Electronic privacy

  • October 20, 2015
    Guest Post

    by Brad Smith, president and chief legal officer, Microsoft

    *This piece first appeared at Microsoft on the Issues

    When people who care about technology look back at the year 2015, they will remember October as the month when the EU-U.S. Safe Harbor collapsed. An international legal agreement that has been in place for 15 years was invalidated in a single day. On Oct. 6, the Court of Justice of the European Union struck down an international legal regime that over 4,000 companies have been relying upon not just to move data across the Atlantic, but to do business and serve consumers on two continents with over 800 million people.

    The decision made clear what many have been advocating for some time: Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to the cloud. In both the United States and Europe, we need new laws adapted to a new technological world.

    As lawyers and officials scurry to assess the situation, it’s apparent that both a variety of smaller steps and a more fundamental long-term change will be needed. We need to focus on both of these aspects.

    It’s important to focus on a wide variety of steps, especially given the potentially drastic ripple effects caused by the collapse of the U.S.-EU Safe Harbor. Government officials in Washington and Brussels will need to act quickly, and we should all hope that Congress will enact promptly the Judicial Redress Act, so European citizens have appropriate access to American courts. In addition, companies like our own that have put in place additional safeguards such as the EU Model Clauses will rely on and add to them, even while everyone discusses additional measures.

    But for the sake of the long-term we should also recognize some obvious and fundamental facts. We need solutions that will work not just for large tech enterprises but for small companies across the economy, and for consumers most of all. If we’re going to ensure that data more broadly can move across the Atlantic on a sustainable basis, we need to put in place a new type of trans-Atlantic agreement. This agreement needs to protect people’s privacy rights pursuant to their own laws, while ensuring that law enforcement can keep the public safe through new international processes to obtain prompt and appropriate access to personal information pursuant to proper legal standards.

  • September 2, 2015
    Guest Post

    by Kate Westmoreland, Non-Residential Fellow, The Center for Internet & Society at Stanford Law School

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).

    As internet companies and cloud providers hold more and more communications and user data, access to this information has become a key part of criminal investigations and prosecutions. The current system for managing international access to this data is struggling under the increased demand. Microsoft’s Brad Smith has been vocal in his calls for a new international convention on access to user data for criminal matters. But is a whole new convention really necessary?

    The answer depends on (1) whether the system is actually broken and, if so, (2) whether a new international convention is the right solution. Perhaps I should give a spoiler alert on this, but I think the answer is “yes, but don’t put all your eggs in the one basket.” Ultimately, we should be working towards a new international system for managing government requests for user data, but this is a very long-term, ambitious project. In the meantime, we need to pursue a range of shorter-term improvements at the domestic and international levels.

    There is a growing consensus that the current system for international government access to user data in criminal matters is broken. It is governed by a creaky old system of bilateral and multilateral treaties (mutual legal assistance treaties or “MLATs”), relationships between law enforcement officers and companies, and a mishmash of domestic legislation. A government report last year stated that MLAT requests to the United States take an average of at least 10 months to process. The White House then called for increased funding to process the requests more quickly, but the appropriation has stalled. When law enforcement agencies feel that they cannot access the information through mutual legal assistance, they turn to alternative, informal methods, including directly asking companies to hand over the data.

  • May 8, 2015
    Guest Post

    by Jennifer Daskal, Assistant Professor of Law, American University Washington College of Law. Follow her on Twitter @jendaskal. [Cross-posted at Just Security]

    Yesterday the Second Circuit declared the NSA’s bulk telephone metadata program unlawful.  Specifically, it ruled that it was unauthorized by section 215 of the USA PATRIOT Act (and thus did not reach the constitutional law questions).  At the same time, however, it declined to grant an injunction that would have halted the program and instead sent the case back to the district court to reconsider the issues. As the Second Circuit recognized, many of the issues many of which could may be mooted by congressional action (or inaction) between now and June 1, when this key statutory provision is set to expire.

    The program’s continuing operation, at least for the next few weeks, has prompted commentators such as Orin Kerr to describe the ruling as “merely symbolic.”  I disagree.  To be sure, the telephony metadata program has long been given outsized attention relative to its impact and importance. But the ruling has significant import nonetheless not just for what it means for the continued operation of the program, but for the range of interconnected areas that the opinion addresses.  Below are four key, and substantive, implications of the ruling.

    1.      Collection Matters

    The Second Circuit resoundingly rejected the government’s argument that there is no cognizable injury until data is actually analyzed and reviewed.  According to the government,  appellants had no standing because they could not establish that the metadata associated with their telephone calls (i.e. the numbers called, received, and duration of the call) had actually been analyzed, rather than merely collected; absent subsequent review, the suffered no injury in fact.  The government makes analogous arguments with respect to other forms of bulk collection: Don’t worry we have robust limitations as to who can access the data and why.

    The Second Circuit was not persuaded, and rightly so.  As the Second Circuit concluded, collection is properly analyzed as a government seizure. If the collection is unlawful, then “appellants have suffered a concrete and particularized injury,” even without a subsequent review by human actors.  In other words, collection matters, even if the subsequent use restrictions are robust and strictly followed. That’s because we have a separate privacy interest not just in how the government uses our data, but in the government’s collection of our data in the first place.

  • February 18, 2015

    by Jeremy Leaming

    U.S. Senators are again pushing a bill aimed at providing more protection of consumer data stored by American tech companies overseas.

    Sens. Chris Coons (D-Del.), Orrin Hatch (R-Utah) and Dean Heller (R-Nev.) recently reintroduced the Law Enforcement Access to Data Stored Abroad Act (LEADS Act), which languished in the last Congress. The LEADS Act would change the Electronic Communications Privacy Act (ECPA) and, in part, would prohibit federal officials from using a warrant to obtain information stored abroad, unless the information sought belongs to an American.

    In a press statement, Sen. Coons said, “Law enforcement agencies wishing to access Americans’ data in the cloud ought to get a warrant, and just like warrants for physical evidence, warrants for content under ECPA shouldn’t authorize seizure of communications that are located in a foreign country. The government’s position that ECPA warrants do apply abroad puts U.S. cloud providers in the position of having to break the privacy laws of foreign countries in which they do business in order to comply with U.S. law. This is not only hurts our businesses’ competitiveness and costs American jobs, but it also invites reciprocal treatment by our international trading partners.”

    The senators’ statement on the LEADS Act claims it would “clarify ECPA by stating that the U.S. government cannot compel disclosure of data from U.S. providers stored abroad if accessing that data would violate the laws of the country where it is stored or if the data is not associated with a U.S. person – that is, a citizen or lawful permanent resident of the United States, or a company incorporated in the United States.”

    The U.S. Court of Appeals for the Second Circuit is hearing an appeal of a federal court refusal to set aside a government issued warrant to obtain email account information stored by Microsoft in Ireland.

    See here for more information about the LEADS Act.

  • January 20, 2015
    Guest Post

    by Cameron F. Kerry. Kerry is the Sara R. & Andrew H. Tisch Distinguished Visiting Fellow at the Brookings Institution and a Visiting Scholar at the MIT Media Lab. He is the former General Counsel and Acting Secretary of the U.S. Department of Commerce.

    President Obama went to the FTC this past week to address ways to protect privacy and identity in what he called “a dizzying age” of new technologies. 

    One of the many new technologies changing the ways people interact with information is cloud computing. Whether it's Jennifer Lawrence saving intimate photos to Apple's iCloud, startups scaling up with Amazon Web services, or businesses and consumers moving their documents to Microsoft 365 or Google Docs, cloud computing is becoming a familiar part of our digital daily lives.

    Cloud services offer benefits of large-scale computing, which include efficiency, scalability, security, and computing power, as well as ubiquitous access to data from an increasing variety of devices. But turning over data wholesale to someone else also comes with questions about privacy, confidentiality, security, and control. 

    As evidenced by Microsoft’s challenge to a U.S. government warrant for emails stored in a data center in Ireland, these questions also present challenges to traditional notions of sovereignty and territorial jurisdiction because global networks and cloud systems transcend national borders.