Jennifer Daskal

  • July 15, 2016
    Guest Post

    by Jennifer Daskal, Assistant Professor of Law, American University Washington College of Law. Follow her on Twitter @jendaskal.

    *This post originally appeared at Just Security

    As readers no doubt already know, the Second Circuit today issued a surprise ruling in the Microsoft Ireland warrant case – siding with Microsoft. The result: location of data controls, at least for purposes of warrant jurisdiction. U.S.-issued warrants can no longer be relied on to compel the production of stored communications (such as emails) located outside the United States’ territorial jurisdiction. Rather, the United States must make a diplomatic request for extraterritorially located data via a Mutual Legal Assistance Treaty (or other avenue if no such treaty is in place)—and then wait for the foreign partner to respond. This is the case even if the target of the investigation is a U.S. citizen and the provider that controls the data can access it from the United States. (It's an issue I've written about extensively herehere, and here.)

    It seems almost certain that the government will appeal the ruling. But a lot less certain that the Supreme Court will take certiorari. In the meantime, we can expect, and hope for, much more executive branch engagement with Congress on the issue.

    Here’s three quick takeaways to keep in mind.

    #1: Read Judge Lynch’s concurring opinion. He gets it exactly right in all key respects. First, this is not a privacy case, although it does have important privacy implications. The government, after all, is proceeding by a warrant issued based on probable cause. No one would think this is a privacy violation if the data were stored in Redding, Washington. It thus does not become a privacy violation because the data is stored in Ireland. Second, nothing in the text or legislative history of the statute suggests that Congress considered or intended the possibility that SCA warrants would have transnational reach; particularly given the Supreme Court's recent reaffirmation of the presumption against extraterritorially, they should not. Third, this is a wholly unsatisfactory result, even if correct as a matter of statutory interpretation and the application of Supreme Court doctrine. It means that U.S. law enforcement can no longer compel, via a lawfully obtained warrant, a U.S.-based provider to turn over the emails of a U.S. citizen being investigated in connection with a N.Y.C. murder if his or her data happens to be stored on a server outside the United States territory. Rather, it must make a diplomatic request for the data in whatever place the data happens to be stored.  And then wait--perhaps months or longer-- for a response. This makes little sense. Fourth, Congress should engage. (More on this in point #3 below).

  • September 8, 2015
    Guest Post

    by Jennifer Daskal, Assistant Professor of Law, American University Washington College of Law; former counsel to the Assistant Attorney General for National Security at the Department of Justice

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA). Daskal’s piece is also cross-posted at Just Security. 

    Tomorrow, the Second Circuit will hear arguments in the almost two-year old dispute between Microsoft and the government over emails stored extraterritorially. Earlier,  I opined (in discussion with Orin Kerr) on the statutory questions raised by the case. The purpose of this post is to focus on the policy issues.  And viewed solely from a policy perspective, neither position—Microsoft’s nor the government’s—is satisfying. 

    For those unfamiliar with the case, the dispute started in December 2013, when the government served a warrant on Microsoft, compelling the production of certain emails. Microsoft refused to comply, arguing that the emails were stored in Ireland, that the government’s warrant authority does not extend extraterritorially, and that therefore the warrant was invalid.  But so far its fight has been unsuccessful.  Both the magistrate and district court judge sided with the government: Because the data could be accessed and controlled from Microsoft employees operating within the United States, the warrant was territorial, not extraterritorial; it is therefore valid.

    While often described as a “privacy case,” that’s not really what the case is about.  The government is, after all, proceeding by a warrant based on a finding of probable cause.  No one suggests that compelled production would be a privacy violation if the data were stored in the United States.  It does not become a privacy violation simply because the data is stored in Ireland.  That said, the case has major privacy implications.  The case raises fundamental questions about sovereignty and jurisdiction in an increasingly interconnected world, with key privacy rights—and related free speech and associational rights—turning on the answer to those sovereignty and jurisdictional questions.  It reflects a new world order in which State A can compel the production of data located in State B, with neither the government agent or the company employee querying the data ever leaving State A.  And the case poses key questions about who does—and should—control access to the data in such a situation—State A or State B?

  • May 8, 2015
    Guest Post

    by Jennifer Daskal, Assistant Professor of Law, American University Washington College of Law. Follow her on Twitter @jendaskal. [Cross-posted at Just Security]

    Yesterday the Second Circuit declared the NSA’s bulk telephone metadata program unlawful.  Specifically, it ruled that it was unauthorized by section 215 of the USA PATRIOT Act (and thus did not reach the constitutional law questions).  At the same time, however, it declined to grant an injunction that would have halted the program and instead sent the case back to the district court to reconsider the issues. As the Second Circuit recognized, many of the issues many of which could may be mooted by congressional action (or inaction) between now and June 1, when this key statutory provision is set to expire.

    The program’s continuing operation, at least for the next few weeks, has prompted commentators such as Orin Kerr to describe the ruling as “merely symbolic.”  I disagree.  To be sure, the telephony metadata program has long been given outsized attention relative to its impact and importance. But the ruling has significant import nonetheless not just for what it means for the continued operation of the program, but for the range of interconnected areas that the opinion addresses.  Below are four key, and substantive, implications of the ruling.

    1.      Collection Matters

    The Second Circuit resoundingly rejected the government’s argument that there is no cognizable injury until data is actually analyzed and reviewed.  According to the government,  appellants had no standing because they could not establish that the metadata associated with their telephone calls (i.e. the numbers called, received, and duration of the call) had actually been analyzed, rather than merely collected; absent subsequent review, the suffered no injury in fact.  The government makes analogous arguments with respect to other forms of bulk collection: Don’t worry we have robust limitations as to who can access the data and why.

    The Second Circuit was not persuaded, and rightly so.  As the Second Circuit concluded, collection is properly analyzed as a government seizure. If the collection is unlawful, then “appellants have suffered a concrete and particularized injury,” even without a subsequent review by human actors.  In other words, collection matters, even if the subsequent use restrictions are robust and strictly followed. That’s because we have a separate privacy interest not just in how the government uses our data, but in the government’s collection of our data in the first place.