The influence of the LEADS act on cloud computing
In our digital age, it’s absolutely crucial that our lawmakers strike the right balance between the legitimate requirements of law enforcement, the privacy of individuals and the sovereignty of foreign jurisdictions.
With the US government turning up the heat on companies to gain access to data stored on servers overseas, there is great concern about the risk of antiquated laws delaying the growth of cloud computing. In fact, Congress set out rules governing law enforcement access of customer content in the cyber age with the 1986 passage of the Electronic Communications Privacy Act, or EPCA. However, the current law, a relic from the dawn of the PC era, has aged badly.
ECPA’s biggest failing is in how it treats the privacy of data stored outside of the United States. The question of “data extraterritoriality” obviously wasn’t a burning topic of discussion when ECPA passed back. But again, that was long before cloud providers began storing data on servers throughout the world. It was also long before the long reach of US spy agencies into the cyber world was disclosed, and I’m not just talking about the Snowden revelations about the NSA. In fact, the US government can use ECPA to view customer data, a reality that also creates new and troubling questions for IT shops with customers or employees residing in other countries.
So, in terms of cloud computing, even though there are substantial advantages for companies in adopting cloud-based technologies, there also are risks. Businesses in all industries often handle highly sensitive information, and they rely on a foundation of trust between customers and their providers. If a company concludes that entrusting its data with a cloud service provider will result in that data being less private or secure, then the organization is less likely to embrace cloud technologies.
The good news is that a year-long debate about what to do and where to set the markers is reaching its final stages. The bipartisan Law Enforcement Access to Data Stored Abroad (LEADS) Act of 2015, introduced earlier this year in the U.S. House of Representatives, offers essential reforms that rectify outdated privacy laws.
The LEADS Act safeguards U.S. electronic data stored abroad, and establishes a balanced process for how the government can obtain data while honoring the liberties of other countries and abiding by individual privacy rights. So, here are the relevant bullet points in the LEADS act and how they’re going to influence the cloud:
- The authorities may not use warrants to compel cloud providers to disclose customer content stored outside the United States. For such information, law enforcement should instead rely on Mutual Legal Assistance Treaties (“MLATs”), treaties designed and implemented for the express purpose of allowing the government of one country to obtain evidence stored in a different country that is relevant to an ongoing criminal investigation.
- Extraterritorial warrants for U.S. persons will be authorized. The LEADS act takes account of the legitimate needs of law enforcement by permitting the government to obtain warrants for content if the account holder is a United States person, regardless of where that content may be stored. Basically, companies won’t find themselves in politically compromising positions where they might be accused of blocking a legitimate investigation
- The act will not contravene the privacy laws of foreign countries. If a cloud service provider receives a warrant for the content of a U.S. person that is stored abroad – and if the data privacy law of the foreign country where the data is stored would bar disclosure of the data – then the provider can ask a U.S. court to vacate or modify the warrant. Basically, American companies with branch offices overseas won’t need to worry about getting into trouble with host countries that have different privacy laws.
- The attorney general will have to implement reforms to make the MLAT process stronger and more streamlined. For example, the government will need to create an online docketing system for MLAT requests, which allows foreign governments to track their status. Basically, the LEADS Act would create a comprehensive framework that would help address many issues presented by ECPA’s increasing elimination.
Of course there is still more to do to ensure that 2015 becomes a year for solutions that promote personal privacy and protect public safety, but the LEADS Act is surely a very important first step. Don’t hesitate to share your thoughts in the comments.
Photo Credit: https://www.flickr.com/photos/[email protected]/16135137918/