October 06, 2015

Safe Harbor, Jurisdiction, Parallel Construction and Pirate Radio

In response (in part) to the Snowden Revelations having undone trust in U.S. companies’ ability to ensure data integrity, the European Court of Justice (ECJ) today invalidated a 15-year-old data privacy pact that allowed U.S. businesses to “legally” transfer EU citizen data across the Atlantic.

The EU's Charter of Fundamental Rights guarantees the protection of personal data.  In that context, until today, under the so-called “Safe Harbor” agreement, more than 4,000 U.S. companies “self-certified” that they met EU privacy protection laws, thus qualifying them to handle EU data. 

As of today, however, the ECJ rendered Safe Harbor invalid, due to, among other things, America’s global approach to digital surveillance and data collection, as well as the lack of adequate privacy protections in the U.S.

Meanwhile, related, the two-year-old Department of Justice (DOJ) case against Microsoft for refusing to surrender an individual’s data stored on a server at a Microsoft center in Ireland continues to wind its way through the U.S. legal system, with the Supreme Court the likely ultimate arbiter.

At issue: The personal emails of an individual suspected by U.S. authorities in a narcotics case. 

DOJ contends that emails should be treated as the business records of the company hosting them and that a search warrant should compel access to them no matter where they are stored.  

Microsoft argues that the emails are the customers’ personal documents and a U.S. warrant does not carry the authority needed in Ireland - or any foreign jurisdiction - to compel the company to surrender the data.

The Irish government, for its part, maintains that data should only be disclosed on request to the Irish government pursuant to the long standing mutual legal assistance treaty between the U.S. and Ireland.

The case would seem to be a pretty clear no-win all around:

If Microsoft prevails, the global trend towards data localization requirements will almost certainly be accelerated, at the very least undermining the efficiencies of the Cloud, at the very worst Balkanizing the Internet altogether – neither outcome being in anyone’s best interests.

If DOJ carries the day, what little trust may linger in U.S. information service providers will vanish, severely impacting their overseas business prospects and, at the same time, hindering U.S. authorities engaged in legitimate surveillance and data gathering, all the while further setting the precedent for governments worldwide to demand access to data stored in the U.S.

But it’s worse than that.

However the case may ultimately be resolved, uncertainty will reign, piled on top of the chaos echoing in the wake of today’s ECJ Safe Harbor decision, which has left thousands of companies scrambling to sustain businesses and striving for “compliance” with any number of regimes.

Worse yet, governments will not pause their surveillance and data collection.  Indeed, two years of Snowden Revelations might suggest (to some) that the U.S. never really gave a fig about privacy anyway (other governments have yet to be as effectively outed, but are equally suspect).

In that context, whichever way the Microsoft case goes, the U.S. authorities who brought the case will be yet more hindered in the future in terms of “legal” access to the information they desire.  So, they will do what they have already been doing: They will access the data they want in whatever manner they deem necessary.

Meanwhile, in the law enforcement realm, such illicit gathering of information may lead to the institutionalization of the process of “parallel construction,” a method by which the U.S. “exclusionary rule” which protects those accused can be circumvented to allow illegally gathered evidence to be admissible in court, severely undermining the rule of law.

(Parallel construction is already – reportedly - a popular DEA strategy: link)

At the same time, business and criminal enterprises alike may find themselves considering “Pirate Radio”-like data center services, with server banks housed “offshore” (literally or figuratively) in terms of being subject to no-one’s law enforcement or other jurisdiction, potentially threatening the rule of law (but also possibly fostering unique new business opportunities).

Clearly, while concerns related to the confluent conundrums of the Microsoft case and the Safe Harbor collapse are beyond multi-fold, the complexity of the matters involved dictates that there will also be no easy solutions.

So, what next?

Fitful and frustrating global conversations about very complex concepts - ranging from the definition of jurisdiction in a transnational world, to the harmonization of data protection and data compulsion policies, to balancing personal privacy and national security, and beyond.

The goal?

De-conflicting inconsistent data-related (and other) laws and rules across the globe to allow for fair and open and trusted market access to facilitate continued global growth and prosperity in what is an increasingly-digital and borderless world.

How hard can that be?

October 05, 2015

Summit Dust Settled; When's the Next Dust-up?

With the Obama-Xi Summit a comfortable week behind us, it seems timely to dig into some of the rhetoric, particularly in the areas of cyber and national security - matters of critical importance to the global and interdependent information and communications technology (ICT) industry.

Indeed, putting an exclamation point on that critical importance, it is worth noting that, a month in advance of the Summit, on August 11, nineteen major U.S. industry and ICT trade associations wrote to President Obama seeking his strong engagement with President Xi to address growing barriers to ICT trade, and, while not specifically called out, not just in China (link to letter).

The letter appealed (very slightly edited for length):

· The U.S. and China should reaffirm their commitment to open markets, particularly in the ICT sector, recognizing the significant benefits that both countries enjoy from integration into global ICT industry value chains.

· The U.S. and China should confirm…that in pursuing measures to protect national security, they should ensure that measures affecting the ICT sector are: (i) necessary to advance a legitimate security objective; (ii) narrowly-tailored to achieve that objective; (iii) the least restrictive of open trade and competition as possible. In particular, both sides should commit to refrain from embedding in their national security laws, regulations, and policies specific requirements related to economic security that are designed to advance policies that distort markets and restrict open competition.

· The U.S. and China should agree, at the highest levels of government, to ensure that an ongoing high-level consultation mechanism exists and is dedicated to minimize any disruption to mutually-beneficial global ICT trade through the achievement of these goals.

Ah, cyber-motherhood and digital-apple pie.  Good stuff.

And, thankfully – and rather impressively – the two Presidents ponied up, at least rhetorically.

Key takeaways from the Summit in terms of ICT:  Both sides agreed...

· They would not “conduct or knowingly support” cyber and non-cyber-related theft of intellectual property in order to favor individual companies or sectors.

· They would provide timely responses to requests for information and assistance in addressing cyber-related incidents, and, to facilitate this, they would launch a high-level semi-annual dialogue on fighting cybercrime involving key law enforcement and security agencies on both sides.

· They would work together to identify and promote international norms for government behavior in cyberspace and pledged to establish a senior experts group to discuss these issues further.

· They would limit the scope of national security reviews, and refrain from restricting investment/business on the basis of economic or public interest concerns.

Bravo.  (Polite golf applause).

It will come as a surprise to virtually no-one that the joint announcement was met with a bit of skepticism. 

An illustrative example of such sentiment (and by no means am I criticizing any one person or publication in particular), would be the September 25, 2015 article in the Hill, titled “Time for Constructive Confrontation with China” (linked).

The article, which bemoans China’s State-mercantilist approach to world trade, particularly in the IP-intensive ICT industry, and critiques the U.S. for its milquetoast engagement on such concerns, among other things states, in sum:

“In a properly functioning global trading system, countries are supposed to focus on innovating to differentiate themselves in fields where they have comparative advantages, and then trade for things that other countries are better at producing…The United States cannot wait for China's ruling officials to wake up to the error of their ways, however. It must forcefully push back… The strategy should be to put less emphasis on legalistic engagement and more on achieving tangible results…”

Damned straight.  Spot on.  100% non-objectionable.

But let’s be sure to make it a two-way process. 

Indeed, and specifically borrowing from the September 2015 Obama-Xi commitment to refrain from restricting investment/business on the basis of economic or public interest concerns, as well as the U.S. industry associations' plea for both sides to “refrain from…policies that distort markets and restrict open competition,” let's consider a case in point:

On June 1, 2015, the National Cybersecurity and Communications Integration Center’s National Coordinating Center for Communications (quite a mouthful), overseen by the U.S. Department of Homeland Security (DHS), distributed - across the U.S. ICT industry - an amateurish FBI document slandering China-based Huawei Technologies (my employer, as regular readers will recall).

The aptly-named FBI “SPIN” (“Strategic Partnership Intelligence Note”) document, dated February 2015, which regurgitates four pages of beyond-tired and oft-disproven misinformation, can be accessed here.

This document, prepared by the FBI and broadly circulated by DHS, is very clearly a U.S. Government initiative to very much restrict (effectively "ice") investment/business on so-called “national security” grounds.  This fact-challenged document – its genesis, approval and dissemination – very obviously reflects a policy that very much “distorts markets and restricts open competition.”

Yes, China should be held to its commitments, and perhaps most efficiently in the context of “constructive confrontation.” 

But, so too must a light be shined on the market-distorting, trade-restricting and – very worrisome – precedent-setting policies of the U.S. Government.

Neither side should expect to have its cake and eat it too.  Any myopic attempt by either side to do so will only result in neither side delivering on their promises, preserving a status quo that is in no-one's best interest.