December 13, 2014

Telescope

One of the more intriguing legal cases going on at the moment is Microsoft's effort to keep from handing over the contents of emails stored on its Dublin-based servers. The company has already provided some data relating to the account, but has drawn the line at the emails themselves. The company bases its argument on a parallelt: that the US would be outraged if a German court ordered a German bank's US-based branch to hand over documents stored by an American customer in one of its safety deposit boxes. The whole thing may come down to an interpretation of what exactly Congress meant in the Electronic Communications Privacy Act, a debate of necessity left to the experts - lawyers.

The question of jurisdiction is one techies have long liked to play with. In the early 1990s, there was a notion that the Principality of Sealand, which consists of a former World War I defensive platform, might be a suitable data haven. The resulting effort, HavenCo, soon vanished. Despite the subversive geek logic, it always seemed a fragile idea, dependent on a few people (prospectively central points of failure) and too easy to cut off or simply raid.

At the time, the Internet was fairly simple, with typically only two locations involved. The earliest online case of jurisdictional conflict was in 1993, when a postal inspector based in Tennessee dialed into a bulletin board system belonging to California residents Robert and Carleen Thomas and then prosecuted them for obscenity under Tennessee's community standards. They were tried, convicted, and lost on appeal in 1996.

Today's Internet is far more complex. A single Web page may be assembled out of data held on myriad servers in multiple countries, none of them in the same country as either the official service provider or the requesting user. Who gets precedence: the nationality, residency, or location of the user, the location of the service provider's headquarters, or the location of the server on which the data is held? No options is without problems.

Technical people seem unhappy about the idea that the location of the data is the determining factor, largely because companies make these decisions for all sorts of reasons that have nothing to do with the law. When it comes to serving up data quickly and securely, geography and physics are more important factors. Reliability often demands that data be backed up in multiple locations, not necessarily all in one country. Users often don't know where their data is held and, in the interests of ease of use, shouldn't have to - but that ignorance leaves them in a state of legal uncertainty. For most individuals this may not matter; but for some, and for businesses, it surely will.

In that sense - rather than the sense of what might win in court - it is a more usable argument if we say that the reason Microsoft should resist is not so much that the data is located in Dublin but that its Irish users are protected by EU laws regarding privacy and data protection and that US authorities wishing access should therefore get a warrant under existing arrangements such as MLAT. The US's PATRIOT Act, however, would require Microsoft's Irish subsidiary to hand over the data.

I have argued previously that users need better mental models for understanding where their data is and which nations' law enforcement have access rights. For them, determining jurisdiction by the national origin of the service provider is a much simpler option. You don't necessarily know at any single moment where Facebook is storing the data that makes up your profile - it may even be split among servers in multiple countries simultaneously - but you do know that Facebook is a US company. If you read net.wars or follow the work of the independent privacy advocate FISA Amendments Act (2008) there is no protection from US government warrants. Separately, the US generally discriminates against foreigners: rights in the US are for citizens.

The US is, of course, not the only country now demanding extraterritorial jurisdiction. This was one of the broadest extension of surveillance powers in the UK's DRIP Act (2014). Under DRIPA, the UK claims the right to compel disclosure even where no party has a UK connection, even while admitting this clause is likely unenforceable.

Alternatively, awarding jurisdiction to the nation under whose flag the service provider originates places the burden on the company's users and lets the company preempt the policies of democratically elected governments. We know already how this works out: Google, Facebook, and other US-based data-driven companies have argued vehemently against EU data protection law.

Finally, if the governing jurisdiction is the country of origin of the users, then the hosting company must contend with myriad jurisdictions and inconsistent data usage policies, easier for large companies than small ones. Basing jurisdiction on nationality is even worse: does anyone think it should be Microsoft's or Google's business to demand to see a copy of their passport or birth certificate as part of the new user signup process?

I'm not sure what common sense would dictate in this situation. Caught between two competing legal systems, Microsoft doesn't have much choice.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.