Court Says Warrants Apply to Data Held Outside USA

A recent legal decision has major implications for big multinational tech businesses based in the USA, after a court decided they must provide data covered by a police warrant, even if the data is stored overseas. In the case Google argued that they could not be compelled to provide data if they did not know where it was, and if it might be held outside of the country. This argument is pretty consistent with a case involving Microsoft that was recently upheld on appeal. However, in the Google case a judge for the US District Court for the Eastern District of Pennsylvania ruled that the search took place in the USA, and that there was “no meaningful interference” with the account holder’s “possessory interest” in the data sought.

In the Microsoft case, the tech giant successfully argued that data held on Irish servers should be obtained by US law enforcement using established procedures to approach a foreign government for access to the data. The reverse conclusion was reached in the new Google case: there was no need to seek assistance from a foreign government because irrespective of where the data is stored, the ‘search’ was performed in the USA.

The US Department of Justice (DoJ) was understandably pleased that the Google case swung their way. Google’s defense was that they could not know where the data was held at any point in time, because of the algorithmic way in which data is moved around their international resources. The DoJ countered that Google’s argument would make it impossible to ever obtain legal access to data relevant to the investigation of crimes:

As Google has explained, Google stores individual data files in multiple data “shards,” each separate shard being stored in separate locations around the world. Google cannot determine where its separate data shards are stored around the world at any given time. Google also moves that data around the world using computer algorithms that decide where data is stored at any given moment. As a consequence, Google’s argument would mean that data that happens to be outside the United States – even data that the government knows about and describes in a search warrant affidavit – is never accessible. Not with a warrant; not with a treaty request to another country; not with anything. And even assuming that the location could be determined, the Google algorithm could move it to another country before legal process could reach it.

The judge’s decision rejected Google’s argument on the basis that there was no issue relating to where Google would comply with the warrant.

…under this court’s interpretation, Google will gather the requested undisclosed data on its computers in California, copy the data in California, and send the data to law enforcement agents in the United States, who will then conduct their searches in the United States.

In this case the judge may be right about how to interpret the law of the USA. But there is a more fundamental issue of how the USA complies with its treaty obligations to other nations. I have repeatedly argued that US-EU deals like Safe Harbor and the new ‘Privacy Shield’ are fundamentally flawed because US law contradicts the obligations that the USA says it will honor in those other agreements. You cannot tell an EU citizen that the US is bound to respect that person’s data protection rights as defined in EU law when US law allows American authorities to grab data in ways that European authorities cannot.

Some European lawmakers are becoming wise to the risk that government surveillance is a risk to business as well as the individual. In the UK, a Conservative Party MP recently criticized his own party leader’s policy on encryption, arguing that hard encryption is a vital component of modern business and that Britain will lose out on the supply of fintech if British suppliers are forced to water down the quality of encryption in their products and services. This is a similar argument to that often repeated in the USA, where some politicians argue that American businesses are moving overseas to protect the data of their customers. For example, a ten-hour filibuster speech about surveillance by Senator Rand Paul included the observation that a “business person in Europe wouldn’t use email” when there is a genuine fear that such emails may be intercepted by the US government.

Law enforcement bodies want to catch bad guys, and they seek information that helps them to do that. But there is a lot of information in the world and the way it crosses borders raises lots of concerns over who might access it and why. Furthermore, a country might respect the rights of its citizens, whilst making no similar promises to everyone else. This makes data protection a nightmare for big modern tech businesses, including telcos. Whilst Google may have lost this case, it is understandable why they want the least amount of government intrusion into the data they collect and hold about their customers.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.