As the U.S. Supreme Court reviews the Second Circuit ruling on Microsoft’s data privacy case, ACT | The App Association member Bruce Backa reiterates the need for Congressional action to provide clear rules defining law enforcement access to data.
Email and other electronic data are currently governed by the Electronic Communications Privacy Act (ECPA) from 1986, a time before the World Wide Web had even been invented, and only half a dozen universities had been connected to the network that would become the internet we know today. Now, even our cars have an internet connection. These old guidelines are completely out of touch.
The Supreme Court can only interpret laws that are on the books, and ECPA is the most recent law we have governing communications privacy. That’s why Congress must act now to pass modern communication laws that the Supreme Court can use to judge modern communication privacy disputes.
A coalition of conservative groups sent a letter to House Judiciary Chairman Bob Goodlatte, Ranking Member John Conyers, Senate Judiciary Chairman Chuck Grassley, and Ranking Member Dianne Feinstein, urging their attention and action on H.R. 3718, International Communications Privacy Act (ICPA) legislation to clarify rules on law enforcement access to data stored overseas. The letters’ signatory organizations include American Commitment, American Consumer Institute, Americans for Tax Reform, Campaign for Liberty, Competitive Enterprise Institute, Council for Citizens Against Government Waste, Digital Liberty, Free the People, FreedomWorks, National Taxpayers Union, R Street Institute, Small Business & Entrepreneurship Council, and Taxpayers Protection Alliance.
ICPA is an important step in modernizing the legal regime surrounding electronic communication in a way that will help protect the rights of American citizens, provide clear guidelines for law enforcement, and improve engagement between domestic and foreign law enforcement. This will help create an environment in which American technology companies can continue to innovate, provide valuable services to their customers, and help keep the American technology sector on the cutting edge of innovation while producing jobs.
We urge the committee to consider and pass ICPA at the earliest possible opportunity. House members should be afforded the chance to pass this legislation, and provide a needed update to ECPA, which has been eclipsed by technology its authors could not foresee.
This week, the Supreme Court agreed to hear a case on data sovereignty — the concept that a country has control of the data stored within its borders — resulting from a dispute between Microsoft and the Justice Department. In 2013, the Justice Department demanded Microsoft hand over foreign citizens’ emails stored on its servers in Ireland. The Justice Department alleged this would provide evidence needed to settle a drug trafficking case. Microsoft refused to comply with the government’s search warrant and took the matter to court. After a long legal battle, the 2nd Circuit Court of Appeals sided with Microsoft; however, in its opinion, the court urged Congress to act to update the Electronic Communications Privacy Act, an archaic law that serves as the only guidance for courts on how to handle the question of data sovereignty.
There is a consensus among both houses that this law must be updated — after all, it was written well before the advent of international cloud computing, let alone the Internet itself. “The laws governing digital data were written more than 30 years ago and were never intended to reach across international borders,” Sen. Orrin Hatch said in a statement issued earlier this week. Hatch has urged his colleagues to pass the International Communications Privacy Act (ICPA). We agree.
Following the U.S. Supreme Court announcement to review the Second Circuit ruling on law enforcement access to data stored abroad, Microsoft President and Chief Legal Officer Brad Smith wrote the following:
In July 2016, the Court of Appeals for the Second Circuit agreed with Microsoft that U.S. federal or state law enforcement cannot use traditional search warrants to seize emails of citizens of foreign countries that are located in data centers outside the United States. Today, the Supreme Court granted the Department of Justice’s petition to review Microsoft’s victory. This is an important case that people around the world will watch. We will continue to press our case in court that the Electronic Communications Privacy Act (ECPA) – a law enacted decades before there was such a thing as cloud computing – was never intended to reach within other countries’ borders.
But as we have said from the beginning of this litigation, there’s a broader dimension to this issue as well. The continued reliance on a law passed in 1986 will neither keep people safe nor protect people’s rights. If U.S. law enforcement can obtain the emails of foreigners stored outside the United States, what’s to stop the government of another country from getting your emails even though they are located in the United States? We believe that people’s privacy rights should be protected by the laws of their own countries and we believe that information stored in the cloud should have the same protections as paper stored in your desk. Therefore, Congress needs to modernize the law and address these fundamental issues.
ACT | The App Association Disappointed by Supreme Court Decision to Review Second Circuit Ruling on Warrants for Data
The App Association President Morgan Reed issued the following statement in response to the Supreme Court’s announcement.
“As Americans, business owners, and innovators, we are disappointed by the Supreme Court’s decision to grant cert, which could reverse the Second Circuit’s recent ruling on extraterritorial warrants for data. Granting law enforcement access to foreign citizens’ data stored overseas would allow other nations to demand the same access to U.S. citizens’ data, even when that data is stored within the United States. This environment could complicate the free flow of data on which so many American businesses depend. Congress must act, or else American companies will continue to face challenges and missed opportunities when presented with legal ambiguities in requests for data stored abroad.
“We need Congressional action now more than ever. Under the current laws, American businesses are turned into victims of conflicting laws around the world, or worse, unwitting law-breakers. Courts can only interpret the laws that are on the books, and the decision by the Supreme Court underscores the urgency for Congress to act on this important issue. We urge Congress to move forward to advance modern legislation that respects law enforcement requests, protects people’s rights, and supports American businesses.”
There is an invisible resource that is essential to how we use our computers, phones, and even our household appliances. That resource is the cloud, and it is fundamental to the work of tech companies in Virginia like mine. However, our use of the cloud is hampered by outdated and contradictory laws controlling law enforcement access to data stored on foreign soil.
Our Representative Bob Goodlatte, Chairman of the House Judiciary Committee, has an opportunity to join his colleagues in Congress to update these important laws and preserve America’s continued leadership in the internet age.
ACT | The App Association Applauds House Introduction of ICPA Legislation
Representatives Doug Collins (R-GA-09), Hakeem Jeffries (D-NY-08), Darrell Issa (R-CA-49), and Suzan DelBene (D-WA-01) introduced H.R. 3718, International Communications Privacy Act (ICPA), which will help provide clear rules outlining law enforcement access to data stored overseas. With a membership base that relies on digital data flows and cloud computing to access and store data for users around the world, the introduction of this legislation is a significant step for ACT | The App Association’s members.
App Association President Morgan Reed released the following statement in support of the legislation.
“The House introduction of ICPA legislation is an important step for app developers, tech innovators, and American companies supported by the flow of data overseas. We applaud Representatives Collins and Jeffries for their attention and dedication to this crucial issue. Legal uncertainty regarding law enforcement access to data can have crippling effects on our members and American innovators at large. We have long advocated for a clear legal framework to remove conflicts between U.S. and other sovereign data access laws to support law enforcement, bolster consumer confidence in data privacy, and enable data-driven businesses to succeed. We look forward to working with Congress as this legislation moves forward.”
Tech companies and app developers have traveled a long and winding road awaiting legislation that would clarify when and how U.S. law enforcement agencies can access data stored abroad. We find ourselves in the middle of the journey to achieve these desperately needed reforms, caught between competing policy interests. In the absence of clear guidance defining lawful access to data, our members have encountered snags and obstacles around every bend. Fortunately, efforts to update the law benefit from strong leadership in Congress. Senators Orrin Hatch, Chris Coons, and several other policymakers and their staff are to thank for the significant progress in clearing a path for the International Communications Policy Act (ICPA) this year.
Pennsylvania Congressman Tom Marino issued the following statement following the Department of Justice’s petition seeking Supreme Court review of the Microsoft warrant case, in which the 2nd Circuit ruled that U.S. law does not extend warrants extraterritorially.
“Whether or not the Supreme Court decides to hear this case, it is abundantly clear that Congress should be progressing along with technological advancements. Congress can and should modernize digital data laws, ensure law enforcement can access evidence in a timely manner, and protect people’s rights.
“The United States’ digital data laws have not been updated in 30 years and we are now in need of a modern framework, such as my legislation introduced last Congress, the International Communications Privacy Act (ICPA), that establishes a legal standard for accessing all electronic communications. I intend to continue working with the other members of Congress in creating an updated, working data framework that will ensure the American people’s safety as well as our privacy.”
Senator Orrin Hatch, R-Utah, the senior member and former Chairman of the Senate Judiciary Committee and Chairman of the Senate Republican High-Tech Task Force, released a statement on the US Department of Justice’s decision to seek Supreme Court review of the Second Circuit’s ruling that US law does not extend warrants extraterritorially:
“I’m disappointed by the Department’s decision to seek Supreme Court review of the Microsoft warrant case. As I’ve said all along, courts should respect the time-honored principle that warrants stop at the water’s edge. Nevertheless, Congress can and should modernize data privacy laws to ensure that law enforcement can access evidence in a timely manner. My bipartisan International Communications Privacy Act (ICPA) would create a workable, modern framework for law enforcement access to electronic communications, and I intend to work my hardest to enact this crucial legislation into law.”
Brad Smith, Microsoft President and Chief Legal Officer, writes:
“Today the U.S. Justice Department asked the Supreme Court to reconsider a legal decision, in a case brought by Microsoft, which found that U.S. warrants cannot be unilaterally applied to email in other countries. It seems backward to keep arguing in court when there is positive momentum in Congress toward better law for everyone. The DOJ’s position would put businesses in impossible conflict-of-law situations and hurt the security, jobs, and personal rights of Americans.”
ACT | The App Association Responds to U.S. Department of Justice Request for Supreme Court Review of Lawful Access Case
Today, the U.S. Department of Justice asked the Supreme Court to review the 2nd Circuit ruling that U.S. law enforcement warrants cannot extend to data stored abroad. ACT | The App Association President Morgan Reed issued the following statement in response to the decision.
“Today, the Department of Justice requested Supreme Court review of the 2nd Circuit ruling that U.S. warrants for data stored abroad do not extend overseas. The request provides important attention to this issue, but even a Supreme Court decision would not offer a comprehensive solution to the legal ambiguities American app developers and tech companies face when they receive requests for data stored abroad.
“We believe Congress must act to update antiquated digital data laws to not only protect people’s rights and support American businesses, but ensure U.S. law enforcement can effectively access data to conduct their investigations. Our businesses and law enforcement bodies deserve clarity. We will continue to push Congress to move legislation modeled after the International Communications Privacy Act (ICPA) to set clear rules and expectations for accessing electronic communications. America’s leadership in technology and integrity in international investigations hinges on legislative action to make this right.”
Brad Smith, Microsoft President and Chief Legal Officer, writes:
“A consensus is emerging among technology companies, civil society, judges, law enforcement officials and other stakeholders on the need to modernize our country’s antiquated digital data laws. The Electronic Communications Privacy Act (ECPA) – enacted nearly 31 years ago – was written at a time when American industry’s technology, customer base and infrastructure were largely domestic. Congress never contemplated the need to establish rules for law enforcement to access data belonging to non-U.S. persons located abroad, or where technology companies are subject to conflicting legal obligations in another country.”
ACT | The App Association member Charlotte Tschider writes:
Cloud computing provides unprecedented opportunities for innovative small businesses to flourish in Minnesota, across the United States and around the globe. As the owner of Cybersimple Security, a small data privacy and security consulting firm, my clients frequently provide cloud-based services to global customers. Modern cloud services are an undeniably critical, cost-effective platform for small business technology operations. However, our country’s laws have not evolved to solve new technology challenges introduced by cloud services impacting U.S. growth and security, and this inaction has serious implications for America’s tech community.
As a small business owner and affiliated law school professor, I believe a bipartisan agreement on this issue is vital to the success of businesses in Minnesota and across the country, as well as our nation’s relationship with foreign governments. Congress cannot ignore this opportunity to protect American businesses, improve our relationships with foreign governments and support law enforcement’s ability to keep us safe.
A letter sent to lawmakers before Thursday’s hearing on lawful access made it abundantly clear that ICPA enjoys broad support within the tech industry. ACT | The App Association, BSA| The Software Alliance, Computer & Communications Industry Association (CCIA), Computing Technology Industry Association (CompTIA), Entertainment Software Association (ESA), Information Technology Industry Council (ITI), Internet Association (IA), National Association of Manufacturers (NAM), NetChoice, Reform Government Surveillance, TechNet, Telecommunications Industry Association (TIA), and the U.S. Chamber of Commerce all agree that ICPA would provide a good framework to build from.
ACT | The App Association’s Letter to the House Judiciary Committee
In a letter penned to House Judiciary Chairman Bob Goodlatte and Ranking Member John Conyers, ACT | The App Association urged members to reform the badly outdated Electronic Communications Privacy Act (ECPA). The legal ambiguity under the current framework not only harms the American tech industry’s ability to innovate, but also hurts law enforcement’s ability to effectively protect national security.
Old Law, New Technology, and the Congressional Need to Update ECPA
Last week, witnesses before the Senate Judiciary Committee faced much more amicable questions than then-Judge Gorsuch. In a rare moment of bipartisan consensus, Senators on both sides of the aisle agreed to pass legislation by year end. The subject: law enforcement’s ability to collect email evidence under the Electronic Communications Privacy Act (“ECPA”). While electronic communications have changed rapidly, the law protecting consumers’ private data has stood still. ECPA was written when Facebook founder Mark Zuckerberg was two years old. Back then, emails were an up-and-coming technology with no international implications, and storing an email was a costly affair. As the hearing last week underscored, it is time for Congress to take ECPA out of storage and fix it.
With Privacy Legislation, Congress Can Safeguard the Digital Domain
Seemingly overnight, sending an email has become fraught with peril. Every day, we hear reports about phishing scams and malevolent viruses designed by cybercriminals and belligerent governments alike. But, unknown to many surfers of the digital domain, our own government has exploited loopholes and ambiguities in current law to snag important user information without obtaining permission in a court of law.
Op-ed: Utah’s tech renaissance threatened unless Congress acts to update archaic law
ACT | The App Association member Jeff Hadfield, owner of Salt Lake City’s 1564B, writes:
“[Senator Orrin] Hatch helped jump-start Congress’ interest in this issue last year when he introduced the International Communications Privacy Act (ICPA). Though it did not pass, this legislation would have helped to clarify the responsibilities of businesses storing data overseas, ensure law enforcement has the tools it needs to access information abroad and restore the trust of foreign companies storing data in the United States. This week, legislators on the Senate Judiciary Committee have an opportunity to revisit this vital issue.
“It’s imperative that Congress quickly address the ambiguity within our current law. As every company becomes a software company, we need legislation that supports our companies’ ability to store data overseas, protects our individual privacy rights and helps U.S. law enforcement do its important job. Utah’s tech renaissance, and the success of cloud-driven companies across our country, depends on it.”
During AppCon, ACT | The App Association’s annual fly-in, 50 App Association members stormed Capitol Hill to deliver a strong message that Congress must update the Electronic Communications Privacy Act (ECPA). The ambiguity in current law, enacted in 1986, troubles App Association members, all of whom are small- and medium-sized companies. Every day 2.5 quintillion bytes of data are created, and nearly all of our members provide apps or platforms that require the transmission, storage, or processing of that data across international borders. Without clear guidance within ECPA outlining when and how U.S. law enforcement may access data, businesses of all sizes face uncertainty and serious threats to their operations and success.
Constituent meetings, like the ones held during AppCon, allow Members of Congress to hear from the people they represent on the issues that impact them most. In more than 120 meetings, App Association members engaged Members of Congress, committee staff, and White House officials, in discussions about the impacts and challenges regarding ECPA. Throughout the meetings, one message was clear: while our members support law enforcement officials and want to help them do their job, ECPA’s ambiguity is legally and financially untenable for small businesses attempting to comply with conflicting laws.
Here’s why. Treatment of data stored abroad is not exclusively the concern of big businesses, and small businesses are often at greater risk. Despite their size, small app companies make a big impact—they not only make the interfaces, but they design and maintain the software components of everything from the internet of things (IoT) to back-office inventory management. They are part of a rapidly-growing, $143-billion ecosystem, without which the $8-trillion IoT revolution would not be possible, and they are sharing and storing data in all corners of the globe. Considering the international nature of cloud storage, ECPA’s outdated approach puts small companies between U.S. and foreign jurisdictions, without the resources to combat sovereign governments in court.
If we allow conflicts between U.S. and foreign data access laws to continue, we risk quietly killing our most productive businesses and stifling our fastest-growing, most innovative sectors. That’s why App Association members sought an audience with their representatives in Washington and why the App Association will continue to advocate for updated ECPA legislation. We hope policymakers are listening closely.
To urge congressional support for this important legislation, please join the petition here.
Congress Must Act Quickly To Protect Americans’ Safety And Privacy
Take a look at your email inbox. Are there emails older than 180 days? If so, you should know that the United States government considers them to be “abandoned,” which entitles Uncle Sam to get his hands on them.
An outdated loophole in the Electronic Communications Privacy Act (ECPA) makes Americans vulnerable to snooping federal agents seeing very things such as health information, credit card statements and racy pictures. This antiquated law was created long before emails, text messages and online messaging services became a vital part of modern life. As a result, the ECPA must be updated to reflect today’s technology, while striking the proper balance between privacy and security.
This month, a Senate Committee is expected to study the idea of just how far around the world U.S. warrants should reach. The outcome of that study will directly influence how data is stored worldwide. Seizure of data stored overseas is being proposed in the name of fighting crime, yet it could affect the average Iowan who stores data in the cloud. Most Iowans have heard of the cloud, but know almost nothing beyond that … cyberspace! The vast majority of Americans have no idea that their data is likely to be stored in a foreign nation.
Ambiguity and Conflict in Access to Data: A Job for Congress
A simple flaw in federal law has led to a series of setbacks for both U.S. companies and law enforcement. Believe it or not, the law is not settled on whether or how U.S. law enforcement can access data stored overseas by a U.S. company. The answer depends on whom you ask and which federal circuit you’re in. The problem can be traced to ambiguity in a federal statute written in 1986, long before the internet became a commercial phenomenon. Simply put, the Electronic Communications Privacy Act (ECPA) does not clearly say how law enforcement may access data stored by an American company overseas.
According to the Department of Justice (DOJ), U.S. law enforcement may obtain the content of communications stored overseas using a warrant or subpoena under ECPA, even if the communications belong to someone who is neither a U.S. citizen nor a U.S. legal permanent resident. Governments (including ours) generally view data pertaining to their citizens—and stored within their borders—to be subject to their jurisdiction. The DOJ’s view of its cross-border authority and foreign governments’ jurisdictional views are in direct conflict. This jurisdictional clash puts companies that are the subject of such requests in an untenable situation—companies must either break the law of the country where the data is stored to comply with the U.S. warrant; or ignore U.S. law enforcement requests and abide by the other country’s laws.
This isn’t to say DOJ’s position is meritless or impossible to understand. If it can’t access data overseas with a warrant, DOJ is forced to make a request of the foreign government under rules set forth in the mutual legal assistance treaty (MLAT) the United States has with that country. Unsurprisingly, this process can be time-consuming and, when dealing with an uncooperative country, fruitless. On top of this, many existing MLATs are thought to be just as out-of-date as U.S. law in this area. If ECPA gives DOJ extraterritorial reach, many of these difficulties are mitigated.
But the reality isn’t so simple. The conflict has come to a head in the Second and Third Circuits, which have thus far reached different conclusions. In the first case, U.S. law enforcement sought an Irish citizen’s communications, stored by Microsoft in servers based in Ireland. Microsoft disputed the warrant, arguing that it threatened its core business, Ireland’s sovereignty, and the privacy and security of consumer data. A three-judge panel of the Second Circuit ruled for Microsoft in July 2016, quashing the warrant, and a split circuit denied an en banc rehearing on January 24, 2017. Conversely, a magistrate judge in the Third Circuit on February 3, 2017, ordered Google to comply with warrants issued under ECPA regarding data stored overseas. As a result, at least one magistrate judge in the Third Circuit sides with DOJ’s view that it can obtain communications stored in jurisdictions outside the United States, while the Second Circuit would quash a warrant seeking access to data overseas.
So what does this mean for U.S. companies that store data abroad? For one thing, it means their obligations are unclear when U.S. law enforcement seeks that data. Separately, when such a request is made, a company must be prepared to fight whichever government’s laws it chooses to ignore. This is especially difficult for small- and medium-sized businesses, like many App Association members, that often don’t have the extra resources necessary to take on sovereign governments in court. As Chairman of the House Judiciary Committee, Bob Goodlatte, said in 2016, “The result of these conflicts is that U.S. technology companies find themselves with a Hobson’s choice. Either comply with U.S. law, or comply with foreign law. But, it is increasingly impossible to comply with both. This is an untenable situation for U.S. tech companies.”
The problem Congress needs to solve is twofold: 1) U.S. law is written for old technology, making it ambiguous enough to permit conflicting interpretations; and 2) DOJ’s current interpretation is apparently inconsistent with foreign jurisdictions’ laws. Representative Tom Marino (R-PA-10), Senator Orrin Hatch (R-UT), Senator Coons (D-DE) and Representative DelBene (D-WA-1), developed laudable solutions last year. Although these measures apparently failed to satisfy DOJ, they garnered significant support among tech groups and other Members of Congress. The App Association strongly supported the 2015 Law Enforcement Access to Data Stored Abroad (LEADS) Act—which had 137 cosponsors in the House—as well as its next iteration, the International Communications Privacy Act (ICPA). Both measures would have clarified the rules of the road for U.S. law enforcement agencies as they seek to obtain communications stored abroad in a manner that is reconcilable with foreign jurisdictions’ laws. This year, we are looking forward to the introduction of the next version of these measures. And we are happy to support the policymakers who are working on a solution that respects foreign sovereignty while empowering DOJ to effectively investigate international criminal enterprise.
Microsoft’s lawsuit against government gag orders will move forward
Microsoft’s lawsuit against the Department of Justice will continue, according to a ruling today from Western Washington District Court. The ruling is a crucial early hurdle for Microsoft’s case, which argues that the government’s gag-ordered searches of Microsoft accounts violates the constitutional right to free speech.
“Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them,” the company argued in its initial complaint.
Although it clearly violates the Fourth Amendment, the government claims that the 1986 Electronic Communications Privacy Act (ECPA) grants them this authority. Under this Reagan-era legislation, law enforcement can access any electronic communications data it wants so long as it is over 180 days old.
The truth is that ECPA is making us less safe. While Big Brother’s true intention might be to fend off cyber attacks, it is actually weakening our security by creating tens of thousands of false leads.
A holiday surprise: Will Congress protect privacy?
The recent move by the Department of Justice (DOJ) to re-open a case against Microsoft illustrates the need for Congress to protect the privacy rights of all Americans by passing International Communications Privacy Act (ICPA). The rumor has it that this bill will be considered on the floor before Christmas, and that’s a good thing — enacting ICPA and safeguarding the Fourth Amendment should be a priority for this session.
The case against Microsoft involved an attempt by the DOJ to obtain information stored on foreign located “cloud servers” without a warrant from law enforcement in the country where the server is hosted.
In a response to DOJ’s recent petition asking the 2nd Circuit Court of Appeals to rehear the Microsoft case — which established that U.S. law enforcement agencies could not use warrants to obtain email data stored overseas — the legislative sponsors of the International Communications Privacy Act note that this back-and-forth further strengthens the case for advancing the bill.
ACT | The App Association also noted that the DOJ filing reaffirmed the legislative gap that currently exists. “The Justice Department’s petition for a rehearing of the Second Circuit’s earlier unanimous decision only reinforces the need for Congress to act by passing the International Communications Privacy Act and clarifying law enforcement’s ability to access data stored abroad,” writes Morgan Reed, the [App Association]’s executive director. “Rather than continuing to litigate, the Justice Department should work with Congress to modernize our laws for the digital world.”
Lawmakers question DOJ’s appeal of Microsoft Irish data case
Four U.S. lawmakers are questioning a Department of Justice decision to appeal a July court decision quashing a search warrant that would have required Microsoft to disclose contents of emails stored on a server in Ireland.
Last Thursday, Preet Bharara, U.S. Attorney for the Southern District of New York, filed an appeal of the ruling by a three-judge panel of the U.S. Court of Appeals for the Second Circuit.
But the four lawmakers, two Republicans and two Democrats, said the DOJ should be working instead with them on legislation that gives law enforcement agencies access to data on foreign servers in limited cases. The DOJ should instead help fine tune the International Communications Privacy Act (ICPA), introduced earlier this year, the four sponsors said in a Friday letter.
The Entertainment Software Association, a trade group for computer and video game companies, chimed in with its support for the International Communications Privacy Act this week, citing the need to “modernize our outdated electronic privacy laws.” In a letter to congressional leaders of the House and Senate Judiciary committees, the organization notes that gamers develop virtual communities online that are filled with stored communications that should be protected. The group suggests ICPA could help by establishing a standard for law enforcement agencies to handle requests for accessing data at home and abroad. “Every day millions of gamers link up on game networks to compete in games ranging from a handful of participants to thousands. They communicate by text and voice chat,” ESA writes. “Their privacy matters.”
Progress will…require closer collaboration internationally. Data needs to move across borders, but people need to retain their rights in their personal information and governments need the ability to work together to protect public safety. A new generation of global technology requires a new generation of international law.
A coalition of tax organizations is pushing for passage of the International Communications and Privacy Act of 2016, arguing it would protect the privacy of U.S. citizens, while ensuring that law enforcement has necessary channels to access information stored abroad. In a letter to Sen. Chuck Grassley and Rep. Bob Goodlatte, the groups suggest the bill offers a balanced approach: “[It] expresses the sense of Congress that data providers should not be subject to data localization requirements that are incompatible with the borderless nature of the internet,” they write.
Senators Orrin Hatch (R-Utah), Chris Coons (D-Del.), and Dean Heller (R-Nev.) have recently introduced a bipartisan bill that they think is the right place to start: the International Communications Privacy Act (ICPA).
Officially, the ICPA would “clarify U.S. law enforcement’s ability to obtain electronic communications around the world.” Unofficially, it would put an end to the Judiciary Department’s potential temper tantrum.
It’s time for update to communication privacy laws
A bipartisan group of U.S. senators and representatives has introduced legislation that will safeguard the electronic communications of businesses and citizens alike. The International Communications Privacy Act clarifies the scope of legal authority U.S. law enforcement has when obtaining electronic communications, including those stored overseas. The legislation enables law enforcement access to electronic communications, through a lawful process, protecting our right to privacy.
Reform of ECPA Balances Privacy with Law Enforcement Needs
As a result of change in technology, the Electronic Communications Privacy Act (ECPA) has come in need of being modernized. Three federal legislators, Sens. Orrin Hatch (R-UT), Chris Coons (D-DE) and Dean Heller (R-NV), also working with House Speaker Paul Ryan (R-WI), Senate Majority Leader Mitch McConnell (R-KY) as well as Sens. Chuck Grassley (R-IA) and Patrick Leahy (D-VT), the Chairman and Ranking Member of the Senate Judiciary Committee respectively, have introduced the International Communications Privacy Act (ICPA). This legislation will update ECPA to address privacy and law enforcement issues in a world where technology has marched forward beyond current law.
The key to the reform is balancing the need for strengthened consumer privacy in electronic communications while also recognizing and facilitating the need for law enforcement to access data, via the requirements of a warrant process, when needed. ICPA accomplishes both of these concerns, neither of which are addressed by the current law.
2nd Circ. Microsoft Ruling: A Plea For Congressional Action
…a bipartisan group of legislators, led by Sens. Orrin Hatch, R-Utah, Christopher Coons, D-Del., and Dean Heller, R-Nev., has already joined to sponsor a proposed law known as the International Communications Privacy Act (ICPA).
In addition to amending the Electronic Communications Privacy Act to require a search warrant to obtain the content of all electronic communications stored with electronic communication and remote computing service providers, the ICPA would make clear that U.S. prosecutors can only use U.S. law to seize data located abroad if the data belongs to a U.S. person or entity or, in the case of a foreign person, where the relevant country does not object or does not have a law enforcement cooperation agreement with the U.S. ICPA would also reform the mutual legal assistance treaty process by providing greater accessibility, transparency and accountability. In addition, the bill expresses the sense of Congress that data providers should not be subject to data localization requirements.
Extraterritorial Search Warrants for Internet Content: A Bad Idea
The United States should refrain from extraterritorial search warrants to seize electronic information stored abroad on foreign servers from United States Internet companies. A panel of the United States Court of Appeals for the Second Circuit in Microsoft Corporation v. United States (July 14, 2016), recently held that the 1986 Stored Communications Act did not authorize such warrants, but the Department of Justice will seek new legislation to do so.
Privacy is the rule and government encroachments are the exception under the Fourth Amendment in our liberty-centered constitutional universe. An investigation, simpliciter, causes the target continuing anxiety, hefty attorney’s fees, and permanent reputational damage without legal redress. Thus, Congress should refrain from authorizing an investigative tool without tangible, non-speculative proof of necessity in the detection and prosecution of serious crimes.
Microsoft’s president explains the company’s quiet legal war for user privacy
Brad Smith: We’re not fans of data localization — the last thing the world needs is 193 members of the United Nations demanding that data only be stored within their own borders. This is really a set of issues where the tech sector tends to be pretty united.
What we really therefore need is new regulation. We think there is a good bipartisan bill now pending in both houses of Congress called the International Communications Privacy Act or ICPA.
U.S. to Allow Foreigners to Serve Warrants on U.S. Internet Firms
Microsoft President and Chief Legal Officer Brad Smith said the company shares concerns about the “unintended consequences” of excessive data localization requirements.
“But rather than worry about the problem, we should simply solve it” through legislation, Mr. Smith said. Microsoft supports the proposed International Communications Privacy Act. The legislation would, among other provisions, create a framework for law enforcement to obtain data from U.S. citizens, regardless of where the person or data was located.
ACT | The App Association and several tech groups, including CTA, CCIA and TechNet, sent a letter to the House and Senate Judiciary Committees this morning, expressing support for the International Communications Privacy Act, a bipartisan bill introduced this past May. The legislation establishes a legal framework for how U.S. law enforcement can access the digital data of Americans and foreign nationals, regardless of where it’s geographically stored. “ICPA reinforces that U.S. law enforcement must obtain a warrant for any electronic content for U.S. persons, settles uncertainty around obtaining such information for foreign nationals, and augments international rule of law by improving the MLAT process,” they write.
Tech Groups: Pass International Communications Privacy Bill
A group of major tech industry groups are calling on House and Senate Judiciary Committee leaders to act on legislation to clarify the legal process for law enforcement officials to seize communications stored abroad.
The tech groups, which include the Consumer Technology Association, the Internet Association, CompTIA, and [ACT | The App Association], called on leaders to pass a bill to help firms competing in cloud computer services in a letter released Thursday.
Congressional backers of the International Communications Privacy Act (ICPA) hailed the Second Circuit appeals court’s decision in Microsoft v. U.S. as providing momentum to their bill.
In a 3-0 decision, the U.S. Court of Appeals for the Second Circuit Thursday (July 14) ruled that courts are not authorized to issue warrants on U.S. service providers for the seizure of e-mails stored on foreign servers.
The ICPA provides a way for U.S. law enforcement to get access to electronic communications wherever they are located.
Microsoft Wins Protection for E-Mails Stored Outside U.S.
The company hopes the ruling prompts the Justice Department to prioritize new legislation, now that it can no longer rely on this statute to gain overseas data, Microsoft President and Chief Legal Officer Brad Smith said in an interview. Microsoft supports a bill called the International Communications Privacy Act that would make people subject to the data privacy rules of the country where they reside or have citizenship, Smith said.
“The government is going to have to decide where it wants to go with this case — we can all spend two years in court arguing about a statute that was passed in 1986 or we can focus our energy on hammering out a law for the future,” Smith said. “Our view is we should focus on the future rather than argue about the past.”
Microsoft scored a big legal victory today in a closely watched court case with data privacy implications for individuals and businesses around the world.
On July 14, the United States Court of Appeals for the Second Circuit in New York reversed an earlier District Court ruling that ordered Microsoft to turn over Outlook.com emails sought by the U.S. Department of Justice that were stored on a data center located in Ireland. In 2013, the DOJ had served the Redmond, Wash.-based technology giant a warrant for the emails. Arguing that under U.S. law, warrants cannot be enforced in other countries, Microsoft challenged the U.S. government in court.
Justice Department Overreach Slammed By US Appeals Court
The United States Court of Appeals for the Second Circuit has slammed a Department of Justice effort to bypass normal procedures when attempting to secure information stored on cloud-based storage services. The decision is a major victory for the Fourth Amendment.
The facts of the case were clear-cut. An Irish citizen under investigation by DOJ stored information on an Irish company’s servers. By treaty obligation, DOJ was required to request the cooperation of the Dublin government to obtain a warrant on their behalf. Instead, DOJ lawyers demanded that Microsoft, the storage service’s parent company, turn over the information with just a simple domestic warrant. Microsoft refused, demanding that the government follow established procedures.
Long past time to fix evidence-sharing across borders
The International Communications Privacy Act (ICPA), introduced at the end of May by Sens. Orrin Hatch (R-Utah), Dean Heller (R-Nev.) and Chris Coons (D-Del.), takes steps in this direction, picking up where last year’s Law Enforcement Access to Data Stored Abroad (LEADS) Act left off but improving it. The LEADS Act, in addition to implementing various process and transparency improvements to the MLAT process, sought to effectively prevent U.S. judges from compelling cloud companies to bring content data stored overseas back to the United States unless that content is of a U.S. person. The ICPA maintains this legal limitation but, in a major improvement, also allows such a warrant if the content is of a foreign national located in a country without an MLAT agreement with the United States.
Senators want warrant protections for US email stored overseas
A new bill in Congress would require U.S. law enforcement agencies to obtain court-ordered warrants before demanding the emails of the country’s residents when they are stored overseas.
The International Communications Privacy Act, introduced Wednesday by three senators, would close a loophole that allows law enforcement agencies to request emails and other electronic documents without warrants.
Sens. Move To Set Limits On Feds’ Overseas Data Demands
A bipartisan trio of senators on Wednesday took another stab at clearing up the debate over the U.S. government’s ability to access user data stored abroad by rolling out a revamped legislative proposal that would establish a blanket warrant requirement and reform the process for cooperating with foreign governments on such demands.
Under the International Communications Privacy Act, or ICPA, law enforcement agencies would be allowed to obtain from service providers the electronic communications of U.S. citizens and permanent residents regardless of where the individual or communications are located, but must first obtain a warrant before being permitted to access the data.
Extraterritorial law enforcement: Be careful what you wish for
We should not open ourselves to complicity in the suppression of democracy and human rights abroad for a minuscule law enforcement advantage to us.
That does not mean that nothing can be done to enhance international collaboration. Mutual Legal Assistance Treaties (MLAT) are a time-honored instrument for government-to-government sharing of evidence relevant to criminal cases or other government investigations. They can be custom tailored to avoid implicating the United States in the oppressions of many foreign governments, for example, carving out political offense or human rights exceptions.
In sum, the United States has not made a convincing case for extraterritorial search warrants. It should withdraw its effort to compel Microsoft to produce electronic information stored in Ireland, and go work on improving its MLATs.
Despite the fact that game consoles, gas prices and movies have all evolved, the 1986 Electronic Communications Privacy Act (ECPA) remains on the books today, despite stagnant provisions that failed to imagine the exponential evolution of the Internet and computers over three decades.
Access to Data Must Be Governed by Modern Law — Why Congress Must Act
Antiquated and outdated are words I hear too often when someone describes the federal government’s approach to information technology — or the corresponding laws and policies governing its implementation. During my nearly 27 years of public service, it was clear that the government’s response to new technology was often delayed by the challenges of reconciling new technology with existing law. Many laws today, including the Electronic Communications and Privacy Act, are decades out of date and do not address the use of cloud computing and mobile devices.
For years, Congress has been struggling to find a way to balance privacy in the digital age with the needs of law enforcement to do their job. That problem becomes more complex when American data is stored overseas. Finding a way to balance the rights of citizens, the role of information technology companies, and the justice system is difficult. But it has been done. Now Congress needs to act.
Microsoft’s Brad Smith on balancing privacy and security in data access case
In December 2013, the Department of Justice served Microsoft with a warrant requiring the company to hand over the e-mails of a Microsoft customer suspected of drug trafficking.
Microsoft refused to turn over the e-mails on the basis that they are stored in servers at a data center in Ireland and that the warrant did not apply to overseas data. Instead, Microsoft argued the DOJ should work with Irish authorities to obtain access to the data. In July 2014, a district court ordered Microsoft to turn over the e-mails, but Microsoft appealed to the Second Circuit Court of Appeals, which heard arguments earlier this month.
In light of the significance of this case for US consumers and businesses, and the impact that its outcome could have on the privacy of digital communications, Brad Smith, executive vice president and general counsel for Microsoft, took the time to answer some questions regarding the case and what its outcome might mean.
Google demands reform for 30-year-old U.S. data privacy act
One of the circumstances in which law enforcement can currently exploit vagaries in the ECPA is to obtain access to data owned by a foreign citizen without a warrant. The Department of Justice, for example, can claim that right when the data is stored in the servers of an American company, regardless of data privacy rights granted the citizen by his own country’s laws.
Some believe this use of the ECPA is hurting U.S. tech companies’ trade relations with other countries. The App Association’s Morgan Reed had this to say about that claim during testimony in front of a Senate committee Wednesday:
“For American tech companies to remain global leaders, we must be clear with our trading partners that their citizens can store data in their home country with a U.S. company and retain the privacy protections provided by their sovereign government,” Reed said.
Microsoft case: DoJ says it can demand every email from any US-based provider
The United States government has the right to demand the emails of anyone in the world from any email provider headquartered within US borders, Department of Justice (DoJ) lawyers told a federal appeals court on Wednesday.
The case being heard in the second circuit court of appeals is between the US and Microsoft and concerns a search warrant that the government argues should compel Microsoft to retrieve emails held on a Hotmail server in Ireland.
Microsoft contends that the DoJ has exceeded its authority with potentially dangerous consequences. Organizations including Apple, the government of Ireland, Fox News, NPR and the Guardian have filed amicus briefs with the court, arguing the case could set a precedent for governments around the world to seize information held in the cloud. Judges have ruled against the tech company twice.
The Case That Has Microsoft, Apple and Amazon Agreeing for Once
The U.S. and other countries should work on a legal framework for cross-border data-access protocols, Smith said. In Brazil, Microsoft is caught in a “firing line between two sets of laws,” just one of “what will be many instances like this if governments don’t come together to put their laws on a similar path.”
Think of what would happen, he said, if China demanded the e-mails of a U.S. citizen kept in the data-storage center that Chinese Internet giant Alibaba Group Holding Ltd. is opening in Santa Clara, California. “Do we want American privacy rights to be subject to foreign laws rather than our own?” he said. “If the answer is no, we better decide we’re not going to try to impose our law on other people.”
This warrant case only encourages foreign leaders who argue American companies should be excluded from providing cloud services within their borders. That would shut out companies such as Microsoft, Amazon, Apple, Cisco and Google. If these companies were banned from foreign markets, it would have a devastating impact on the U.S. technology industry.
Such actions would have significant consequences for the $87 billion mobile app industry. App companies are found in every congressional district, and make a large portion of their revenue from overseas sales through the Apple App Store, Google Play and Microsoft’s Windows Phone store. If those companies are restricted from operating in foreign markets, app makers would be left without a marketplace.
The Snowden revelations aren’t a genie we can stuff back in the bottle. And the DOJ is continuing to pursue its warrant case. But Congress can address those concerns and ensure that American Internet companies can safely store critical data abroad.