Technology headlines the last few days have emphasized a developing story in which a US judge has ordered Microsoft to comply with a search warrant. The warrant, issued in connection with a drug-trafficking investigation, requires Microsoft to identify and produce electronic mail records hosted on a server in Ireland. Microsoft has appealed the order, and many of the most competitive tech companies are joining forces to make the same arguments in the appeal. Apple, Cisco, AT&T, and Verizon have all filed papers arguing the better course of action is for the US government to ask Ireland, pursuant to an existing treaty, to seek and produce the evidence. Press reports indicate Microsoft (and, arguably, the other companies) base their position on an intent to better protect customers based in Europe who have the benefit of European data protection and privacy laws.
There are two important issues being raised by this case that deserve emphasis. First, the EU data protection structure is not intended to limit or exclude government investigations; to the contrary, the legal framework expressly indicates that privacy is not to be a shield to legitimate investigations. So, regardless of whether pursued directly by the current US search warrant or via the treaty, it seems the argument this is about protecting privacy falls away in fairly short order.
Second, Microsoft’s position would suggest, if extended to its full length, that any US-based company that stores data could affirmatively elect to store that data outside the physical boundaries of the United States and, in so doing, completely obfuscate or disable any legitimate government investigation that seeks digital evidence that is within the company’s systems (or, as is more likely, stored on the non-US geo-located servers of a cloud-based service provider).
That outcome is clearly at odds with an essential principle of citizenship, at least in this country—i.e., to bear witness to events that are subject to legal review, and to cooperate with the production of evidence that will be useful to evaluating compliance and, if needed, prosecuting non-compliance. Nation-states have long established rules and procedures for extraditing potential criminals to stand trial; the Microsoft view seems to be that digital information, by virtue of the mere coincidence of its storage location (but still within the control of a US-based company), becomes eligible for a similar status, insulated from being involved in a “domestic” legal proceeding unless very formal, and often unsuccessful, protocols are satisfied.
Digital trust requires transparency and accountability. Somehow we need to author our citizenship rules to connect the global ubiquity of cyberspace to the essential function of government to collect evidence and evaluate the adequacy of conduct governed by the law. Without that, the nation states will have no choice but to establish digital borders that retain information within the reach of their enforcement authority or, in the most Draconian of alternatives, assume a more aggressive role in retaining such information en masse. Neither of these options is realistic—but barriers to the availability of digital information as evidence of the truth surely cannot be in our collective best interests.