There’s a really big battle brewing concerning privacy protections online that involves some Silicon Valley tech companies, Ireland and the US government. And chances are this fight is going to get nasty.
Over the last decade, Ireland has become a popular destination for US tech firms to set up international operations, in part because of Ireland setting itself up as sort of a tax haven for tech firms via its “Double Irish” tax dodge. A bunch of tech companies have been criticized for this, though the response of “we’re following exactly what the law allows” is reasonable enough. Either way, that tax loophole is closing, though others may show up instead.
But this move doesn’t seem predicated by that. Instead, there are two related elements that may be at work here. First: Ireland is also seen as having some of the most company-friendly privacy laws in the EU, though those are also coming under some amount of scrutiny. But, at the same time, by claiming that users are now under the Irish company, it gives Twitter and Dropbox at least some power to try to say no to US government requests for information. So, depending on if you’re more afraid of government intrusions in your data than corporate intrusions (as I am), then these moves are probably good for your privacy.
Except… the US government still thinks that it can do whatever the hell it wants. First, in some ways, data inside the US has potentially more protections against the US government in a somewhat bizarre way. Whether you believe it or not, the NSA cannot “hack” its way into US computer systems. It can only use the various other processes it has to demand information from companies. Overseas, however, there are no such restrictions. The NSA has interpreted Executive Order 12333 to mean that it can hack into anything overseas, and this was the authority it used to break into the data centers of Google, Yahoo and likely more overseas (sneaking in via Level 3 and others).
But, that still requires hacking into stuff. If US tech companies believe they can successfully fend off such hacks, putting non-US users under Irish law does give them greater protection from the NSA. The NSA can no longer use its other authorities in the US to get the FISA Court to demand information (along with gag orders) from these companies. Or… maybe not. As we’ve been discussing, there’s an ongoing court battle between the US Justice Department and Microsoft, over whether or not the DOJ can issue a warrant demanding Microsoft hand over information stored in Ireland. Microsoft has resisted, but the courts have so far sided with the DOJ. Ireland recognizes this is an important fight, and has asked for the EU to come out in support of Microsoft’s position.
Meanwhile, with a new Attorney General in office, the DOJ has made it clear that it’s going to continue this course of action:
US prosecutors will continue to seek data stored in Ireland using a federal search warrant, despite leadership changes at the Justice Department.
A spokesperson confirmed in an email that the department’s position has “not changed,” two weeks after Loretta Lynch, the Obama administration’s choice to head up the federal agency, was confirmed by Congress as the new US attorney general.
This battle is going to be rather important for those other companies seeking to protect users under Irish law. Warrants aren’t supposed to apply outside of the US. But the DOJ (and the courts) have been simply making up new laws, in arguing that if it’s a US company, but the data is overseas, the warrant magically morphs into a quasi-warrant/subpoena hybrid. But that’s ridiculous. Warrants and subpoenas have different purposes and different protections — and the DOJ wants the best of both worlds. As Microsoft itself explained in one of its legal filings:
The Government’s interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather. it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this.
This fight is far from over — and with companies like Twitter and Dropbox now trying to shift more non-US users under Irish laws, the fight with Microsoft is going to become even more important.
And, that’s not even getting into the discussion of how all of this is, effectively, driving US businesses overseas. The US’s efforts to spy on everyone is, once again, harming the US economy, rather than helping it.