As the internet permeates more and more of everyday life and the cyber and physical worlds continue to intersect in new ways, legislators are faced with the difficult responsibility of defining law and policy within this complex domain.
In 2013, a wrinkle in cyber policy appeared that the Supreme Court is still ironing out today. A New York district county judge served Microsoft a search warrant requesting email records and information from a particular user account as part of a domestic drug-trafficking investigation. Microsoft responded by turning over the account information and other metadata stored on servers at the company’s headquarters in Redmond, Wash., but declined to cede the actual email content because it wasn’t hosted on United States soil. Instead, the data was stored at a facility in Dublin, Ireland, where the account was created. Microsoft claimed U.S. law enforcement had no jurisdiction over foreign data and would have to go through Irish authorities to obtain access. The U.S. hoped to bypass those cumbersome proceedings because Microsoft is an American company and could relocate the data in question to a server in the U.S. The resulting case, dubbed Microsoft v. U.S, was heard by the Supreme Court February 28. A ruling is expected by the end of the Court’s term in June.
The U.S. does maintain a mutual legal assistance treaty (MLAT) with Ireland that provides an established process for legal requests such as this one that take place on foreign soil. Ireland has also expressed willingness to cooperate through that process. But after five years of appellate court hearings and reversals, it appears the U.S. Department of Justice (DOJ) has its sights set beyond the initial few emails.
Rather, the government hopes to win the case and establish legal precedent that grants law enforcement the conditional right (like in the case of a criminal investigation) to seize data owned by American companies regardless of where the host server is located. This is especially desirable because companies often fracture their data and store it on multiple servers around the world. Instead of dealing with multiple foreign governments and their disparate data laws, the DOJ aims to expedite the process by going directly to the company in question. The U.S. believes a case victory would mean fast, easy access to evidence related to serious crimes and national security threats, WIRED reports.
On the other hand, Microsoft is concerned such policy could deter foreign customers who don’t want their data at the disposal of U.S. law enforcement, according to The Verge. Some argue that a ruling in favor of the U.S. might mean other countries like Russia or China could issue similar requests for communication data stored in the U.S—requests potentially lined with malicious intent.
As of yet, most people don’t consider digital data in terms of location or geopolitical boundaries. But with the advent of the cloud, the onus is on policymakers to more boldly define the borders of cyberspace. For example, do the established geographic and legal boundaries of the physical world extend to cyber? Does digital data have the same protections as paper data?
Microsoft v. U.S. will take a step toward answering these questions, but runs the risk of dividing the IT and cyber communities. A victory for Microsoft could enable the safeguarding of data stored overseas, especially that related to various types of trafficking or terrorism, but a victory for the U.S. could jeopardize rights to personal privacy.
The Verge suggests a compromise may be reached through an amendment to the 1986 Stored Communications Act on which the initial search warrant was founded. Revitalizing and revising old legislation to consider modern technology will likely be necessary for the world to fully embrace the cyber realm.
Photo Credit: Flickr