E-Mail Privacy

How the USA PATRIOT Act and International Laws Affect Law Enforcement
Access to Data Stored in the United States



Microsoft Corporation and Michael Sussmann, Perkins Coie LLP
Published: September 9, 2009




Abstract
The USA PATRIOT Act is neither the savior nor demon it has been portrayed to be. Rather, it is
a collection of amendments to existing laws that seek to enhance public safety. In certain
instances, law enforcement's tasks are made easier and communications data is more readily
accessible. Like all U.S. laws, the Patriot Act applies equally to every company doing business in
the United States – whether U.S.-based or not – and most developed countries have similar
investigative powers that also reach every company that conducts business within their borders.

                                    The information contained in this document represents the current view of
                                    Microsoft Corporation on the issues discussed as of the date of
                                    publication. Because Microsoft must respond to changing market
                                    conditions, it should not be interpreted to be a commitment on the part of
                                    Microsoft, and Microsoft cannot guarantee the accuracy of any
                                    information presented after the date of publication.

                                    This White Paper is for informational purposes only. MICROSOFT
                                    MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS
                                    TO THE INFORMATION IN THIS DOCUMENT.
                                    This paper does not constitute legal advice.
                                    Complying with all applicable copyright laws is the responsibility of the
                                    user. Without limiting the rights under copyright, no part of this document
                                    may be reproduced, stored in or introduced into a retrieval system, or
                                    transmitted in any form or by any means (electronic, mechanical,
                                    photocopying, recording, or otherwise), or for any purpose, without the
                                    express written permission of Microsoft Corporation.

                                    Microsoft may have patents, patent applications, trademarks, copyrights,
                                    or other intellectual property rights covering subject matter in this
                                    document. Except as expressly provided in any written license agreement
                                    from Microsoft, the furnishing of this document does not give you any
                                    license to these patents, trademarks, copyrights, or other intellectual
                                    property.

                                    Unless otherwise noted, the example companies, organizations, products,
                                    domain names, e-mail addresses, logos, people, places, and events
                                    depicted herein are fictitious, and no association with any real company,
                                    organization, product, domain name, e-mail address, logo, person, place,
                                    or event is intended or should be inferred.

                                    © 2009 Microsoft Corporation. All rights reserved.

                                    Microsoft is a registered trademark of Microsoft Corporation in the United
                                    States and/or other countries.

                                    All other trademarks are property of their respective owners.
Contents

    The USA Patriot Act and Access to Data
    Applicability of U.S. Laws to Things Within U.S. Borders
    U.S. Laws Amended by the Patriot Act
    Privacy Protection for Any Disclosure of Data
    International Laws Similar to the U.S. PATRIOT Act
    U.S. Privacy Protections Meet or Exceed Those of Other Countries
    Summary

The USA Patriot Act and Access to Data
The USA PATRIOT Act ("Patriot Act") has been in the headlines, on and off, since the September 11,
2001 attacks. It has been championed and vilified, alternatively, as either enhancing the government's
abilities to protect public safety or as unnecessarily eroding civil liberties and basic privacy rights. For
many, the Patriot Act has become a rallying point and catchall phrase for government overreaching.

What is most controversial about the Patriot Act is that it makes lawful government surveillance and
access to stored data easier in certain instances. Indeed, the law was created to enhance the abilities of
the U.S. government to prevent, detect, and investigate terrorist acts. However, from the time the
legislation was signed into law through the time of its reauthorization, people have debated the
reasonableness of many of these changes.

Unfortunately, most commentators have not read the Patriot Act and many cannot accurately describe
more than a few of its provisions. And that is no wonder: the Patriot Act and its reauthorizing legislation[1]
make up 217 pages of text. So, what exactly is the Patriot Act and is there a basis for all the controversy?

The USA PATRIOT Act was signed into law by President Bush on October 26, 2001. Its title stands for
“Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism.” Most of the Patriot Act is a compilation of amendments to other existing laws.

One of the main sections of the Patriot Act deals with government access to electronic data. These
provisions do such things as require cable providers who offer communications services to comply with
the same investigative procedures that apply to telephone companies and Internet service providers;
make the standard for government access to stored voice-mail messages the same as for access to
stored e-mail messages; expand the list of basic subscriber information that can be obtained with a
subpoena to include payment information for the account; allow for voluntary disclosure of data (without
legal process) in emergencies “involving immediate danger of death or serious physical injury”; and allow
nationwide applicability for court orders and search warrants that are issued from a particular jurisdiction.

It is true that, under some circumstances, the Patriot Act makes it easier for the U.S. government to gain
access to a customer’s data. For example, the Patriot Act streamlined certain legal requirements and
procedures. The government can now use a single search warrant, obtained from a federal judge, to
order disclosure of data held by communications providers in multiple states, instead of having to seek
separate search warrants (from separate judges) for providers that are located in different states. The
Patriot Act also lowered certain legal requirements to make them more uniform. By the same token, the
Patriot Act also made certain things "easier" for ISPs and other communications providers, in that it made
certain ambiguous or disputed requirements uniform and clear. One example is the uniformity regarding
stored voice mail. Another example is the clear authority in the new computer trespass provision for a
provider, if it chooses, to invite law enforcement onto its premises to assist with the investigation of an
ongoing computer intrusion or attack.




[1] With a number of the most controversial parts of the Patriot Act set to expire after five years, in March
2006 President Bush signed legislation to reauthorize it, making permanent several “sun-setting
provisions,” extending two provisions until 2009, and incorporating a number of new rights protections.

Applicability of U.S. Laws to Things Within U.S. Borders
Many people ask whether data stored in the United States by Microsoft or one of its competitors would be
subject to the Patriot Act. While the short answer is “yes,” the longer and more relevant answer is that
any data stored in the United States is subject to all of the laws of the United States. Likewise, goods or
tangible objects that are located in the United States and persons residing in the United States are all
subject to all of the laws of the United States – not just the Patriot Act. By virtue of physically being in the
United States, these things and people are subject to the jurisdiction of U.S. law enforcement and the
U.S. courts, as well as third-party legal process in any civil matter. It is that simple. If you or your things
are here, you can be investigated by the government or sued, and your property can be examined and/or
seized through lawful means.

As you might imagine, the same situation exists for data stored in another country. Data stored in the
United Kingdom, for example, would be subject to all of the laws of the United Kingdom. By virtue of
being located there, the data would be subject to the jurisdiction of British law enforcement and British
courts. The data could be examined and/or seized through any means available under British law. The
point is, data stored in any particular country will be susceptible to access by that country’s government.
If you store data in Country X, the government of Country X will have greater access to that data than
would any other country.



U.S. Laws Amended by the Patriot Act
Since the Patriot Act largely is just a large collection of amendments to other laws, in the context of
government investigations involving electronic data, it is helpful to explain briefly what those other laws
are.

The three main laws concerning government access to electronic data are:

    •   the Electronic Communications Privacy Act (“ECPA”) (18 U.S.C. § 2701);
    •   the Pen Register and Trap-and-Trace Statute (“Pen/Trap”) (18 U.S.C. § 3121); and
    •   the Wiretap Act – commonly referred to as “Title III” (18 U.S.C. § 2510).

The ECPA defines the circumstances under which the government can demand disclosure of stored
communications and other stored data, and it sets increasingly difficult legal standards for the government
to gain access to each of three successive categories of stored data: subscriber information; information
about the source and destination of communications (e.g., who is e-mailing whom); and the content of
communications. The Pen Register and Trap-and-Trace statute concerns real-time access to non-
content information regarding the source and destination of communications (e.g., who is e-mailing
whom). And Title III concerns real-time government interceptions of the content of communications, and
it has the most stringent legal standard and procedures to meet.

Those are the main laws that the U.S. government would use to access data in the United States. But
there are also legal processes available to the U.S. government if, for example, it wants access to data
stored by a Microsoft competitor in Canada. Suppose "CanadianStorage" were a competitor of Microsoft
based in Canada, with data storage in Canada, but with a sales office, servers, or personnel physically
located in the United States. Under those circumstances, U.S. law enforcement could serve a subpoena,
court order, or search warrant on CanadianStorage's U.S. office and demand that it retrieve the data from
its servers in Canada and provide that data to U.S. law enforcement. (This is sometimes referred to as a
“Bank of Nova Scotia subpoena” because of a case by that name that ruled (favorably) on the
government’s powers in this regard.)[2]

If, on the other hand, CanadianStorage was located in Canada, stored its data in Canada, and had no
presence (e.g., sales office or employees) outside of Canada, then the United States would have to seek
the assistance of Canadian law enforcement to gain access to CanadianStorage data. In that case, U.S.
law enforcement would make a request to Canadian authorities for mutual legal assistance. The
Canadians would get a court order, serve it on CanadianStorage, and then send that data back to U.S.
authorities.[3]

Of course, law enforcement can also simply demand that the customer/user produce the stored records –
even if such records are stored in another country. If someone living in the United States was storing his
or her data with CanadianStorage – with the data on servers in Montreal – U.S. law enforcement could
serve a grand jury subpoena on the person in the United States for production of the records stored in
Canada. Such subpoena would seek all records in the person's "possession, custody, or control." If the
person refused, a judge would issue an order to compel production and, if the person still refused, he or
she could be found in contempt of court and jailed.[4]



Privacy Protection for Any Disclosure of Data
Many people wonder what the U.S. government can do with data it receives through these laws and legal
procedures. U.S. privacy protections ensure that evidence obtained through investigative means can only
be used for official purposes and generally cannot be used for purposes beyond the scope of the
investigation. While investigative information is usually kept from public view, information that is needed
for trial or for public filings, such as indictments, will thereby enter the public domain.

It is worth noting that the United States does not share with U.S. businesses any data it collects through
investigations. In fact, there are criminal and civil penalties for such unlawful disclosures. For example,
the Electronic Communications Privacy Act provides that "[a]ny willful disclosure of a 'record' . . . obtained
by an investigative or law enforcement officer, or a governmental entity, pursuant to [this statute or the
Pen-Trap statute] that is not a disclosure made in the proper performance of the official functions of the
officer or governmental entity making the disclosure is a violation of this chapter."

One thing that is hard to predict or guarantee is whether a Microsoft customer would know if he or she is
the subject of an investigation and if the U.S. government has sought his or her customer records from
Microsoft. Such notice would depend on the specific investigation. Some investigative processes require
notice to a customer. For example, under certain circumstances, if the government uses a subpoena or
court order to obtain communications stored by Microsoft, the government must give prior notice to the
customer. (See 18 U.S.C. § 2703(b)(1)(B).) Other investigative processes, such as those filed under
seal with the court, forbid notice to the customer. Still others are silent on notice and the provider may
notify the customer on its own.



[2] Likewise, if Microsoft stored its data in the United States but maintained a sales office in Toronto,
Canadian law enforcement could serve a court order on the Toronto office, demanding that records stored
in the United States be produced.
[3] And the same is true, in the reverse, about Canadian law enforcement seeking data stored in the
United States: they could make a mutual legal assistance request asking the United States to obtain and
turn over to them data that is stored in the United States.
[4] The reverse also would be true for a person in Canada, with data stored in the United States, who was
served legal process by the RCMP.

International Laws Similar to the U.S. PATRIOT Act
While the Patriot Act has received a lot of national and international media attention, the United States is
far from the only country to seek such laws. For example, in 2000, the United Kingdom enacted the
Regulation of Investigatory Powers Act of 2000 ("RIPA"), which updated processes for the interception of
communications and other related investigative powers. While quite cumbersome, the long title for RIPA
provides a view into the scope of changes to the law: "An Act to make provision for and about the
interception of communications, the acquisition and disclosure of data relating to communications, the
carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the
means by which electronic data protected by encryption or passwords may be decrypted or accessed; to
provide for the establishment of a tribunal with jurisdiction in relation to those matters, to entries on and
interferences with property or with wireless telegraphy and to the carrying out of their functions by the
Security Service, the Secret Intelligence Service and the Government Communications Headquarters;
and for connected purposes."

Likewise, in Canada, on June 18, 2009, the Technical Assistance for Law Enforcement in the 21st
Century Act was introduced and is currently pending in the House of Commons.[5] If enacted, the Act will
require service providers to include interception capability in their networks and to supply basic subscriber
information (e.g., name, address, telephone number, IP address, e-mail address, service provider
identification and certain cell phone identifiers) to law enforcement agencies and the Canadian Security
Intelligence Service (CSIS) on request. According to the Canadian Public Safety Ministry, there currently
is no legislation specifically designed to require the provision of this information to police forces and CSIS
in a timely fashion.[6] As a result, the practices of releasing this information to police forces and CSIS vary
across the country: some service providers release this information to law enforcement immediately upon
request; others provide it at their convenience, often following considerable delays; while others insist on
law enforcement obtaining search warrants before the information is disclosed.

U.S. Privacy Protections Meet or Exceed Those of Other
Countries
What may be the biggest surprise to those who are concerned about their privacy and the security of their
data is that the privacy protections in the United States – as they relate to government access – far
exceed those in Europe and they are quite comparable to the protections in Canada. The general
perception is that there are greater protections in the United States than in Europe regarding government
access to data; conversely, there are far better protections in Europe with regard to how corporate
businesses are allowed to handle their user data and a user’s personal information. For example, data
collected in the EU by businesses can only be used for the limited purpose for which it was collected and
cannot be transferred outside the EU, to the United States, unless the data's "owner" has given express
consent to do so – and only then under strict security rules – or for law enforcement purposes. (Many
believe this privacy regime hinders global business operations.)

In truth, the United States has a very mature and detailed legal regime for restricting government access
to data. Privacy protections begin with the U.S. Constitution and extend to federal and state laws
protecting health care and financial records, electronic communications, and other kinds of information.
Unfortunately, such things as the debate over the Patriot Act renewal have had a negative effect on
perceptions of data privacy and data security in the United States.

[5] See Bill C-47, “An Act regulating telecommunications facilities to support investigations,” available at
http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=4007628&file=4
[6] Summary of Technical Assistance for Law Enforcement in the 21st Century Act, Canadian Public Safety
Ministry, June 18, 2009, available at http://www.publicsafety.gc.ca/media/nr/2009/nr20090618-1-eng.aspx

Another way to analyze the effectiveness of privacy protections is to compare the extent to which
individual countries access customer data. In this regard, the United States and Canada share a
comparable level of privacy protections and use of investigative powers to access data. European
countries are far more liberal with regard to investigators' access to data, and their procedures are far
less rigorous. This conclusion is based on independent reporting and analysis (see below).

One of the best barometers for judging respect for civil liberties and use of investigative powers to access
data is analysis of the use of lawful interception of communications by individual countries. Maintenance
of national statistics concerning interceptions is often mandated by national laws. (In the United States,
reports are not prepared by law enforcement; instead, the Administrative Office of the U.S. Courts
prepares them, as it gets its data from the individual courts that approve interception requests from law
enforcement.) In addition, the interception of the content of a communication is considered by many to be
the most egregious invasion of privacy and therefore countries' restraint (or lack thereof) in using this
technique is a powerful indicator for other, less monitored, investigative techniques. Through country
reporting, the following data is available for total number of annual interceptions:

                                      Total Number of Interceptions

              2001          2002          2003          2004            2005          2006          2007

Italy[7]      32,000        45,000        77,000        100,000 (est.)  n/a           n/a           n/a
Germany[8]    21,874        n/a           n/a           >30,000         42,508        35,329        n/a
U.S.[9]       1,405         1,273         1,367         1,633           1,694         1,714         2,119
Canada[10]    1,203         2,131         1,498         1,292           839           855           726
France[11]    n/a           4,654         n/a           n/a             n/a           5,985         n/a
U.K.[12]      1,445         1,605         1,983         1,973           2,407         1,435         2,026

[7] Italian GSM provider warns: too many wiretaps, European Digital Rights, Feb. 24, 2005, available at
http://www.edri.org/edrigram/number3.4/wiretap
[8] German court outlaws wiretapping without court order, European Digital Rights, Aug. 10, 2005, available
at http://www.edri.org/edrigram/number3.16/wiretapping; Paul M. Schwartz, Evaluating
Telecommunications Surveillance in Germany: The Lessons of the Max Planck Institute’s Study, 72 Geo.
Wash. L. Rev. 1244, 1255 (2004), available at http://www.paulschwartz.net/pdf/SchwartzGeoFinal.pdf;
Privacy International’s Privacy Profile for the Federal Republic of Germany, Dec. 18, 2007, available at
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559535
[9] Annual Wiretap Reports of the Administrative Office of the United States Courts, available at
http://www.uscourts.gov/library/wiretap.html
[10] Annual Report of the Canadian Minister of Public Safety and Emergency Preparedness on the Use of
Electronic Surveillance, 2007, available at http://www.publicsafety.gc.ca/abt/dpr/le/elecsur-07-eng.aspx#s3;
Annual Report of the Canadian Minister of Public Safety and Emergency Preparedness on
the Use of Electronic Surveillance, 2005, available at
http://www.publicsafety.gc.ca/abt/dpr/le/elecsur_05-eng.aspx
[11] KEVIN M. KEENAN, INVASION OF PRIVACY 46 (ABC-CLIO 2005); Privacy International’s Privacy Profile for the
French Republic, Dec. 18, 2007, available at
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559537

Because reporting of interceptions is not entirely uniform among countries, a 2003 study on
telecommunications surveillance by the Max Planck Institute in Germany created a common denominator
for comparison; it took the available statistics from 14 countries and calculated the number of surveillance
orders per 100,000 inhabitants[13]:


                Surveillance Orders Per 100,000 Inhabitants, 1998-2000
                           (Max Planck Institute 2003 study)

      Italy          76.0    surveillance orders per 100,000 inhabitants
      Germany        15.0    surveillance orders per 100,000 inhabitants
      UK              6.0    surveillance orders per 100,000 inhabitants
      US              0.5    surveillance orders per 100,000 inhabitants
      Canada          0.4    surveillance orders per 100,000 inhabitants




                                                    ***




Summary
The USA PATRIOT Act is neither the savior nor demon it has been portrayed to be. Rather, it is a
collection of amendments to existing laws that seek to enhance public safety. In certain instances, law
enforcement's tasks are made easier and communications data is more readily accessible. Like all U.S.
laws, the Patriot Act applies equally to every company doing business in the United States – whether
U.S.-based or not – and most developed countries have similar investigative powers that also reach every
company that conducts business within their borders.

[12] Report of the Interception of Communications Commissioner for 2007, at 6, July 22, 2008, available at
http://www.official-documents.gov.uk/document/hc0708/hc09/0947/0947.pdf; Report of the Interception of
Communications Commissioner for 2006, at 13, Jan. 28, 2008, available at
http://www.official-documents.gov.uk/document/hc0708/hc02/0252/0252.pdf (the 2006 numbers above are from April 1,
2006 through December 31, 2006); Report of the Interception of Communications Commissioner for
2005-2006, at 19, Feb. 19, 2007, available at
http://www.official-documents.gov.uk/document/hc0607/hc03/0315/0315.pdf (the 2005 numbers above are from January 1,
2005 through March 31, 2006); Report of the Interception of Communications Commissioner for 2004, at
13, Nov. 3, 2005, available at http://www.statewatch.org/news/2005/nov/teltap-2004.pdf; Report of the
Interception of Communications Commissioner for 2003, at 11, July 22, 2004, available at
http://www.privacyinternational.org/countries/uk/surveillancecomm/ukinterceptrel2004.pdf; Report of the
Interception of Communications Commissioner for 2002, at 12, Sept. 9, 2003, available at
http://www.libertysecurity.org/IMG/pdf/2002report-of-uk-interception-comm.pdf; Report of the Interception
of Communications Commissioner for 2001, at 18, Oct. 31, 2002, available at
http://www.archive2.official-documents.co.uk/document/deps/hc/hc1243/1243.pdf
[13] Source: Max Planck Institute 2003 study on telecommunications surveillance,
http://www.iuscrim.mpg.de/verlag/online/Band_115.pdf (in German); see also Paul M. Schwartz,
Evaluating Telecommunications Surveillance in Germany: The Lessons of the Max Planck Institute’s
Study, 72 Geo. Wash. L. Rev. 1244, 1255 (2004), available at
http://www.paulschwartz.net/pdf/SchwartzGeoFinal.pdf.

ACCS 2006 ANNUAL MEETING T HE ROAD TO EFFECTIVE LEADERSHIP 701 Merging Acqu...Mary Calkins
 
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docxhttpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docxadampcarr67227
 
The Data Privacy Imperative
The Data Privacy ImperativeThe Data Privacy Imperative
The Data Privacy Imperativebutest
 
Online Identity Theft: Changing the Game
Online Identity Theft: Changing the GameOnline Identity Theft: Changing the Game
Online Identity Theft: Changing the Game- Mark - Fullbright
 
Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Joe Orlando
 
Sovereignty: the state of data
Sovereignty: the state of dataSovereignty: the state of data
Sovereignty: the state of datadan hyde
 
Legal Issues in Mobile Security Research
Legal Issues in Mobile Security ResearchLegal Issues in Mobile Security Research
Legal Issues in Mobile Security Researchmarciahofmann
 
Understanding Internet of Things - White Paper on Device Choices
Understanding Internet of Things - White Paper on Device ChoicesUnderstanding Internet of Things - White Paper on Device Choices
Understanding Internet of Things - White Paper on Device ChoicesDavid J Rosenthal
 
Farm Data: Examining the Legal Issues
Farm Data: Examining the Legal Issues Farm Data: Examining the Legal Issues
Farm Data: Examining the Legal Issues Roger Royse
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database ProtectionSinghania2015
 
Yar Chaikovsky ABA Section of Intellectual Property Law Division VII — Infor...
Yar Chaikovsky ABA Section of Intellectual Property Law  Division VII — Infor...Yar Chaikovsky ABA Section of Intellectual Property Law  Division VII — Infor...
Yar Chaikovsky ABA Section of Intellectual Property Law Division VII — Infor...Yar Chaikovsky
 
Beginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyBeginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyMicrosoft Österreich
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningPolsinelli PC
 

Similar to Perkins Analysis on US Patriot (20)

Law and Ethics in Information Security.pptx
Law and Ethics in Information Security.pptxLaw and Ethics in Information Security.pptx
Law and Ethics in Information Security.pptx
 
Cyber Security Conference - Rethinking cyber-threat
Cyber Security Conference - Rethinking cyber-threatCyber Security Conference - Rethinking cyber-threat
Cyber Security Conference - Rethinking cyber-threat
 
2008 12 08 2008 Privacy
2008 12 08 2008 Privacy2008 12 08 2008 Privacy
2008 12 08 2008 Privacy
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security:  What Every New Business Needs to KnowPrivacy and Information Security:  What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to Know
 
Fundamentals of cyber_law_y_yivvt_ys
Fundamentals of cyber_law_y_yivvt_ysFundamentals of cyber_law_y_yivvt_ys
Fundamentals of cyber_law_y_yivvt_ys
 
ACCS 2006 ANNUAL MEETING T HE ROAD TO EFFECTIVE LEADERSHIP 701 Merging Acqu...
ACCS 2006 ANNUAL MEETING T HE ROAD TO EFFECTIVE LEADERSHIP 701 Merging   Acqu...ACCS 2006 ANNUAL MEETING T HE ROAD TO EFFECTIVE LEADERSHIP 701 Merging   Acqu...
ACCS 2006 ANNUAL MEETING T HE ROAD TO EFFECTIVE LEADERSHIP 701 Merging Acqu...
 
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docxhttpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
 
The Data Privacy Imperative
The Data Privacy ImperativeThe Data Privacy Imperative
The Data Privacy Imperative
 
Online Identity Theft: Changing the Game
Online Identity Theft: Changing the GameOnline Identity Theft: Changing the Game
Online Identity Theft: Changing the Game
 
Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3
 
Sovereignty: the state of data
Sovereignty: the state of dataSovereignty: the state of data
Sovereignty: the state of data
 
Legal Issues in Mobile Security Research
Legal Issues in Mobile Security ResearchLegal Issues in Mobile Security Research
Legal Issues in Mobile Security Research
 
Understanding Internet of Things - White Paper on Device Choices
Understanding Internet of Things - White Paper on Device ChoicesUnderstanding Internet of Things - White Paper on Device Choices
Understanding Internet of Things - White Paper on Device Choices
 
Farm Data: Examining the Legal Issues
Farm Data: Examining the Legal Issues Farm Data: Examining the Legal Issues
Farm Data: Examining the Legal Issues
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database Protection
 
Yar Chaikovsky ABA Section of Intellectual Property Law Division VII — Infor...
Yar Chaikovsky ABA Section of Intellectual Property Law  Division VII — Infor...Yar Chaikovsky ABA Section of Intellectual Property Law  Division VII — Infor...
Yar Chaikovsky ABA Section of Intellectual Property Law Division VII — Infor...
 
Beginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyBeginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) Journey
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine Learning
 
Internet Privacy Essay
Internet Privacy EssayInternet Privacy Essay
Internet Privacy Essay
 

More from jessiethe3rd

Comparison for Office Versions
Comparison for Office VersionsComparison for Office Versions
Comparison for Office Versionsjessiethe3rd
 
Blackberry now free with BPOS/Office 365
Blackberry now free with BPOS/Office 365Blackberry now free with BPOS/Office 365
Blackberry now free with BPOS/Office 365jessiethe3rd
 
Cloud Accelerate & Cloud Essential Partner Faq
Cloud Accelerate & Cloud Essential Partner FaqCloud Accelerate & Cloud Essential Partner Faq
Cloud Accelerate & Cloud Essential Partner Faqjessiethe3rd
 
The Economics Of The Cloud
The Economics Of The CloudThe Economics Of The Cloud
The Economics Of The Cloudjessiethe3rd
 
Partner Overview of Office 365 (BPOS v2.0)
Partner Overview of Office 365 (BPOS v2.0)Partner Overview of Office 365 (BPOS v2.0)
Partner Overview of Office 365 (BPOS v2.0)jessiethe3rd
 
Microsoft Online Services Partner Core Deck
Microsoft Online Services Partner Core DeckMicrosoft Online Services Partner Core Deck
Microsoft Online Services Partner Core Deckjessiethe3rd
 
Microsoft Core Infrastructure Overview
Microsoft Core Infrastructure OverviewMicrosoft Core Infrastructure Overview
Microsoft Core Infrastructure Overviewjessiethe3rd
 
Desktop Enterprise Agreement Business Value for the BDM
Desktop Enterprise Agreement Business Value for the BDMDesktop Enterprise Agreement Business Value for the BDM
Desktop Enterprise Agreement Business Value for the BDMjessiethe3rd
 

More from jessiethe3rd (9)

BPOS for the MSP
BPOS for the MSPBPOS for the MSP
BPOS for the MSP
 
Comparison for Office Versions
Comparison for Office VersionsComparison for Office Versions
Comparison for Office Versions
 
Blackberry now free with BPOS/Office 365
Blackberry now free with BPOS/Office 365Blackberry now free with BPOS/Office 365
Blackberry now free with BPOS/Office 365
 
Cloud Accelerate & Cloud Essential Partner Faq
Cloud Accelerate & Cloud Essential Partner FaqCloud Accelerate & Cloud Essential Partner Faq
Cloud Accelerate & Cloud Essential Partner Faq
 
The Economics Of The Cloud
The Economics Of The CloudThe Economics Of The Cloud
The Economics Of The Cloud
 
Partner Overview of Office 365 (BPOS v2.0)
Partner Overview of Office 365 (BPOS v2.0)Partner Overview of Office 365 (BPOS v2.0)
Partner Overview of Office 365 (BPOS v2.0)
 
Microsoft Online Services Partner Core Deck
Microsoft Online Services Partner Core DeckMicrosoft Online Services Partner Core Deck
Microsoft Online Services Partner Core Deck
 
Microsoft Core Infrastructure Overview
Microsoft Core Infrastructure OverviewMicrosoft Core Infrastructure Overview
Microsoft Core Infrastructure Overview
 
Desktop Enterprise Agreement Business Value for the BDM
Desktop Enterprise Agreement Business Value for the BDMDesktop Enterprise Agreement Business Value for the BDM
Desktop Enterprise Agreement Business Value for the BDM
 

Perkins Analysis on US Patriot

  • 1. E-Mail Privacy

    How the USA PATRIOT Act and International Laws Affect Law Enforcement Access to Data Stored in the United States

    Microsoft Corporation and Michael Sussmann, Perkins Coie LLP
    Published: September 9, 2009

    Abstract

    The USA PATRIOT Act is neither the savior nor demon it has been portrayed to be. Rather, it is a collection of amendments to existing laws that seek to enhance public safety. In certain instances, law enforcement's tasks are made easier and communications data is more readily accessible. Like all U.S. laws, the Patriot Act applies equally to every company doing business in the United States – whether U.S.-based or not – and most developed countries have similar investigative powers that also reach every company that conducts business within their borders.
  • 2. Microsoft Exchange Hosted Filtering – Technical Overview

    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This paper does not constitute legal advice.

    Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

    © 2009 Microsoft Corporation. All rights reserved. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
  • 3. Contents

    Contents
    The USA Patriot Act and Access to Data
    Applicability of U.S. Laws to Things Within U.S. Borders
    U.S. Laws Amended by the Patriot Act
    Privacy Protection for Any Disclosure of Data
    International Laws Similar to the U.S. PATRIOT Act
    U.S. Privacy Protections Meet or Exceed Those of Other Countries
    Summary
  • 4. The USA Patriot Act and Access to Data

    The USA PATRIOT Act ("Patriot Act") has been in the headlines, on and off, since the September 11, 2001 attacks. It has been championed and vilified, alternatively, as either enhancing the government's abilities to protect public safety or as unnecessarily eroding civil liberties and basic privacy rights. For many, the Patriot Act has become a rallying point and catchall phrase for government overreaching.

    What is most controversial about the Patriot Act is that it makes lawful government surveillance and access to stored data easier in certain instances. Indeed, the law was created to enhance the abilities of the U.S. government to prevent, detect, and investigate terrorist acts. However, from the time the legislation was signed into law through the time of its reauthorization, people have debated the reasonableness of many of these changes. Unfortunately, most commentators have not read the Patriot Act and many cannot accurately describe more than a few of its provisions. And that is no wonder: the Patriot Act and its reauthorizing legislation [1] make up 217 pages of text. So, what exactly is the Patriot Act and is there a basis for all the controversy?

    The USA PATRIOT Act was signed into law by President Bush on October 26, 2001. Its title stands for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.” Most of the Patriot Act is a compilation of amendments to other existing laws.

    One of the main sections of the Patriot Act deals with government access to electronic data. These provisions do such things as:

      - require cable providers who offer communications services to comply with the same investigative procedures that apply to telephone companies and Internet service providers;
      - make the standard for government access to stored voice-mail messages the same as for access to stored e-mail messages;
      - expand the list of basic subscriber information that can be obtained with a subpoena to include payment information for the account;
      - allow for voluntary disclosure of data (without legal process) in emergencies “involving immediate danger of death or serious physical injury”; and
      - allow nationwide applicability for court orders and search warrants that are issued from a particular jurisdiction.

    It is true that, under some circumstances, the Patriot Act makes it easier for the U.S. government to gain access to a customer’s data. For example, the Patriot Act streamlined certain legal requirements and procedures. The government can now use a single search warrant, obtained from a federal judge, to order disclosure of data held by communications providers in multiple states, instead of having to seek separate search warrants (from separate judges) for providers that are located in different states. The Patriot Act also lowered certain legal requirements to make them more uniform.

    By the same token, the Patriot Act also made certain things "easier" for ISPs and other communications providers, in that it made certain ambiguous or disputed requirements uniform and clear. One example is the uniformity regarding stored voice mail. Another example is the clear authority in the new computer trespass provision for a provider, if it chooses, to invite law enforcement onto its premises to assist with the investigation of an ongoing computer intrusion or attack.

    [1] With a number of the most controversial parts of the Patriot Act set to expire after five years, in March 2006 President Bush signed legislation to reauthorize it, making permanent several “sun-setting provisions,” extending two provisions until 2009, and incorporating a number of new rights protections.
  • 5. Applicability of U.S. Laws to Things Within U.S. Borders

    Many people ask whether data stored in the United States by Microsoft or one of its competitors would be subject to the Patriot Act. While the short answer is “yes,” the longer and more relevant answer is that any data stored in the United States is subject to all of the laws of the United States. Likewise, goods or tangible objects that are located in the United States and persons residing in the United States are all subject to all of the laws of the United States – not just the Patriot Act. By virtue of physically being in the United States, these things and people are subject to the jurisdiction of U.S. law enforcement and the U.S. courts, as well as third-party legal process in any civil matter. It is that simple. If you or your things are here, you can be investigated by the government or sued, and your property can be examined and/or seized through lawful means.

    As you might imagine, the same situation exists for data stored in another country. Data stored in the United Kingdom, for example, would be subject to all of the laws of the United Kingdom. By virtue of being located there, the data would be subject to the jurisdiction of British law enforcement and British courts. The data could be examined and/or seized through any means available under British law. The point is, data stored in any particular country will be susceptible to access by that country’s government. If you store data in Country X, the government of Country X will have greater access to that data than would any other country.

    U.S. Laws Amended by the Patriot Act

    Since the Patriot Act largely is just a large collection of amendments to other laws, in the context of government investigations involving electronic data, it is helpful to explain briefly what those other laws are. The three main laws concerning government access to electronic data are:

      • the Electronic Communications Privacy Act (“ECPA”) (18 U.S.C. § 2701);
      • the Pen Register and Trap-and-Trace Statute (“Pen/Trap”) (18 U.S.C. § 3121); and
      • the Wiretap Act – commonly referred to as “Title III” (18 U.S.C. § 2510).

    The ECPA defines the circumstances under which the government can demand disclosure of stored communications and other stored data, and it sets increasingly difficult legal standards for the government to gain access to each of three successive categories of stored data: subscriber information; information about the source and destination of communications (e.g., who is e-mailing whom); and the content of communications. The Pen Register and Trap-and-Trace statute concerns real-time access to non-content information regarding the source and destination of communications (e.g., who is e-mailing whom). And Title III concerns real-time government interceptions of the content of communications, and it has the most stringent legal standard and procedures to meet.

    Those are the main laws that the U.S. government would use to access data in the United States. But there are also legal processes available to the U.S. government if, for example, it wants access to data stored by a Microsoft competitor in Canada. Suppose "CanadianStorage" were a competitor of Microsoft based in Canada, with data storage in Canada, but with a sales office, servers, or personnel physically located in the United States. Under those circumstances, U.S. law enforcement could serve a subpoena, court order, or search warrant on CanadianStorage's U.S. office and demand that it retrieve the data from its servers in Canada and provide that data to U.S. law enforcement. (This is sometimes referred to as a “Bank of Nova Scotia subpoena” because of a case by that name that ruled (favorably) on the

  • 6. government’s powers in this regard.) [2]

    If, on the other hand, CanadianStorage was located in Canada, stored its data in Canada, and had no presence (e.g., sales office or employees) outside of Canada, then the United States would have to seek the assistance of Canadian law enforcement to gain access to CanadianStorage data. In that case, U.S. law enforcement would make a request to Canadian authorities for mutual legal assistance. The Canadians would get a court order, serve it on CanadianStorage, and then send that data back to U.S. authorities. [3]

    Of course, law enforcement can also simply demand that the customer/user produce the stored records – even if such records are stored in another country. If someone living in the United States was storing his or her data with CanadianStorage – with the data on servers in Montreal – U.S. law enforcement could serve a grand jury subpoena on the person in the United States for production of the records stored in Canada. Such subpoena would seek all records in the person's "possession, custody, or control." If the person refused, a judge would issue an order to compel production and, if the person still refused, he or she could be found in contempt of court and jailed. [4]

    Privacy Protection for Any Disclosure of Data

    Many people wonder what the U.S. government can do with data it receives through these laws and legal procedures. U.S. privacy protections ensure that evidence obtained through investigative means can only be used for official purposes and generally cannot be used for purposes beyond the scope of the investigation. While investigative information is usually kept from public view, information that is needed for trial or for public filings, such as indictments, will thereby enter the public domain.

    It is worth noting that the United States does not share with U.S. businesses any data it collects through investigations. In fact, there are criminal and civil penalties for such unlawful disclosures. For example, the Electronic Communications Privacy Act provides that "[a]ny willful disclosure of a 'record' . . . obtained by an investigative or law enforcement officer, or a governmental entity, pursuant to [this statute or the Pen-Trap statute] that is not a disclosure made in the proper performance of the official functions of the officer or governmental entity making the disclosure is a violation of this chapter."

    One thing that is hard to predict or guarantee is whether a Microsoft customer would know if he or she is the subject of an investigation and if the U.S. government has sought his or her customer records from Microsoft. Such notice would depend on the specific investigation. Some investigative processes require notice to a customer. For example, under certain circumstances, if the government uses a subpoena or court order to obtain communications stored by Microsoft, the government must give prior notice to the customer. (See 18 U.S.C. § 2703(b)(1)(B).) Other investigative processes, such as those filed under seal with the court, forbid notice to the customer. Still others are silent on notice and the provider may notify the customer on its own.

    [2] Likewise, if Microsoft stored its data in the United States but maintained a sales office in Toronto, Canadian law enforcement could serve a court order on the Toronto office, demanding that records stored in the United States be produced.

    [3] And the same is true, in the reverse, about Canadian law enforcement seeking data stored in the United States: they could make a mutual legal assistance request asking the United States to obtain and turn over to them data that is stored in the United States.

    [4] The reverse also would be true for a person in Canada, with data stored in the United States, who was served legal process by the RCMP.
  • 7. International Laws Similar to the U.S. PATRIOT Act

    While the Patriot Act has received a lot of national and international media attention, the United States is far from the only country to seek such laws. For example, in 2000, the United Kingdom enacted the Regulation of Investigatory Powers Act of 2000 ("RIPA"), which updated processes for the interception of communications and other related investigative powers. While quite cumbersome, the long title for RIPA provides a view into the scope of changes to the law:

    "An Act to make provision for and about the interception of, communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed; to provide for the establishment of a tribunal with jurisdiction in relation to those matters, to entries on and interferences with property or with wireless telegraphy and to the carrying out of their functions by the Security Service, the Secret Intelligence Service and the Government Communications Headquarters; and for connected purposes."

    Likewise, in Canada, on June 18, 2009, the Technical Assistance for Law Enforcement in the 21st Century Act was introduced and is currently pending in the House of Commons. [5] If enacted, the Act will require service providers to include interception capability in their networks and to supply basic subscriber information (e.g., name, address, telephone number, IP address, e-mail address, service provider identification and certain cell phone identifiers) to law enforcement agencies and the Canadian Security Intelligence Service (CSIS) on request. According to the Canadian Public Safety Ministry, there currently is no legislation specifically designed to require the provision of this information to police forces and CSIS in a timely fashion. [6] As a result, the practices of releasing this information to police forces and CSIS vary across the country: some service providers release this information to law enforcement immediately upon request; others provide it at their convenience, often following considerable delays; while others insist on law enforcement obtaining search warrants before the information is disclosed.

    U.S. Privacy Protections Meet or Exceed Those of Other Countries

    What may be the biggest surprise to those who are concerned about their privacy and the security of their data is that the privacy protections in the United States – as they relate to government access – far exceed those in Europe and they are quite comparable to the protections in Canada. The general perception is that there are greater protections in the United States than in Europe regarding government access to data; conversely, there are far better protections in Europe with regard to how corporate businesses are allowed to handle their user data and a user’s personal information. For example, data collected in the EU by businesses can only be used for the limited purpose for which it was collected and cannot be transferred outside the EU, to the United States, unless the data's "owner" has given express consent to do so – and only then under strict security rules – or for law enforcement purposes. (Many believe this privacy regime hinders global business operations.)

    In truth, the United States has a very mature and detailed legal regime for restricting government access to data. Privacy protections begin with the U.S. Constitution and extend to federal and state laws protecting health care and financial records, electronic communications, and other kinds of information. Unfortunately, such things as the debate over the Patriot Act renewal have had a negative effect on perceptions of data privacy and data security in the United States.

    [5] See Bill C-47, “An Act regulating telecommunications facilities to support investigations,” available at http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=4007628&file=4

    [6] Summary of Technical Assistance for Law Enforcement in the 21st Century Act, Canadian Public Safety Ministry, June 18, 2009, available at http://www.publicsafety.gc.ca/media/nr/2009/nr20090618-1-eng.aspx
  • 8. Another way to analyze the effectiveness of privacy protections is to compare the extent to which individual countries access customer data. In this regard, the United States and Canada share a comparable level of privacy protections and use of investigative powers to access data. European countries are far more liberal with regard to investigators' access to data, and their procedures are far less rigorous. This conclusion is based on independent reporting and analysis (see below).

    One of the best barometers for judging respect for civil liberties and use of investigative powers to access data is analysis of the use of lawful interception of communications by individual countries. Maintenance of national statistics concerning interceptions is often mandated by national laws. (In the United States, reports are not prepared by law enforcement; instead, the Administrative Office of the U.S. Courts prepares them, as it gets its data from the individual courts that approve interception requests from law enforcement.) In addition, the interception of the content of a communication is considered by many to be the most egregious invasion of privacy and therefore countries' restraint (or lack thereof) in using this technique is a powerful indicator for other, less monitored, investigative techniques.

    Through country reporting, the following data is available for total number of annual interceptions:

    Total Number of Interceptions

    Country        2001     2002     2003     2004      2005     2006     2007
    Italy [7]      32,000   45,000   77,000   100,000   n/a      n/a      n/a (est.)
    Germany [8]    21,874   n/a      n/a      >30,000   42,508   35,329   n/a
    U.S. [9]       1,405    1,273    1,367    1,633     1,694    1,714    2,119
    Canada [10]    1,203    2,131    1,498    1,292     839      855      726
    France [11]    n/a      4,654    n/a      n/a       n/a      5,985    n/a
    U.K. [12]      1,445    1,605    1,983    1,973     2,407    1,435    2,026

    [7] Italian GSM provider warns: too many wiretaps, European Digital Rights, Feb. 24, 2005, available at http://www.edri.org/edrigram/number3.4/wiretap

    [8] German court outlaws wiretapping without court order, European Digital Rights, Aug. 10, 2005, available at http://www.edri.org/edrigram/number3.16/wiretapping; Paul M. Schwartz, Evaluating Telecommunications Surveillance in Germany: The Lessons of the Max Planck Institute’s Study, 72 Geo. Wash. L. Rev. 1244, 1255 (2004), available at http://www.paulschwartz.net/pdf/SchwartzGeoFinal.pdf; Privacy International’s Privacy Profile for the Federal Republic of Germany, Dec. 18, 2007, available at http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559535

    [9] Annual Wiretap Reports of the Administrative Office of the United States Courts, available at http://www.uscourts.gov/library/wiretap.html

    [10] Annual Report of the Canadian Minister of Public Safety and Emergency Preparedness on the Use of Electronic Surveillance, 2007, available at http://www.publicsafety.gc.ca/abt/dpr/le/elecsur-07-eng.aspx#s3; Annual Report of the Canadian Minister of Public Safety and Emergency Preparedness on the Use of Electronic Surveillance, 2005, available at http://www.publicsafety.gc.ca/abt/dpr/le/elecsur_05-eng.aspx

    [11] KEVIN M. KEENAN, INVASION OF PRIVACY 46 (ABC-CLIO 2005); Privacy International’s Privacy Profile for the French Republic, Dec. 18, 2007, available at http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559537
Because reporting of interceptions is not entirely uniform among countries, a 2003 study on telecommunications surveillance by the Max Planck Institute in Germany created a common denominator for comparison; it took the available statistics from 14 countries and calculated the number of surveillance orders per 100,000 inhabitants [13]:

Surveillance Orders Per 100,000 Inhabitants, 1998-2000 (Max Planck Institute 2003 study)

Italy      76.0 surveillance orders per 100,000 inhabitants
Germany    15.0 surveillance orders per 100,000 inhabitants
UK          6.0 surveillance orders per 100,000 inhabitants
US          0.5 surveillance orders per 100,000 inhabitants
Canada      0.4 surveillance orders per 100,000 inhabitants

***

Summary
The USA PATRIOT Act is neither the savior nor demon it has been portrayed to be. Rather, it is a collection of amendments to existing laws that seek to enhance public safety. In certain instances, law enforcement's tasks are made easier and communications data is more readily accessible. Like all U.S. laws, the Patriot Act applies equally to every company doing business in the United States – whether U.S.-based or not – and most developed countries have similar investigative powers that also reach every company that conducts business within their borders.

[12] Report of the Interception of Communications Commissioner for 2007, at 6, July 22, 2008, available at http://www.official-documents.gov.uk/document/hc0708/hc09/0947/0947.pdf; Report of the Interception of Communications Commissioner for 2006, at 13, Jan. 28, 2008, available at http://www.official-documents.gov.uk/document/hc0708/hc02/0252/0252.pdf (the 2006 numbers above are from April 1, 2006 through December 31, 2006); Report of the Interception of Communications Commissioner for 2005-2006, at 19, Feb. 19, 2007, available at http://www.official-documents.gov.uk/document/hc0607/hc03/0315/0315.pdf (the 2005 numbers above are from January 1, 2005 through March 31, 2006); Report of the Interception of Communications Commissioner for 2004, at 13, Nov. 3, 2005, available at http://www.statewatch.org/news/2005/nov/teltap-2004.pdf; Report of the Interception of Communications Commissioner for 2003, at 11, July 22, 2004, available at http://www.privacyinternational.org/countries/uk/surveillancecomm/ukinterceptrel2004.pdf; Report of the Interception of Communications Commissioner for 2002, at 12, Sept. 9, 2003, available at http://www.libertysecurity.org/IMG/pdf/2002report-of-uk-interception-comm.pdf; Report of the Interception of Communications Commissioner for 2001, at 18, Oct. 31, 2002, available at http://www.archive2.official-documents.co.uk/document/deps/hc/hc1243/1243.pdf
[13] Source: Max Planck Institute 2003 study on telecommunications surveillance, http://www.iuscrim.mpg.de/verlag/online/Band_115.pdf (in German); see also Paul M. Schwartz, Evaluating Telecommunications Surveillance in Germany: The Lessons of the Max Planck Institute’s Study, 72 Geo. Wash. L. Rev. 1244, 1255 (2004), available at http://www.paulschwartz.net/pdf/SchwartzGeoFinal.pdf.