Why a U.S. warrant on Microsoft Cloud should not be enforced on data held overseas

by | Jan 10, 2018 | Open Blog, Open Net, Privacy | 0 comments

1. Warrant is not an order to private parties but to an authorization to law enforcement

Both under civil law tradition and common law traditions, the essence of a warrant is an authorization to law enforcement that it may do whatever is necessary to search and seize certain things, places, and persons for the purpose of bringing a person to a fair trial in a criminal court.  It is not an order issued to private citizens, and therefore cannot compel them to do anything affirmative.  Otherwise, it may find itself violating the Fifth Amendment privilege against self-incrimination depending on to whom it is issued or will become an equally unconstitutional affirmative order on private parties to rat on fellow citizens.  An order under the Writs Act may be different in effect but the Writs Act orders are issued through different procedure and we are limiting our discussion to warrants for now.

Because a warrant is not an affirmative order, it cannot compel Microsoft to produce the sought-for data while it authorizes the law enforcement to forcefully take the data. If the target data remains off-shore, the law enforcement many not be able to achieve what has been authorized because the law enforcement’s jurisdiction is territorial, i.e., “stops at borders”.  However, it is the natural corollary of international norm of sovereignty that a nation’s authority cannot be exercised unilaterally, i.e., without the consent or permission of the authority of the locus).

If warrant loses its character as an authorization, the governments both in the civil law or common law traditions can abuse their powers to commandeer private parties in their criminal investigations. Imagine a judicial order for a scientist to conduct an experiment to prove some hacking crimes.

In summary, the U.S. government’s current inability to access overseas-stored data flows naturally from the nature of a warrant and the international-legal norm of sovereignty.

 2. Warrant must be issued by an officer constitutionally responsible for its target.

 Both under civil law traditions and common law traditions, The warrant requirement is the result of a compromise between the need for conducting a criminal investigation and a criminal trial on an unwilling suspect and that suspect’s right to presumption of innocence. The idea is that at least the investigation-worthiness of a suspect (i.e., “probable cause” in the U.S..) must be shown through an ex parte hearing before his or her privacy is infringed by the compulsive act of the state, or his/her procedural safeguards of presumption of innocence will be forsaken.

Now, the warrant will fulfill the envisioned role of procedural safeguards only if such state intrusions into a person’s privacy or communication are previously reviewed by officials disinterested in and independent and impartial of the progress of the criminal investigation. Almost always these officials are called “judges”.

However, what is more important than the requirement of independence, these judges must be somehow held politically accountable to that person: judges will have legitimate authority to decide on the privacy of only those people who have directly or indirectly certain mutual responsibilities with them and whose privacy they are institutionally incentivized and politically required to have concern over.  It will be odd that requiring a warrant to be issued by a judge of a foreign country will act as a procedural safeguard for the target of the warrant when that foreign judge has absolutely no reason to care for the target’s privacy.  So, surveillance/censorship requests on American people’s privacy must be supervised by American judges and requests on French people’s privacy by French judges.

Now, what if the locus of data and the locus of data controller diverge, as in the case of surveillance/censorship on user-controlled data residing on an overseas cloud server? Such surveillance/censorship involves intrusion into both the privacy of the server operator and the users, therefore it is constitutionally kosher (and mandated by human rights) to go through the filtering of both judicial systems.

That is what exactly MLAT does in the privacy area: it is consistent with the essence of a warrant by requiring both a warrant on the person and a warrant on the data before the search and seizure is conducted. Now, if MLAT is bypassed, for instance, Korean judges alone can decide whether user data residing in the Bay area should be disclosed to the Korean prosecutors, just because the owner of that data is Korean. To stretch the analogy, a Korean judge can order Apple to crack open an iPhone just because it is a Korean citizen who happened to drop it while traveling on street during his trip through Riverside Country, the United States, during the terrorist attack. Also, this will create a whole new pot of thorny questions concerning whether global intermediaries should be allowed to discriminate their users by nationality.

3. People depend on overseas servers to protect themselves from unreasonable search and seizure of their domestic law enforcement

 The Internet, being an extremely and globally distributed communication network, has been relied upon by people living under authoritarian regimes to communicate with one another free from domestic surveillance and censorship. Actually, it is not just about people under authoritarian regimes. Governments around the world have varying standards and procedures for surveillance and censorship, and so far people could forum-shop in communicating one another, depending on surveillance/censorship governance applicable to the servers they will be communicating through.

If in this case the U.S. government is allowed to enforce a warrant on data residing overseas, the foreign government will do the same on the data residing in the U.S. This will be devastating to the privacy of people overseas because the U.S. servers were the preferred forum because of the high ‘probable cause’ standard. To people under authoritarian or conflict regimes, Twitter, Facebook, and Gmail provide the only secure forms of communication and therefore became popular communication forum. Whenever there is a surveillance scandal in Korea, the market share of Gmail has peaked for a reason that many welcomed.

If foreign governments can easily search and seize data hosted on the U.S. servers, we will be forbearing that single most important gift for the powerless individuals around the world who chose the U.S. server as their communication conduit. Even if they are procedurally legitimate, i.e., meet some surrogate of ‘probable cause’ in their domestic surveillance scheme, what if they are substantively illegitimate, i.e., issued for crimes that do not meet international human rights standards such as ‘false news’ crime, insult, blasphemy, demonstration law violation, national security law violation, etc.?

One may argue “why should people be given higher procedural safeguards just because they chose one mail server as opposed to another?” However, the state must respect and play with the choices that people make. Some people may choose to conspire only by talking in a bed room or only behind a water fall.  Others may use encryption to communicate remotely.

We are not saying that people can hide their data simply by choosing to put it overseas. Law enforcement can access overseas data but must follow universal principles safeguarding people’s right to privacy, which are currently best protected by MLAT which protects both the data owner’s privacy and the data controller’s privacy.  Once the owner of data incurs the cost and efforts of putting something overseas, the law enforcement must respect that decision in tracking down that down.  If a suspect decides to live in one country as opposed to another, the international principles of extradition treaties govern how law enforcement can arrest that person while respecting his rights.  The same resilient approach should be afforded to search and seizure of overseas-residing data.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *