The LEADS Act and cloud computing

Bipartisan legislation, introduced last month in the House and Senate, promises to reform and update the antiquated Electronic Communications Privacy Act (ECPA) and in the process push back against the practice by agencies of government to gain access to personal data stored on U.S. corporation servers abroad.

The legislation, called the LEADS Act, is co-sponsored in the Senate by Sens. Orrin Hatch (R-Utah), Chris Coons (D-Del.) and Dean Heller (R-Nev.), and in the House by Reps. Tom Marino (R-Pa.) and Suzan DelBene (D-Wash.).

{mosads}Short for “Law Enforcement Access to Data Stored Abroad,” the LEADS Act’s principal improvements on ECPA are in recognizing that U.S. law enforcement may not use warrants to compel the disclosure of customer content stored outside the United States unless the account holder is a U.S. person, and by strengthening the process — called MLATs (mutual legal assistance treaties) — through which governments of one country allow the government of another to obtain evidence in criminal proceedings.

One of the better examples of the need for updating ECPA centers on a government warrant served on Microsoft for the contents of the email of an Irish citizen stored on a Microsoft server in Dublin. The government’s interest in this individual is reported to be in connection with drug trafficking. Microsoft denied the request and is currently embroiled in litigation, now before a federal appeals court.

At the mention of drug trafficking one imagines that many people might, at first glance, side with the government in this. But consider the same scenario, only with the countries reversed. Imagine the outrage if the Irish government demanded that a server located in the U.S. turn over to it the contents of the personal email of a U.S. citizen!

The larger issue in the Microsoft case, and as addressed by the LEADS legislation, is the fear, especially since the Edward Snowden revelations, that foreigners will lose confidence that the content of their email on U.S. servers will be open to government inspection, and go elsewhere for the purpose.

Organizations like Forrester Research and the Information Technology and Innovation Foundation have attempted to put a price tag on the cost to the U.S. cloud computing industry of what is called the PRISM project, an outgrowth of the Protect America Act which authorizes the NSA to conduct metadata searches of email. Those estimates are uneven, and evolving, but all the figures reported are in the billions of dollars. And while PRISM operates on a different legal foundation than the one, ECPA, that is the subject of the LEADS Act, there can be no question that if Microsoft were to lose its case, and in the absence of the passage of the LEADS Act, U.S. cloud providers will suffer.

Nor is the suffering to be endured just by cloud computing companies. As published in a paper by the Media Institute, media and privacy lawyer Kurt Wimmer makes a compelling case that media companies may be especially sensitive to issues like those addressed by the Microsoft case and the LEADS Act legislation:

In an era of tight budgets for newsrooms and infrastructure, cloud computing has helped many media companies reduce costs and make their newsgathering operations more efficient and effective. It can be much more efficient for a newsgathering and publishing operation to purchase a package of cloud-based services (e.g., word processing, photography, publishing, storage) rather than maintain its own IT department, servers, and software.

Although there are substantial advantages for media companies in adopting cloud-based technologies, there are also risks. Newsgathering operations routinely handle highly sensitive information, and they rely on a foundation of trust between reporters and their confidential sources. If a media organization concludes that entrusting its data with a cloud service provider will result in that data being less private or secure, then the organization is less likely to embrace cloud technologies. …

This concern has been accentuated by the controversy surrounding Edward Snowden’s disclosures in 2013 regarding government surveillance. Particularly for media organizations with headquarters or operations outside the United States, the Snowden disclosures increased concern that if the companies entrusted their data to a U.S. cloud provider, that would make it easier for U.S. law enforcement to obtain their data.

For media companies, these are not abstract questions. As the Department of Justice (DOJ) recognized in updating its rules regarding subpoenas to reporters, maintaining the confidentiality of the newsgathering process is essential to both a free press and a working democracy. The DOJ now has strong guidelines governing the considerations that will be considered before subpoenas will be directed to reporters, but these are only internal guidelines and they only apply to the DOJ. The bipartisan LEADS Act provides a path forward to update the law to permit the cloud to be more meaningful and useful to media companies — and to others concerned about the privacy and security of their data. And by doing so, Congress can bolster the competitiveness of an emerging and important area of our information economy.

Maines is president of the Media Institute, a nonprofit organization that promotes free speech, sound communications policy and excellence in journalism. The opinions expressed are those of Maines alone.