Microsoft court victory prompts call for data-grabbing regime

The Senate Judiciary Committee Subcommittee on Crime and Terrorism on Wednesday held a hearing to explore the government's inability to have its cake and eat it too.

In July last year, three judges from the Court of Appeals for the Second Circuit ruled that the Stored Communications Act does not require Microsoft to reveal customer information stored outside the US.

The decision followed from an appeal by Microsoft, which sought to undo a motion that held the company in contempt of court for refusing to execute a warrant demanding email data stored in Ireland.

In January, the appeals court, in a four-to-four split decision, decided not to rehear the case with the full set of appellate judges (en banc).

This temporary victory for cloud computing service providers, which cannot afford to be seen by customers as on-demand data dispensaries, hasn't been well-received by those charged with law enforcement, who would like to be able to obtain data they consider vital for investigations.

The dissenting judges, as Deputy Assistant Attorney General Brad Wiegmann noted in his written testimony, argue the ruling "has substantially burdened the government's legitimate law enforcement efforts, created a roadmap for the facilitation of criminal activity, and impeded programs to protect the national security of the United States and its allies."

Judiciary Committee Chairman Senator Chuck Grassley of Iowa acknowledged the problem in his opening statement. "Certainly, we all want law enforcement, in the United States especially, to have the tools to solve crimes and assist victims," he reasoned. "But we also need to ensure that privacy interests are preserved, and that American companies remain the most innovative and competitive in the world."

Best of both worlds

In short, we want it both ways. We want a legal regime that both bypasses and respects privacy barriers, as the situation demands.

At the moment, there's no legal framework that can manage this balancing act. But that's what Microsoft chief legal officer Brad Smith and others testifying before the subcommittee wish to see.

"Congress now has an opportunity to modernize the outdated laws governing cross-border access to digital information," said Smith. "We need a new framework that accounts for law enforcement's needs, the realities of today's technology, and the manner in which people and businesses rely on that technology – now and into the future."

But Smith cautions that the government should not resort to unilateralism by enacting a law that says US authorities can demand data stored from anywhere, without regard to applicable regulations. Doing so, he suggests, would encourage other countries to do the same.

"[W]e know that whatever rules we establish for US law enforcement access are likely to be replicated by other countries," Smith said. "Ultimately, unrestrained unilateralism will undermine our ability to protect the privacy of US citizens."

Smith argues that any solution will need to combine domestic legislation with international agreements. And the viewpoint he presents is optimistic. He suggests that if the US adopts strong legal protections for data and respects the laws of other countries, America can lead by example and encourage other countries to participate in a sensible international legal framework.

This utopia may serve companies like Microsoft that store data around the globe by clarifying the responsibilities of third-party service providers and the limit facing national authorities. But it won't resolve the fundamental conflict – that code represents its own kind of law. When Microsoft turns over data that a customer has encrypted, we'll be back at square one. ®