Microsoft faces off with the US government before the Supreme Court Tuesday over a warrant for data stored abroad that has important ramifications for law enforcement in the age of global computing.
The case, which dates back to 2013, involves a US warrant ordering Microsoft to turn over the contents of an email account used by a suspected drug trafficker, whose data is stored in a cloud computing center in Ireland.
It has been watched closely because of its implications for privacy and surveillance in the digital age, and specifically how law enforcement can reach across borders to obtain digital evidence that may be scattered across the globe.
Microsoft has maintained that US courts lack jurisdiction over the data stored in Ireland.
The US tech giant, backed by many firms in the sector and civil liberties groups, argues the case is critical in showing that American authorities cannot simply request such data via a warrant without going through the process set out in law enforcement treaties between countries.
– The Snowden effect –
Microsoft president Brad Smith told reporters last week the principle is especially relevant after former intelligence contractor Edward Snowden leaked details on global US surveillance programs in 2013.
“We’ve always said it was important to win this case to win the confidence of people around the world in American technology,” Smith said in a conference call.
Smith said officials in Europe have been notably concerned about the implications of a decision in favor of the US government, and that was made clear during a discussion with a German official on the case after a lower judge ruled against Microsoft.
“He said that unless we persist with this lawsuit and turned it around, no German state would ever store data in a data center operated by an American company,” Smith said.
Last year, a federal appeals court sided with Microsoft, overturning a district judge ruling.
Yet the case is complicated by the intricacies of cloud computing, which allow data to be split up and stored in multiple locations around the world even for a single user, and some analysts say the court has no good solution.
“The speed by which data can be moved about the globe, the fact of third-party control and the possibility of data being held in locations that have absolutely no connection to either the crime or target being investigated makes location of the 0s and 1s that comprise our emails a particularly poor basis for delimiting jurisdiction,” American University law professor Jennifer Daskal wrote on the Just Security blog.
“Conversely, there is a real risk that a straight-up US government win will — rightly or wrongly — be perceived around the world as US law enforcement claiming the right to access data anywhere, without regard to the countervailing sovereign interests. This creates a precedent that foreign nations are likely to mimic.”
– ‘Larger problem’ –
Both sides have said that any court decision may be flawed, and that Congress needs to address the issue by rewriting the 1986 Stored Communications Act at issue.
Microsoft’s Smith said he was encouraged by a bill introduced this year called the CLOUD Act that would authorize cross-border data warrants with countries that meet certain standards for privacy and civil liberties.
The proposal has the backing of the tech sector, according to Smith, and respects the laws of each country where a request is made.
John Carlin, a former assistant US attorney general for national security, agreed that a legislative solution is preferable.
“Regardless of how this case turns out, it’s not going to solve the larger problem,” Carlin said.
Carlin said current law affecting crimes with cross-border components are not designed for the digital age.
“The problem now is there is a lack of clarity over how you can serve traditional legal process for what used to be local crimes,” he added. Carlin said the CLOUD bill could address the issues because it “provides incentives for countries that have protections for civil liberties.”
But some civil liberties activists have expressed concern the measure would expand US surveillance capabilities.
The measure “would give unlimited jurisdiction to US law enforcement over any data controlled by a service provider, regardless of where the data is stored and who created it,” said Camille Fischer of the Electronic Frontier Foundation.
It also “creates a dangerous precedent for other countries who may want to access information stored outside their own borders, including data stored in the United States,” she said.