The Cloud represents a vast spatiotemporal reconfiguration of data storage. Time and geographical distance are ostensibly meaningless dimensions under a system in which data is accessible practically anywhere, any time. As Cloud-based services gain traction and replace obsolete data infrastructure in all the major industries, information technology causes us to rethink approaches to governance, privacy, and security. By shattering the traditional barriers of time and space, Cloud storage transforms a localized storage system into one that is without boundaries.
The transcendent nature of the Cloud introduces—quite literally—another dimension into the equation of governance. Without borders to demark a government’s jurisdiction, Cloud data draws governments into an uncharted domain where legislation is often sparse and precedents virtually nonexistent. When corporations are added into the fray, antithetical business and government positions on privacy, human rights, and international diplomacy render an unclear and convoluted system in which governments must modulate agreements that reconcile these diametrically opposed interests. In particular, disputes emerge at the intersection of digital privacy rights and national security, with tech companies championing their users’ rights and the government defending its duty to conduct investigations in debates surrounding overseas data.
On February 27, 2018, this conflict between privacy and security came to a head in oral hearings at the Supreme Court in U.S. v. Microsoft. The case hinges on the controversial application of a 1986 law that allows the United States government to request emails and other communications from tech companies. At stake are the $250 billion Cloud-computing industry, privacy rights, national security, and—decisively—the United States’ access to overseas data.
The case began in 2013, when the United States government presented Microsoft with a search warrant to obtain the emails of a user involved in a high-profile drug-trafficking incident. Though Microsoft partially complied by providing the metadata that was hosted on its US-based servers, it refused to hand over the actual content of the emails stored on its servers in Dublin. In the ensuing months, the lower courts were divided in interpreting the 1986 Stored Communications Act (SCA)—the law that ostensibly legitimized the government’s warrant despite the fact that it was enacted before the dawn of mainstream Cloud technology. While the district court held Microsoft in contempt for noncompliance on the grounds that the warrant applies to overseas data, the Second Circuit ruled the opposite, maintaining that the SCA does not apply to data stored on foreign, company-owned servers. As the Supreme Court deliberates over the case in the coming months, it is acutely aware that the ramifications of its decision on privacy and overseas data rights will become a formative landmark in navigating technology policy moving forward.
Microsoft’s case rests on the argument that the warrant only applies within US borders. This defense, upheld by the Second Circuit, is advanced by Microsoft’s litigation team on the grounds that “seizure occurs where the seized object is located, not where the operator happens to sit.” The government, however, occupies an antipodal position: its logic hinges on the premise that the actual act of accessing the data—that is, copying and moving the data from the Cloud—does not itself constitute an act of search and seizure. Rather, the true seizure of the data lies in the exchange of emails between Microsoft and the government after the data is already in company hands on US soil.
Herein lies the central governance dilemma: How is data to be governed in a storage system unhindered by spatiotemporal limitations? What keeps governments and corporations from accessing data overseas when it is merely a click away? And most importantly, what constitutes ‘crossing the line’ in this process? Microsoft and other tech companies argue that—as global corporations—their competitive success is contingent upon synergism between the United States and the countries in which they hold offices. They fear that if the US oversteps its boundaries with invasive search warrants, multinational tech companies will suffer major economic losses. Moreover, Microsoft argues that the very act of issuing a warrant for data on foreign servers is a violation of the Fourth Amendment: “A company acting as a government agent is conducting a Fourth Amendment ‘search and seizure’ when accessing, copying, or moving a user’s data, regardless of when, where, or even whether investigators later search it,” says Jennifer Stisa Granick—a surveillance and cybersecurity counsel for the ACLU. By this logic, the government’s search and seizure poses a two-fold problem: first, it is (arguably) an unconstitutional application of the Fourth Amendment, and second, it presents a risky diplomatic gamble for companies that depend on international accord.
Rosenkranz—the attorney who argued on behalf of Microsoft in front of the Supreme Court—considers the government’s position “a recipe for global chaos.” With a system of Mutual Legal Assistance Treaties (MLATs) already in place to handle data exchanges in federal investigations, search warrants strike a brazen and presumptuous tone; the search warrant blatantly flouts such agreements. As such, Rosenkranz argues: “If ever there were a step that is sure to stoke international tension, it is sidestepping the treaties that were negotiated by countries precisely to protect their sovereignty, and instead unilaterally obtaining reams of personal letters. . . . If another country did this to us, we would be outraged at the most basic level.” Rosenkranz’s latter point presents yet another argument in favor of Microsoft: if the United States government is permitted to access foreign data through US-based multinational companies, what prevents other countries from doing the same? The ultimate fear is that a ruling in favor of the government will “instigate a global free-for-all, inviting foreign governments to reciprocate by unilaterally seizing U.S. citizens’ private correspondence from computers in the United States.”
Indeed, privacy rights pose what is, perhaps, the most contentious point of debate surrounding Cloud data. In the shadow of the Snowden leaks, privacy rights and customer trust are hot-button topics. Ruling in favor of the government would dramatically increase—and perhaps, condone—surveillance of customer data by the United States and foreign governments. For tech companies like Microsoft, digital privacy is of crucial interest in maintaining customer trust. Indeed, Microsoft’s chief legal officer reassures, “We believe that people’s privacy rights should be protected by the laws of their own countries and we believe that information stored in the cloud should have the same protections as paper stored in your desk.”
To some extent, however, privacy rights and national security are zero-sum: there is a trade-off between respecting citizens’ liberties and guaranteeing domestic safety. The government’s case rests on the argument that MLATs slow proceedings at crucial junctures in criminal investigations. Ruling against the government would put information that could be critical to investigations just out of reach. Moreover, the government argues that a victory for Microsoft would give other tech companies an incentive to hide incriminating data overseas, out of reach of government officials.
As Justice Ginsburg expresses, the Supreme Court is presented with an unsavory “binary choice between two less than satisfactory outcomes: Rule in favor of Microsoft and put in jeopardy the government’s ability to access the information it needs—or rule in favor of the government and potentially harm the ability of US technology companies to compete globally, and create strains between US and foreign laws.” In the face of two unpalatable options, however, a bipartisan bill introduced in the House on February 6, 2018, may temper the decision by reconciling the two positions: the Clarifying Overseas Use of Data (CLOUD) Act would cover foreign-stored data under the Stored Communications Act while providing companies like Microsoft with the capacity to challenge warrants that diverge from foreign policies in the country where the data is stored.
Nevertheless, the security-privacy tradeoff penetrates far into the future. The Snowden leaks exemplify how technology bears a hypersensitive legacy of concern about surveillance encroachment balanced against the legitimate need to ensure domestic security. The question of the century: how far does this legitimacy go? As innovation continues to push the boundaries of the United States’s core promises to “insure domestic Tranquility, provide for the common defense, … and secure the Blessings of Liberty to ourselves and our posterity,” we find ourselves ever on the cusp of a political bind. Is this constitutional promise merely a romantic, perhaps utopian, vision of what a government should be, or is there some reality to it? In a world where liberty and security are increasingly dissonant values, that promise appears untenable. As the Microsoft case literally expands this trade-off into new territory (foreign countries) and new dimensions (the Cloud), it provokes more questions than answers, ultimately foreshadowing the emergence of what is perhaps one of the greatest policy paradoxes of the coming decades.