Surveillance Sans Frontiers, Thanks to the Internet

When Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, it amended the federal Stored Communications Act in a way that now requires internet companies including Verizon, AOL, Yahoo, Google and Facebook to produce records that belong to foreigners wherever such records may be located, pursuant to an order by any court in the United States by virtue of the fact that the company that transmitted or houses the records has a corporate identity in the United States.

What this means is that a search warrant by a court in Moscow, Idaho, can compel a U.S. registered company to produce the personal communications, medical records, corporate files, intimate photographs, political affiliations or anything in the company’s “possession, custody and control,” irrespective of the citizenship of the owner of the records or their location. If the ISP or cloud provider is in the United States (or can be served in the United States), then everything it can access is fair game.

The statute is in response to the fact that, to paraphrase Ezra Pound, when it comes to the internet, “there is no there, there.” A medical record, diary entry or nude picture doesn’t know or care whether it is in electronic storage in Rome, Italy, or Rome, Georgia. Indeed, with a click of a button (or surge in cloud demand) it instantly can be in both places—and then neither.

For traditional search warrants—you know, the ones where cops kick in the door at 3 a.m.—location matters, and matters quite a bit. A judge in Carthage, New York, can’t order the Jefferson County Sheriff’s Office to kick in the doors to a building in Tunis, Tunisia. In fact, the New York judge can’t issue a search warrant executable in nearby Canada, Pennsylvania or Vermont—and indeed can’t even issue a warrant for Syracuse, New York, a few counties away. Where the search is to be conducted, and where the records are located is important, because a warrant that calls for a search outside the jurisdiction of the court that issued it is invalid. It’s just a piece of paper.

Moreover, if you are a French citizen living in Paris, France, using a cloud provider that stores your files in France, you certainly don’t expect these files to be subject to a search warrant or other compulsory process by a court in Paris, Texas, or Paris, Virginia. Sovereignty means something. If a U.S. court or prosecutor or cop wanted the records from France, they would either work with the gendarmerie in France, or with the Ministry of Justice and get either an M-Lat (cooperation under a Mutual Legal Assistance Treaty) or what is called “Letters Rogatory” from a French court to compel the French cloud provider to turn over the records—from the cloud provider to the French court, to the U.S. court, to the U.S. cops. That’s how it works.

And that rule protects Americans, too. It means that a user in San Diego, Calif., does not have to worry about their emails being read by a curious prosecutor in Santiago, Chile—at least not without adhering to U.S. privacy and Fourth Amendment laws.

Whose Records Are They, Anyway?

Here’s where it gets complicated. In general, if you are an international company—say, “International Shoe Company” or Google, and you do business all over the world, you “exist” in any jurisdiction in which your company conducts a non-insubstantial amount of business. So Google, as a U.S. company, certainly “exists” in the United States, and can sue and be sued there. But it also “exists” in the UK, Japan, Australia and other countries. Like Chickenman, it’s everywhere, it’s everywhere. So if an Australian court had a legally valid reason for needing Google’s records stored in Mountain View, Calif., it could compel the search behemoth to produce its records to the antipodean court—that is, of the corporate records of Google itself. In fact, for Google’s corporate records, a few keystrokes in any authorized computer and, voila! The records are there.

But it’s not clear that the same standard can and indeed should be applied to records that do not belong to the ISP, but are merely in their temporary care. A law firm in Milan may store its documents securely on a cloud server that is accessible by members of the firm anywhere they happen to be. The cloud provider may be a U.S. company, or it may not be. It may conduct business only in the United States, or it may conduct business worldwide.

The recently passed CLOUD Act now says:

“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”

What this means is that the law firm’s records stored on the provider of remote computing services are subject to a search warrant in the United States because the ISP or cloud provider is a U.S. company or operates in the United States. The statutory amendment elevates the concept of the “provider’s possession, custody, or control” over both the issue of actual ownership or rights to the records and over the location and privacy interests in the records. It means that users who want some independence from U.S. surveillance will be forced to use search engines such as Yandex (Russia), Seznam (Czech Republic), Conduit (Spain) or Vinden (Netherlands), and use cloud providers that are not U.S.-based, such as OVH, and email providers such as 1&1 (Germany), T-Online, GMX or others. Germans who use the most popular providers, such as Apple, Google, AOL or Yahoo, become subject to having their communications monitored by U.S. courts without regard for EU privacy law, including GDPR.

Location, Location, Location

Location matters. Citizenship matters. Sovereignty matters. A byte doesn’t care where it is located, but the law cares. And the data subject cares. This isn’t about hacking or security—it’s about expectations of privacy. If you are in the United States, you expect to be subject to U.S. law, and if a Russian judge wants to read your email, you expect them to go through the proper channels—in the United States.

A U.S. court could order a U.S. company to do something in the United States, and could authorize U.S. law enforcement agents to conduct a search within the United States, but could not authorize U.S. law enforcement agents to conduct a search in, say, Burma. I say “for the most part,” because the federal rules which relate to the issuance of search warrants permit search warrants for things such as U.S. embassies overseas or U.S. properties (including residences of U.S. persons paid for by the U.S. government), or to permit remote access to search electronic storage media and to seize or copy electronically stored information under certain circumstances as well. In one case, the FBI got a warrant from a judge in Washington State to search the contents of a computer in Moscow used by hackers who were invited by the FBI for a fake job interview by a fictitious U.S. company. While the FBI agents responsible for the investigation were given awards by the U.S. government for their activities, they were also indicted by the Russian government.

As a general rule, a court’s authority to compel production of records extends only as far as the jurisdiction of that court, which extends only as far as the sovereignty of the country in which that court operates. When it comes to search warrants, that’s usually pretty easy. The cops can’t cross the border to execute a warrant. When they cross the border, they aren’t cops anymore; they’re just people dressed in funny outfits.

When Congress passed the Stored Communications Act it permitted the government to “serve” a search warrant on an internet service provider or other provider of electronic communications services compelling the entity to produce the records called for in the warrant—effectively compelling the ISP to execute a search warrant on itself. Unlike a real search warrant, the police don’t execute the SCA warrant. They don’t kick in the door. They don’t leave a copy of the warrant with the person whose data they take. They don’t place the results of the search in the custody of the clerk of the court. They treat this search warrant as a subpoena—when it’s convenient for them. When it’s not—for example, when entities such as Facebook move to quash the super-subpoena—the government then takes the position that the order isn’t a subpoena, it’s a warrant that can’t be quashed.

What Does This Mean?

Cloud providers and email providers can expect that data about their customers will be subject to search warrants and other orders in the United States even if the customers and their data are located overseas. Non-U.S. residents may then move away from Google and Facebook to domestic alternatives. Alternatively, documents and records (including emails) held by U.S. providers may be encrypted with the author or creator holding the key—effectively vitiating the ability of the ISP or cloud provider to produce records anyway.

And to U.S. law enforcement agencies that applaud this new rule, I say, “Be careful what you wish for, you just might get it.”

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 25 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.