The average email user doesn’t think a whole lot about how it is they can access their communications on a range of devices from almost anywhere on earth. They point. They click. They read. To quote the late Steve Jobs, for users, “it just works.”
The simplicity of email is built on three crucial ingredients: software, data, and trust. Software powers the global network that enables the system, and the data comes from users who rely on the Internet to power their communications and so much more. Those users supply the third ingredient: they must trust that when they log on, they will be able to access that personal information. And they must trust the technology and the services to keep their information safe and secure from prying eyes.
Unfortunately, while the potent mixture of software and data promises any number of incredible advancements in the years to come, U.S. government efforts on access to data are undermining that trust.
The consequences of this are real. Already, amid the ongoing international surveillance revelations, European governments and businesses are openly questioning the trustworthiness of U.S. technology companies. The German government, for example, has crafted procurement rules that will bar many U.S. companies from providing software solutions and services to the state. And the German government is not stopping there. They are sending signals to the private sector that industry should follow regulators’ lead.
Unfortunately, this attack on digital trust is worsening. A case being argued in the Second Circuit Court of Appeals in New York this week has the potential to set a significant precedent. In that case, the Department of Justice is seeking to force Microsoft to turn over the contents of one customer’s email inbox. In the United States, such a demand requires a warrant, and the Department of Justice has successfully obtained a warrant for the information Microsoft holds here in the United States.
The problem in this case is this: Microsoft’s customer is likely in the vicinity of the company’s Dublin datacenter, where the data is stored and which Irish law governs. In the same way that U.S. police can’t simply fly to Ireland and knock down a suspect’s door to raid their home, their jurisdiction online must be respectful of borders as well. Barging into an Irish data center, however it’s done, would be an incredible invasion of Irish sovereignty. And imagine the uproar if foreign police tried such a move in the United States.
Instead, through a long-standing and well-developed process, many countries have developed rules for obtaining access to information that is held overseas. Those rules are embodied in Mutual Legal Assistance Treaties, or MLATs, and the United States even has an MLAT with Ireland. The Irish government has filed a brief in the 2nd Circuit case letting the court know that, had the Justice Department used the MLAT process, they would already have the information that they will be in court this week to seek.
Rather than using that MLAT process, however, the Justice Department is misguidedly arguing that a user’s email belongs not to the user – but to the email provider. This flies in the face of what digital customers the world over believe about owning their own online files and communications, and it runs contrary to generations of understanding about the privacy of our papers and letters.
Consider the United States Postal Service: would the Justice Department ever try to argue that the contents of your envelopes no longer belong to you once they are dropped in the mail? They wouldn’t, and that is the bedrock of the years of trust between customers and the companies and institutions we all rely on to deliver our communications.
Rather than taking this battle to the courts, we urge the Justice Department to work with governments and industry around the world to craft a forward-looking system to address these questions. The end goal of that effort should be a system of rules that both preserves the rule of law and applies effectively across borders. If the United States does not take a lead in guiding this process, we will be left instead with countries racing to establish a system with the fewest protections possible. Such a regime would respect neither international sovereignty nor fundamental human rights or online privacy. As the digital economy continues to grow, our world will only continue to shrink. Already some online crime is global. The tools that law enforcement uses to investigate and prosecute such crime should be global as well.
Our Congress should pay particular attention to MLAT modernization as well. While the Department of Justice ties logic in knots in order to demand quick access to information held overseas, our current system is frustrating international investigations at the same time. Because much of the world’s data is held by U.S. companies on U.S. servers, international investigators must go through the Justice Department to gain access to it. A lack of dedicated staff here, though, has led to an unacceptably long backlog of foreign requests. The long wait that other governments must endure for digital evidence is leading those governments to demand that companies hold their citizens’ data within their borders. This is not only costly and inefficient, but it will lead to even more cases like Microsoft’s situation in Ireland. The Justice Department is creating problems for itself down the road by trying to take a legal shortcut today.
Finally, Congress must act to update the Electronic Communications Privacy Act (ECPA) and the other outdated electronic privacy laws in the United States. ECPA was a forward-looking law when it was passed back in 1986, but few could have foreseen the amazing technological evolution since then. And while thirty years may not be that long in legal terms, consider this: In software terms, 1986 was the era of Windows 1.0, the 12-pound IBM laptop, and just 2,000 global Internet connections.
More than opportunity awaits in modernizing our laws and regulations to better fit our modern digital age. It must be considered an obligation. The outcome of the September 9 Court of Appeals case will make history, either way. That outcome should favor users’ trust.