February 20, 2015
By Jeff Gould, SafeGov.
A group of American senators from both parties are offering Europe an olive branch in the transatlantic war of words over Internet surveillance. Concretely, they propose to update the antiquated 1986 Electronic Communications Privacy Act (ECPA) by putting tighter limits on when and how U.S. courts can access electronic data stored abroad.
ECPA was a forward looking law when it was passed. Such things as the Internet and email already existed. Personal computers were commonplace. A few people even had (brick-sized) mobile phones. The law was expressly intended to give courts and police agencies conducting criminal investigations a legitimate way to get at data stored on these devices while still protecting the privacy rights of users.
But the role and scale of online technology in the world are vastly different today than in 1986. No one could have imagined then that one day hundreds of millions of Europeans would routinely store trillions of personal electronic documents on shared computers located in Europe but owned and remotely operated by American firms. Such a scenario would have been pure science fiction. Nor of course did anyone in 1986 dream that a handful of terrorists could knock down New York’s tallest skyscrapers and kill thousands of innocents.
By now most Europeans who follow privacy and surveillance issues know about the specific case that led to the Senators’ proposed ECPA amendment. In a nutshell, a U.S. Federal court in New York issued a warrant demanding that a U.S. Internet firm (Microsoft) turn over emails belonging to a foreign national that were stored on the firm’s servers in Ireland. According to press reports the case concerns drug trafficking, not terrorism. But instead of complying with the demand, Microsoft fought it and took the case to a Federal Appeals court. Observers expect that whatever the Appeals ruling the case will wind up at the Supreme Court.
The dispute between the court which issued the warrant and Microsoft turns on the meaning of ECPA as originally written. Both sides agree that American law enforcement officials do not have the right to conduct searches or seize evidence overseas. For example, an FBI agent can’t hop on a plane to France warrant in hand, knock on the door of an American bank in Paris, and demand that the bank turn over the contents of a customer’s safe deposit box. This is especially true if the customer is not a citizen or resident of the United States. But it would even be true if the customer were American. Everyone agrees on this much.
But the prosecutors in the case argue that the emails stored on Microsoft’s servers in Dublin are different. They argue that they won’t really be searching or seizing the emails until Microsoft brings them back to the United States. According to this logic the warrant will only actually be executed in New York, not in Ireland. It is easy to mock this reasoning as twisted, perverse or insincere. Some have even speculated that the Department of Justice, recognizing that more and more evidence of interest to prosecutors resides on overseas servers, deliberately picked this fight in the hope that it could establish an advantageous precedent. But no one can predict today whether the prosecutors will ultimately win this argument. It will be up to the Supreme Court to decide.
Here is where the proposed amendment to ECPA comes in. Known as the LEADS Act (Law Enforcement Access to Data Stored Abroad Act), the bill was introduced by two Republicans (Senators Hatch and Heller) and a Democrat (Senator Coons). They recognize that regardless of the outcome of Microsoft’s current legal battle, the fundamental question of how and when U.S. authorities can demand access to data abroad will only grow in importance. They therefore propose two simple but powerful rules governing what U.S. courts can do. A warrant for overseas data will only be valid if:
(1) It concerns a U.S. citizen or permanent resident;
(2) It does not violate the laws of the foreign country where it is to be executed.
The LEADS Act is broadly supported by U.S. high tech and media companies, as well as by leading privacy advocates. The government of Ireland and one of the leading advocates of data protection reform in the European Parliament, while not specifically endorsing the act, have submitted amicus briefs in support of Microsoft’s appeal. Surprisingly, among the few significant industry players yet to publicly endorse the LEADS Act are Google, Facebook and Yahoo. Perhaps they fear that the bill in its current form might encourage some foreign users in the belief that putting their data on foreign rather than U.S.-based cloud servers will protect them from the long arm of U.S. authorities. But there can be little doubt that these firms share the same concerns about U.S. access to overseas data as Microsoft, and they may yet give it their full support.
Early indications are that the LEADS Act has a good chance of passing in the current session of Congress. It has strong support from both political parties and has so far not aroused any open opposition from the U.S. law enforcement community.
Europeans should welcome the LEADS Act and acknowledge that, even if it falls short of addressing all their concerns in the wake of the Snowden revelations, it is a powerful and incontestable sign that the U.S. seeks reconciliation and compromise rather than continued conflict with Europe over these vital issues.
Jeff Gould has 20 years of experience in technology publishing and IT market research. Jeff currently serves as the president of SafeGov Inc.safegoveu