Astute readers may recall a kerfuffle from a couple of years ago, when the Department of Justice demanded that Microsoft turn over user content stored on its servers located in Ireland. The DOJ claimed that, since Microsoft is a U.S. company, it was bound by U.S. law, while the Republic of Ireland noted that its laws protect Irish citizens — some of whose data were stored on the servers — from privacy invasions by either foreign tech companies or foreign governments.
Microsoft was between a rock and a hard place but chose to fight for user privacy. After several court rulings, it appeared that the tech giant had prevailed over the government. But like all such victories, it may prove to be only temporary. Years later, the DOJ is still trying to overturn the ruling in Microsoft’s favor and get access to user data.
A large part of the problem — and the reason why this fight has been so contentious — is the Electronic Communications Privacy Act (ECPA) that was originally signed into law in 1986, before the power and ubiquity of the Internet could ever have been foreseen. For example, ECPA allows government agents to seize email records that have been sitting in inboxes for more than 180 days without a warrant, for the simple reason that the idea of storing old emails for more than six months was practically unheard of 30 years ago due to storage limitations. The law also offers no framework for interacting with foreign governments or foreign nationals, as today’s international cloud computing systems could not have been predicted at the time.
For years, pro-privacy lawmakers have been calling for an update to ECPA without success. Now, a bipartisan group of congressmen and senators are asking Attorney General Loretta Lynch to lay off Microsoft while they try to hammer out the latest reform package — this time going under the name of the International Communications Privacy Act (ICPA).
The bill, sponsored by Orrin Hatch in the Senate and Tom Marino in the House, would require a valid search warrant for any seizure of electronic communications, regardless of the physical location of the server. In countries with which the U.S. has a “Law Enforcement Cooperation Agreement” (including most countries we’re not at war with), the host nation may object to the search warrant “within 60 days after formal submission of a request” to render it invalid and protect the privacy of its own citizens. This would resolve the conflict between U.S. law and the laws of other nations with which we are generally on good terms, such as Ireland, while allowing those nations to preserve sovereignty and privacy as they see fit.
Some tech companies have already come out in support of the bill, praising it for the clarity it offers, and Attorney General Lynch has been invited to help refine the bill’s language to ensure that law enforcement is not unduly handcuffed.
Of course, not all privacy concerns will be alleviated. If a foreign country takes a lax view of citizen privacy or has declined to enter into a mutual law enforcement agreement, the U.S. government would easily be able to compel the forfeiture of vast amounts of user data. This is also the case if law enforcement is unable — or claims to be unable — to determine the physical location of a person whose data it wishes to seize.
Still, the blanket requirement of due process in the form of legally obtained warrants is a big improvement over the earlier version of ECPA, which allowed privacy violations at will, giving citizens no recourse, or even knowledge, that their data was being extracted. The reforms in the new bill would give American citizens their constitutionally guaranteed due process, as well as allow foreign nationals to appeal to their own governments from protection from U.S. snooping.
Privacy reform for electronic communications is long overdue. Let’s hope that whatever Congress eventually passes is sufficient to protect innocent people everywhere from the prying eyes of the government.
The article originally appeared on Conservative Review.
Add comment