The rise of cloud computing is forcing policymakers to take a long overdue look at the limits of privacy in cyberspace, just how far the U.S. government can go in invading it, and what the rules should to be. The global proliferation of electronic mail has given the issue a sense of urgency.
Prior to the advent of the internet, messages sent by post were presumed the property of the sender until they reached the recipient. Equally important, the post office didn’t open the letter along the way, make a copy, and perpetually keep it on file. Electronic mail differs as the servers through which it pass keeps a copy as they move toward their ultimate destination.
Up to now the government has been creative in its assertion that email trail belongs to the companies owning the servers. At times this has been a useful work around for federal prosecutors trying cases involving money laundering, terrorist financing, and other crimes where the electronic paper trail is evidence of criminal wrongdoing. Nonetheless, U.S. courts have been clear the constitutional protection against illegal search and seizure still applies, meaning a warrant is usually necessary.
A July 14, 2016, ruling by the Second Circuit Court of Appeals stating the United States government cannot compel Microsoft or other companies to turn over customer emails stored on servers outside the United States has that all up for review.
The outcome of the case – Microsoft vs. the United States – hinged on the question of whether Section 2703(a) of the Stored Communications Act (SCA), the provision under which the government sought and received a search warrant for the email account applied extraterritorially. In a reversal of a lower court the circuit found it does not. The Justice Department is appealing and the case is working its way through the judiciary.
If one accepts the server carve out is legitimate – which some people don’t, but it is the issue at hand – current law needs to be updated to take cloud computing and other internet-based services located offshore of the United States into account lest it all be wrecked.
Sometime in May the Senate Judiciary Subcommittee on Crime and Terrorism will be holding a hearing on this issue in response to what is believed to be a request by the U.S. Department of Justice to change existing law to make it easier for the federal government to seize data stored on servers located overseas.
If that were to happen, it would lead directly to data localization and the destruction of cloud computing, at least as it exists today. No one would be safe from the prying eyes of federal investigators as long as they could find a server located outside the United States where a document they wanted was stored or through which an email they wanted to read had passed.
The Justice Department and other federal agencies cannot, in the course of assembling evidence in a criminal case, be allowed to vitiate the long-standing legal theory that warrants are territorial.
There needs to be a path forward to update the law to permit the cloud to be more meaningful and useful to everyone while addressing concerns about data privacy and security.
Congress has a chance to bolster the competitiveness of an emerging and important area of our information economy by moving it along.