U.S. Internet companies, and indeed all multinationals with a presence in the United States, appear to be trapped between the data access requirements of U.S. law enforcement agencies and foreign privacy laws.
Microsoft is involved in ongoing litigation against a search warrant issued in December 2013 by a U.S. magistrate, authorizing the search and seizure of e-mail accounts hosted by Microsoft. The company objected to the warrant with regard to data stored at its data center in Ireland, claiming that U.S. courts are not authorized to issue warrants for extraterritorial searches. Microsoft also argued that if it turned over data stored abroad to the U.S. government, it would be more difficult for the company to resist requests by foreign governments for data stored in the U.S. But on April 25, the magistrate judge who issued the warrant found in favor of the government. On July 28, Judge Loretta A. Preska of the U.S. District Court for the Southern District of New York affirmed that decision.
These two decisions turned on the question of whether the search warrant constitutes an extraterritorial search and seizure. Microsoft argues that it does, since it directs the company to produce information stored outside the United States. The government’s argument is that because Microsoft is subject to U.S. jurisdiction, it must turn over data it controls regardless of where the data is stored.
This may be the first case in which a company has formally opposed a U.S. search warrant concerning data stored abroad. But it is not surprising that other major companies (like Apple, AT&T, and Verizon) have publicly supported Microsoft’s position. The revelations of Edward Snowden have put them all under increasing pressure to resist U.S. requests for data access. The disclosures have also intensified their awareness of conflicts between foreign privacy legislation and the demands of U.S. law enforcement.
Dozens of countries around the world grant broad privacy protection to data processed for commercial purposes (the U.S. is one of the few that do not). They generally do not allow data to be transferred to foreign authorities without the approval of local regulators.
U.S. companies have already begun losing business with foreign customers because they are subject to U.S. data access requests. (For example, in June the German government cancelled a contract with Verizon for Internet services). Many more companies have a commercial incentive to contest these cross-border requests for data. The issues raised in the Microsoft case are relevant to all companies subject to U.S. jurisdiction, not just those in the Internet sector—including companies based abroad but active in the U.S. market.
Microsoft has stated that it will appeal Judge Preska’s decision, and sources in the U.S. legal community tell me that the case could eventually go all the way to the U.S. Supreme Court. But while Microsoft’s argument that the case has major policy implications is compelling, the U.S. government’s position may be difficult to overcome under the current state of the law.
What is disappointing about the discussion in this case so far is that it concentrates on the respective interests of companies and law enforcement. The privacy expectations of the Internet users whose data may be accessed have received little attention.
The best way to resolve this conflict would be to make changes to U.S. legislation that balance the interests of companies and law enforcement while taking the privacy expectations of individuals into account. However, the current gridlock in Washington seems to make that impossible. An international treaty being negotiated between the United States and the E.U., known as the “Umbrella Agreement,” might provide some relief by establishing formal rules about data sharing. But its final form and completion date remain unclear. I fear that the tension between the requirements of U.S. law enforcement and foreign privacy laws will get worse before it gets better. And the privacy of individuals whose data is held by companies with a U.S. presence will remain largely unconsidered.
A quick guide to the most important AI law you’ve never heard of
The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.
It will soon be easy for self-driving cars to hide in plain sight. We shouldn’t let them.
If they ever hit our roads for real, other drivers need to know exactly what they are.
Crypto is weathering a bitter storm. Some still hold on for dear life.
When a cryptocurrency’s value is theoretical, what happens if people quit believing?
Artificial intelligence is creating a new colonial world order
An MIT Technology Review series investigates how AI is enriching a powerful few by dispossessing communities that have been dispossessed before.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.