Symposium: Why is the U.S. government trying to help Vladimir Putin access information stored in the United States?
on Feb 9, 2018 at 2:05 pm
Andrew Pincus is a partner in Mayer Brown LLP and filed an amicus brief in support of Microsoft on behalf of 12 business and consumer organizations. The views expressed are his and not those of his clients.
Consider this scenario:
An officer of Sledkom, the national law-enforcement investigatory agency in Vladimir Putin’s Russia, demands a meeting with the head of Microsoft’s operations in Russia. He hands over a list of journalists and dissidents living and working in the United States — some of whom are Russian citizens — together with authorization sufficient under Russian law to obtain the contents of an individual’s email account. Microsoft officials in Russia can, as a matter of technology, copy the contents of those email accounts and transfer the copy to Microsoft/Russia. Under Russian law, Microsoft will be held in contempt if it fails to provide the emails demanded by Sledkom. And it is not permitted to inform its customers of Russia’s demand.
Is Microsoft obligated to comply?
Most everyone would believe — and hope — that the answer is “no.” But the position of the United States government in United States v. Microsoft is indistinguishable from Sledkom’s request in my hypothetical. The government argues that because emails stored in Ireland are accessible from Microsoft facilities in the United States, the production of those emails is governed by U.S. law.
If the government wins in the Supreme Court, the Sledkom officer will have a much stronger argument to force Microsoft to comply: “We are only asking you to do for us what you already do for the American government.”
The government tries to argue in the Supreme Court that U.S. law would bar the disclosure of this information. But that’s the same argument being advanced by other nations in their amicus briefs in this case. If Irish law or European Union privacy restrictions do not provide a sufficient reason to preclude this construction of U.S. law by the U.S. government, why would Russia concede that its power should be limited?
Of course, these intrusions on privacy wouldn’t be limited to the contents of emails. Cloud computing — defined by the Supreme Court as “the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself” — is ubiquitous. Individuals store “in the cloud” not just email messages, but also photographs and videos and financial and health data, among many other types of personal information.
As a result, the government’s theory in this case would allow foreign countries to obtain — without any authorization under U.S. law — information stored in the United States that would reveal, as the Supreme Court put it in Riley v. California, the recent cellphone search case, “far more than the most exhaustive search of a house”: not just “many sensitive records previously found in the home,” but also “a broad array of private information never found in a home in any form.”
And the government’s legal position, if accepted by the Supreme Court, would greatly facilitate corporate espionage. Businesses use cloud computing to store proprietary technology, financial data, intellectual property, business plans, manufacturing processes, acquisition plans and negotiating strategy, customer data, and privileged and confidential legal advice regarding pending lawsuits and other sensitive matters.
Because other countries use law-enforcement and national-security personnel to help domestic companies compete against foreign rivals, it is inevitable that those nations would use the U.S. government’s legal theory to try to obtain proprietary business information stored in other countries.
Of course, the issue before the Supreme Court is one of statutory construction, not constitutional authority. So a ruling for Microsoft would not prevent Congress from enacting a law incorporating the legal rule the government is advocating before the Supreme Court.
Neither would a ruling for Microsoft stop the Russian government, or others, from asserting the broad authority the U.S. government claims. Indeed, Brazil has long demanded that U.S. cloud providers operating there disclose communications stored in the United States.
But a ruling for the government will make it extremely difficult for companies to resist foreign demands, because the U.S. rule — and companies’ compliance with it — will be invoked by those foreign nations.
Rather than trying to assert broad unilateral authority — and trying to shoehorn that claim into a 1986 law (the Stored Communications Act) that could not possibly have been meant to address this situation because it was enacted decades before electronic storage of information became commonplace — the proper course for the U.S. government is to seek enactment of a law that properly balances the various policy interests. And to craft a law that will serve as an international model, recognizing the important interests of every nation in protecting the privacy of individuals and businesses whose information is located within their borders, rather than a legal principle that rides roughshod over those rights.
That is what other nations are doing. The international Convention on Cybercrime, to which the United States is a party, establishes processes for countries to work together when a government seeks electronic information stored in another country, including provisions for quick action when there is a risk that the information might be moved or deleted. That convention does not authorize the use of domestic warrants to obtain information stored extraterritorially. But discussions have begun on how to amend the convention to provide additional means of obtaining that information — as the Department of Justice recently explained in congressional testimony.
Congressional action and international cooperation, not unilateral U.S. action, are the ways to address law-enforcement concerns and protect important privacy interests. By rejecting the government’s position, the Supreme Court will force the government to use those plainly more appropriate approaches.
There is another reason why Americans should be concerned about the U.S. government’s position in this case: It will inflict significant economic damage on the American companies that are now the leaders in providing cloud computing services. In other words, the U.S. government’s legal position, if accepted by the Supreme Court, will hurt the U.S. economy.
Cloud computing in 2017 was estimated to be a $246.8 billion business. The Department of Commerce estimated that cloud computing generated “a trade surplus of approximately $18 billion in 2015.”
But foreign businesses and consumers contemplating the use of U.S.-based cloud computing providers are concerned about the privacy and security of their information. And they are particularly concerned about the ability of the U.S. government to access that information without complying with the requirements of the country in which the data is stored (which the customer typically designates for business and regulatory reasons).
The government’s position in this case has attracted the attention of foreign nations and businesses, who have indicated that they will not use U.S.-based providers if the government prevails. Germany, for example, has refused to use Microsoft or any other U.S. data company for its data services if its information could be accessed through the mechanism claimed by the U.S. government in this case.
In Europe there have been calls for “data localization,” which would require that data owned by a nation’s individuals and companies be stored with local companies within the nation’s borders, and for procurement preferences for European providers. European officials have advocated a “massive information campaign” to inform consumers of their privacy rights under European law, noting that privacy protection has “become a factor in competition between companies.”
Upholding the U.S. government’s demands for copies of data stored abroad will thus inevitably injure U.S. competitiveness in the market. And estimates of the injury run into the many billions of dollars.
The U.S. government’s position in this case is wrong on the law. It is wrong as a matter of common sense: How can anyone conclude that a law is not being applied extraterritorially when it is being used to obtain copies of information stored outside the United States? And it is wrong as a matter of policy. Hopefully the Supreme Court will agree, and resolution of this issue will return to the proper forums — Congress and international negotiations.