Preliminary Thoughts on Cross-Border Data Requests
Technology companies are being squeezed between U.S. and foreign laws that simultaneously compel, and prohibit, production of data in response to governmental surveillance directives. Thoughts towards a solution.
Published by The Lawfare Institute
Background Law
Today, there are a growing number of conflicting substantive and jurisdictional approaches in U.S. and foreign surveillance law. The conflicts are most acute when one country’s legal prohibitions on producing data in response to surveillance directives cannot be squared with another country’s legal compulsions to do so. Usually, this occurs when governments issue surveillance directives requiring production of data held outside their national borders.
Under U.S. law, in general, the prohibitions on production of data apply domestically, in keeping with the presumption against extraterritoriality,[7] determined according to the location in which the interception of a communication occurs, or the location in which data are stored. Thus, it is reasonably well settled that the U.S. Wiretap Act (also known as Title III) prohibits the interception of a live communication (e.g., a telephone call) only if the interception occurs in the United States; it does not prohibit or regulate wiretaps (interception) conducted abroad.[8] Similarly, the U.S. Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA),[9] has been interpreted by at least two U.S. courts to forbid production of stored data of certain types only where the data are stored in the United States.[10] With respect to U.S. foreign intelligence surveillance, the rules are much more complex,[11] but unlike the Wiretap Act and the SCA, the Foreign Intelligence Surveillance Act[12] generally prohibits conduct only by persons acting under color of law,[13] and for that reason poses very little problem for U.S. providers responding to production directives from foreign governments.[14] Accordingly, at least for now, the main problems and the likely solutions lie in the area of law enforcement (including counter-terrorism), rather than foreign intelligence.
Although U.S. surveillance prohibitions turn on the location of the interception or stored data, the U.S.’s and other countries’ surveillance compulsions – their laws requiring (rather than forbidding) production of data – take a different approach, turning on the location of the custodian of stored data rather than the data themselves.[15] For example, the United Kingdom’s Data Retention and Investigatory Powers Act 2014 (DRIPA)[16] explicitly applies to data stored outside the UK. As the UK government has explained, DRIPA “makes clear that anyone providing a communications service to customers in the UK – regardless of where that service is provided from – should comply with lawful requests” for production.[17] In other words, the UK’s laws compelling production turn not on the location of stored data, but on something more like the U.S. legal standard for asserting personal jurisdiction over the custodian of data:[18] essentially, if the provider has some form of minimum contacts with the UK (involving the provision of a communications service), then it is subject to UK law and may be compelled to produce data, regardless of where the data are stored or located. The U.S. itself takes exactly the same position with respect to grand jury subpoenas compelling production of records stored abroad, and (as discussed below) with respect to the SCA provisions compelling production of email data stored abroad.
These divergent legal approaches can operate like a whipsaw. For example, a U.S. provider that stores data in the United States, from the email account of a British citizen located in England, might be simultaneously required (by DRIPA) and forbidden (by ECPA/SCA) to produce the email.[19] Correspondingly, a U.S. provider that stores email abroad might be simultaneously required (by the SCA) and forbidden (by a foreign data protection law) to produce the email. Currently pending in the U.S. courts is a case[20] in which the U.S. government is relying on the SCA to compel Microsoft to produce email stored in Ireland;[21] Microsoft is resisting on the ground that the SCA cannot compel production of data stored abroad; and the Government of Ireland has filed an amicus brief asserting its sovereignty, but conceding that it is “incumbent upon Ireland to acknowledge” that its own Supreme Court has “held that . . . there may be circumstances in which an Irish court would order the production of records from an Irish entity on foreign soil,” perhaps even if “execution of the order would violate the law of the foreign sovereign.”[22] In sum, there exists today a growing, international patchwork of conflicting legal prohibitions and compulsions relating to surveillance.
These types of conflicts, of course, are not unprecedented.[23] For example, U.S. courts for many years have had to determine whether to enforce (via contempt citations) U.S. grand jury subpoenas seeking documents, despite claims by the recipients of those subpoenas that compliance would violate foreign laws, such as bank secrecy laws.[24] Some decisions have rejected arguments that it is “unfair to require the [recipient of the subpoena] to be put in the position of having to choose between the conflicting commands of foreign sovereigns,” observing that “such occasions will arise and a [subpoena recipient] indeed will have to choose.”[25] Others have declined to impose sanctions for noncompliance, at least where the recipient is found to be acting in good faith, expressing “considerable discomfort to think that a court of law should order a violation of law, particularly on the territory of the sovereign whose law is in question.”[26] The Restatement of Foreign Relations Law sets out a multi-factor test for addressing the issue and collects many of the published U.S. cases.[27]
The conflicts, however, have been increasing lately in frequency and intensity. That is due to technological and political factors, including the growing size, speed and use of the Internet and other data networks, and greater use of remote data storage (e.g., the cloud);[28] the Snowden disclosures and resulting suspicion of U.S. surveillance practices in Europe;[29] the U.S. government’s reaction to those disclosures;[30] the increased use of encryption;[31] the rise of ISIL and recent attacks including those involving Charlie Hebdo and the French high-speed train;[32] increased surveillance authorized by new foreign laws;[33] and perhaps other aggressive counter-terrorism activities by European governments that may be at least indirectly related to surveillance.[34] Overall, while the U.S. government has increased the transparency and decreased the scope of its surveillance[35] – recalibrating the balance between privacy and security in favor of the former – other governments have been moving overtly in the other direction, thus exacerbating tensions.[36] Whatever the reasons, U.S. providers today seem to feel the pressure like never before.
Preliminary Thoughts on a Solution
A. International agreements (with accompanying legislation) could resolve, or at least rationalize, some of these legal conflicts concerning surveillance. The simplest approach in concept probably would be to remove or override domestic legal prohibitions on disclosure, where desired, in response to certain types of favored foreign production directives.[37] As a matter of U.S. law, this would not be difficult technically (although it might be very challenging politically). The SCA generally prohibits disclosure to federal or state governments of certain email messages and metadata, but this prohibition yields to U.S. court orders that meet the following criteria: “A court order for disclosure . . . shall issue only if the governmental entity [seeking the order] offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”[38] Pursuant to treaty or other international agreement, this language could be modified by Congress to embrace the desired types of production directives issued pursuant to specified foreign law, thus removing the U.S. legal prohibition on responding to those directives with data stored here. Alternatively, to avoid the possible need for country-by-country legislative amendments as new international agreements are reached, the SCA probably could be modified to include any foreign directives as specified in a subsequent ratified treaty or international executive agreement.[39]
Policy preferences could determine the foreign countries, and the types of their production directives, that qualify for relief from the prohibition. One possibility would be to lift the prohibition based on the known or suspected nationality of the surveillance target. On this approach, for example, if the United States and the United Kingdom signed an agreement, an otherwise-qualifying UK directive could compel production of email stored in the U.S. only if it belonged to a British national, or (a broader approach) only if it did not belong to a known or suspected U.S. national. Another possibility would turn on the physical location of the target at the time of the surveillance. On this approach, the agreement might allow the UK to compel production only targeting a person who is reasonably believed to be located inside the UK, or (a broader approach) outside the United States.[40]
Many other limits are possible. For example, the prohibition could be lifted only for specific types of directives issued by the foreign government (e.g., only those issued by certain high-ranking foreign officials or based on particular factual predicates). Another approach would turn on whether the foreign directive pertains to live monitoring or collection of stored data. Another might depend on whether the foreign directive pertains to contents or metadata. Still another approach would take into account the types and/or locus of the predicate offense or other conduct that underlies the foreign investigation – e.g., excluding directives in furtherance of what are deemed to be “political” prosecutions, or limiting the scope of qualifying offenses to those considered most serious and non-controversial, or those that were committed in particular locations.[41] Consideration of these and other possible limits, many of which are in existing Mutual Legal Assistance Treaties (MLATs), would also permit an interesting, and perhaps enlightening, public discussion and comparison of the legal requirements for surveillance under U.S. law and under the law of various other countries (e.g., the role of neutral and detached magistrates in approving production directives).[42]
A further step, beyond merely removing prohibitions on production of data to eliminate conflicts where they arise, would be to try to rationalize and agree on the jurisdictional elements of each country’s surveillance law, in order to prevent as many conflicts as possible from arising. In other words, it might be possible for governments to agree on one or more factors that would, in some or all cases, determine whether they may compel or prohibit the production of data or otherwise issue a surveillance directive. Such jurisdiction could in theory be exclusive, such that one and only one country would enjoy direct access to the data, but that seems unlikely in practice because of overlapping sovereign interests in collecting information. Even if the system allowed for access to data by multiple countries based on multiple factors, however, it would be beneficial to develop a shared understanding of which factors should be used to assert jurisdiction to compel and prohibit surveillance.
Again, policy preferences could determine the relevant factors determining jurisdiction (and whether jurisdiction is exclusive or shared). Nonetheless, some jurisdictional factors are probably better than others, at least in the long run, primarily because of their administrability and determinability.[43] For example, the location of stored data, championed by Microsoft[44] in its dispute with the U.S. government, and analogous to the location of physical property, is understandable and in keeping with tradition, but perhaps increasingly arbitrary, variable, and indeterminate as a long-term legal standard for surveillance in the network age. That is because data’s location often depends on technical or economic factors (e.g., network latency or favorable tax treatment) rather than privacy or security norms; data can move quickly and easily across national boundaries; and data pertaining to a single surveillance target could (at least in theory) be stored in multiple locations.[45] Similarly, the location and nationality of a surveillance target are increasingly difficult to discern reliably and quickly (although the FISA Amendments Act of 2008 does seem to be functioning tolerably well using those criteria, and could be used as a model).[46] The locus or center of gravity of an offense or other conduct underlying surveillance has intuitive appeal, but also seems questionable, because many crimes (especially terrorism) are international in scope and effect, and may not be fully understood until surveillance is complete.
One potentially promising factor is the nationality of the provider – e.g., the laws of the country under which the provider (or its ultimate corporate parent) is organized (or is a citizen, in the case of an individual person who serves as a provider).[47] On that approach, if the UK wanted data from Microsoft (or one of its subsidiaries), it could serve a directive on Microsoft in keeping with the new U.S.-UK treaty or agreement, regardless of where the sought-after data were stored. To be sure, it might seem odd for the UK to rely on an international agreement with the United States to acquire data pertaining to a UK citizen where both the citizen and the data are located in the UK. But the Internet and related developments challenge traditional notions of sovereignty and jurisdiction based on physical objects, and may require new approaches.[48] As one forthcoming article puts it, electronic data “undercut long-standing assumptions about . . . the viability of territorial-based distinctions in surveillance law.”[49] International agreements based on factors other than the physical location of data would avoid that territorial uncertainty.
Of course, these new international agreements would never occupy the entire field of cross-border data requests. Many of the limits discussed above – e.g., those based on citizenship or location of the surveillance target – would require continued use of existing mechanisms, such as Mutual Legal Assistance Treaties (MLATs),[50] or direct interaction between law enforcement or security services in which one service provides information to the other in hopes of exciting independent interest in the surveillance target.[51]
Indeed, one pair of thoughtful commentators, impressed by the challenges inherent in amending the SCA to address cross-border data requests, have instead suggested various improvements to existing MLATs, to make them “faster, better and cheaper,”[52] thus reducing the current average fulfillment time of 10 months.[53] Many of these improvements would be worth pursuing, and if implemented perhaps they will reduce pressure over time. But even if implemented, it is not clear they will suffice, in part because they will inevitably provide less speed and agility than direct interaction between governments and data custodians. They also do nothing to address the fundamental conflicts of law underlying the current state of affairs: even highly efficient MLATs require one government to subordinate its own laws to those of another – e.g., for the UK government to request data only when it can, through a dialogue with the U.S. government, satisfy the requirements of the SCA, regardless of what DRIPA or other UK law provides.
Regardless of exactly how we address the problem of cross-border data requests, the effort might lead governments to rationalize and update their own laws prohibiting and compelling production of data. For example, as discussed above, U.S. law prohibits surveillance for ordinary law enforcement based on the location of the interception or the location of the stored data, but (at least on the U.S. government’s own reading of the law) compels production of stored data based on personal jurisdiction over the custodian, regardless of the location of the data. Similarly, U.S. law prohibits disclosure of certain stored data to U.S. federal or state governments, but not to foreign governments.[54] And U.S. law governing foreign intelligence surveillance relies in the first instance on the law enforcement prohibitions,[55] but authorizes compulsory production according to a very complex set of factors, including the nature of the information being sought, whether it is moving or at rest, the nationality of the target, the location of the acquisition, and other factors.[56] Whatever the merits of the U.S. government’s argument in favor of extraterritorial application of the SCA, it is reasonably clear that traditional FISA cannot compel production of data stored abroad.[57] Thus, there clearly is work to be done as a matter of U.S. domestic surveillance law.
Although it is not certain, some form of an approach based on international agreements might gain support from key constituencies. For the U.S. providers, international agreements could save them from the whipsaw of conflicting laws as Europe expands its (extraterritorial) surveillance demands and the U.S. seems to move in the opposite direction; it could also reduce the perception, among European customers, that data stored with U.S. providers is especially vulnerable to governmental surveillance. European providers, on the other hand, may oppose the agreements for exactly the same reasons. But European governments will almost surely support international agreements because they are increasingly eager to get access to data stored in the United States.
International agreements also could be in the long-term, enlightened self-interest of the U.S. government. Rewarding select foreign governments with some additional access to data held by U.S. providers in this country does not harm U.S. interests (especially because the precise scope of access can be controlled through an agreement’s negotiated terms). Relaxing foreign laws as necessary to afford the U.S. government broader reciprocal access to data stored abroad could advance U.S. national interests. This is increasingly true as U.S. communications home-field advantage continues to erode (e.g., as data centers and other communications facilities proliferate outside the United States). Perhaps these agreements also could build momentum, or at least a framework, for eventually addressing some of the challenges posed by what the U.S. government calls “going dark.”[58]
Finally, an international approach might appeal to thoughtful privacy advocates, especially if the alternative is an increasingly aggressive (but also increasingly disorganized) patchwork of legislation authorizing cross-border data collection. The international approach also might result in at least some foreign governments increasing the required showings under their own laws for orders compelling production of data, in order to be part of the international framework. In other words, the approach of removing surveillance prohibitions from one country’s law to allow the operation of surveillance compulsions from another country’s law might result not only in fewer prohibitions, but also in fewer compulsions. It might also yield certain additional prohibitions to correct perceived anomalies: as noted above, for example, it would permit a tightening of U.S. law governing production of communications metadata, which today can be given to a foreign government more easily than they can to a U.S. governmental entity (federal or state).[59] An international approach might also help providers resist requests from countries that have not signed an international agreement, even if initially only as a matter of public relations, rather than foreign or international law.[60]
In short, privacy, security, commerce and the worldwide rule of law could all benefit from a rationalization of the various legal requirements that prohibit and compel the production of data in response to governmental surveillance directives. A regime based on international agreements seems orderly and sensible for the long run of the Internet and computer network era.
Conclusion
The problem posed by mutually exclusive legal requirements prohibiting and compelling production of information has existed for a long time, but it is getting much worse in the current technological and political environment. The most promising approach to solving the problem involves international agreements. Those agreements could supplement existing MLATs and take into account many factors, including the nationality and location of the surveillance target, the nature and location of the conduct underlying the surveillance, and the nationality and location of the data provider. Regardless of the specific approach, we ought to try to rationalize the legal standards in this area, both between governments and within each government’s own domestic law, and provide greater clarity. This effort will be very challenging, and it is almost surely a good idea to start small – e.g., with a bilateral agreement involving one of our closest allies concerning the most serious and non-controversial offenses. Even if successful, the effort will not resolve every issue affecting surveillance law today – e.g., encryption and other aspects of the “going dark” problem – although it might lay the groundwork for addressing those other issues in time. As is often the case, we have a choice to act thoughtfully now, or defer the problem with the risk of a more haphazard approach prevailing in the immediate aftermath of a future crisis.
ENDNOTES
[1] The thoughts expressed here are preliminary, especially because of the complexity of the issues and the dynamic nature of the legal, technical and political environments in which they arise.
[2] By referring to “surveillance” directives, I mean to include laws and rules of the U.S. and foreign governments prohibiting and compelling production of communications metadata, as well as the contents of communications, and other data, whether in transit or in storage, for law enforcement or foreign intelligence purposes. As discussed below, U.S. surveillance law generally prohibits surveillance, and then authorizes surveillance (and compels providers to assist with governmental surveillance) in certain circumstances. The focus of this discussion is law enforcement surveillance (including counter-terrorism), rather than foreign intelligence surveillance, although the latter is discussed intermittently in connection with descriptions of the U.S. legal environment and background. Espionage or other acquisition of information that does not occur with the consent or knowledge of the data custodian or the local government is not discussed here.
[3] As discussed below, the relevant class of providers are mainly those subject to the prohibitions on disclosure of information in the U.S. Stored Communications Act (SCA), 18 U.S.C. §§ 2701-2712, which is part of the Electronic Communications Privacy Act (ECPA), Public Law No. 99-508, 100 Stat. 1848 (1986). The prohibitions on disclosure in the SCA generally apply to persons or entities providing to the public either “electronic communication service” (ECS) or “remote computing service” (RCS). 18 U.S.C. § 2702(a). An “electronic communication service” is “any service which provides to users thereof the ability to send or receive wire or electronic communications,” 18 U.S.C. §§ 2711(1), 2510(15), and a “remote computing service” is “computer storage or processing services by means of an electronic communications system,” 18 U.S.C. § 2711(2). These definitions have roots in the technology of 1986, when ECPA was enacted, but may include not only communications providers, but also cloud service providers. See, e.g., Orin Kerr, The Next Generation Communications Privacy Act, 162 U. Penn. L. Rev. 373, 397 & n.29, 404-410 (2014). For example, Facebook appears to take the position that it is subject to the SCA. See In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, 923 F. Supp.2d 1204, 1205 (2012) (“Facebook now moves to quash the subpoena on the grounds that the subpoena violates the Stored Communications Act”); Facebook, May I Obtain any Account Information or Account Contents Using a Subpoena?, available at https://www.facebook.com/help/133221086752707.
[4] See discussion at text and notes 15-22, infra. See also Dina Bass, As Microsoft Takes on the Feds, Apple and Amazon Watch Nervously, Bloomberg (Sept. 2, 2015) (“Microsoft is engaged in . . . battles [concerning access to stored data] in Belgium and Brazil, where an executive faces criminal charges because the company has refused to turn over Skype records . . . . While failing to do so violates Brazilian law, if Microsoft did forfeit them it would be breaching U.S. wiretapping bans.”).
[5] I have not attempted to identify systematically or catalog such restrictive foreign laws, although the U.S. government or U.S. providers may have done so. As mentioned in note 4, it appears that Brazil has recently enacted a law that requires a Brazilian court order before a provider may produce data stored in Brazil, or communications to or from a party in Brazil. See, e.g., Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet), Law No. 12.965, Apr. 23, 2014 (Braz.), available at https://www.publicknowledge.org/documents/marco-civil-english-version. Russia’s “Bloggers Law” requires certain data to be maintained in Russia. See, e.g., Neil MacFarquhar, Russia Quietly Tightens Reins on Web With ‘Bloggers Law’, New York Times (May 6, 2014), available at http://www.nytimes.com/2014/05/07/world/europe/russia-quietly-tightens-reins-on-web-with-bloggers-law.html?_r=0; Sam Schechner & Olga Razumovskaya, Russia Puts Off Data Showdown With Technology Firms, Wall Street Journal (Aug. 31, 2015) (“Ahead of a law that goes into effect Tuesday [September 1, 2015] requiring companies to store and process data about Russian users within the country’s borders, Russian regulators have told companies such as Facebook, Google Inc. and Twitter Inc. that they don’t plan to check until at least January [2016] whether the companies are in compliance, executives and Russian officials said”), available at http://www.wsj.com/article_email/russia-puts-off-data-showdown-with-technology-firms-1441043618-lMyQjAxMTA1MjMyMTkzODE0Wj; see also James T. Areddy, China Pushes to Rewrite Rules of Global Internet, Wall Street Journal (July 28, 2015) (describing a series of new laws and policies in China that suggest its government “is trying to fracture the international system that makes the Internet basically the same everywhere, and is pressuring foreign companies to help”), available at http://www.wsj.com/articles/china-pushes-to-rewrite-rules-of-global-internet-1438112980.
In the past, foreign bank secrecy laws have been invoked (often unsuccessfully) by banks attempting to resist U.S. grand jury subpoenas. See, e.g., In re Grand Jury Proceedings Bank of Nova Scotia, 740 F.2d 817, 828-829 (11th Cir. 1984). New foreign laws restricting production of data certainly could be enacted and cause difficulties for the U.S. government in the future.
[6] See Mailyn Fidler, MLAT Reform: Some Thoughts from Civil Society (Sept. 11, 2015), Lawfare, available at https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society.
[7] See, e.g., E.E.O.C. v. Arabian American Oil Co., 499 U.S. 244 (1991). As the Supreme Court has explained:
It is a longstanding principle of American law that legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States. This principle represents a canon of construction, or a presumption about a statute’s meaning, rather than a limit upon Congress’s power to legislate. It rests on the perception that Congress ordinarily legislates with respect to domestic, not foreign matters. Thus, unless there is the affirmative intention of the Congress clearly expressed to give a statute extraterritorial effect, we must presume it is primarily concerned with domestic conditions. The canon or presumption applies regardless of whether there is a risk of conflict between the American statute and a foreign law. When a statute gives no clear indication of an extraterritorial application, it has none.
Morrison v. National Australia Bank, Ltd., 561 U.S. 247, 255 (2010) (internal quotations and citations omitted).
As discussed in greater detail in note 8, infra, in the context of electronic communications and computer networks, it can be difficult to identify the conduct that matters for making the determination of extraterritoriality. Facing a similar question in Morrison, the Court concluded that the extraterritoriality of Section 10b of the Securities Exchange Act of 1934, which regulates fraudulent transactions involving securities, depended on the location of the purchase and sale of securities, rather than the location of the fraud. The Court explained that “the focus of the Exchange Act is not upon the place where the deception originated, but upon purchases and sales of securities in the United States. Section 10(b) does not punish deceptive conduct, but only deceptive conduct in connection with the purchase or sale of any security registered on a national securities exchange or any security not so registered.” 561 U.S. at 266 (internal quotation omitted).
[8] See U.S. v. Peterson, 812 F.2d 486, 492 (9th Cir. 1987) (Kennedy, J.) (wiretaps of telephones in the Philippines: “Appellants also argue that the wiretap evidence should be excluded as violative of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510–20 (1982). We reject this argument. Title III has no extraterritorial force.”); Stowe v. Devoy, 588 F.2d 336, 341 & nn.11-12 (2d Cir. 1978); David Kris & Doug Wilson, National Security Investigations and Prosecutions § 7:17 & n.5 (2d. ed. 2012) (hereinafter NSIP). In Huff v. Spaw, --- F.3d ---, 2015 WL 4430436 (6th Cir. July 21, 2015), the court addressed an accidentally-made international cell phone call that allowed a person in the United States surreptitiously to monitor an oral discussion occurring between two persons located in Italy, one of whom had the phone in a back pocket. The court held:
when determining whether an alleged interception is extraterritorial . . . we do not consider whether the plaintiffs are citizens of the United States, or whether the communications traveled through United States telecommunication infrastructure. Instead, we look to where the interception took place. Title III defines interception as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). The relevant location is not where the [plaintiffs’] conversations took place, but where [the defendant] used a device to acquire the contents of those conversations.
Id. (most citations and internal quotations omitted).
Although the federal courts agree that the Wiretap Act applies according to where the interception occurred, some courts of appeals have held that “interception occurs where the tapped phone is located and where law enforcement officers first overhear the call.” U.S. v. Luong, 471 F.3d 1107, 1109 (9th Cir. 2006) (citing cases) (italics in original). For example, in U.S. v. Rodriguez, 968 F.2d 130, 136 (2d Cir. 1992), the court explained:
It seems clear that when the contents of a wire communication are captured or redirected in any way, an interception occurs at that time. Such an interception plainly occurs at or near the situs of the telephone itself, for the contents of the conversation, whether bilateral as is usually the case, or multilateral as is the case with a conference call, are transmitted in one additional direction. Redirection presupposes interception. Accordingly, a federal court sitting in the jurisdiction in which the to-be-tapped telephone is located would have the authority, under [18 U.S.C.] § 2518(3), to authorize a wiretap. Nonetheless, since the definition of interception includes the ‘aural’ acquisition of the contents of the communication, the interception must also be considered to occur at the place where the redirected contents are first heard.
[9] The Stored Communications Act is codified at Chapter 121 of Title 18, 18 U.S.C. §§ 2701-2712. The Electronic Communications Privacy Act was enacted as Public Law No. 99-508, 100 Stat. 1848 (1986).
[10] See Suzlon Energy Ltd. v. Microsoft Corp., 671 F.3d 726, 728-30 (9th Cir. 2011) (ECPA/SCA prevents disclosure under 28 U.S.C. § 1782 of email stored in the U.S. even if the email account holder is a foreign citizen located abroad: “it’s clear that the ECPA at least applies whenever the requested documents are stored in the United States”); In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, 923 F. Supp.2d 1204 (2012); cf. Zheng v. Yahoo! Inc., 2009 WL 4430297 at *4, No. C–08–1068 MMC (N.D. Cal. Dec. 2, 2009) (ECPA does not prevent disclosure of email and email metadata stored outside of the United States: “Because the alleged interceptions and disclosures occurred in the PRC, the ECPA does not apply to them, even if the communications, prior to their interception and disclosure, traveled electronically through a network located in the United States”).
[11] For a detailed review of how the traditional elements of the Foreign Intelligence Surveillance Act (FISA) and the FISA Amendments Act of 2008 apply, see NSIP Chapters 7 and 17.
[12] 50 U.S.C. §§ 1801 et seq.
[13] For a discussion of FISA’s civil and criminal penalties for misuse of FISA under color of law, see NSIP Chapter 14.
[14] For a detailed review of the interaction between FISA, the Wiretap Act (Title III) and ECPA, see NSIP § 14:2. Of course, conflicts could arise to the extent that FISA orders or directives compel production of data where foreign law prohibits production. See, e.g., discussion in note 5, supra.
[15] Legal niceties aside, of course, as a matter of realpolitik, if a communications provider wants access to foreign markets, and has personnel and equipment located in foreign countries, it is obviously subject to some degree of foreign sovereign power.
[16] 2014 c. 27. DRIPA is available online at http://www.legislation.gov.uk/ukpga/2014/27/enacted. On July 17, 2015, the UK’s High Court declared that the operative provision of DRIPA was inconsistent with EU law. See R. (on the Application of Davis) v. Secretary of State for the Home Department, [2015] EWHC 2092 (Admin), 2015 WL 4275047.
[17] UK Government, Data Retention and Investigatory Powers Act 2014, available at https://www.gov.uk/government/collections/data-retention-and-investigatory-powers-act-2014.
[18] See generally, International Shoe Co. v. Washington, 326 U.S. 310 (1945).
[19] The government of Brazil and Google previously were involved in a dispute concerning Brazil’s demand that Google turn over data pertaining to alleged child pornography in Brazil, although it is not clear from the public media reports whether the dispute concerned the SCA. See, e.g., Erika Morphy, Google, Brazil Lock Horns Over Social Networking Data, Tech News World (Aug. 24, 2006), available at http://www.technewsworld.com/story/privacy/52624.html. See also notes 4-5, supra.
[20] See In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, 15 F. Supp. 3d 466 (SDNY 2014), Appeal Pending, No. 14-2985-cv.
[21] The U.S. government thus interprets the SCA asymmetrically, such that its provisions compelling production of stored data apply to data stored abroad, even though U.S. courts have interpreted the SCA’s provisions prohibiting production as applying only to data stored in this country. That same approach, relying on personal jurisdiction over the custodian regardless of the location of the information being sought, also governs U.S. grand jury subpoenas (although grand jury subpoenas cannot reach all forms of email). See, e.g., Marc Rich v. U.S., 707 F.2d 663, 667 (2d Cir. 1983) (rejecting motion to quash U.S. grand jury subpoena duces tecum served on Swiss commodities trading corporation that does business in the U.S. but is headquartered in Switzerland and has no office in the U.S.: “It would be strange, indeed, if the United States could punish a foreign corporation for violating its criminal laws upon a theory that the corporation was constructively present in the country at the time the violation occurred, but a federal grand jury could not investigate to ascertain the probability that a crime had taken place . . . . The question, then, in the instant case is whether the district court had such personal jurisdiction over appellant that it could enforce obedience to the grand jury subpoena” (citations omitted)).
[22] See In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, No. 14-2985-cv (2d Cir. 2014), Brief of Amicus Curiae Ireland at 5-6 (italics in original) (citing Walsh v National Irish Bank [2013] IESC 2), available at http://digitalconstitution.com/wp-content/uploads/2014/12/Ireland-Amicus-Brief.pdf.
[23] See, e.g., Societe Internationale Pour Participations Industrielles et Commerciales, SA v. Rogers, 357 U.S. 197 (1958).
[24] As discussed in note 21, U.S. grand jury subpoenas reach as far as personal jurisdiction over the custodian of data will allow, regardless of the location of the information that the custodian is compelled by the subpoena to produce. See Marc Rich, supra, 707 F.2d at 667.
[25] In re Grand Jury Proceedings Bank of Nova Scotia, 740 F.3d at 828; see U.S. v. First Nat. City Bank, 396 F.2d 897, 900-01 (2d Cir. 1968).
[26] In re Sealed Case, 825 F.2d 494, 498 (D.C. Cir. 1987) (per curiam).
[27] Restatement (Third) of Foreign Relations Law of the United States § 442 & Comment g, Reporters Notes 7-8 (1987). Section 442 of the Restatement provides:
(1)(a) A court or agency in the United States, when authorized by statute or rule of court, may order a person subject to its jurisdiction to produce documents, objects, or other information relevant to an action or investigation, even if the information or the person in possession of the information is outside the United States.
(b) Failure to comply with an order to produce information may subject the person to whom the order is directed to sanctions, including finding of contempt, dismissal of a claim or defense, or default judgment, or may lead to a determination that the facts to which the order was addressed are as asserted by the opposing party.
(c) In deciding whether to issue an order directing production of information located abroad, and in framing such an order, a court or agency in the United States should take into account the importance to the investigation or litigation of the documents or other information requested; the degree of specificity of the request; whether the information originated in the United States; the availability of alternative means of securing the information; and the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located.
(2) If disclosure of information located outside the United States is prohibited by a law, regulation, or order of a court or other authority of the state in which the information or prospective witness is located, or of the state of which a prospective witness is a national,
(a) a court or agency in the United States may require the person to whom the order is directed to make a good faith effort to secure permission from the foreign authorities to make the information available;
(b) a court or agency should not ordinarily impose sanctions of contempt, dismissal, or default on a party that has failed to comply with the order for production, except in cases of deliberate concealment or removal of information or of failure to make a good faith effort in accordance with paragraph (a);
(c) a court or agency may, in appropriate cases, make findings of fact adverse to a party that has failed to comply with the order for production, even if that party has made a good faith effort to secure permission from the foreign authorities to make the information available and that effort has been unsuccessful.
[28] See, e.g., Orin Kerr, The Next Generation Communications Privacy Act, 162 U. Penn. L. Rev. 373, 390-395, 404-410 (2014).
[29] See, e.g., Claire Cain Miller, Revelations of N.S.A. Spying Cost U.S. Tech Companies, New York Times (Mar. 21, 2014), available at http://www.nytimes.com/2014/03/22/business/fallout-from-snowden-hurting-bottom-line-of-tech-companies.html; see Dina Bass, As Microsoft Takes on the Feds, Apple and Amazon Watch Nervously, Bloomberg (Sept. 2, 2015) (“Internet service providers may be hard-pressed to sell Web-based products if they can’t promise that digital records stowed in foreign countries will be protected by those countries’ laws – and from unilateral US. search-and-seizure missions”).
[30] See, e.g., NSIP § 19:4.50 (2015 supplement) (discussing PPD-28 and other developments).
[31] See, e.g., James Temperton, No U-Turn: David Cameron Still Wants to Break Encryption, Wired Co. UK (July 15, 2015), available at http://www.wired.co.uk/news/archive/2015-07/15/cameron-ban-encryption-u-turn.
[32] See, e.g., Alan Cowell and Maia de la Baume, France Deploys Troops to Guard “Sensitive Sites,” New York Times (Jan. 12, 2015) (referring to the “demands of security officials, who cite the attacks as evidence of an urgent need to introduce stronger powers to monitor suspects,” and noting that “[o]nly a few weeks ago, people here were sharply criticizing the United States for its surveillance practices and the revelations in a searing Senate report on the torture of terrorism suspects after 9/11”), available at http://www.nytimes.com/2015/01/13/world/europe/france-charlie-hebdo-terrorist-attacks.html?_r=0; Sam Schechner and Matthew Dalton, France Seeks Help in Monitoring Suspicious Activity, Wall Street Journal (Aug. 23, 2015), available at http://www.wsj.com/articles/france-seeks-help-in-monitoring-suspicious-activity-1440346965; see Dina Bass, As Microsoft Takes on the Feds, Apple and Amazon Watch Nervously, Bloomberg (Sept. 2, 2015) (“The two terrorists who killed a dozen people at the newspaper Charlie Hebdo in Paris had Microsoft e-mail accounts stored on servers in the U.S., and 45 minutes later their contents were en route to the [FBI], to be shared with French authorities.”).
[33] See, e.g., Justin Ling, New Mass Surveillance Laws Come to Canada, France, and the United Kingdom, as the NSA May Have its Wings Clipped, Vice News (May 12, 2015), available at https://news.vice.com/article/new-mass-surveillance-laws-come-to-canada-france-and-the-united-kingdom-as-the-nsa-may-have-its-wings-clipped.
[34] See, e.g., Nicholas Winning, U.K. Premier Says Drone Strike Killed Two British Members of ISIS in Syria, Wall Street Journal (Sept. 7, 2015), available at http://www.wsj.com/articles/u-k-premier-says-drone-strike-killed-two-british-members-of-isis-in-syria-1441640520; Matthew Dalton & William Horobin, France Prepares Airstrikes Against Islamic State in Syria, Wall Street Journal (Sept. 7, 2015), available at http://www.wsj.com/articles/frances-hollande-says-country-to-accept-24-000-refugees-1441619184.
[35] See NSIP § 19:4.50 (2015 supplement).
[36] As I have written elsewhere:
More broadly, it is a puzzling moment, both domestically and internationally, for surveillance law in particular, and for national security law and policy in general. It makes a striking contrast to the two major moments of policy convergence in my lifetime – the Church/Pike reports, and 9/11 – where only a few brave souls like Laurence Silberman and Russ Feingold felt the need and had the courage to voice dissenting views. Today, we have a strongly divergent environment, with the Snowden disclosures and governmental reactions to those disclosures on one hand, and the recent attacks in Paris and in other locations, the rise of ISIL, and the increasingly unstable environment abroad (e.g., Yemen, Central African Republic) on the other hand, combining to create a whipsaw that threatens any effort to chart a middle course.
That divergence exists both within the U.S. and also between the U.S. and the rest of the Western world – or at least the UK, France, and Canada, each of which has, recently, taken legislative or other measures to expand surveillance authorities. Arguably, of course, the European intelligence services have for a long time quietly enjoyed more legal latitude (by some measures) and less rigorous oversight than their U.S. counterparts; but the very public nature of the divergence today, in favor of broader surveillance powers for non-U.S. Western governments, is unfamiliar to me, if not actually unprecedented.
The effects of this domestic and international divergence could become even more puzzling depending on the reactions of the major U.S. providers. The providers have been terrified of the post-Snowden competitive advantage, in the form of perceived relative immunity from surveillance, enjoyed by their European competitors. It has caused them to resist, in part and wherever possible in public, some of the U.S. government’s discrete requests for data, and also broadly to support a treaty-based, international surveillance regime to level the playing field and thereby remove the competitive advantage. In the last couple of weeks, however, with the legislative actions abroad, today’s CA2 decision and perhaps the upcoming Congressional (in)action in June, the environment supporting the providers’ strategy may be upended. If present trends continue and certain matters break in certain ways, it’s no longer entirely fanciful to imagine U.S. providers trumpeting the competitive advantage to consumer privacy of the U.S. system of intelligence under law (and its general requirement for advance review by neutral and detached magistrates), and publicly resisting at least some data requests from the UK and other foreign governments!
David Kris, On the Second Circuit’s Section 215 Decision, Lawfare (May 7, 2015), available at https://www.lawfareblog.com/second-circuits-section-215-decision.
[37] Alternatively, of course, countries could also remove compulsions to produce data where prohibited by another country’s law. In the current environment, where much of the sought-after data is in the United States and subject to U.S. prohibitions on disclosure, and other countries in Europe are expanding their surveillance demands, this does not seem likely in a broad way, but certainly could occur in particular contexts.
[38] 18 U.S.C. § 2703(d).
[39] Limiting the exceptions to those approved in treaties would give the Senate more control; including executive agreements would allow for greater speed and agility. A possible compromise would be a set of general statutory standards for the executive agreements.
[40] Lessons learned in applying 50 U.S.C. § 1881a, part of the FISA Amendments Act, would likely help in the development of more detailed protocols for implementing these types of standards that turn on nationality and location. For a discussion of the FISA Amendments Act and its protocols limiting surveillance to non-U.S. persons reasonably believed to be located outside the United States, see NSIP Chapter 17.
[41] Regardless of the scope of the international agreements, they might need to address several other issues, including incidental collection and minimization, including cross-border dissemination. For a discussion of incidental collection, see NSIP §§ 16:11 and 17:5. For a discussion of minimization (including dissemination) and differences between minimization under FISA and the Wiretap Act, see NSIP Chapter 9; Orin Kerr, The Next Generation Communications Privacy Act, 162 U. Penn. L. Rev. 373, 414-415 (2014).
[42] For a discussion of MLATs, see text and note 52, infra. A variant on this approach would establish, pursuant to treaty or other international agreement, an affirmative requirement in each signatory’s domestic law for providers to comply with the desired types of foreign directives. On this approach, a provider’s failure to honor a valid foreign production order could lead to consequences under the other government’s domestic law. It also might allow for more transparency and possible review and approval on a case-by-case basis between the two sovereigns as to one another’s production directives, through reporting from one government to another (although government-to-government reporting would, of course, be possible even without an affirmative requirement embodied in domestic law, and probably makes sense at least on a periodic basis). Possibilities range from no reporting at all, to periodic after-the-fact reporting (e.g., annually or semi-annually), to real-time individual reporting (e.g., simultaneous service of production orders on the other government), to real-time reporting plus a specified period of delay during which the other government could lodge an objection if necessary, and only after which the provider would be free to make the production.
On the other hand, an affirmative requirement in U.S. law to produce data to foreign governments, if the data pertained to U.S. persons or persons located in the United States, could be more politically controversial than merely removing prohibitions on production, and might raise Fourth Amendment issues; for those reasons, it would require careful thought before being implemented.
It is also possible to imagine arguments for constitutional issues arising from mere agreements to lift domestic legal prohibitions on production, on the theory that the agreements create U.S. state action in connection with the foreign government’s surveillance directive. But those arguments are less likely to prevail than they would be if U.S. law affirmatively requires the production. Most of the cases finding U.S. state action have involved joint efforts between the U.S. government and a foreign government in the context of a particular investigation or matter, rather than at the more general level of an international agreement and corresponding U.S. legislation. See, e.g., U.S. v. Getto, 729 F.3d 221, 227-228 & n.7 (2d Cir. 2013) (“constitutional requirements may attach in two situations: (1) where the conduct of foreign law enforcement officials rendered them agents, or virtual agents, of United States law enforcement officials; or (2) where the cooperation between the United States and foreign law enforcement agencies is designed to evade constitutional requirements applicable to American officials.” (internal quotation omitted)); U.S. v. Barona, 56 F.3d 1087 (9th Cir. 1995). Cf. Skinner v. Railway Labor Executives Ass’n, 489 U.S. 602, 614-615 (1989) (challenge to breath and urine tests for U.S. railway employees who violate safety rules under federal regulations that authorize but do not require the tests: “Whether a private party should be deemed an agent or instrument of the Government for Fourth Amendment purposes necessarily turns on the degree of the Government's participation in the private party's activities . . . . The Government has removed all legal barriers to the testing authorized by Subpart D [of the regulations] and indeed has made plain not only its strong preference for testing, but also its desire to share the fruits of such intrusions. In addition, it has mandated that the railroads not bargain away the authority to perform tests granted by Subpart D. These are clear indices of the Government's encouragement, endorsement, and participation, and suffice to implicate the Fourth Amendment.”); Railway Employees Dep’t v. Hanson, 351 U.S. 225 (1956).
[43] For a thoughtful discussion of the pros and cons of various factors, see Orin Kerr, The Next Generation Communications Privacy Act, 162 U. Penn. L. Rev. 373, 416-418 (2014).
[44] See In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, 15 F. Supp. 3d 466 (SDNY 2014); Cameron F. Kerry, Microsoft Challenges the Government: Litigating Extraterritoriality in a Virtual World, Brookings Institution (July 31, 2014), available at http://www.brookings.edu/blogs/techtank/posts/2014/07/31-microsoft-ireland-lawsuit-kerry.
[45] See Orin Kerr, The Next Generation Communications Privacy Act, 162 U. Penn. L. Rev. 373, 408 (2014) (“Indeed, the very idea of online data being located in a particular physical ‘place’ is becoming rapidly outdated”).
[46] See NSIP Chapters 16 and 17.
[47] This approach is certainly not perfect. As Orin Kerr has explained, “multinational companies can have affiliates and branches everywhere.” Orin Kerr, The Next Generation Communications Privacy Act, 162 U. Penn. L. Rev. 373, 417 (2014). Manipulation, such as through the creation of shell companies, is also possible. In many cases, however, based in part on reporting requirements for public companies, the ultimate parent company will be determinable.
[48] Of course, today, U.S. law does not limit the UK’s ability to obtain stored data from Microsoft if the data are stored in the UK, as discussed above. Thus, the broader jurisdictional reform discussed here would allow for a different set of prohibitions and compulsions, at any level of privacy protection that is desired, but in a more systematic fashion than reflected in current law.
[49] Jennifer Daskal, The Un-Territoriality of Data, forthcoming as 125 Yale L.J. ---, 56-57 (2016), draft available at http://insct.syr.edu/wp-content/uploads/2015/06/Daskal_Un-Territoriality_of_Data.pdf.
[50] See 18 U.S.C. § 3512; 28 U.S.C. § 2872. Essentially, MLATs embody agreements between governments through which each enjoys access to certain evidence coming under the jurisdiction of the other. In the United States, the Department of Justice’s Office of International Affairs (OIA) is the point of contact for foreign governments making requests under MLATs. OIA, in partnership with a U.S. Attorney, seeks a U.S. judicial order for the desired data, which is then served on the custodian of data, who may produce the data to OIA so it can be sent to the foreign government that requested it. MLATs are important and will very likely remain important no matter what reforms are adopted, but they have been criticized, particularly as the number of MLAT requests rises. See, e.g., Greg Nojeim, MLAT Reform: A Straw Man Proposal (“It is widely perceived that MLA processes are too slow for law enforcement investigations in the digital era and that they are not up to the task of dealing with the volume of cross-border demands for data that law enforcement agencies need to make. A number of ideas are being put forth to address this problem and its many complexities. This post is an attempt by the Center for Democracy & Technology (CDT) to spur public debate on one such idea and to solicit input that would inform a solid MLAT reform proposal.”) (Sept. 3, 2015), available at https://cdt.org/insight/mlat-reform-a-straw-man-proposal/; Bryan Cunningham, Measuring MLAT, The Hill (June 19, 2015), available at http://thehill.com/blogs/congress-blog/foreign-policy/245454-measuring-mlat. Specific limitations in MLATs include concerns that they are slow (often taking months to process), that other countries have difficulty meeting U.S. probable-cause and related standards, that they apply only to stored communications (as opposed to allowing for live monitoring), and that they are not applicable outside the criminal context.
[51] See Dina Bass, As Microsoft Takes on the Feds, Apple and Amazon Watch Nervously, Bloomberg (Sept. 2, 2015) (“The two terrorists who killed a dozen people at the newspaper Charlie Hebdo in Paris had Microsoft e-mail accounts stored on servers in the U.S., and 45 minutes later their contents were en route to the [FBI], to be shared with French authorities.”).
[52] Peter Swire & Justin D. Hemmings, Re-Engineering the Mutual Legal Assistance Process, Draft for NYU and PLSC Conferences (May 14, 2015), available at http://www.heinz.cmu.edu/~acquisti/SHB2015/Swire.docx.
[53] President’s Review Group on Intelligence and Communications Technologies, Liberty & Security in a Changing World 227 (2013), available at https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf.
[54] See 18 U.S.C. §§ 2702(c)(6), 2711(4).
[55] See NSIP § 14:2.
[56] See NSIP Chapters 7 and 17.
[57] In other words, where a U.S. provider stores email on a server abroad, the U.S. government must rely on a voluntary repatriation of the data to bring it within the FISA Court’s jurisdiction, at least where the target of the surveillance is located in the United States. See 50 U.S.C. §§ 1801(f)(4), 1824(5); cf. 50 U.S.C. § 1881a. If U.S. providers decide that they must (or should) make categorical public assertions that they do not assist the U.S. government with surveillance requests unless legally required to do so, and they live up to those assertions even with respect to foreign intelligence surveillance, it could have a profound effect on the availability of email and other stored data for purposes of protecting national security. This is, or ought to be, viewed as a serious issue. See Dina Bass, As Microsoft Takes on the Feds, Apple and Amazon Watch Nervously, Bloomberg (Sept. 2, 2015) (“The two terrorists who killed a dozen people at the newspaper Charlie Hebdo in Paris had Microsoft e-mail accounts stored on servers in the U.S., and 45 minutes later their contents were en route to the [FBI], to be shared with French authorities. The company hasn’t always been so eager to comply.”).
[58] It’s important not to overstate the possible benefits to the problem of “going dark.” To be sure, an international approach might encourage development of norms governing the extent (if any) to which providers should maintain access to their customers’ data, so that they can produce it in response to lawful process, rather than intentionally blinding or disabling themselves through encryption or other methods. This might include the possibility of updates to CALEA, 47 U.S.C. §§ 1001-1010, the U.S. law that requires telecommunications providers to maintain the ability to assist the government with certain types of surveillance. However, it seems increasingly clear that CALEA requirements will be very challenging to implement universally in the world of Internet apps. See, e.g., Jonathan Zittrain, An Open Letter to Prime Minister Cameron, The Message (Feb. 6, 2015), available at https://medium.com/message/dear-prime-minister-cameron-20th-century-solutions-wont-help-21st-century-surveillance-ff2d7a3d300c. And one of the key strategic challenges facing the U.S. government in this area may include resisting the impulse to use new international agreements as a vehicle to address all aspects of the “going dark” problem, including issues such as end-to-end encryption. See, e.g., Cody Poplin, Senate Hearings on “Going Dark,” Lawfare (July 8, 2015), available at https://www.lawfareblog.com/senate-hearings-going-dark; Carrie Cordero, On Going Dark, Lawfare (July 26, 2014), available at https://www.lawfareblog.com/going-dark. The issues posed by encryption are critically important, but they are separable from the discussion of conflicts in international surveillance laws, and separating them may allow for greater progress in rationalizing those laws.
[59] See 18 U.S.C. §§ 2702(c)(6), 2711(4).
[60] Of course, as noted in the text, a sovereign nation may always execute a search warrant on a data center located inside its borders, and/or threaten sanctions against property or personnel within its borders to compel production of data.