. Microsoft is supportive of the new bill as a way to continue the conversation over the control of data, but was adamant that it would not be the conversation’s conclusion.
Matthew Aeschbacher is a 4LE law student at the University of Denver Sturm College of Law and a staff editor for the Denver Journal of International Law & Policy.