Australian privacy advocates are concerned about a case that could see data held by American companies seized anywhere in the world.
Microsoft has been in a five-year legal standoff with the US Justice Department over whether a warrant issued in the United States as part of a drug trafficking case can be used to access an email held on its servers in Dublin, Ireland.
The Justice Department’s appeal, currently before the Supreme Court, could have global implications given so much of the world’s digital infrastructure is run by American companies.
The case could set “a very dangerous precedent”, according to Monique Mann, an Australian Privacy Foundation (APF) board member and research fellow in the Queensland University of Technology’s law faculty.
The APF has signed onto a court brief issued on Thursday by Privacy International in support of Microsoft.
The court will consider whether an American provider of email services must comply with a warrant if the email is within that provider’s control, even if the provider stores the email abroad.
Implications for the cloud
The case raises tricky questions for suppliers of cloud services such as Microsoft, Google, Amazon and IBM.
Although the data may be accessed in the US when someone checks their email, it may be stored thousands of kilometres away.
As a brief to the court from 51 computer scientists put it:
Although many Australians use Hotmail or Gmail, we do not always know where our data is.
“The majority of people in the Western world have some sort of reliance on US providers,” said Dan Svantesson, a law professor at Bond University who was not part of the brief.
“If the US Government can get access to any data they want from these US companies, that will cause a real risk to privacy.”
There is also concern about the power the case could give American law enforcement, Dr Mann said.
“Enabling the US to have these powers would basically give them carte blanche to access data about anyone in the world, stored anywhere in the world,” she said.
Who controls your data?
Microsoft argues being made to hand over the email in the drug trafficking case could break local data protection laws in the country where the data is held.
“It puts everyone’s emails at risk,” Microsoft’s president and chief legal officer Brad Smith wrote in 2017.
In its brief, Privacy International said that allowing the US Government to seize and review data “hosted on foreign soil” undermines the ability of countries to determine their own privacy and data protection laws.
Dr Mann called it “long-arm law enforcement”.
European Union (EU) officials have also warned the case risks coming into conflict with local data protection laws, given the Republic of Ireland is within the EU.
New Zealand’s Privacy Commissioner filed a brief to the court in December suggesting that local laws must be paramount.
It urged the court to consider “the prerogative of each country — large or small — to apply its own law, including fundamental protections for the rights of its own citizens, to information within its own jurisdiction”.
The needs of law enforcement
Now that data can be stored anywhere in the world, it can be challenging for authorities to access.
This has significant implications for cross-border crimes facilitated online, such as child exploitation or drug trafficking.
In its petition to the court, the US Government wrote that “hundreds if not thousands of investigations of crimes” are being or will be hampered by the Government’s inability to obtain electronic evidence.
Traditionally, evidence needed for local cases that is held overseas can be obtained using Mutual Legal Assistance Treaties (MLATs) between countries, but the process can be cumbersome.
Professor Svantesson said he does not expect a good outcome from the case.
If the Government wins, Microsoft may be put in conflict with EU law. If Microsoft wins, law enforcement will continue to be thwarted by the cloud.
“There are no winners in such an approach,” he said.
“What we need is an overhaul of the whole system.”
While MLATs are far from perfect, Dr Mann said they were still important.
The case will be heard on Tuesday, February 27. Microsoft and the US Justice Department have been contacted for comment.