Why Government Collecting Data from Private Sector Is Trouble


By Paul Rosenzweig, The George Washington University Law School

After the 9/11 terror attacks, the intelligence community recognized the value of the government collecting data. Airline companies now routinely share passenger travel records with the government to assess the risk of international travelers arriving in the United States. It’s difficult to measure, but almost everyone is quite sure that the private sector collects—by volume—more data than any government agency.

How the Private Sector and Government Cooperate

When the government requested assistance after 9/11, commercial providers cooperated in the interest of national security. Where they were unwilling, the providers were often compelled by law to cooperate.

In time, however, that choice has become more uncomfortable for the commercial sector. And so, for example, today, Google is encrypting information to avoid NSA scrutiny. Other companies, like Apple, have limited the amount of data they hold as a way of avoiding the obligation to turn it over to the government. As Apple has said in a public report: ‘We have no interest in amassing personal information about our customers. We do not store location data, Maps searches, or Siri requests in any identifiable form.’

Government access to commercial data is creating crosscurrents that put companies under competing legal obligations and that are eroding traditional international cooperation. Let’s use one of these events to kind of pull the mess apart and into manageable pieces.

This is a transcript from the video series The Surveillance State: Big Data, Freedom, and You.

Microsoft-Government Tussle over Data Collection

In December 2013, Microsoft received a warrant from a magistrate in the Southern District of New York directing the company to turn over content and metadata relating to a Microsoft user whose records were stored in the company’s Dublin, Ireland, data center. 

Microsoft had assigned the customer’s content-related records to its Ireland data center based on proximity to the customer, who was European. Meanwhile, the non-content metadata—the to and from line—about the customer was stored here in the United States.

It’s a perfect example of separate jurisdictions in the virtual world. Taking a practical approach, Microsoft—which is, of course, a U.S. corporation subject to U.S. law—produced the non-content metadata associated with the user, which was stored on its U.S. servers. But Microsoft objected to the warrant for content-related information stored in Ireland. How would you argue the case? How would you decide?

Is the Location of the Server Relevant?

Microsoft argued that compliance with the warrant would require an extraterritorial search and seizure of data located on servers in Ireland. That type of seizure, they said, is not authorized under the applicable statute—the Stored Communications Act. In Microsoft’s view, a search of digital data takes place where the data is physically stored, not at the point from which the data is accessed.

Microsoft has not argued that Irish law prohibits the company from complying with the American warrant, but it has noted that the U.S. government could instead use diplomatic means—and an existing treaty with Ireland—to secure the content data with Ireland’s agreement and cooperation.

Government Wins the Argument

On the other side of the coin, the federal government’s argument is based on the location of the service provider rather than the location of the data being sought. Since Microsoft is located in the United States and has control of the data, the government argued that it can and should be obliged to comply with the warrant. 

In addition, the government contended that a decision in favor of Microsoft would have much broader implications, signaling to criminals that simply registering as a non-U.S. account holder would allow them to escape the Stored Communications Act warrant and avoid federal scrutiny.

The federal district court in New York adopted the government’s argument and said that the government’s order was valid. Microsoft was required to disclose the content of its customer’s files even though they were stored outside the United States.

Microsoft then appealed the matter to the U.S. Court of Appeals for the Second Circuit. The issue brought to the fore by this case is that American cyber policymakers may soon be put to a test that challenges their consistency. 

How the Tables Turn

When Alibaba—the Chinese e-commerce company—opened up a new data center in Silicon Valley, the center allowed it to expand one of its product lines—cloud services for businesses—into the American market. It demonstrated an effort by Alibaba to go head-to-head with other cloud service providers.

The U.S. says that U.S. law gives it the right to compel evidence from U.S. corporations anywhere in the world. Therefore, to be consistent and not hypocritical, the U.S. must similarly recognize foreign oversight of foreign corporations on U.S. soil. 

If we accept that view, then—of necessity—we must be logically consistent and say that the same is true of American data stored on the Alibaba server in Silicon Valley. The Chinese government is legally free to compel a Chinese company, like Alibaba, to disclose any information in the company’s control even if that data is stored in America.

You can see from these stories about Microsoft and Alibaba that the current legal structure creates perverse incentives. 

Common Questions about Why Government Collecting Data from Private Sector Is Trouble

Q: How do companies make sure they don’t share their data with the government?

Some companies, such as Apple, just don’t keep a lot of the data they have, so when the government is collecting data from them, they aren’t technically refusing to give the data away. Others, like Google, encrypt their data.

Q: How did Microsoft respond when the government wanted data stored in their servers in Ireland?

Microsoft believed that because the server was in a foreign country, it couldn’t give the government the data, but it wouldn’t oppose the government collecting the data if it went through the right diplomatic channels.

Q: In the Microsoft case, why didn’t the government go through diplomatic channels to get access to the data on a foreign server?

The government believed that since Microsoft is an American company, the location of their servers is irrelevant. The company itself is subject to U.S. law. They also argued that if the ruling was against the government collecting data, it would have repercussions on a broader scale.