For U.S. Tech Firms Abroad And Data In The Cloud, Whose Laws Apply?
The legal dispute over whether Apple should be forced to help the FBI hack into the iPhone used by one of the terrorists in San Bernardino is making headlines in the U.S.
But it's just one skirmish in a broader global conflict: American tech companies are feeling similar pressure from law enforcement agencies around the world, and they say the lack of international legal standards is creating a crisis.
Just this week, a similar dispute in Brazil resulted in the brief arrest of one of Facebook's Latin America executives. Facebook owns the messaging service WhatsApp, which encrypts its messages, something that often frustrates Brazilian law enforcement.
In this case, a judge in the state of Sergipe wanted WhatsApp data linked to drug trafficking suspects. WhatsApp says the court is demanding information it simply doesn't possess.
In an ideal world, we would have some sort of universal agreement, and all the countries in the world would come together, and there would be a baseline set of procedural protections that apply to all requests, and there would be total agreement about what the jurisdictional hook is for when countries can get access to data. That's just not going to happen.
But even if it did have the data, it may have not been able to share. Frederico Meinberg Ceroy, a prosecutor in Brasilia who specializes in computer privacy, says some U.S. tech companies say they're not allowed to comply with requests from Brazilian courts.
"They argue that because they're American companies, they're not supposed to comply with court orders here," Ceroy says. "But we have a new statute that says any company serving Brazilian consumers is subject to Brazilian law — even if that company is based in Dubai or New York or San Francisco."
American companies often can't comply with foreign laws because the data in question is often stored on servers in the U.S. — and federal law says they can't just turn that kind of data over to foreign courts. Foreign authorities are supposed to go through diplomatic channels — through something called a Mutual Legal Assistance Treaty, or "MLAT." But Brazilian prosecutor Ceroy says forget it.
"With the bureaucracy of the MLAT these days, there's no point pursuing an investigation, because it'll take two or three years just to get back the information you've requested," he says.
That kind of frustration is causing more countries — not just Brazil — to skip the diplomatic route. In fact, American judges do it, too. A couple of years ago, a court in New York ordered Microsoft to turn over a user's emails that were stored on a server in Ireland. That came as the result of a search warrant issued in a drug-trafficking investigation. Microsoft refused, saying American courts don't have jurisdiction over data held overseas.
That case is still on appeal, and at a congressional hearing last week, Microsoft President Brad Smith said the broader trend is becoming a serious problem.
"We appreciate that law enforcement needs information sometimes located in other countries to do its job. But this approach to using unilateral process is causing concern around the world," he told the House Judiciary Committee. "It is causing concern in other countries about people's privacy rights. It is causing concern about whether other countries can even trust and use American products and technology."
For the last couple of decades, the mantra of American tech companies has been that they comply with "all lawful orders" in the countries where they operate. But the rise of cloud computing is making that policy unworkable.
U.S. tech companies "do comply with lawful orders, but there's a huge question about whose orders do you comply with, at the moment," says Jen Daskal, an assistant professor of law at American University who has been following this problem closely.
"In an ideal world, we would have some sort of universal agreement, and all the countries in the world would come together, and there would be a baseline set of procedural protections that apply to all requests, and there would be total agreement about what the jurisdictional hook is for when countries can get access to data," Daskal says. "That's just not going to happen."
Some American tech companies have responded to the situation by "mirroring" data on servers in countries where judges are demanding more cooperation. By keeping the data on that country's territory, they hope to comply with foreign court orders without violating U.S. law.
But Daskal says this approach has drawbacks. It's less efficient, from a technical standpoint, and it may lead to a balkanization of data that eventually erodes privacy for people living in those countries.
She says the better solution may be for the U.S. to strike deals with specific countries, allowing their courts more direct access to their citizens' data stored on U.S. servers, and vice versa; the Obama administration is negotiating just such a deal with the United Kingdom.
If this approach catches on, the end result could be a system in which your privacy rights are no longer determined by where your data is stored — but instead by which country you call home. And that makes sense to Microsoft's Brad Smith.
"The most important thing is that people have the protection of their own rights by their own law," he said.
That would certainly make life simpler for American tech companies — though it could eventually mean lower privacy protections for foreigners who have data sitting on American servers.
Copyright 2020 NPR. To see more, visit https://www.npr.org.