Desktop Enterprise Agreement Business Value for the BDM
Perkins Analysis on US Patriot
1. E-Mail Privacy
How the USA PATRIOT Act and International Laws Affect Law Enforcement
Access to Data Stored in the United States
Microsoft Corporation and Michael Sussmann, Perkins Coie LLP
Published: September 9, 2009
Abstract
The USA PATRIOT Act is neither the savior nor demon it has been portrayed to be. Rather, it is
a collection of amendments to existing laws that seek to enhance public safety. In certain
instances, law enforcement's tasks are made easier and communications data is more readily
accessible. Like all U.S. laws, the Patriot Act applies equally to every company doing business in
the United States – whether U.S.-based or not – and most developed countries have similar
investigative powers that also reach every company that conducts business within their borders.
3. Contents
Contents.....................................................................................................................................................3
The USA Patriot Act and Access to Data.................................................................................................4
Applicability of U.S. Laws to Things Within U.S. Borders......................................................................5
U.S. Laws Amended by the Patriot Act....................................................................................................5
Privacy Protection for Any Disclosure of Data ......................................................................................6
International Laws Similar to the U.S. PATRIOT Act..............................................................................7
U.S. Privacy Protections Meet or Exceed Those of Other Countries....................................................7
Summary....................................................................................................................................................9
3
4. The USA Patriot Act and Access to Data
The USA PATRIOT Act ("Patriot Act") has been in the headlines, on and off, since the September 11,
2001 attacks. It has been championed and vilified, alternatively, as either enhancing the government's
abilities to protect public safety or as unnecessarily eroding civil liberties and basic privacy rights. For
many, the Patriot Act has become a rallying point and catchall phrase for government overreaching.
What is most controversial about the Patriot Act is that it makes lawful government surveillance and
access to stored data easier in certain instances. Indeed, the law was created to enhance the abilities of
the U.S. government to prevent, detect, and investigate terrorist acts. However, from the time the
legislation was signed into law through the time of its reauthorization, people have debated the
reasonableness of many of these changes.
Unfortunately, most commentators have not read the Patriot Act and many cannot accurately describe
more than a few of its provisions. And that is no wonder: the Patriot Act and its reauthorizing legislation1
make up 217 pages of text. So, what exactly is the Patriot Act and is there a basis for all the controversy?
The USA PATRIOT Act was signed into law by President Bush on October 26, 2001. Its title stands for
“Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism.” Most of the Patriot Act is a compilation of amendments to other existing laws.
One of the main sections of the Patriot Act deals with government access to electronic data. These
provisions do such things as require cable providers who offer communications services to comply with
the same investigative procedures that apply to telephone companies and Internet service providers;
make the standard for government access to stored voice-mail messages the same as for access to
stored e-mail messages; expand the list of basic subscriber information that can be obtained with a
subpoena to include payment information for the account; allow for voluntary disclosure of data (without
legal process) in emergencies “involving immediate danger of death or serious physical injury”; and allow
nationwide applicability for court orders and search warrants that are issued from a particular jurisdiction.
It is true that, under some circumstances, the Patriot Act makes it easier for the U.S. government to gain
access to a customer’s data. For example, the Patriot Act streamlined certain legal requirements and
procedures. The government can now use a single search warrant, obtained from a federal judge, to
order disclosure of data held by communications providers in multiple states, instead of having to seek
separate search warrants (from separate judges) for providers that are located in different states. The
Patriot Act also lowered certain legal requirements to make them more uniform. By the same token, the
Patriot Act also made certain things "easier" for ISPs and other communications providers, in that it made
certain ambiguous or disputed requirements uniform and clear. One example is the uniformity regarding
stored voice mail. Another example is the clear authority in the new computer trespass provision for a
provider, if it chooses, to invite law enforcement onto its premises to assist with the investigation of an
ongoing computer intrusion or attack.
1
With a number of the most controversial parts of the Patriot Act set to expire after five years, in March
2006 President Bush signed legislation to reauthorize it, making permanent several “sun-setting
provisions,” extending two provisions until 2009, and incorporating a number of new rights protections.
4
5. Applicability of U.S. Laws to Things Within U.S. Borders
Many people ask whether data stored in the United States by Microsoft or one of its competitors would be
subject to the Patriot Act. While the short answer is “yes,” the longer and more relevant answer is that
any data stored in the United States is subject to all of the laws of the United States. Likewise, goods or
tangible objects that are located in the United States and persons residing in the United States are all
subject to all of the laws of the United States – not just the Patriot Act. By virtue of physically being in the
United States, these things and people are subject to the jurisdiction of U.S. law enforcement and the
U.S. courts, as well as third-party legal process in any civil matter. It is that simple. If you or your things
are here, you can be investigated by the government or sued, and your property can be examined and/or
seized through lawful means.
As you might imagine, the same situation exists for data stored in another country. Data stored in the
United Kingdom, for example, would be subject to all of the laws of the United Kingdom. By virtue of
being located there, the data would be subject to the jurisdiction of British law enforcement and British
courts. The data could be examined and/or seized through any means available under British law. The
point is, data stored in any particular country will be susceptible to access by that country’s government.
If you store data in Country X, the government of Country X will have greater access to that data than
would any other country.
U.S. Laws Amended by the Patriot Act
Since the Patriot Act largely is just a large collection of amendments to other laws, in the context of
government investigations involving electronic data, it is helpful to explain briefly what those other laws
are.
The three main laws concerning government access to electronic data are:
• the Electronic Communications Privacy Act (“ECPA”) (18 U.S.C. § 2701);
• the Pen Register and Trap-and-Trace Statute (“Pen/Trap”) (18 U.S.C. § 3121); and
• the Wiretap Act – commonly referred to as “Title III” (18 U.S.C. § 2510).
The ECPA defines the circumstances under which the government can demand disclosure of stored
communications and other stored data, and it sets increasingly difficult legal standards for the government
to gain access to each of three successive categories of stored data: subscriber information; information
about the source and destination of communications (e.g., who is e-mailing whom); and the content of
communications. The Pen Register and Trap-and-Trace statute concerns real-time access to non-
content information regarding the source and destination of communications (e.g., who is e-mailing
whom). And Title III concerns real-time government interceptions of the content of communications, and
it has the most stringent legal standard and procedures to meet.
Those are the main laws that the U.S. government would use to access data in the United States. But
there are also legal processes available to the U.S. government if, for example, it wants access to data
stored by a Microsoft competitor in Canada. Suppose "CanadianStorage" were a competitor of Microsoft
based in Canada, with data storage in Canada, but with a sales office, servers, or personnel physically
located in the United States. Under those circumstances, U.S. law enforcement could serve a subpoena,
court order, or search warrant on CanadianStorage's U.S. office and demand that it retrieve the data from
its servers in Canada and provide that data to U.S. law enforcement. (This is sometimes referred to as a
“Bank of Nova Scotia subpoena” because of a case by that name that ruled (favorably) on the
5
6. government’s powers in this regard.)2
If, on the other hand, CanadianStorage was located in Canada, stored its data in Canada, and had no
presence (e.g., sales office or employees) outside of Canada, then the United States would have to seek
the assistance of Canadian law enforcement to gain access to CanadianStorage data. In that case, U.S.
law enforcement would make a request to Canadian authorities for mutual legal assistance. The
Canadians would get a court order, serve it on CanadianStorage, and then send that data back to U.S.
authorities.3
Of course, law enforcement can also simply demand that the customer/user produce the stored records –
even if such records are stored in another country. If someone living in the United States was storing his
or her data with CanadianStorage – with the data on servers in Montreal – U.S. law enforcement could
serve a grand jury subpoena on the person in the United States for production of the records stored in
Canada. Such subpoena would seek all records in the person's "possession, custody, or control." If the
person refused, a judge would issue an order to compel production and, if the person still refused, he or
she could be found in contempt of court and jailed.4
Privacy Protection for Any Disclosure of Data
Many people wonder what the U.S. government can do with data it receives through these laws and legal
procedures. U.S. privacy protections ensure that evidence obtained through investigative means can only
be used for official purposes and generally cannot be used for purposes beyond the scope of the
investigation. While investigative information is usually kept from public view, information that is needed
for trial or for public filings, such as indictments, will thereby enter the public domain.
It is worth noting that the United States does not share with U.S. businesses any data it collects through
investigations. In fact, there are criminal and civil penalties for such unlawful disclosures. For example,
the Electronic Communications Privacy Act provides that "[a]ny willful disclosure of a 'record' . . . obtained
by an investigative or law enforcement officer, or a governmental entity, pursuant to [this statute or the
Pen-Trap statute] that is not a disclosure made in the proper performance of the official functions of the
officer or governmental entity making the disclosure is a violation of this chapter."
One thing that is hard to predict or guarantee is whether a Microsoft customer would know if he or she is
the subject of an investigation and if the U.S. government has sought his or her customer records from
Microsoft. Such notice would depend on the specific investigation. Some investigative processes require
notice to a customer. For example, under certain circumstances, if the government uses a subpoena or
court order to obtain communications stored by Microsoft, the government must give prior notice to the
customer. (See 18 U.S.C. § 2703(b)(1)(B).) Other investigative processes, such as those filed under
seal with the court, forbid notice to the customer. Still others are silent on notice and the provider may
notify the customer on its own.
2
Likewise, if Microsoft stored its data in the United States but maintained a sales office in Toronto,
Canadian law enforcement could serve a court order on the Toronto office, demanding that records stored
in the United States be produced.
3
And the same is true, in the reverse, about Canadian law enforcement seeking data stored in the
United States: they could make a mutual legal assistance request asking the United States to obtain and
turn over to them data that is stored in the United States.
4
The reverse also would be true for a person in Canada, with data stored in the United States, who was
served legal process by the RCMP.
6
7. International Laws Similar to the U.S. PATRIOT Act
While the Patriot Act has received a lot of national and international media attention, the United States is
far from the only country to seek such laws. For example, in 2000, the United Kingdom enacted the
Regulation of Investigatory Powers Act of 2000 ("RIPA"), which updated processes for the interception of
communications and other related investigative powers. While quite cumbersome, the long title for RIPA
provides a view into the scope of changes to the law: "An Act to make provision for and about the
interception of, communications, the acquisition and disclosure of data relating to communications, the
carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the
means by which electronic data protected by encryption or passwords may be decrypted or accessed; to
provide for the establishment of a tribunal with jurisdiction in relation to those matters, to entries on and
interferences with property or with wireless telegraphy and to the carrying out of their functions by the
Security Service, the Secret Intelligence Service and the Government Communications Headquarters;
and for connected purposes."
Likewise, in Canada, on June 18, 2009, the Technical Assistance for Law Enforcement in the 21st
Century Act was introduced and is currently pending in the House of Commons.5 If enacted, the Act will
require service providers to include interception capability in their networks and to supply basic subscriber
information (e.g., name, address, telephone number, IP address, e-mail address, service provider
identification and certain cell phone identifiers) to law enforcement agencies and the Canadian Security
Intelligence Service (CSIS) on request. According to the Canadian Public Safety Ministry, there currently
is no legislation specifically designed to require the provision of this information to police forces and CSIS
in a timely fashion.6 As a result, the practices of releasing this information to police forces and CSIS vary
across the country: some service providers release this information to law enforcement immediately upon
request; others provide it at their convenience, often following considerable delays; while others insist on
law enforcement obtaining search warrants before the information is disclosed.
U.S. Privacy Protections Meet or Exceed Those of Other
Countries
What may be the biggest surprise to those who are concerned about their privacy and the security of their
data is that the privacy protections in the United States – as they relate to government access – far
exceed those in Europe and they are quite comparable to the protections in Canada. The general
perception is that there are greater protections in the United States than in Europe regarding government
access to data; conversely, there are far better protections in Europe with regard to how corporate
businesses are allowed to handle their user data and a user’s personal information. For example, data
collected in the EU by businesses can only be used for the limited purpose for which it was collected and
cannot be transferred outside the EU, to the United States, unless the data's "owner" has given express
consent to do so – and only then under strict security rules – or for law enforcement purposes. (Many
believe this privacy regime hinders global business operations.)
In truth, the United States has a very mature and detailed legal regime for restricting government access
to data. Privacy protections begin with the U.S. Constitution and extend to federal and state laws
protecting health care and financial records, electronic communications, and other kinds of information.
Unfortunately, such things as the debate over the Patriot Act renewal have had a negative effect on
perceptions of data privacy and data security in the United States.
5
See Bill C-47, “An Act regulating telecommunications facilities to support investigations,” available at
http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=4007628&file=4
6
Summary of Technical Assistance for Law Enforcement in the 21st Century Act, Canadian Public Safety
Ministry, June 18, 2009, available at http://www.publicsafety.gc.ca/media/nr/2009/nr20090618-1-eng.aspx
7
8. Another way to analyze the effectiveness of privacy protections is to compare the extent to which
individual countries access customer data. In this regard, the United States and Canada share a
comparable level of privacy protections and use of investigative powers to access data. European
countries are far more liberal with regard to investigators' access to data, and their procedures are far
less rigorous. This conclusion is based on independent reporting and analysis (see below).
One of the best barometers for judging respect for civil liberties and use of investigative powers to access
data is analysis of the use of lawful interception of communications by individual countries. Maintenance
of national statistics concerning interceptions is often mandated by national laws. (In the United States,
reports are not prepared by law enforcement; instead, the Administrative Office of the U.S. Courts
prepares them, as it gets its data from the individual courts that approve interception requests from law
enforcement.) In addition, the interception of the content of a communication is considered by many to be
the most egregious invasion of privacy and therefore countries' restraint (or lack thereof) in using this
technique is a powerful indicator for other, less monitored, investigative techniques. Through country
reporting, the following data is available for total number of annual interceptions:
Total Number of Interceptions
2001 2002 2003 2004 2005 2006 2007
Italy7 32,000 45,000 77,000 100,000 n/a n/a n/a
(est.)
Germany8 21,874 n/a n/a >30,000 42,508 35,329 n/a
U.S.9 1,405 1,273 1,367 1,633 1,694 1,714 2,119
Canada10 1,203 2,131 1,498 1,292 839 855 726
France11 n/a 4,654 n/a n/a n/a 5,985 n/a
U.K.12 1,445 1,605 1,983 1,973 2,407 1,435 2,026
7
Italian GSM provider warns: too many wiretaps, European Digital Rights, Feb. 24, 2005, available at
http://www.edri.org/edrigram/number3.4/wiretap
8
German court outlaws wiretapping without court order, European Digital Rights, Aug. 10, 2005, available
at http://www.edri.org/edrigram/number3.16/wiretapping; Paul M. Schwartz, Evaluating
Telecommunications Surveillance in Germany: The Lessons of the Max Planck Institute’s Study, 72 Geo.
Wash. L. Rev. 1244, 1255 (2004), available at http://www.paulschwartz.net/pdf/SchwartzGeoFinal.pdf;
Privacy International’s Privacy Profile for the Federal Republic of Germany, Dec. 18, 2007, available at
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559535
9
Annual Wiretap Reports of the Administrative Office of the United States Courts, available at
http://www.uscourts.gov/library/wiretap.html
10
Annual Report of the Canadian Minister of Public Safety and Emergency Preparedness on the Use of
Electronic Surveillance, 2007, available at http://www.publicsafety.gc.ca/abt/dpr/le/elecsur-07-
eng.aspx#s3; Annual Report of the Canadian Minister of Public Safety and Emergency Preparedness on
the Use of Electronic Surveillance, 2005, available at http://www.publicsafety.gc.ca/abt/dpr/le/elecsur_05-
eng.aspx
11
KEVIN M. KEENAN, INVASION OF PRIVACY 46 (ABC-CLIO 2005); Privacy International’s Privacy Profile for the
French Republic, Dec. 18, 2007, available at http://www.privacyinternational.org/article.shtml?
cmd[347]=x-347-559537
8
9. Because reporting of interceptions is not entirely uniform among countries, a 2003 study on
telecommunications surveillance by the Max Planck Institute in Germany created a common denominator
for comparison; it took the available statistics from 14 countries and calculated the number of surveillance
orders per 100,000 inhabitants13:
Surveillance Orders Per 100,000 Inhabitants, 1998-2000
(Max Planck Institute 2003 study)
Italy 76.0 surveillance orders per 100,000 inhabitants
Germany 15.0 surveillance orders per 100,000 inhabitants
UK 6.0 surveillance orders per 100,000 inhabitants
US 0.5 surveillance orders per 100,000 inhabitants
Canada 0.4 surveillance orders per 100,000 inhabitants
***
Summary
The USA PATRIOT Act is neither the savior nor demon it has been portrayed to be. Rather, it is a
collection of amendments to existing laws that seek to enhance public safety. In certain instances, law
enforcement's tasks are made easier and communications data is more readily accessible. Like all U.S.
laws, the Patriot Act applies equally to every company doing business in the United States – whether
12
Report of the Interception of Communications Commissioner for 2007, at 6, July 22, 2008, available at
http://www.official-documents.gov.uk/document/hc0708/hc09/0947/0947.pdf; Report of the Interception of
Communications Commissioner for 2006, at 13, Jan. 28, 2008, available at http://www.official-
documents.gov.uk/document/hc0708/hc02/0252/0252.pdf (the 2006 numbers above are from April 1,
2006 through December 31, 2006); Report of the Interception of Communications Commissioner for
2005-2006, at 19, Feb. 19, 2007, available at http://www.official-
documents.gov.uk/document/hc0607/hc03/0315/0315.pdf (the 2005 numbers above are from January 1,
2005 through March 31, 2006); Report of the Interception of Communications Commissioner for 2004, at
13, Nov. 3, 2005, available at http://www.statewatch.org/news/2005/nov/teltap-2004.pdf; Report of the
Interception of Communications Commissioner for 2003, at 11, July 22, 2004, available at
http://www.privacyinternational.org/countries/uk/surveillancecomm/ukinterceptrel2004.pdf; Report of the
Interception of Communications Commissioner for 2002, at 12, Sept. 9, 2003, available at
http://www.libertysecurity.org/IMG/pdf/2002report-of-uk-interception-comm.pdf; Report of the Interception
of Communications Commissioner for 2001, at 18, Oct. 31, 2002, available at http://www.archive2.official-
documents.co.uk/document/deps/hc/hc1243/1243.pdf
13
Source: Max Planck Institute 2003 study on telecommunications surveillance,
http://www.iuscrim.mpg.de/verlag/online/Band_115.pdf (in German); see also Paul M. Schwartz,
Evaluating Telecommunications Surveillance in Germany: The Lessons of the Max Planck Institute’s
Study, 72 Geo. Wash. L. Rev. 1244, 1255 (2004), available at
http://www.paulschwartz.net/pdf/SchwartzGeoFinal.pdf.
9
10. U.S.-based or not – and most developed countries have similar investigative powers that also reach every
company that conducts business within their borders.
10