February 27, 2018
A Problem Congress Should Solve
President and Chief Legal Officer, Microsoft
*This piece was originally posted on Microsoft On the Issues.
Today we’ll make our arguments before the U.S. Supreme Court in what everyone agrees is an important case for privacy rights around the world, for international relations, and for building trust in the technology we all rely on every day.
We believe we have compelling arguments and we look forward to the opportunity to make them before the nine Justices of the Supreme Court. But while attention today will focus on the Supreme Court, we believe the most important work should take place in the Capitol building across the street, by the U.S. Congress.
In 2013 U.S. law enforcement served on Microsoft a search warrant for customer data stored in our datacenter in Ireland. While we don’t believe that U.S. law grants the Government the right to reach across borders to obtain private information, we do believe that the U.S. should work with the Irish government to obtain the data they want. Unilateral actions like this will undermine privacy protections of customers everywhere, and are a recipe for international tensions, conflict and chaos.
Everyone agrees that new technology poses new problems that need to be solved. We’ve argued since the day we filed this case in 2013 that we need modern laws to govern today’s technology. We can’t rely on laws written three decades ago, before the internet as we know it was invented. Ultimately the courts – including the Supreme Court – can decide only whether the Department of Justice’s approach passes muster under current law. The courts are not able to write a new law. Under the U.S. Constitution, only Congress can do that, using its tools to craft a nuanced solution that balances all the competing concerns by enacting a statute for the 21st century.
Strong momentum for new laws
The good news is that there is strong momentum for a legislative solution. Earlier this month the CLOUD Act was introduced in Congress. It has bi-partisan support in both houses of Congress, as well as support from the Department of Justice, the White House, the National Association of Attorneys General and a broad cross section of technology companies. The CLOUD Act creates both the incentive and the framework for governments to sit down and negotiate modern bi-lateral agreements that will define how law enforcement agencies can access data across borders to investigate crimes. It ensures these agreements have appropriate protections for privacy and human rights and gives the technology companies that host customer data new statutory rights to stand up for the privacy rights of their customers around the world.
Standing up for national sovereignty
While we are encouraged by the momentum for legislative solutions, we also look forward to today’s oral argument before the Supreme Court. We believe we have compelling arguments and we’re grateful for the breadth and depth of the support we’ve received in the case. In January, 289 different groups and individuals from 37 countries signed 23 different legal briefs supporting Microsoft’s position that Congress never gave U.S. law enforcement the power to ignore treaties and breach Ireland’s sovereignty by reaching into Ireland to obtain the data they are seeking. The U.S. Government argues that it can reach across borders based on a law enacted in 1986, before anyone conceived of cloud computing. We don’t believe there is any indication that Congress intended such a result.
This is not to say that law enforcement should never access emails in other countries. We’ve said repeatedly that there are times when this is necessary to protect public safety, but that it should be governed by modern laws that respect people’s privacy rights and the sovereignty of other countries.
As we stand before the Justices tomorrow we’ll make four key points:
- Data has a real, physical location: We are not alone in arguing that it does. Fifty-one prominent computer scientists explained in their legal brief that emails are stored in known physical locations, on hard drives, in datacenter facilities. When the U.S. Government requires a tech company to execute a warrant for emails stored overseas, the provider must search a foreign datacenter and make a copy abroad, and then import that copy to the United States. This creates a complex issue with international consequences. It shouldn’t be resolved by having the courts take the law to a place it was never intended to go.
- The Government’s approach infringes on the sovereignty of other countries and risks a significant conflict of law between friendly nations: The international ramifications are clearly illustrated by the list of governments who joined amicus briefs or made public statements in the case, supporting key parts of Microsoft’s position. The list includes Ireland, France, the European Commission, European privacy regulators and members of the European Parliament, to name just some. Other countries want to be in control of when and how law enforcement agencies access data belonging to their citizens. When one country seeks private emails stored in another country, international treaties and norms require bilateral cooperation, not unilateral actions. The risk of foreign relations clashes is all the more acute because state and local U.S. law enforcement—not just federal officials—can invoke the Stored Communications Act, the law the DOJ is using in this case.
- The Government’s approach puts at risk the privacy rights of people around the world including in the United States: People deserve to have their privacy protected by their own country’s laws. If the U.S. Government obtains the power to unilaterally search and seize the private communications of foreign citizens that are stored exclusively in foreign countries, then other governments will be emboldened to do the same to us. Foreign countries will demand that tech companies copy and transmit to them the private emails of U.S. persons without regard for local law and without the knowledge or consent of the local government or the account owner.
- The Government’s approach is bad for the U.S. economy and American jobs: U.S. companies are leaders in cloud computing. This leadership is based on trust. If customers around the world believe that the U.S. Government has the power to unilaterally reach in to datacenters operated by American companies, without reference or notification to their own government, they won’t trust this technology.
Today is an important day. We are looking forward to the opportunity to make our case. And at the same time, we hope that members of Congress will keep moving quickly to create the modern laws that everyone agrees are needed.