Cloud-based Evidence Management and the Inherent Challenges
Introduction
Technological advancements continue to test the agility of our executive, legislative and judicial branches of government. While civil liberty watchdogs work to keep online exposure in check, how do we get the old rules of collecting evidence to reflect on a virtual-based future? The context of evidence has grown to mean more than just the physical evidence the courts have been accustom to in the past, which has recently led to the adoption of the CLOUD act. As citizens, should this impact our online privacy expectations?
Cloudy Jurisdiction
The symbiotic nature of law, legislation, and enforcement is clear in the case of Microsoft Corp. v. United States (U.S.,) (later to become US v. Microsoft Corp. on appeal.)As methods of communication evolve, so must our laws on obtaining evidence. In response to a warrant for emails created in the U.S., yet stored on a server in Ireland, Microsoft moved to quash the warrant, claiming that their was no jurisdiction for the data stored overseas. The Southern District of New York disagreed, citing "ambiguous" language in the Stored Communications Act (SCA) (p.3), ruling against Microsoft and finding them in contempt for failure to abide by the warrant.
Not So Fast
Microsoft appealed the District Court’s ruling in the 2ndCircuit. There it was determined that the SCA “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.” (2ndCircuit) The appellate court reversed, vacated and remanded the lower court decision.
Solution and Conclusion
It became clear that the very nature of our evolving cyber world would require revision to existing laws. While the Department of Justice (DOJ) petitioned the Supreme Court for a writ of certiorari on the 2ndCircuits ruling, legislators began addressing the issue by drafting new legislation. (p.7)The result was the Clarifying Lawful Overseas Use of Data (CLOUD)Act. Some civil liberties groups, however, are challenging this action, (See EFF& FCW articles) due to privacy concerns. In the time that it took to enacted the new legislation and issue a new warrant the Supreme Court granted certiorari, however the new legislation had rendered the case moot. (SCOTUS opinion)This is a good example of how the executive, legislative and judicial branches function within their respective powers. Problem identified, problem solved, right?
I hope I understood this right but I gathered that if a corporation is based within the United States and operates its’ business from inside the United States, this CLOUD act (allowing warrants access to information stored outside the United States) seems reasonable. There may be a jurisdictional question here that I am not asking, but from my thought process, I noted that the legislation saw the problem and amended the current act, in which the president signed off on, and after that the judicial branch determined the Microsoft case moot because of the changed act.
ReplyDeleteAs I read through the blog and the hyperlinks, I agree with you Martha. There seemed to be a problem at hand and the different branches of government each played their role in resolving it. Putting aside the conflicts this CLOUD act may raise regarding the privacy of individuals, this seems like a clear cut ruling and a smooth operation of how the branches of government were intended to function.
This was an excellent example of a problem that was essentially a legislative policy question that legislators had failed to address for many years (i.e. updating the Stored Communications Act). This failure to act forced the judicial branch to apply a 30 year-old statute to facts and circumstances that did not exist when it was adopted. Congress finally acted after oral arguments at the Supreme Court, but before a ruling, thus mooting any case and controversy.
DeleteAgreed!! This is a classic case of not knowing to ask a question until you know what the question is, until you know that you have a question, until you know the issue that prompts the question you don't know to ask until you know what you don't know until you know it ... not congress's strong suit by a mile.
DeleteSo you are taking that stance that the US should work on strengthening the MLAT system, which would ensure that 4th amendment rights are met? I guess what my question is, is when did the lawmakers need to use the CLOUD? Or are you arguing that there are too many chefs in the kitchen—the executive, legislative, and judicial branches are all mixing together? Or is this how the branches SHOULD work together? After reading the articles and the Supreme Court opinion, I would agree that fixing the MLAT system would be best, but it seems to have some pretty big flaws, which are a hinderance to law enforcement. I am never a fan of the government being able to track my data and information, and definitely as we move into a more data and technology-based age that our forefathers never could have anticipated, we need to restructure and develop our laws to deal with new threats to our country but also protect the people within it. Maybe you could explain your position to me a bit more?
ReplyDeleteRecently I tried to explain “the cloud” to my father. I couldn’t do it—it’s way above my head! All I could really say was that it was a way to store a lot of data...(?? haha).
ReplyDeleteMy comment is more of a follow-up question. The CLOUD Act allows a foreign government to demand data from U.S. companies about a non-US person for purposes of investigating crimes. How might this particular act clash with foreign laws concerning an individual’s privacy rights, particularly where that information is gathered via an MLAT? I also read that there could be a potential for foreign countries with a history of human rights abuses to gain access through an agreement with the U.S. to gather privately stored information on U.S. servers with the intent to harm minority groups within their borders. While the spirit of the act may have been enacted to aid in criminal prosecution within foreign countries via the exchange of privately stored data, the CLOUD Act is already controversial and seen by many (inside the U.S. and abroad) as an overextension of the U.S. executive’s power, with a host of potential problems that might come from it.
Good observation that the CLOUD Act's provisions could be used by a foreign government to access data on U.S. servers of it's citizens for purposes of persecution or social control, although it is too early yet to determine if that is a real or simply a theoretical possibility.
DeleteIt's not hard to appreciate the competing perspectives on this. If we think of data the way we think of other assets, we have good reason for questioning the motives of a US-based company storing that data on servers overseas: What might someone want to hide? Just as a Swiss bank account can serve as a tax shelter, a foreign data server could harbor information of major interest to national security.
ReplyDeleteOn the flipside...well, I used to orchestrate transfers to a former employer's Swiss bank account; to me, the CLOUD Act seems far more intrusive and all-encompassing than comparable restrictions on other corporate assets held overseas. There's a certain perception of overreach here on the part of the US government, not only into its citizens' privacy, but into the jurisdiction of other nations. It is a raw nerve in the face of other recent tensions between the US and the international justice community.
This bears similarities to the debate over Net Neutrality, and the controversies surrounding datamining, consumer privacy, and informed consent. It is well worth asking whether government or big business has the best interests of individual consumers at heart. In the current climate, motives seem dubious on all sides.
You raise some of the main criticisms about the Act, although analogizing the decision of where to store one's data with the decision to open a Swiss bank account is not on all fours in that the former decision is made by the consumer, whereas the latter decision is made by the holder of the information. The motive of a US cloud provider of where data is stored is primarily one of convenience and data security with little, if any, regard for national security interests.
DeleteI was looking into the Cloud Act and found, “the Executive Branch is given the ability to enter into bi-lateral agreements with foreign countries to provide requested data related to its citizens in a streamlined manner, as long as the Attorney General, with concurrence of the Secretary of State, agree that the foreign country has sufficient protections in place to restrict access to data related to United States citizens.” Reading that line made me wonder what foreign country would I trust with my data as well as what data my representatives would agree to have stored for them.
ReplyDeleteI grew up at a time when every time my friends and I played good guys and bad guys, you wanted to be the good guys (the U.S) and never the bad guys (Soviet Union). The Russian “bad person” sediment was also echoed in 1980s movies I watched, Rocky IV and Rambo. I am trying to extract why would I trust the Attorney General, in concurrence of the Secretary of State, to identify what foreign country my data should be able to be viewed by? The movies of the 80s made it so easy by showing me who the bad guy was that was fighting Rocky. It is not that simple, and although the U.S. also has it fair share of bad folks, I want my data to be protected on soil I know U.S. jurisdiction applies without the eyes of a foreign power taking a look. I do not trust many people to not use my data for the financial benefit of others.
My argument could quickly be dispatched of by posing a situation: “If giving a foreign nation the ability to access your data the U.S. gets a lateral agreement with another foreign country to access and stop human rights violations, would you?” I want to believe I would hand over my passwords, but I still question who wants my data and why would I want my government to hand it over?
As our digital fingerprint grows and younger generations enter the digital market, I hope we can deeper explore how to safeguard our data. I don’t trust the government to have my best interest with my data as the discussion continues, and that is why I try to make my opinion know to my representatives.
Todd~You mentioned the younger generations, and I have to say that my experience is that young people aren't concerned that their information is out there on the internet. It's part of life. I'm caught in the middle--knowing it's out there, not particularly happy about it, but also still shopping on Amazon and checking FaceBook. I consolidated myself by thinking that I am not doing anything wrong, so what's the big deal. It's not like I'll be caught up in some big internet scheme. However, the amount of information that the internet contains on each person is growing. When does it become too much?
DeleteI tend to disagree here. I definitely use social media but have removed myself from certain platforms due to the amount of information is required to even "sign up". However, there is a part of me that understands there isn't much I can do about it - my information is out there and anything on the internet is forever. When does it become too much? That is a great question - I think as individuals, we are responsible for what the internet has access to (whether that is Instagram, Facebook, etc.) and what information we provide to those platforms. Some provide Facebook with their phone number and address - then are upset that the government has access this personal information. It's a difficult debate to have!
DeleteTodd, Tyrrell & Lauren...you all raise legitimate concerns regarding the collection, use, storage and protection of personal data, topics the CLOUD ACT only addresses indirectly in the context of access to data stored on a server outside the country of the subject of the data. Maybe you should audit my Privacy Law class!
DeleteI will be the first to admit, I am not the most “technically savvy” person out there. Jaclyn mentioned she tried to tell her dad about the cloud and I am in the same boat! I have no clue how to explain it to someone else (which I think is true with a lot of technology these days…). With that being said, I hope I understood what this case was trying to accomplish.
ReplyDeleteHowever, and this might be a little off topic, but this Cloud case reminds me of some issues that continue to pop up in the news with Apple not allowing the FBI to surpass its security system if needed for a case. For example, the FBI wants Apple to write software that would give it unlimited attempts at the PIN with a computer program, but Apple's answer is a hard no. In a motion to dismiss the court's order, filed Thursday, the company says it has cooperated with investigators as much as it can, and this software request is dangerous, illegal and unconstitutional. Why would this be unconstitutional but allowing the government to access Cloud data is not?
What do you guys think?
Below is the link I was referring to in my above comments: https://www.npr.org/sections/thetwo-way/2016/02/25/468158520/why-apple-says-it-wont-help-unlock-that-iphone-in-5-key-quotes (in case it doesn't hyperlink).
Lauren, I too am not tech savvy, but your post got me curious. I wanted to understand why Apple and the FBI are at odds. What I gathered from this great article (https://techcrunch.com/2016/03/13/why-apple-is-right-to-resist-the-fbi/) is that the FBI was asking Apple to essentially create a new software product designed with specifications provided by FBI that would allow the government to perform electronic surveillance on those who use the software. Now even though there is a wiretapping law (CALEA) that requires private companies to create access to their systems for law enforcement to perform electronic surveillance, that law only applies to telecommunications companies. It would be silly to consider Apple simply a “telecommunication company,” so arguably there is no way to compel them to comply with the FBI's "request." If, however, CALEA did apply to a company like Apple, they would basically create software that could easily be hacked by the government. Would something like this weaken the software technology and how would that later impact user privacy? It kind of seems that as technology continues to develop, we are more and more inclined to accept a continued decrease in privacy.
DeleteTo tie this back into Martha’s post, the CLOUD Act was intended to address obtaining data and information, whereas Apple was being asked to create a product that did not exists-and one that actually undermined their current product! Is this why the FBI's request is considered unconstitutional and the Act is considered constitutional? If so, it makes sense that Apple challenged the FBI. However, it is curious though that Apple later supported the CLOUD Act. It is interesting because those in support of Apple’s fight and those in opposition of the CLOUD Act cited that both the FBI and the Act were unconstitutional. I wonder how Apple ended up on both sides...
Apple walks a fine line between protecting customer privacy and aiding legitimate law enforcement needs. Apple recently announced the creation of an online portal for authenticated law enforcement officers globally to submit lawful requests for data, track requests, and obtain responsive data from Apple, while at the same time reiterating its commitment to protecting customer privacy. See this Apple post about the new announcement. https://www.apple.com/privacy/government-information-requests/
DeleteThe Cloud Act (Act) seems like a total abdication of Congressional responsibility. The Act allows the president to make agreements without Congressional approval. Also, requests from foreign governments for data kept in the U.S. will only be required to follow the procedures of the requesting country. Are there other areas of law that we relinquish to foreign interests? As I understand it, the traditional due process requirements will not be applied to each request for data under this Act. What happened to the due process protections under the U.S. Constitution?
ReplyDeleteI believe there is also a problem with the process by which this Act passed. Congress did not review the text, send it to a committee, or hold a hearing on it. I’m not arguing that MALT was not in need of an update, but a sweeping change such as this should not have been tucked away in a 2,232-page omnibus spending bill. Purportedly, the bill’s purpose is to improve law enforcement access to data stored across borders. My take is that the Act goes much further than it may need to, but when people are afraid, it is human nature for them to accept curtailment of their liberties. Have U.S. citizens lost their due process rights? It sure feels like it.
I share the concerns mentioned including Congress "punting" their responsibility to another branch of government, disregarding due process rights and the executive branch being granted unilateral power to review data requests. I found an article (https://www.theverge.com/2018/3/22/17131004/cloud-act-congress-omnibus-passed-mlat) which raised some interesting points.
Delete"The legislation deals with how governments and courts request data kept outside national borders, where no single country’s court system would have a clear jurisdiction...Right now, those requests are governed by international agreements called “mutual legal assistance treaties,”...A number of nonprofit groups oppose the bill on privacy grounds...The harshest criticism focuses on the new powers granted to the attorney general, who can enter into agreements with foreign countries unilaterally. Those agreements could potentially circumvent the protections of US courts. The act also wouldn’t require users or local governments to be notified when a data request is made, making meaningful oversight significantly harder."
I still stand by my position of abdication of Congressional responsibility. However, the language of the bill states the "Attorney General has determined and certified to Congress" a number of elements of an agreement. A US persons (see the definition I wrote under Raelene Blocker's post) privacy is in the hands of the Attorney General with the concurrence of the Secretary of State. Hmm...
DeleteThe rush to pass the CLOUD ACT by bypassing the normal legislative process is a legitimate criticism, but was prompted (and justified by legislators) by the Supreme Court's imminent ruing in the Microsoft case. This justification is a bit disingenuous since the Microsoft case was pending in the appellate courts for more than two years and Congress needed to short circuit the normal hearing process because it started focusing on the issue at the eleventh hour.
DeleteI'm glad to see the executive, legislative, and judicial branches working together to solve a problem. We don't see that too often. After watching Senator Orrin Hatch's oral arguments on C-SPAN2 in favor of the CLOUD ACT, I found it interesting that bilateral agreements can be made between the US and foreign countries to lift the bar of disclosure on servers located in each country. On one hand, I'm glad to see different countries cooperating, but on the other hand, I am worried what this may mean for human rights of privacy upheld in the constitution. Hatch did say that any request under foreign law enforcement "cannot target or request information on a US person." What does that mean exactly? One other item that disturbs me is that the CLOUD ACT was folded into an Omnibus bill, which means congress couldn't vote to reject it. What about jurisdiction? I picture courts with a big long arm reaching our into foreign countries and grabbing their information. I am not familiar with what international law may say about this. It would be interesting to find out.
ReplyDeleteSenator Hatch's comment is confusing to me. This is the definition used in the Cloud Act from Title 18-CRIMES AND CRIMINAL PROCEDURE PART I-CRIMES CHAPTER 119-WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND INTERCEPTION OF ORAL COMMUNICATIONS §2523.(a)(2) the term "United States person" means a citizen or national of the United States, an alien lawfully admitted for permanent residence, an unincorporated association a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence, or a corporation that is incorporated in the United States.
DeleteIf I understand correctly, the CLOUD act is attempting to address some of the issues that the court decisions in Microsoft and Olmstead did not. While this may feel like progress, it is quite unsettling to think a bill such as the CLOUD act, can be attached to a HUGE spending bill and never given the attention it deserved in Congress. What do privacy and future government spending have to do with one another? It’s bothersome to see yet another example of government responsibility deflected.
ReplyDeleteAs far as privacy is concerned, it’s frightening to think this piece of legislation has empowered so many arms of the government (including foreign governments) access to private information without providing the individual whose information is being sought with notice and due process. To think that the executive branch has the power to enter into agreements with foreign countries to provide requested data and ensure they are protecting this information is also troubling. This could create some quid pro quo negotiations where the release of information is more around benefit to the governments involved than the protection of privacy rights. Don’t get me wrong if you are doing something illegal, or that puts the general population in danger than you should be held accountable. But this seems to come a bit too close for comfort to compromising the 4th amendment rights of all citizens.
It seems like the issue of privacy and search and seizure comes down to licensing issues and contracts these days. It sounds like this case is different from the case involving Google tracking user data and preventing a method of opting out, but it would be interesting to explore the topic further and discuss the extent to which a company providing a "necessary" electronic service may take advantage of its customers by forcing its customers to give up those rights, oftentimes without the customers realizing what they signed up for.
DeleteMy main reaction to this is that it sounds like it will be harder for tech companies to shift their electronic data to oversees servers in an attempt to avoid having this data be discoverable or subject to a warrant. The issue seems to be parallel to a Defendant hiding or shifting assets (fraudulent conveyance/transfer) in order to avoid collection in the event of litigation, or a Defendant filing for Bankruptcy after an unfavorable judgment in order to have the judgment debt discharged.
TNT & Peter...you raise interesting and important issues relating to the larger issue of data and privacy. I wish we had time to address these substantive issues; maybe you should audit my Privacy Law course. :-)
DeleteAt first, I was comforted by the fact that Microsoft and Apple were companies in support of the CLOUD Act. Since I do not understand technology and data protection at all, it seemed reasonable that leading technological companies might have helped legislators understand laws that would be applying to issues they may not completely understand. Then I found a CLOUD Act Coalition Letter (https://www.aclu.org/sites/default/files/field_document/cloud_act_coalition_letter_3-8_clean.pdf) that 24 organizations, including the ACLU, signed in opposition of the Act. This was troublesome. It cites concerns that include providing considerable power to executive branch (thereby limiting the power of Congress), allowing foreign governments to wiretap in the U.S. even if the U.S. government is not permitted to, and requests for information may not be subject to warrants if communication is more than 180 day old. While I think it is nice to see Congress address a concern by establishing a law, in this case, I wonder if it is just a matter of time before the Supreme Court is determining whether the CLOUD Act is constitutional under the Fourth Amendment. But you’re right Martha-if this eventually is heard by the Supreme Court, our branches of government will be operating within their respective powers and serving the proper check and balance on one another.
ReplyDeleteI know you have plenty to read at this point, and I've enjoyed where the discussion has gone here, I did find a couple of articles that address some fo the issues and concern posted in some fairly plain English. In your spare time, have a look: https://www.debevoise.com/~/media/files/insights/publications/2018/05/20180507_cloudy_with_a_chance_of_clearing_u_s_cloud_act_and_european_response_2.pdf
ReplyDeletehttps://www.eff.org/deeplinks/2018/05/email-privacy-act-comes-back-hopefully-stay
Martha, your introduction of the CLOUD act is well defined. I related that case to the work I do. And sadly I have to say that this act not only impact the privacy of the American citizens. But it has been impacting many non-citizens who travel to the U.S for different purposes. I have clients that have been deported and denied access to enter the U.S by CBPs just because their phones were confiscated and illegally “CLOUD act” investigated for no reason, people deported simply for making funny comments of president Trump. Their privacy rights were violated. Very unconstitutional but yet applied in different levels. It is the interpretation of the law what it gives rights to the U.S Government to conduct such violations. The U.S. Courts of Appeals for the Fourth and Ninth circuits have ruled that information on a traveler's electronic materials, including personal files on a laptop computer, may be searched at random, without suspicion.
ReplyDeleteThe fourth Amendment was stripped away against rights of unreasonable searches. What does it make you think, the U.S Government will not breach our privacy through these acts? Problem identified? Yes, the U.S executive, legislative and judicial branches use their powers to create jurisdiction anywhere by interpreting the Amendments for its advantage. I have read the Fourth Amendment many times and I do not find consistency with these many acts. This is a government loop-whole “and no Warrants shall issue, but upon probable cause”. Ha this is enough to pass these non-sense acts and become constitutional.
It really does not matter whether you want to protect or not your privacy. Based on these acts, the government has jurisdiction in its territory and internationally to obtain any information if you are under investigation. Treaties with foreign countries give the U.S access to manipulate your data. Big corporations like Microsoft can fight these cases because of their economic power, that is why the case with the new legislation had rendered the case moot. Remember stolen data from Equifax from millions of American citizens. “where is your privacy there?”. Who stole the data from their servers? I do not want to take this issue personal. My conclusion is that I do not have privacy rights anymore based on these acts neither do you.
Hey Victor, do you have any citations for the cases of confiscation, illegal search and deportation? I'm curious under what pretense those actions were taken. Were they directly related to the CSA and CLOUD or immigration? What were the circumstances for the apprehension in the first place? Are these events that you feel are becoming more prevalent, of late?
DeleteGreat post, Martha. Excellent use of hyperlinks to direct the reader to additional relevant information and a cogent framing of the issues surrounding law enforcement's need to access cloud based data. Your reference to the CLOUD Act stimulated an interesting debate about the merits of the legislation, how it was enacted and the overall issue of data privacy. These are all significant policy and legal topics, but topics for another day. For the purposes of our litigation course, however, the primary takeaway from your post is how the concept of "mootness" undercuts a "case and controversy," which is a prerequisite to a court exercising jurisdiction.
ReplyDelete