Breaking news flashed across the country when the Supreme Court of the United States granted certiorari for United States v Microsoft on October 16th. The court’s pending decision will resolve divided lower court rulings on a fundamental privacy dispute.
The landmark case will determine whether the federal government can issue warrants that compel American companies to provide data held on servers in a foreign country. If Microsoft wins, the longstanding precedent that warrants only apply to United States soil will hold. If the government wins, the court will signal new rules for the borderless nature of the internet, expanding the reach of government and potentially chaotic reciprocity by other nations seeking data held in the United States.
The true heart of this problem isn’t actions by Microsoft or the Supreme Court, it’s Congress’s adherence to outdated laws. The Microsoft dispute would be easily resolved by passing the International Communications Privacy Act (ICPA), which would update our laws to match the technologies of the time.
Digital information sharing between the United States and other countries is currently regulated by the Electronic Communications Privacy Act (ECPA) of 1986. If you’re noticing anything strange about that, you’re not alone: many important electronic communications such as email, instant messaging, smart phones, or social media did not exist or were not widely used in 1986. The rules for government interference in electronic communications were written before the commercialization of the internet.
Without updating our laws, United States vs. Microsoft could lead the courts to enforce costly “data localization” on American businesses. Data localization is the idea that digital information should be held in the country where it originates. In this case, the Department of Justice (DOJ) wanted political borders to apply to cloud computing. Microsoft allows users to select their country of origin upon user account creation, and the data from those accounts are stored in data servers within the user’s chosen country.
DOJ sought Microsoft’s data regarding a United States person whose emails were stored on a Dublin, Ireland server. This particular person was targeted for investigations on federal narcotics crimes and had information related to narcotics crimes on a Microsoft-based email account. Microsoft provided all information to the United States government that it held on US soil, pursuant to a warrant. This did not include the contents of the emails stored in Ireland, which the government sued Microsoft to obtain.
A court decision in favor the United States government would allow the courts to enforce data localization from the bench, imposing massive costs and reorganization of our internet infrastructure just to avoid lawsuits. Even worse, data localization could run Microsoft and other American information technology firms out of business. If the Supreme Court decides that outdated ECPA provisions constitute extraterritoriality and increased government access to private data, business partners might feel safer doing business elsewhere. Thousands of Americans jobs could be at stake.
That’s where ICPA comes in. ICPA would establish a clear, workable process for sharing communications between countries.
Under ICPA, law enforcement must obtain a warrant to obtain private communications from the customer of an internet service provider or information technology company. If any of the communications of the targeted customer are located outside of the United States, law enforcement must use established Mutual Legal Assistance Treaties (MLATs) with other countries to inform foreign governments of attempts to obtain data localized abroad. A foreign country holding the data then has the opportunity to review the accusations against an individual and the impact of providing sought information on its own national security.
Additionally, ICPA would require to the DOJ to release information about the number of MLAT requests received and sent by the United States, as well as the duration it takes to resolve each one.
Passing ICPA would eliminate massive potential for judicial overreach, establish clarity in outdated rules, and avoid costly legal expenses for private companies and government officials. There’s no need to enforce costly data localization provisions when MLATs and a clearer delineation would suffice.
FreedomWorks recently signed onto a coalition letter supporting swift passage of ICPA, echoing the sentiments of Microsoft President Brad Smith, who wrote in an October, 16th blog-post: “Current laws were written for the era of the floppy disk, not the world of the cloud.”
Congress should pass ICPA to avoid more disputes like United States vs. Microsoft that fumble the inadequacies of archaic laws.