U.S. technology companies continue to find themselves in the difficult position of attempting to both honor legitimate law enforcement data access requests and maintain the privacy and trust of their customers. Microsoft and Apple were exhibits one and two on Thursday, demonstrating how outdated laws are bumping into rapidly advancing technology and security, illustrating the growing need for U.S. Congress to act.
The most talked about privacy issue, of late, is Apple’s legal battle with the Department of Justice, which took a new turn late Thursday afternoon when Apple filed a briefing asking the court to vacate a motion to compel it to provide the FBI with technical assistance in unlocking the iPhone used by one of the San Bernardino shooters.
But Apple's case, in one sense, isn't an isolated one. It's part of a larger issue that sees technology companies butting heads with outdated laws around the world.
The other ongoing legal battle is between the DoJ and Microsoft and involves a suspect’s emails that happen to be stored on a server in Ireland, as well as a growing international trend that pits local law with international data transfers.
In both instances, the tech companies are not only taking on the DoJ in courts, but also asking for Congress to help come up with a solution.
Apple’s formal response asking the court to vacate its demand means there will be a long legal battle – like the one Microsoft is currently embroiled in with the DoJ – that may run all the way to the U.S. Supreme Court, something Apple CEO Tim Cook said the company is prepared for.
And Apple is not alone in its battle, as a number of large tech companies – including Microsoft, Google, Twitter, Facebook, and Yahoo – said they’d provide the court with amicus briefs in support of Apple in its case against the DoJ.
Verizon also said they support Apple’s efforts. Thus far, Brad Smith testified in front of the House Judiciary Committee on law enforcement access to international data requests, arguing that U.S. law – particularly the 1986 Electronic Communications Privacy Act – needs to catch up with technology. To illustrate the widening gap, Smith brought with him several props, including an IBM computer from 1986 and an adding machine from 1911 – the last time the All Writs Act was updated.
When ECPA was passed, “Ronald Regan was president, Tip O’Neill was Speaker of the House, and Mark Zuckerberg was two years old,” he said.
Microsoft, like many other companies, is increasingly facing legal conflicts when doing business internationally. Smith cited two recent examples that illustrate how the law does and does not work. After the Charlie Hebdo attacks in January 2015, Microsoft worked with the FBI and French government to turn over two of the shooters’ emails. The process, he pointed out, went through an international legal process and only took 45 minutes to get the data to the French authorities.
“That was a day when the system worked,” Smith said. “But unfortunately, that has become the exception and not the norm.”
A second case – what Smith calls the “norm” – involves local authorities in Brazil, who want data on a local suspect. Through a Brazilian court order, the local Brazilian authority has requested that Microsoft provide them with data that is stored in the U.S. Doing so, Smith points out, would be illegal under U.S. law. As a result and because the Brazilians have not turned to an international process, Microsoft is facing fines and one of its executives criminal prosecution from the local authority.
“And unfortunately, that kind of case is spreading,” he said. “It’s spreading because other governments, including the United States government, are using unilateral legal process rather than international legal process to obtain data around the world.”
Solutions to the issue are out there, he said, including through the LEADs Act – currently pending in Congress – in updating the Mutual Legal Assistance Treaties as well as other new international treaties “designed and built for the 21st century. All of this requires action by the executive branch,” Smith said, “but it requires action by Congress as well.”
The root cause of all of this, he testified, is that U.S. law is old and outdated.
Old law and its role enforcing government access to modern technology is also being argued in the Apple case. Apple argues that the All Writs Act – passed in 1789 – does not give the DoJ power to compel the company to create new software that essentially hacks its built-in security. “Congress has never authorized judges to compel innocent third parties to provide decryption services to the FBI,” Apple argues in its motion to vacate.
But for the DoJ, the government has long had the authority to compel innocent third-party companies to assist in an investigation. In response to Apple’s filing yesterday, DoJ spokeswomen Melanie Newman said, “The Justice Department’s approach to investigating and prosecuting crimes has remained the same. … The change has come in Apple’s recent decision to reverse its longstanding cooperation in complying with All Writs Act orders.”
Though Microsoft’s Smith presented a number of possible solutions for updating U.S. law and international treaties for dealing with law enforcement access to data stored in different countries, a solution to the Apple case may be a ways off, if possible.
Some lawmakers have proposed legislation to help with parts of the issue. Rep. Ted Lieu, D-Calif., has offered the ENCRYPT Act, which would preempt state laws that would ban encryption in smartphones. And just this week, Sen. Mark Warner, D-Virginia, and Rep. Michael McCaul, R-Texas, announced they will offer legislation that would create a commission – similar to the 9/11 Commission – to help find potential solutions to the encryption issue.
Even if passed, however, the report that would come out of the commission would take a year. In the meantime, Apple will make a rare appearance on Capitol Hill next week, when Senior VP and General Counsel Bruce Sewall testifies in front of the House Judiciary Committee to discuss what's being called "the encryption tightrope."
There's clearly much work to be done, and it's increasingly looking like it's the U.S. Congress that has work to do, but with tight congressional races already underway, and a big unknown as to who will be the next president of the United States, it may be the courts who provide ad hoc and incomplete results for businesses and law enforcement. And that's not good for either side.
Top image courtesy of Microsoft