Law Enforcement Access to Data Stored Abroad Act

  • September 2, 2015
    Guest Post

    by Kate Westmoreland, Non-Residential Fellow, The Center for Internet & Society at Stanford Law School

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).

    As internet companies and cloud providers hold more and more communications and user data, access to this information has become a key part of criminal investigations and prosecutions. The current system for managing international access to this data is struggling under the increased demand. Microsoft’s Brad Smith has been vocal in his calls for a new international convention on access to user data for criminal matters. But is a whole new convention really necessary?

    The answer depends on (1) whether the system is actually broken and, if so, (2) whether a new international convention is the right solution. Perhaps I should give a spoiler alert on this, but I think the answer is “yes, but don’t put all your eggs in the one basket.” Ultimately, we should be working towards a new international system for managing government requests for user data, but this is a very long-term, ambitious project. In the meantime, we need to pursue a range of shorter-term improvements at the domestic and international levels.

    There is a growing consensus that the current system for international government access to user data in criminal matters is broken. It is governed by a creaky old system of bilateral and multilateral treaties (mutual legal assistance treaties or “MLATs”), relationships between law enforcement officers and companies, and a mishmash of domestic legislation. A government report last year stated that MLAT requests to the United States take an average of at least 10 months to process. The White House then called for increased funding to process the requests more quickly, but the appropriation has stalled. When law enforcement agencies feel that they cannot access the information through mutual legal assistance, they turn to alternative, informal methods, including directly asking companies to hand over the data.

  • February 18, 2015

    by Jeremy Leaming

    U.S. Senators are again pushing a bill aimed at providing more protection of consumer data stored by American tech companies overseas.

    Sens. Chris Coons (D-Del.), Orrin Hatch (R-Utah) and Dean Heller (R-Nev.) recently reintroduced the Law Enforcement Access to Data Stored Abroad Act (LEADS Act), which languished in the last Congress. The LEADS Act would change the Electronic Communications Privacy Act (ECPA) and, in part, would prohibit federal officials from using a warrant to obtain information stored abroad, unless the information sought belongs to an American.

    In a press statement, Sen. Coons said, “Law enforcement agencies wishing to access Americans’ data in the cloud ought to get a warrant, and just like warrants for physical evidence, warrants for content under ECPA shouldn’t authorize seizure of communications that are located in a foreign country. The government’s position that ECPA warrants do apply abroad puts U.S. cloud providers in the position of having to break the privacy laws of foreign countries in which they do business in order to comply with U.S. law. This not only hurts our businesses’ competitiveness and costs American jobs, but it also invites reciprocal treatment by our international trading partners.”

    The senators’ statement on the LEADS Act claims it would “clarify ECPA by stating that the U.S. government cannot compel disclosure of data from U.S. providers stored abroad if accessing that data would violate the laws of the country where it is stored or if the data is not associated with a U.S. person – that is, a citizen or lawful permanent resident of the United States, or a company incorporated in the United States.”

    The U.S. Court of Appeals for the Second Circuit is hearing an appeal of a federal court’s refusal to set aside a government-issued warrant to obtain email account information stored by Microsoft in Ireland.

    See here for more information about the LEADS Act.

  • September 18, 2014

    by Jeremy Leaming

    * On Feb. 12, 2015 U.S. Senators reintroduced the LEADS Act

    Intending to provide privacy protections to consumers’ data stored on tech companies’ servers overseas or in cloud computing services, a bipartisan group of senators late today introduced legislation to amend the Electronic Communications Privacy Act (ECPA).

    Sens. Chris Coons (D-Del.), Orrin Hatch (R-Utah) and Dean Heller (R-Nev.) announced introduction of the Law Enforcement Access to Data Stored Abroad Act or the LEADS Act. A provision of the bill states that law enforcement offices must “obtain a warrant under the Electronic Communications Privacy Act (ECPA) to obtain the content of subscriber communications from an electronic communications or cloud computing service.”

    The bill comes as Microsoft is fighting in court a warrant from federal prosecutors seeking access to data stored overseas. Microsoft is arguing that the federal government cannot compel disclosure of data it stores in Ireland. Microsoft’s Bradford L. Smith told The New York Times earlier this year, “What is at stake is the privacy protection of individuals’ email and the ability of American tech companies to sustain trust around the world.” The Times noted that Apple, AT&T and Verizon have all filed briefs supporting Microsoft.