Another data privacy war is brewing in the United States. The country is on the verge of changing archaic laws from the pre-internet era. All this, as the world’s economic superpower struggles to accept an administrative change, one that is almost imperialistic in nature and has managed to alarm not just its own citizens, but that of the entire world.
"We are all in for a serious breach of our privacy"
In the midst of this uncertain and politically unstable environment, a U.S. Magistrate Judge from Philadelphia, Thomas Rueter, has ruled that transferring emails from foreign servers, so that the FBI can access them, does not qualify as seizure. The FBI warrant seeks to access data from Google’s servers based outside of the United States. If the ruling is upheld by higher courts, it is feared that it would imply to all American tech companies in the future, including the likes of Facebook and Microsoft. If that happens, we are all in for a serious breach of our privacy. How?
Well, the judge asserted that such data is part of a domestic fraud probe and there is "no meaningful interference" with the account holder's "possessory interest" in the data sought. "Though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States," Rueter wrote.
U.S. law does not work outside the country
This ruling seeks to broaden the very scope of U.S. jurisdiction, creating a large privacy loophole as far as user data is concerned. A similar warrant was overturned back in July 2016, when a federal appeals court ruled in favour of Microsoft, saying that U.S. based companies cannot be forced to turnover customer emails that are stored on servers outside the country. The U.S. Circuit court asserted the fact that U.S. law does not work outside the country.
Google plans to quote the Microsoft ruling as its defense in an appeal. "The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants," the Mountain View tech giant noted in a statement. But, things won’t be so simple for Google, while the future of other such companies also hangs in the balance.
Data, the most coveted commodity in the digital world, is stored on hundreds of server farms across the world. These data farms house thousands of servers, which are in turn linked together. Each time you and I send a Facebook message, share a post, send an email through services like Gmail, hotmail, upload filed on a cloud-based drive, our data goes to these servers, where it is stored and/or distributed to its intended destination. Sometimes companies like Google, Facebook and Microsoft also use end-to-end encryption (E2E) for their services, in which case user data is protected by private keys that are generated and stored on the communicating users’ devices, and not even the companies themselves can unscramble or decrypt that data. Some examples of E2E encryption include Facebook owned WhatsApp, Messenger’s Secret Conversations and Google Allo’s optional incognito messages.
"The act itself was established in 1986, three years before the invention of the World Wide Web"
For a long time now, the Stored Communications Act (SCA) in the U.S. has allowed law enforcement authorities to access user data by presenting warrants. However, the SCA does not apply extraterritorially. It should also be noted that the act itself was established in 1986, three years before the invention of the World Wide Web, a time when cloud-based services were unheard of and webmail did not exist.
Another redundant law known as the Electronic Communications Privacy Act (ECPA) allows U.S. law enforcement to access any stored files without a warrant, if such files are left on a server for more than 180 days. The rationale behind this is that if online communications are stored beyond a period of 180 days, they are considered abandoned and thus do not fall under the purview of privacy. The ECPA, like the SCA was also established back in 1986. U.S. lawmakers are trying to replace this archaic act, with The Email Privacy Act, which universally requires warrants for any access to stored files. This Email Privacy Bill received an approval from the U.S. House of Representatives as recently as two days ago and is awaiting the Senate, and ultimately the Presiden't approval.
The clock is ticking for the U.S. Congress to reform these age-old acts, given President Trump’s stronghold on the Justice Department. The Trump administration is expected to be pro-surveillance and if reforms are not made any time soon, people like us will have no choice but to accept the fact that if we use US based online services, our private and confidential data can be accessed without our consent at any given moment.
In case of Google, the company itself claims that it sometimes breaks up information into pieces, and does not necessarily know where that data is stored. Google receives over 25,000 requests annually from U.S. authorities to disclose private user information in criminal matters. There is no clarity on how this privacy debate will shape up in the US, but one thing is for sure, it will affect us all. One can either expect a widened scope of domestic warrants in the U.S., endangering the privacy of millions of internet users, or a push towards localisation of data stored by U.S. companies, resulting in a similar catastrophe, not to forget, some upturned international relationships. Let’s seriously hope they find a middle path.
Header Image Courtesy: The Economist