TABLE OF CONTENTS
I. INTRODUCTION
II. FOURTH AMENDMENT, STORED COMMUNICATIONS ACT, AND MLATS: OLD LAWS FOR NEW TECHNOLOGIES
    A. The Fourth Amendment
    B. The Stored Communications Act
    C. Mutual Legal Assistance Treaties
III. SOMETHING OLD, SOMETHING NEW, AND SOMETHING MOOT: UNITED STATES V. MICROSOFT CORPORATION
IV. THE CLOUD ACT
    A. Privacy Problems with Respect to Qualifying Foreign Governments
    B. Privacy Problems with Respect to Non-Qualifying Foreign Governments
    C. Privacy Problems from Foreign Countries' Perspectives
V. AN ALTERNATIVE ROUTE FOR PRIVACY AND DATA ACCESS: A MULTILATERAL TREATY
VI. CONCLUSION

I. INTRODUCTION
The ubiquitous use of the Internet has increased law enforcement agents' reliance on data stored by information and communications technology (ICT) companies. Since many of the major ICT companies are located in the U.S., (1) courts and law enforcement agents around the globe have to seek the U.S. government's assistance in obtaining necessary digital evidence. (2) For instance, in an investigation regarding French citizens who reside in Paris, French law enforcement agents might have to request assistance from the U.S. Department of Justice if the suspects in question were using a U.S.-based email service. (3) Unfortunately, the available methods to obtain evidence in the U.S. are slow and opaque. (4) This prolonged cross-border data access process frustrates foreign countries, as it is hard, if not impossible, for them to access evidence about even their own citizens related to a crime occurring in their own territory. (5)
The emergence of cloud computing has exacerbated this frustration. Cloud computing refers to "storing and accessing data and programs over the Internet instead of your computer's hard drive." (6) Accordingly, the cloud prevents the loss of data due to computer crashes, is less vulnerable to theft, and provides an easy medium to share files. (7) To achieve these benefits, cloud service providers move an individual's data from one jurisdiction to another or "shard" the data and store it on servers in different jurisdictions. (8) Thus, though the user and the cloud service provider stay in a single jurisdiction, the data might travel through several jurisdictions, often unbeknownst to the user and the law enforcement agent. (9) This means that, to obtain a few emails, the law enforcement agent may have to initiate cross-border data access procedures in several countries, which would significantly prolong the prosecution or adjudication. As cloud computing becomes more prevalent, data travel, and thus burdensome cross-border data access procedures, may soon become the rule rather than the exception. (10)
Against this backdrop arose United States v. Microsoft Corporation (Microsoft Ireland), (11) where Microsoft refused to comply with a U.S. warrant because the requested data was stored in Ireland. (12) On March 23, 2018, while this case was pending before the Supreme Court, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into law. (13) Though the Microsoft Ireland case was mooted by the CLOUD Act, it remains relevant as it revealed countervailing opinions regarding the impact of cross-border data access on privacy and foreign relations. (14)
This Note will primarily focus on the privacy implications of the Microsoft Ireland case and the CLOUD Act, especially for non-U.S. citizens. Part II of this Note provides a background of the current legal system by explaining the Fourth Amendment privacy framework, the Stored Communications Act, and how Mutual Legal Assistance Treaties (MLATs) work. Part III outlines the facts, procedural history, and holdings of the Southern District of New York and the Second Circuit in the Microsoft Ireland case. Part IV examines the implications of the newly enacted CLOUD Act on the digital privacy of cloud users around the world and concludes that the digital privacy of users both inside and outside of the U.S. will diminish. While many commentators have focused on the privacy implications of the CLOUD Act on U.S. citizens, (15) this Note argues that the privacy ramifications of the CLOUD Act will be more severe for foreign citizens since their own countries, the U.S., and qualifying foreign governments will all have virtually unlimited access to their data with minimal safeguards. With these problems in mind, Part V proposes an alternative framework that would incorporate various stakeholders' interests more aptly than both MLATs and the CLOUD Act. Finally, Part VI concludes.
II. FOURTH AMENDMENT, STORED COMMUNICATIONS ACT, AND MLATS: OLD LAWS FOR NEW TECHNOLOGIES
Concerned with undue privacy interference by press journalists and photographers, Samuel Warren and future Justice Louis Brandeis conceived the idea of a right to privacy in their seminal article The Right to Privacy. (16) As the case law and doctrine evolved, five dominant species of privacy emerged: tort, Fourth Amendment, First Amendment, fundamental-decision, and state-constitutional privacy. (17) This Note is concerned with the Fourth Amendment's conception of privacy rights.
A. The Fourth Amendment
The Fourth Amendment protects individuals against "unreasonable searches and seizures" by the government. (18) Pursuant to Katz v. United States, (19) the Fourth Amendment applies when a person exhibits an "actual or subjective expectation of privacy" which society is prepared to recognize as reasonable. (20) However, throughout the 1980s, the Supreme Court significantly pared back this Fourth Amendment protection. (21)
The development of the third-party doctrine in cases such as United States v. Miller (22) was particularly significant in this process. (23) Under the third-party doctrine, which is still applicable today, individuals do not enjoy a reasonable expectation of privacy in information that they have voluntarily disclosed to third parties. (24) Though the Supreme Court recently ruled in Carpenter v. United States (25) that access to a person's historical cell-site records constitutes an exception to this doctrine, (26) and hence amounts to a search within the meaning of the Fourth Amendment, Carpenter's impact beyond cell-site records is unclear. (27) Chief Justice Roberts, who penned the opinion, declared "[o]ur decision today is a narrow one." (28) If Carpenter only applies to cell-site records, the Fourth Amendment may not protect wire or electronic communications since these communications are necessarily disclosed to a third party. (29) Thus, in a networked environment, the Fourth Amendment provides little to no privacy protection. (30) The real protection for electronic communications comes from the Stored Communications Act (SCA).
B. The Stored Communications Act
To address the privacy gap that the third-party doctrine created, Congress enacted the SCA. (31) The SCA forms Title II of the Electronic Communications Privacy Act (ECPA) and limits access to stored communications and records held by service providers. (32) Title I of the ECPA, the Wiretap Act, is devoted to regulating the interception of real-time communications, (33) and Title III, the Pen Register Act, regulates pen registers and trap and trace devices. (34)
The SCA was designed by taking into account the prominent functions computers performed when the act was enacted in 1986. (39) For instance, the SCA regulates only two types of service providers--Electronic Communication Service (ECS) providers and Remote Computing Service (RCS) providers--because those were the primary services used by computers in the 1980s. (40) ECS is defined as "any service which provides to users thereof the ability to send or receive wire or electronic communications." (41) For example, "telephone companies and electronic mail companies" are ECSs since they allow people to send and receive wire or electronic communications. (42) RCS, on the other hand, "is the provision to the public of computer storage or processing services by means of an electronic communications system." (43) For instance, Google Drive and other cloud storage services are RCSs. (44) To compel an ECS provider to disclose contents in storage for more than 180 days or to compel an RCS provider to disclose contents, the government has three options: warrant, subpoena plus notice, or a § 2703(d) order ("super search warrant") plus notice. (45)
With such requirements, the SCA limits both the government's ability to compel internet service providers ("ISPs") to disclose information in their possession about their customers and subscribers as well as ISPs' ability to voluntarily disclose information to the government. Thus, the SCA "extend[s] to electronic records privacy protections analogous to those provided by the Fourth Amendment." (46)
However, today, most providers undertake both functions. (47) Thus, technological developments complicated the implementation of the SCA. (48) For the purposes of the Microsoft Ireland case, the focal question was whether a § 2703(d) order is a type of warrant, a subpoena, or a hybrid form, because depending on the answer, the Supreme Court could have come to different conclusions as to the extraterritorial application of the SCA. (49) As I will discuss later, the CLOUD Act answered this question by amending the SCA (50) and specifically authorizing a government entity to compel a U.S.-based provider to turn over data stored in another country. (51)
C. Mutual Legal Assistance Treaties
Currently, the U.S. has two types of treaties that govern obtaining evidence abroad: Mutual Legal Assistance Treaties (MLATs) for criminal investigations and the Hague Convention on Taking Evidence Abroad in Civil or Commercial Matters ("Hague Convention"). (52) While the Hague Convention is a multilateral treaty, MLATs are bilateral due to the United States' insistence. (53) The bilateral nature of MLATs means that "progress in mutual assistance in...