Who Owns Your Email? An Interview With Brad Smith, General Counsel Of Microsoft

A conversation between Microsoft GC Brad Smith and technology columnist Jeff Bennion about a Second Circuit case with important implications for data privacy.

Where is your data? We talk about “the cloud” as if it’s something mystical or unfathomable, but that data is stored in a real place. I suppose calling it “the cloud” is catchier than “offsite server,” but that’s really all that it means. Every Gmail, Hotmail, Yahoo!, and AOL e-mail is saved in some temperature-controlled, secure data center somewhere in the world. But, do you know where? Does it matter? Most of us have a pretty good idea of how much control we have over our paper files, but have absolutely no idea where exactly our cloud data is and who has access to it.

As we wrote about previously, Microsoft is in the middle of a legal battle with the U.S. government over compliance with a search warrant issued in the United States and seeking data stored in Microsoft data centers abroad. Microsoft sums the problem up perfectly in the opening paragraphs to their appellate brief:

Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter’s box with a master key, rummage through it, and fax the private letters to the Stadtpolizei.

The U.S. Secretary of State fumes: “We are outraged by the decision to bypass existing formal procedures that the European Union and the United States have agreed on for bilateral cooperation, and to embark instead on extraterritorial law enforcement activity on American soil in violation of international law and our own privacy laws.” Germany’s Foreign Minister responds: “We did not conduct an extraterritorial search—in fact we didn’t search anything at all. No German officer ever set foot in the United States. The Stadtpolizei merely ordered a German company to produce its own business records, which were in its own possession, custody, and control. The American reporter’s privacy interests were fully protected, because the Stadtpolizei secured a warrant from a neutral magistrate.”

As we move more and more into the cloud, are our privacy rights keeping pace?

I had the opportunity to conduct a Q&A with Brad Smith, Executive Vice President and General Counsel of Microsoft, on this case. Here’s how it unfolded.

JB: With developments in technology evolving faster than the laws regarding technology, how can consumers expect their privacy to be protected?

People’s trust in technology has been shaken, in part because of what Edward Snowden revealed about the U.S. government’s activities and in part because the Internet is a platform for things like the Sony hack. But the Internet is also used to advance positive values – it frequently shapes both the good and bad that happen in the real world.

In the broadest sense we need to act as a society to decide what timeless values we want to endure, including a balance between privacy and public safety, given that both are of such great importance. We then need to translate these values into modern principles and commitments, or laws. Congress is the most important decider here, and the country’s trust in technology will in large part depend on what Congress does. And this is what our case is about, making sure that it’s not the police or technology companies deciding where warrants apply but rather that Congress’s intent is followed. And if the law needs to change, there should be public debate and new legislation.

Technology companies of course have a big part in earning trust, too. We have key principles that guide our decisions and investments – that technology must be secure, it must be under our customers’ control, people’s information should be managed according to the law, and we should be transparent. These principles are seen in things like our investments in encryption, the three lawsuits we’ve filed against the U.S. Government on behalf of customer rights, and regular transparency reports that are open about law enforcement requests we receive and how we respond to them.

JB: If the Government can search a U.S. residence, why should they not be able to access customer e-mails at a U.S. company’s datacenter?

There’s no question that a valid U.S. search warrant applies to physical evidence in the U.S. – like that in a house – or digital content in the U.S. – like that in a data center. But the law and longstanding practice are clear that in the physical world, search warrants stop at a country’s borders, and the U.S. government can’t search a house abroad without going through the local government. The question in our case is whether a U.S. warrant can apply to digital communications that are stored in a data center located in another country.

Part of the answer hinges on another question: Who owns your email? The government argues that the email provider owns the content of your email and the provider should therefore be able to repatriate it as if it’s just a business record. We believe the law has long differentiated between a company’s business records and the content of personal communications that might sit with a custodian. This is not a new concept. It is as old as the postal service, as reflected in the legal holding that the contents of a letter don’t become a business record of the postal service just because you drop it into a mailbox.

JB: We’ve seen an exponential growth of personal data being moved to the cloud in the last five years. How will this case affect cloud service?

Our case is one part of a much larger issue. The Internet will continue to bring us together, but national borders will remain important – and in some circumstances this creates a tension. We think the right path is for governments to find ways to embrace global technology while respecting each other’s rights, and one hope is that a positive outcome in our case contributes to this.

We have heard from customers and governments that people are watching the case closely. If the U.S. government successfully argues it can reach across borders, it could encourage people and governments abroad to lock down their data. It could also open the door for them to adopt similar practices to reach into the U.S.

JB: This case involves an assertion from the government that, since data is stored in data centers based on uncorroborated info provided at the registration phase, people could lie about their location to dodge government subpoenas. The implication is that, based on responses to a questionnaire, consumers’ privacy rights as they relate to the government’s subpoena power might be treated differently. How much should the average consumer be expected to know about data center location and related privacy exceptions for such mundane things as sending an e-mail from a free web account?

One of the points made by the U.S. Supreme Court in the Riley decision last year is that people store their lives on their smartphones and they often don’t know whether their content is actually on the phone or in the cloud. We think that was a good decision because it said to people that the law and the Constitution will protect their rights in a way that doesn’t require them to worry each moment about the underlying technology. It’s a similar principle that we’re arguing for in our case. We keep a customer’s communication as close to them as possible so they can access it more quickly and smoothly, and someone in Ireland shouldn’t need to worry that the U.S. might access their data in a way that’s inconsistent with their own laws.

And of course we believe that laws should work the same way when the shoe is on the other foot. Americans should not have to worry that a foreign government will be able to access their data simply because it is stored in the United States at a data center that is owned by a foreign company.

Your question does raise an important point that in a global society where people move around it’s hard to always store their data where they are with certainty. There are solutions that help ensure principles stay in place even if people move around. For example, legislation in the House and Senate with good momentum – the LEADS Act – would clarify that U.S. warrants stop at the border except in the case that it’s a U.S. citizen who managed to somehow get his or her data stored overseas.

JB: Should there be any difference in the expectation of privacy in an e-mail versus a paper letter?

No. We need to make sure people trust the technology on their desks and in their pockets. And people won’t trust technology if they lose their rights when they hit the send button on an email. It’s important that we find ways to preserve our values while advancing technology.

In the Matter of a Warrant to Search a Certain E-mail Account: Brief for Appellant
[U.S. Court of Appeals for the Second Circuit]
Toward A Modern Statutory Framework For Law Enforcement Access To Electronic Communications [Bancroft PLLC]

Earlier: Technology & Law: Can U.S. Law Enforcement Virtually Break Into Foreign Data Centers?
