As if the last few weeks weren't sufficiently full of surprises, this week several more showed up like rare Pokemon characters in the form of remarkably sensible judgments in court cases that form part of several chains of long-running disputes.
The first is the Microsoft case concerning international jurisdiction, significant because it will doubtless prove to be one of the first salvos in a lengthy process of deciding who gets access to what and where in a connected world.. The case began in December 2013, when a New York district judge issued a warrant ordering Microsoft to turn over to US authorities the contents of emails stored on its servers in Ireland. The US government argued that since Microsoft could access this data from within the US, it had the right to compel the company to do so. Microsoft argued that EU fundamental rights - that is, data protection law - applied, and that the US should make a formal request to the Irish government using the Mutual Legal Assistance Treaty (MLAT). The government argued in return that since Microsoft is an American company, MLAT was not necessary. The Second Circuit Court of Appeals has now ruled in favor of Microsoft.
As I understand it from various discussions, law enforcement tends not to like MLATs much. The process involved in making such requests is slow; last year, the Information Technology Industry Council asked Congress to provide more funding to eliminate the apparently growing backlog; like Microsoft, they wanted governments to follow legal procedures instead of bypassing them by making direct requests to the companies themselves.
As crime - and therefore investigation - becomes increasingly international, this is clearly an important issue for all concerned. Even given the difficulties, it seems clear that granting governments direct access to whatever data they want via direct arrangements is a bad idea, as it allows little transparency and no documented trail of accountability. It seems to be in all our interests to improve the MLAT process to eliminate the temptation to bypass them. The Center for Democracy and Technology, while welcoming the ruling on the basis that it avoids "a parade of horribles", warns that the government will likely appeal.
The second case, which dates to 2014, was the case brought against the UK government by the MPs Tom Watson (Labour - West Bromwich East) and David Davis (Conservative - Haltemprice and Howden) over the passage of the Data Retention and Investigatory Powers Act (2014) Last year, the High Court ruled in their favor, finding that the Act is incompatible with the right to private life and the protection of personal data enshrined in the EU Charter of Fundamental Rights. The government appealed, that this week the European Court of Justice has indicated it, too, will rule in Watson's favor. Last week, Davis was forced to withdraw when new Prime Minister Theresa May appointed him to the cabinet. Apparently you can't sue the British government while being part of it. Philip K. Dick would be so disappointed.
There are of course caveats: the ECJ's advocate general said that the fight against serious crime might justify bulk data retention - but that ordinary offenses and civil matters would not. This has ramifications for the Investigatory Powers bill, currently under consideration in the House of Lords and which reflects much the same approach as DRIPA. What the government will do now is an interesting question. Groups such as Privacy International, Liberty, and the Open Rights Group have argued all along for better safeguards, and that targeted, rather than bulk, surveillance is both more compatible with human rights and a better, more effective method of investigation. But will the UK government listen? Or will Theresa May - who has made her name advocating the policies the court has just indicated it will rule against - simply shrug and take the view that the ECJ's opinion is irrelevant since the UK's departure from the EU will remove it from the court's jurisdiction?
Finally, over in the torrent wars, the High Court of Paris has ruled that search engines do not have to censor torrent links (or in French, at NextImpact).This in the same week that the world's largest torrent site, Kickass Torrents, was seized and its owner arrested after investigators used historical data to match IP address, Facebook account, and real-world identity sourced from an iTunes transaction, a rare worked example of the power of data matching. As Charles Arthur noted in this morning's Overspill, it's nicely ironic that the alleged owner of a torrent site got caught in part because he made a purchase on iTunes (PDF).
In the French case, the French music industry association SNEP wanted the court to require Google and Bing to block search results featuring the word "torrent" and any of the names of the artists Kendji Girac, Shy'm, and Christophe Willem. Microsoft argued that such filtering would be "imprecise, disproportionate, and inefficient". So, the court made a sensible response to the old problem of blunt-force blocking. I assume SNEP can try again with a more precise, more proportionate, and more efficient version of the same request. Maybe one that wouldn't block a search to this piece, for example, which also features those artists' names and the word "torrent".
I feel sure this is just a brief summer outbreak of sanity.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.