Law enforcement and data privacy: a forward-looking approach.

AuthorShah, Reema

The Edward Snowden revelations illustrated the ramifications of a domestic and international legal infrastructure that failed to keep up with technological advancements. The USA PATRIOT Act and other national security laws were ill-equipped to handle developments in bulk data collection. This failure is increasingly evident in the law enforcement context as well. Cloud computing and encryption have fundamentally unsettled the assumptions underlying the existing warrant regime.

The privacy concerns that crystallized in the wake of the Snowden disclosures have had ripple effects beyond the national security context. Private companies, NGOs, and foreign governments reacted forcefully to the revelations, effecting new laws and policies to shield information from the National Security Agency. A defining feature of this new era is the increasingly contentious relationship between the U.S. government and major U.S. technology companies, such as Apple and Google. (1) Foreign customers, suspicious of U.S. technology companies' relationship with the government, have threatened to switch to local Internet providers. The commercial implications of such a switch would be severe. By some estimates, losing business abroad could cost U.S. technology companies over one hundred eighty billion dollars in the market for cloud computing. (2) Accordingly, these companies have abandoned their longstanding policies of quiet cooperation with Washington. Instead, they now seek to outdo one another in demonstrating their independence from the government and their commitment to consumer privacy. For instance, Microsoft, with the support of many others in the industry, is in the midst of litigation challenging the territorial scope of U.S. warrants. (3) Apple and Google recently announced that their new systems would encrypt content on mobile phones in a manner that makes it impossible for the companies themselves to access the data on locked phones. (4) By encrypting content so heavily as to render warrants ineffective, this policy poses a direct obstacle to law enforcement's ability to access necessary electronic content.

In conjunction with new technologies that make such noncompliance possible, this acrimony clarifies the need to update the existing warrant doctrine. This Comment aims to begin that process. It rethinks the reach of warrants in light of cloud computing and proposes a legislative mechanism to ensure the continued effectiveness of warrants given developments in encryption technology. In doing so, this Comment strives to introduce better incentives and align the numerous interests implicated in data regulation. In order to succeed in the long run, any successful warrant regime must account for not only the government's interest in law enforcement, but also the individual consumer's interest in privacy and the commercial interests of technology companies.

Part I surveys the problems that recent developments have exposed in the current legal regime. Part II argues that in an era of cloud computing, hinging law enforcement access to data on its physical location increasingly makes little sense. Part III explores how encryption renders even clearly valid warrants insufficient and recommends legislative reform to address this impending reality.

  1. LAW ENFORCEMENT AND PRIVACY: THE ECPA'S OUTDATED APPROACH

    Since 1986, the Electronic Communications Privacy Act (ECPA) has regulated law enforcement's ability to access electronic data. Its second section, the Stored Communications Act (SCA), stipulates that providers must disclose the content of electronic communications held in an account for more than 180 days if the government produces a subpoena or court order. (5) If such communication has been stored for fewer than 180 days, the government must obtain a search warrant. (6) Whereas the Fourth Amendment "probable cause" standard is required for a warrant, the government can obtain a subpoena or court order if it can establish reasonable grounds to believe that the contents are relevant to a criminal investigation--a lower standard. As is readily apparent, the ECPA is sorely outdated in terms of the kinds and scope of privacy protection it offers. The distinctions drawn in the ECPA between communications stored for more or less than 180 days are vestiges of a bygone era, and many have argued that they should be abolished. (8) Yet as a recent Second Circuit case illustrates, the ECPA's problems go deeper than these artificial lines.

    In December 2013, federal prosecutors obtained a warrant for emails associated with an account held by Microsoft. Because much of the email content was stored on servers in Ireland, Microsoft challenged the warrant, arguing that it could not be applied extraterritorially. Microsoft pointed to the Federal Rules of Criminal Procedure as well as the statutory presumption against extraterritoriality. (9) It argued that in order to obtain the email content, the United States must go through the bilateral process established in the Mutual Legal Assistance Treaty (MLAT) between the United States and Ireland. (10) Under that mechanism, Irish courts would determine the validity of the request pursuant to their own local law before turning over data to U.S. authorities--a notoriously slow and cumbersome process. (11) Yet in In re Warrant To Search a Certain Email Account Controlled & Maintained by Microsoft Corp., the court rejected this argument, declaring that, under the SCA, U.S. Internet service providers served with a warrant must produce information "within [their] control" regardless of where it is stored. (12) Microsoft appealed, and a decision from the Second Circuit is expected in the coming months. (13)

    Regardless of the outcome, the case highlights the limitations of the SCA, particularly the uncertainty about its extraterritorial application and scope. The statute was devised for a world in which the Internet was predominantly an American system. Yet in the past decades, the Internet has become thoroughly global, both in terms of its users and infrastructure. The SCA has failed to keep up with this transformation. In response, a bipartisan group of senators has attempted to address this deficiency by proposing the Law Enforcement Access to Data Stored Abroad Act (LEADS Act). (14) The LEADS Act requires a warrant for any access to communications content (15) and stipulates that warrants served to U.S. providers cover content stored abroad (as well as content stored in the United States) if that content is held in the account of a U.S. person. For non-U.S. persons whose content is stored abroad, the government must go through the MLAT system.'6 While the bill marks an important first step, a closer look reveals that it does not fully address the flaws of the SCA.

  2. RETHINKING THE REACH OF WARRANTS IN THE ERA OF THE CLOUD

    The approach embodied by current proposals for reform, such as the LEADS Act, is insufficient in an era of rapidly changing technology--in particular, cloud computing. The Act's limitations reveal the need to adjust the current focus on territoriality. A warrant regime that hinges on user nationality and content origination preserves law enforcement's ability to investigate effectively by securing a warrant of appropriate scope, but creates better incentives than the current territorial approach and is more attuned to the commercial and privacy interests at stake.

    1. The Weaknesses of the LEADS Approach

      Most problematically, the LEADS approach will be unable to keep pace with advancements in cloud computing. In cloud computing, Internet service providers move data among different data servers all over the world, rather than storing data in one physical location. This design is meant to meet users' needs efficiently and balance burdens on the networks used by providers. Its benefits are purported to include significant cost savings as well as increased innovation, (17) and the market for such services is expected to be two hundred seven billion dollars annually by 2016.18 Yet if the premise of cloud computing is a load-balancing system that stores data in different countries at different points in time, the LEADS Act approach leaves critical questions unanswered when content belongs to non-U.S. persons. How are we to discern whether a U.S. warrant can reach the data? Will a U.S. warrant be applicable if the data was ever stored in the United States? Or is it valid only while the data is stored in the United States? This ambiguity constitutes a critical shortcoming that will become more acute as the Internet grows more cloud-centered.

      Relatedly, when government access to information turns on the physical location of servers, it increases pressure for data localization mandates. Data localization laws require companies to store data collected in a country on servers in that country. Technology companies have vehemently protested such mandates, emphasizing that localization does not make data more secure and that it could result in the "effective Balkanization of the Internet and the creation of a 'splinternet' broken up into smaller national and regional pieces... to replace the global Internet." (19) Nonetheless, in the post-Snowden era, many foreign governments have proposed or passed such laws in a purported effort to protect their citizens from U.S. surveillance. (20) The dichotomy set up by the LEADS Act approach will accelerate this trend. It gives credence to the notion that governments have special ownership over data stored physically within their borders. In doing so, it encourages foreign governments to view localization mandates as a mechanism for avoiding time-consuming and uncertain requests to other countries when their law enforcement requires access to electronic content.

      The impact of this trend is...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT