Justice Department to Propose ‘Legislative Fix’ to Warrants for Data Stored Abroad

Assistant Attorney General Leslie Caldwell

Assistant Attorney General Leslie Caldwell Pablo Martinez Monsivais/AP

A federal appeals court is reviewing whether DOJ can demand customer data stored by Microsoft in Ireland.

The Justice Department plans to propose a “legislative fix” to guarantee U.S. judges can issue warrants for digital data stored abroad, Assistant Attorney General Leslie Caldwell said Thursday.

The department has long argued the Stored Communications Act allows law enforcement to seek warrants from U.S. judges for customer data stored by U.S. tech firms—even if that data is physically stored in another country.

Many tech firms, however, argue the data’s location should determine which nation has jurisdiction and that the DOJ position could put them in the untenable position of having to break one nation’s laws to comply with another’s.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

It could also set a bad precedent for other nations, they say. The Chinese or Russian governments, for example, could demand the emails of dissidents stored on U.S. servers.

The issue came to a head in July when the U.S. Court of Appeals for the Second Circuit reversed a lower court’s ruling that Microsoft must comply with a warrant to turn over customer emails stored in a data center in Dublin.

Since that ruling, other tech firms, including Google, Microsoft and Yahoo, have similarly refused to comply with extraterritorial warrants, Caldwell told an audience at the Center for Strategic and International Studies. The department asked the full Second Circuit to rehear the Microsoft case in October, a process called en banc review, and hasn’t ruled out appealing to the U.S. Supreme Court if it loses at the en banc stage.

“These are policy issues that need to have policy responses,” Caldwell said. “They can’t be decided by the marketplace. We can’t allow the most consequential decisions affecting our public safety to be decided either by the whim of a company, a group of companies or changing technology or the market.”

Justice Department spokesman Peter Carr declined to expand on Caldwell’s remarks or to say whether the legislative proposal will come before or after President Barack Obama leaves office in January.

President-elect Donald Trump has not taken a position on the Microsoft-Dublin case but has generally sided with law enforcement in disputes with tech firms. He urged a boycott of Apple this year when the company refused to comply with an FBI demand it help the bureau break into an encrypted iPhone used by San Bernardino shooter Syed Farook.

Sens. Orrin Hatch, R-Utah, Dean Heller, R-Nev., and Chris Coons, D-Del., introduced legislation in 2015, the Law Enforcement Access to Data Stored Abroad, or LEADS Act, which would explicitly authorize law enforcement to seek warrants for extraterritorial data created by U.S. citizens but bar such requests for noncitizens. Similar legislation was introduced in the House, but neither chamber passed the bills.

Tech firms are currently refusing to comply with extraterritorial warrants for data of U.S. citizens and noncitizens alike, Caldwell said during the CSIS event.

The Senate Judiciary Committee is unlikely to focus on data access issues early in the next Congress because of competing priorities, including confirming a Supreme Court justice to fill the seat vacated by the death of Associate Justice Antonin Scalia and immigration reform, said Carter Burwell, a top Senate Judiciary Committee aide to Sen. John Cornyn, R-Texas.

Burwell spoke during a panel discussion following Caldwell’s address.

If law enforcement can’t seek warrants for data stored abroad, the alternative is to ask the country where that data is stored to request it through a “mutual legal assistance treaty.” That’s the preferred route for many digital rights activists and tech companies.

The MLAT process is too onerous and slow for fast-moving criminal cases, though, Caldwell argued Thursday. The U.S. has negotiated MLAT agreements with less than half the world’s nations, she said and even close allies, such as Ireland, take 15 to 18 months to comply with MLAT requests in routine cases, she said.

Caldwell also praised the implementation of an update to Rule 41 of the Federal Rules of Criminal Procedures during her address. That update, which took effect Dec. 1, makes it easier for law enforcement to seek warrants to hack into computers used by criminal networks when those computers span multiple jurisdictions or when users have shielded the computers’ locations.

She also urged action to address end-to-end encryption systems that make the content of communications indecipherable even to the company hosting the conversation—thus making it impossible for law enforcement to access the data by serving a warrant on the provider.

The Justice Department argues such systems allow criminals and terrorists to “go dark” and plan crimes and attacks beyond the reach of investigators. Digital rights activists and many tech firms argue there’s no way to undermine the encryption that protects criminals and terrorists without undermining the same encryption that protects innocent people from data breaches.

House Homeland Security Chairman Michael McCaul, R-Texas, pledged Wednesday to reintroduce compromise legislation that would appoint a commission to study the issue.