We must reconcile privacy and safety in the digital era

The fourth industrial age has been driven by a transformative digital revolution. Billions of people worldwide are now inter-connected. We have nearly unlimited access to knowledge, computer processing power, and cloud-based data storage. 

Such rapid technological advances create serious challenges for us in law enforcement. We struggle to keep up with criminals’ use of technology even as our agencies increasingly rely on digital tools. It is a high-tech game of cat and mouse. 

Attorney General offices, for example, with criminal and civil enforcement functions are at the forefront of leveraging technology. We utilize cutting edge analytics and other advancements for investigations and prosecutions, increasing public safety and consumer protection.

{mosads}However, the digital revolution also intensifies fundamental tensions regarding how best to reconcile the privacy of our citizens with our desire for personal safety; pitting at times national security against our own individual liberties, and balancing the interests of a company’s customers against its civic responsibilities.

Unfortunately, many laws governing data sharing and privacy were created decades ago and are woefully outdated. For example, Congress enacted the Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA) in 1986 to prevent unauthorized government access to private electronic communications such as emails, a relatively new technology at the time.

Needless to say, much has changed since 1986. A mid-1980s floppy disk held 1.44 megabytes (MB) of data. A 2016 smart phone has a minimum storage capacity of 10 gigabytes (GB) — or 10,000 MB. The “cloud” offers data storage measured in units called terabytes (TB) — or 1,000,000 MB. The digital world is vastly larger and more complex than anything Congress contemplated when writing ECPA and SCA. 

An example of how these laws have struggled to keep up with the shifting digital landscape is a recent case from New York. There, a federal magistrate issued a warrant for the digital data of one of Microsoft’s users. Because the data was located in Ireland, Microsoft challenged the warrant as having no extraterritorial jurisdiction. Without question, a warrant issued in the United States to search a private home in Ireland would be unlawful. The law requires authorities to pursue evidence through Mutual Legal Assistance Treaties with the country where the evidence is located.

In this case, however, the data is digital and stored on Microsoft cloud servers in Ireland. Since Microsoft can access its overseas servers from within the United States, the government argues that no international cooperation is required. The lower court agreed with the government and Microsoft appealed to the U.S. Court of Appeals for the Second Circuit.

The Court of Appeals rejected the government’s argument that the warrant provisions of the SCA apply extraterritorially. The ruling turned on the court’s conclusion that the “invasion of the customer’s privacy takes place … where the customer’s protected content is accessed — here, where it is seized by Microsoft” — in Ireland.

The decision is a victory for the Fourth Amendment and privacy rights but is frustrating to law enforcement agencies pursuing criminal investigations. And it by no means ends the controversy, as the U.S. Department of Justice has persuaded the Supreme Court to review the case. In the meantime, other companies may receive similar law enforcement warrants for data stored overseas.

Digital privacy advocates argue that allowing the U.S. government to seize the data of foreign nationals who use American tech companies to store their data undermines longstanding cooperation agreements among law enforcement agencies worldwide. I have grave concerns that such actions would open the door to foreign governments doing the same to American citizens, demanding access to data centers in the U.S. or seizing such data without following treaty requirements. 

Law enforcement agencies, on the other hand, argue that current mutual assistance treaties are too cumbersome for typical criminal investigations. They contend that criminal suspects will attempt to move their data overseas to escape accountability.

This debate brings us to the heart of the matter: we need modern laws that allow law enforcement to access data and protect public safety, while ensuring consumer privacy rights. 

Fortunately, Sens. Orrin Hatch (R-Utah) and Chris Coons (D-Del.) have introduced the International Communications Privacy Act (ICPA) — bipartisan legislation that will protect consumer privacy while clarifying and streamlining U.S. law enforcement’s ability to obtain global electronic communications.

ICPA would clarify that U.S. law enforcement can obtain electronic communications of any person who is located in the U.S., pursuant to a warrant, regardless of where the communications are located in the world. It also reforms the mutual assistance treaty process by providing greater accessibility, transparency, and accountability, when the government pursues the electronic communications of foreign nationals who are located overseas.

As a law enforcement leader, I understand the vital need for quick and reliable access to evidence. But as a public official elected to defend privacy and liberty interests of my fellow citizens, I am very sympathetic to arguments made by companies like Microsoft. On one hand, we cannot compromise liberty interests for mere expediency in policing. On the other hand, it’s a travesty to allow international criminals to run free because of Byzantine agreements and outdated laws.

Please join me in calling on Congress to pass ICPA. It is the most responsible way to balance the critically important interests of personal privacy and law enforcement. Thirty years is far too long to wait for our laws to catch up with technology.

Sean Reyes is the 21st attorney general for the State of Utah, husband to his wife Saysha, and father of six.