At a hearing of the Senate Judiciary Committee's Subcommittee on Crime and Terrorism yesterday, witnesses debated what kinds of rules are needed to ensure the U.S. government can investigate crimes at home and abroad, as well as work with foreign governments looking to do the same.
The problem, some witnesses testified at "Law Enforcement Access to Data Stored Across Borders: Facilitating Cooperation and Protecting Rights," is twofold: the effect the Microsoft v. United States decision has had on U.S. law enforcement's ability to investigate crimes and the fact that the Electronic Communications Privacy Act of 1986 has yet to see an update.
In Microsoft v. United States, the Second Circuit ruled U.S. law enforcement couldn't force Microsoft to hand over data pertaining to a U.S. citizen but stored on servers overseas and that warrants served under ECPA only apply to data stored within the U.S.
Brad Wiegmann, deputy assistant attorney general at the U.S. Department of Justice, said the Microsoft decision has been detrimental to law enforcement's ability to investigate crimes that involve child exploitation and pornography, tax fraud, and drug trafficking, among others. The Microsoft decision has also challenged U.S. law enforcement's ability to cooperate with foreign governments' mutual legal assistance requests (MLATs), which were already problematic from a law enforcement standpoint given the amount of time the legal procedure takes to execute.
Wiegmann also made a push in his testimony for a bilateral agreement introduced in 2016 between the U.S. and U.K., which would allow for data sharing between the two governments. The framework was put before Congress in response to the Microsoft ruling and was fully backed by U.K. Deputy Security Advisor Paddy McGuinness, who also testified at the hearing, saying that "real-time data sharing is absolutely imperative" between the two nations. He said such a framework could serve as a model for other "like-minded countries" with good laws on the books on things like privacy and freedom of speech.
Sen. Orrin Hatch, R-Utah, who has been a leader in the push for ECPA reform, said that, before the Second Circuit's decision on Microsoft, foreign companies had been complying with U.S. warrants. He asked what those companies would do now if the U.S. asks for information and their government now forbids disclosure.
Wiegmann said, "The whole U.S.-U.K. framework we're proposing is an effort to prevent the scenario Senator Hatch is describing. In order to make the framework work, we have to have the same authority on our end that the U.K. has on its end. We won't have that authority unless we reverse the Second Circuit decision."
Though he supports the U.S.-U.K. framework, provided it's coupled with a "modern legal framework" that does away with ECPA's shortcomings, Microsoft President Brad Smith wasn't big on Wiegmann's suggestion that the Second Circuit's decision be overturned. He pointed to the forthcoming General Data Protection Regulation as one reason that won't work in the end.
Under the GDPR, demands for data from a party other than EU courts or law enforcement aren't recognized or enforceable, Smith notes in his written testimony. That puts companies in a real bind.
"One year from tomorrow, the GDPR will take effect," he told the subcommittee. "On that day, tech companies that comply with the DOJ's proposed warrants are almost certain to violate European law. In fact, they'd be subject to fines of up to 4 percent of worldwide revenue."
Professor Jennifer Daskal of American University Washington College of Law dislikes the Microsoft v. United States decision. In the months since the Microsoft ruling, its perils have become evident. U.S. law enforcement is struggling to get the data it needs to fight crime, having to go through foreign governments' protocols to seek it, while it legally has access, via a warrant, to any and all data held on U.S. soil, despite how foreign governments might feel about that.
"What we do gets looked at and mimicked by others," she testified. "In failing to take into account the sometimes legitimate foreign government interests, we set a precedent that other foreign governments will access our citizens' data without regard for U.S. law and U.S. interests."
Though she dislikes the Microsoft ruling, she disagrees with Wiegmann that the solution is its reversal. She said that would be perceived by the rest of the world as the U.S. simply wanting data without concern for countries aiming to safeguard their own citizens.
Daskal wants Congress to require what's called "comity analysis." It's a practice sometimes employed by courts when dealing with foreign states. But Daskal wants it to be codified, so when a U.S. warrant is issued on a resident outside of the U.S., the court takes into account "factors such as the location and nationality of the target, the location of the crime, the seriousness of the crime, the importance of the sought-after data to the investigation, and the possibility of accessing the data via other means (e.g., with the assistance of the foreign government)." She also thinks the U.S. should be required to notify a foreign government when it's issuing a warrant for data on one of that government's residents if located outside the U.S. and that the notice agreements should be reciprocal.
To Daskal, it's a treat-your-neighbor-as-you-want-to-be-treated kind of policy, to put it in plain English.
"This is an opportunity for the U.S. to use its leverage as the home of so much of the world's data, and its moral authority," she said.