from Net Politics and Digital and Cyberspace Policy Program

Do Local Laws Belong In a Global Cloud? Q&A with Brad Smith of Microsoft (Part One)

CFR Cyber Net Politics Microsoft Data Center

August 26, 2015

CFR Cyber Net Politics Microsoft Data Center
Blog Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

More on:

Digital Policy


Politics and Government

In December 2013, the U.S. Department of Justice (DOJ) served Microsoft with a warrant requiring the company to hand over the e-mails of a Microsoft customer suspected of drug trafficking. Microsoft refused to turn over the e-mails on the basis that they are stored in servers at a data center in Ireland and that the warrant did not apply to overseas data. Instead, Microsoft argued the DOJ should work with Irish authorities to obtain access to the data. In July 2014, a U.S. district court ordered Microsoft to turn over the e-mails, but Microsoft appealed to the Second Circuit Court of Appeals, which will hear arguments on September 9.

In light of the significance of this case for U.S. consumers and businesses, and the impact that its outcome could have on the privacy of digital communications, Brad Smith, executive vice president and general counsel for Microsoft, took the time to answer some questions regarding the case and what its outcome might mean.

We’ve split our interview with Brad into two posts, with today’s post looking at the policy side of things. Legal issues related to the case will be featured in a post tomorrow.

Question: It’s obvious why foreign citizens have a stake in the outcome of this case: the privacy of their data is in question. Why should a U.S. citizen, whose data is stored only on servers located in the United States, care?

Answer: At the broadest level, this issue is about the future of technology. We need to ensure that people can trust the technology on their desks and in their pockets. And this trust will only come if the laws are clear.

There are other immediate reasons too, and perhaps the most powerful is public safety and national security. If the U.S. government is permitted to serve warrants on tech companies in the United States and obtain people’s e-mails in any country, it will open the floodgate for other countries to serve warrants on tech companies for the private communications of American citizens that are stored in the United States in a data center owned by a foreign company. Imagine the immediate implications for journalists, advocacy organizations, or government officials here.

Q: If you win this litigation, it could be argued that the United States will have less authority than other states to pursue national security and law enforcement investigations across borders. Does greater privacy protection necessarily equal fewer powers for national security investigations? 

A: We need to balance both privacy and national security, and we believe that can be achieved. In the first instance, we believe that the U.S. government should use effectively the international legal tools that exist today. When the French government confronted the horrendous attack on Charlie Hebdo, it routed a request through the U.S. government, and Microsoft provided the e-mail content within forty-five minutes—legally. There exists a good treaty between the U.S and Irish governments that could be used to access the e-mail that is located in Ireland and is the subject of this case. All of the testimony in the lawsuit in fact indicates that this provides an effective mechanism for law enforcement purposes.

But there are additional alternatives as well.

For example, if law enforcement needs more tools than Congress has provided, then we should all turn to Congress to change the law. That in fact is what Microsoft has done by advocating for the LEADS Act in Congress. This would give U.S. law enforcement the ability to obtain e-mail content located outside the United States unilaterally when the content belongs to a U.S. citizen or resident. But it would require the U.S. government to go through international mechanisms when the e-mail belongs to a foreigner who is outside the United States. We think that’s a sensible way to draw a line that will assist law enforcement and also respect international borders.

Finally, there’s a clear need and opportunity to create new international legal rules and processes.  We’ve been making concrete suggestions in this area, too. Ultimately there are clear areas for improvement, but they will come only if everyone focuses on advancing them. And that starts with winning our case and putting all of us on a path that will focus on the changes that are needed.

Q:What if you lose the litigation? What are the technological and legal consequences for Microsoft and others?

A: As we’ve made clear since we filed this case, we’ll certainly do our best to take it all the way to the Supreme Court if that’s what is needed. The case raises important questions about the future of the Internet, privacy, respect for borders, and public safety. When we took on this case, we did so not only with an eye on our own needs, but a much broader set of interests. That is reflected in what I think is an extraordinary set of amicus briefs filed in support of our position, coming from twenty-eight technology and media companies, twenty-three trade associations and advocacy groups, thirty-five leading computer scientists, and the Government of Ireland itself. That captures a bit of what is at stake here.

Q: When the laws governing access to electronic communications were passed in 1986, it was inconceivable that an individual might want to (or even have the capacity to) store large amounts of data on a remote server. Do you think Congress should modernize the law to avoid disputes such as these in the future?

A: In the first instance, we think Congress’ intent was clear and this warrant was meant to be domestic like other warrants. There’s simply no indication that Congress intended to give the Executive Branch the legal authority to reach unilaterally into other countries. This scenario wasn’t even discussed.

But looking beyond that, you’re absolutely right, there’s no way Congress could have known about cloud computing in 1986. The LEADS Act is one example of legislation that would carry Congress’ original intent into the Internet age by updating the law.

Q: What about other governments?  Are you seeing EU or other sovereign governments putting forward solutions that could resolve these types of conflicts between sovereign nations?

A: It’s already public that the United States and EU are discussing these issues, and there’s a foundation in place for the two to forge new trans-Atlantic legal rules that will better enable law enforcement, with appropriate safeguards, to obtain information needed for lawful investigations across borders. I also think there’s work many governments can do to modernize Mutual Legal Assistance Treaties, or MLATs, including by standardizing the terms and moving to electronic systems to process them.

More on:

Digital Policy


Politics and Government