A bipartisan group of senators are backing the idea that emails held by U.S. services providers overseas need greater legal protection than they currently enjoy, but some are praising its existence and pointing out what they see as its significant flaws.
On Thursday, Sens. Orrin Hatch (R-Utah), Chris Coons (D-Del.) and Dean Heller (R-Nev.) introduced the Law Enforcement Access to Data Stored Abroad Act, or LEADS Act. The bill centers on the argument that digital content contained within the account of a "U.S. person" but held on a server overseas would be accessible to law enforcement only with a judicial warrant. The backdrop for the bill is one of the most intriguing, consequential, and complex legal cases having to do with technology now in the courts: a fight over emails held in one of Microsoft's facilities in Ireland. In July, a federal judge in New York ordered the company to turn over the data.
For its part, Microsoft is a fan of the LEADS Act. The company's general counsel, Brad Smith, put out a statement saying that, "This bill proposes a more principled legal blueprint for balancing law enforcement needs with consumer privacy rights. It also creates an important model that will help advance the international conversation that is so critically needed."
That notion was echoed by IBM in its statement: "We are proud that our customers entrust their data to IBM, wherever in the world they choose to have us secure it. By introducing this legislation, Congress is taking a positive step to clarify and modernize the legal framework regarding government access to digital data."
But even some of those who had praise for what the senators are trying expressed only limited support. Microsoft's Smith, for one, said that the bill was the next step in the global conversation over who controls which data where, but that it could not be that conversation's conclusion.
And Greg Nojeim, senior counsel at the Center for Democracy and Technology, wrote that his organization praises the bill's "overall thrust," celebrating in particular what he called its "codification of the warrant-for-content rule," a goal CDT and allies have long pursued.
But, said Nojeim, he's concerned that the law only applies to emails in accounts held by "U.S. person." Those in accounts of non-U.S. persons would be released only under coordination achieved through the multi-national Mutual Legal Assistance Treaty, or MLAT. The MLAT process, CDT argues, is under-resourced and clunky -- in his January speech on NSA reforms, President Obama talked of the need for improvement -- but represents a global agreement that CDT would prefer would be triggered in all email cases.
That duality, argues CDT, risks establishing the idea that governments have a special power over their own citizen's data that extends across border. For that reason, says Nojeim, those involved in the debate must take into consideration how the bill "would affect the global balance of privacy versus government power with respect to data U.S. providers store outside the U.S. for account holders who are not Americans."
It's a tricky situation that is only going to grow trickier as the Internet becomes ever more global -- in part because countries like Ireland have been aggressive in attracting Internet-based providers to base at least some of their operations within their borders. That might make technological and economic sense, but it raises legal questions with which the world has never before had to cope. Jim Dempsey is a senior counsel at the Center for Democracy and Technology. In an interview last month, Dempsey predicted that "there is increasingly going to be situations where two governments have a legitimate interest in the same piece of data."