Tuesday, February 27, 2018

Does the U.S. Government's right to examine digital evidence stop at the border?

The Supreme Court is hearing a case this week, U.S. v. Microsoft, which will have broad implications in defining the scope of governmental powers in the age of cloud computing.

As described in the New York Times, in 2013, federal agents served Microsoft with a warrant to get the emails of a suspected drug trafficker. Microsoft turned over the suspect's account information and address book, but did not turn over the content of the email messages themselves. Those messages were stored on servers located in Ireland.

The question before the Court is whether the government can obtain warrants pertaining to assets located outside its own borders.

Craig Newman is right that both sides have a legitimate argument to make.  On the one hand, the government - with a warrant - should be able to investigate things like drug trafficking, terrorism, child pornography, and fraud to the greatest extent the law allows. Where the server storing the 0s and 1s of a particular email happens to be located on any given day should be a secondary concern to the larger interest of public safety.

On the other hand, Microsoft rightfully asserts that, if the U.S. government can potentially have access to all data stored by American-based companies - even on overseas servers - then, at best, American tech companies will be at a serious competitive disadvantage, and at worst, they won't be allowed to conduct business at all with many of the largest economies in the world that have stronger privacy laws in place. Germany, for example, has already publicly stated that if the court rules against Microsoft in this case that it will not use any American company for its data services.

Newman proposes a solution whereby the determining factors ought to be the citizenship and geographical location of the individual whose data the government seeks, rather than the physical location of the data. However I believe he misses the point. By his own admission, the real problem lies not in where the server is physically located, but in how data is dynamically stored. All of the 0s and 1s that together make up a single email message are increasingly broken up into millions of individual bits that are then stored on different servers in different locations around the world.  It only becomes, what we perceive as, a single email message when it is reassembled on the requesting end.  In fact, to think of an email message as one single entity stored in one single place is an outdated and increasingly obsolete notion.

It would also be problematic to pursue another suggestion - that the determining factor should be based on where the data can be accessed. The argument there goes that, despite the server being in Ireland, the fact that Microsoft could click a button in Redmond, Washington and immediately have access to those emails ought to guide the law.  However, this too would open up a Pandora's Box considering that the entirety of the Web itself is based on such a system of data, software, and front-end interfaces (i.e. - websites) being accessible with a similar click of a button. Would such a plan, by extension, also grant the U.S. government jurisdiction to virtually all public facing content on the Web?  It's a slippery slope.

Personally, I believe that the public safety interests here ought to trump the (legitimate) fears of an extension of the surveillance State.  My reasoning is that, because of dynamic cloud-based storage, to only grant law enforcement the ability to investigate digital assets that are exclusively located in the geographic U.S. will make it virtually impossible to conduct any type of modern investigation. The digital realm is, after all, borderless, by definition. The legislative effort should focus instead on creating some other checks intent on curbing the actual abuse of such power.

And, no, the blockchain is not the answer either.