I want to talk about jurisdiction. I hope you’re well rested, because although discussing jurisdiction probably sounds like a home remedy for insomnia, it is also one of the most pressing issues facing the future of the Internet. For those who like analogies, jurisdiction is like a country’s arms: it determines how far that country’s laws can reach. Historically this reach has been fairly limited. But now that every country’s arms can reach the Internet, the potential for domestic policy to implicate international law is rising to near crisis levels. International law is already a bit of a mess, and the Internet allows governments to exert influence internationally with little international recourse, leading many to warn of a “compartmentalization of the Internet” as national governments isolate their respective Internets to protect their domestic interests.
This Land is My Land
A brief primer on jurisdiction: at its core, jurisdiction is based on land. Why does the United States government have power over you, instead of, say, the Egyptian government? You live on United States land. This concept is called territorial sovereignty, and it is the foundation of our international system. Each country has control over its own territory, and each country must respect the territorial sovereignty of other countries. This is so deeply ingrained that it probably seems strange to articulate, but the emphasis on land is important to recognize when assessing modern institutions that lack strong ties to land. Increasing globalization, improving technology, and the rise of multinational corporations all make a purely territorial perspective on jurisdiction inadequate, and have led to the rise of approaches like “effects” jurisdiction, where states can exercise jurisdiction outside of their territorial boundaries when foreign activities have “substantial effects” domestically. However, balancing this need to exert influence internationally with the traditional approach of territorial sovereignty is a difficult issue, because extending the reach of one nation extends the reach of all nations.
This Land is Ireland
Which brings me to the real topic of this post: the Microsoft-Ireland case. The Microsoft-Ireland case is conceptually simple: Microsoft owns data storage servers all around the world, (specifically Ireland), and objected to a US search warrant directed at data on these Irish servers. Microsoft argues that the search warrant is illegal because the US lacks jurisdiction in Ireland. The US has no right to conduct the search, because it isn’t on US land. The US counters by arguing that they don’t need jurisdiction over the land: they have jurisdiction over Microsoft. To hold otherwise would allow Microsoft (or anyone else) to hide files overseas and escape the reach of US law enforcement.
The “search warrant” at issue is actually a provision under the Electronic Communications Privacy Act (ECPA) that allows law enforcement agencies to request stored communications, like emails, from the companies that store them, like Microsoft. While ECPA has a specific provision that governs law enforcement requests for stored emails, the act was written in the 1980s, when email storage was limited, and when the Internet was primarily American. Questions of international territoriality weren’t considered, and so the express scope of the ECPA request is unclear. The magistrate who adjudicated the initial dispute characterized the issue as asking whether the specific search (a 2703(d) request) was more like a warrant (probably illegal) or more like a subpoena (probably legal). The magistrate ultimately decided it was a hybrid of the two, and that the government’s request was legal. While I think this characterization is probably correct, I don’t think it ends the debate.
I would argue that the fundamental issue is how we characterize the data. Microsoft’s argument wants data to be treated like physical property; a US warrant on foreign physical property is illegal, so the US instead must proceed through things called Mutual Legal Assistance Treaties (MLATs). (MLATs basically ask foreign governments to conduct the search or seizure on the US government’s behalf. While largely complied with, they are rather slow.) The US government’s argument, by contrast, is that data is just information, and that the US only needs jurisdiction over Microsoft to compel them to disclose information. The US government isn’t searching or seizing the Irish server, they are asking Microsoft to retrieve the data and hand it over.
As might be clear by my characterization (and my previous posts on this blog), I tend to side with the government’s argument. The idea that domestic corporations can evade the government’s reach simply by moving data abroad strikes me as unworkable for the modern Internet, where “cloud storage” means that the location of data has little relation to the location of its owner or user. Strict territoriality makes little sense when data can be transferred internationally at a moment’s notice. Furthermore, characterization of the 2703(d) request as a “search or seizure” that infringes upon another nation’s sovereignty seems misleading; the US government is not searching or seizing property in Ireland, they are compelling Microsoft to search its own property and to provide it to the government. This is normatively different than the police performing the search themselves, and does not seriously infringe upon Ireland’s territorial sovereignty. (While the 2703(d) request might constitute a search or seizure for 4th Amendment purposes, this has little bearing on the issue of sovereignty.)
The analogy I keep coming back to is offshore banking: if you store your money in a Swiss Bank Account, the US government cannot seize those assets, nor can they normally compel that bank to hand over your financial records. But that doesn’t mean the government cannot tax you on those assets or penalize you for tax evasion if you fail to disclose them. A strict territoriality approach to data would practically guarantee an overnight market in unregulated offshore data storage, and the logic for doing so would derive from a flawed perception of how we should classify data.
Yet my opinion is hotly contested. Despite technically only addressing ECPA, the Microsoft Ireland case represents several broader issues facing Internet governance, and has attracted an unprecedented amount of attention from tech companies, academics, and civil liberties organizations, primarily in support of Microsoft. While I think treating data like physical property (my analogy, not theirs) makes little sense, the ramifications of uninhibited government access to data must be considered in an international context. Microsoft is an international corporation, and ECPA places no restrictions on the nationality of the data subject, meaning ECPA would give the US government access to data on practically everyone who uses Microsoft. Such a stance effectively disregards the laws of foreign nations designed to protect the privacy of their citizens, and would be harshly received by the international community, particularly the EU. And perhaps more fundamentally, if the US government can compel Microsoft to disclose records on any person, then any government can potentially compel Microsoft to disclose those records, raising serious concerns for human rights, data privacy, and data security on an international level. While we may have some trepidation about the demands of the US government, these concerns should sharpen for governments known for human rights violations.
(For instance, in one of the few cases addressing the territoriality of ECPA, the plaintiffs alleged that the Chinese government obtained records from Yahoo’s Chinese affiliate pertaining to Chinese dissidents, and used this information to arrest and torture them. While the court ultimately ruled that ECPA did not apply, the case highlights the problematic implications broad governmental rights of access create, particularly in an international context.)
How this case will ultimately be resolved is unclear, although there are several potential solutions. If the courts ultimately adopt a territoriality approach, the government could impose a blanket restriction on storing data from or about domestic persons internationally. This would basically be a statute stating that the Googles and Microsofts of the world must store information about US persons on US servers. While this would preserve a strict compliance with territorial sovereignty, it would also be viewed internationally as a protectionist restriction on trade by artificially bolstering the US market for data storage facilities. This would also raise the problem of data “haves” and “have nots,” because data storage facilities are not currently located in every country, so countries that lack the necessary storage would be left in a difficult position. And perhaps most problematic, this could be the first step on the road to a complete compartmentalization of the Internet, where the threat of international intervention leads to increasing domestic isolation.
We could also proceed more cautiously on bilateral grounds. Much like the EU-US Safe Harbor provision to the Data Protection Mandate (which would take far too long to explain), this would acknowledge a territoriality approach, but would facilitate law enforcement warrants and subpoenas based upon an agreed minimum criteria. We already utilize MLATs to assist in international criminal prosecutions, and these could be extended to allow US law enforcement to automatically access foreign stored data upon a showing of, for example, probable cause. (E.g. US law enforcement can request data from Microsoft stored in Ireland if they have probable cause, presumably with some review and appeal process). The US could then require that corporations only utilize servers in countries with which we have one of these MLATs, and would strike a nice middle ground between acknowledging a free-rein system of data access and a strict territoriality approach. Yet this might still lead to a Cold War-esque division of the Internet, where a Western-style Internet would be segregated from a more authoritarian one.
The most logical solution would be a multilateral treaty specifically articulating when a country may request records stored in a foreign country by a third party. But international law is already a mess, and the idea that something as complex as law enforcement searches and seizures would be articulated and agreed upon is frankly unthinkable. While we might be able to impose minimum requirements: some process, some right of appeal, etc., anything more substantial is highly unlikely to receive widespread adoption.
I think the best solution is that US Courts should start to apply a minimum contacts approach to the specific data being searched/seized under ECPA. Rather than focus on the location of the server, this would focus on the government’s interest in the data itself. “Minimum contacts” is a phrase used in interstate jurisdiction (when does a US state have jurisdiction over you), and basically asks whether you have sufficient contact with the state so that it seems fundamentally fair that you be subject to its jurisdiction. This doesn’t require you to live in that state, or even for you to have physically entered that state; it simply requires that you have sufficient “contact.” While the specifics might differ, such an approach would allow countries to have access to data for which they have legitimate interests, while not allowing access to data on foreign persons for which they have no legitimate interest.
Yet this solution too has problems. Courts are not empowered to rewrite bad legislation, and although they can interpret statutes narrowly to avoid Constitutional problems, ECPA is unlikely to raise any such concerns. (These same foreign citizens who lack sufficient contact with the United States would also lack the protection of the 4th Amendment.) Unless a court could find that it was Congress’ intent to limit the scope of ECPA to persons having minimum contacts with the United States, such a ruling is unlikely to prevail. And while Congress could always update ECPA to clarify its scope, the current pending legislation all present potential problems and none seem likely to even reach the floor.
Frankly, the most difficult aspect of discussing this topic is the myriad factors that could theoretically be controlling. Should a government’s right of access be determined by the nationality of the corporation? The nationality of the data-subject? The government’s contacts with the corporation? The government’s contacts with the data-subject? The location of the server? One could draw distinctions between requesting data from a domestic corporation and one of its foreign affiliates, but does this simply incentivize corporations to compartmentalize to avoid disclosure and/or liability in the US? And do any of these features alter the problem of rapid international data transfer? A poorly written law will be easily avoided, while a broadly written law will draw ire from the international community. And no domestic law can guarantee the adoption of similar norms by foreign nations.
I don’t think there are any great solutions, and this post is running long, so I’ll end the discussion here. One particular issue I’d like to discuss in the future is what I call “spysharing”: where one country’s unrestricted access to information on foreign citizens incentivizes agreements between governments to spy on each other’s citizens to circumvent their domestic restrictions. We already know this occurs to some degree, and a more in depth analysis may be in order.
Until next time.