Perkins Analysis on US Patriot


Published on

This is a Perkins analysis of the US Patriot Act as it relates to Cloud and privacy of information

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Perkins Analysis on US Patriot

  1. 1. E-Mail PrivacyHow the USA PATRIOT Act and International Laws Affect Law EnforcementAccess to Data Stored in the United StatesMicrosoft Corporation and Michael Sussmann, Perkins Coie LLPPublished: September 9, 2009AbstractThe USA PATRIOT Act is neither the savior nor demon it has been portrayed to be. Rather, it isa collection of amendments to existing laws that seek to enhance public safety. In certaininstances, law enforcements tasks are made easier and communications data is more readilyaccessible. Like all U.S. laws, the Patriot Act applies equally to every company doing business inthe United States – whether U.S.-based or not – and most developed countries have similarinvestigative powers that also reach every company that conducts business within their borders.
  2. 2. Microsoft Exchange Hosted Filtering – Technical Overview The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This paper does not constitute legal advice. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. © 2009 Microsoft Corporation. All rights reserved. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
  3. 3. ContentsContents.....................................................................................................................................................3The USA Patriot Act and Access to Data.................................................................................................4Applicability of U.S. Laws to Things Within U.S. Borders......................................................................5U.S. Laws Amended by the Patriot Act....................................................................................................5Privacy Protection for Any Disclosure of Data ......................................................................................6International Laws Similar to the U.S. PATRIOT Act..............................................................................7U.S. Privacy Protections Meet or Exceed Those of Other Countries....................................................7Summary....................................................................................................................................................9 3
  4. 4. The USA Patriot Act and Access to DataThe USA PATRIOT Act ("Patriot Act") has been in the headlines, on and off, since the September 11,2001 attacks. It has been championed and vilified, alternatively, as either enhancing the governmentsabilities to protect public safety or as unnecessarily eroding civil liberties and basic privacy rights. Formany, the Patriot Act has become a rallying point and catchall phrase for government overreaching.What is most controversial about the Patriot Act is that it makes lawful government surveillance andaccess to stored data easier in certain instances. Indeed, the law was created to enhance the abilities ofthe U.S. government to prevent, detect, and investigate terrorist acts. However, from the time thelegislation was signed into law through the time of its reauthorization, people have debated thereasonableness of many of these changes.Unfortunately, most commentators have not read the Patriot Act and many cannot accurately describemore than a few of its provisions. And that is no wonder: the Patriot Act and its reauthorizing legislation1make up 217 pages of text. So, what exactly is the Patriot Act and is there a basis for all the controversy?The USA PATRIOT Act was signed into law by President Bush on October 26, 2001. Its title stands for“Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and ObstructTerrorism.” Most of the Patriot Act is a compilation of amendments to other existing laws.One of the main sections of the Patriot Act deals with government access to electronic data. Theseprovisions do such things as require cable providers who offer communications services to comply withthe same investigative procedures that apply to telephone companies and Internet service providers;make the standard for government access to stored voice-mail messages the same as for access tostored e-mail messages; expand the list of basic subscriber information that can be obtained with asubpoena to include payment information for the account; allow for voluntary disclosure of data (withoutlegal process) in emergencies “involving immediate danger of death or serious physical injury”; and allownationwide applicability for court orders and search warrants that are issued from a particular jurisdiction.It is true that, under some circumstances, the Patriot Act makes it easier for the U.S. government to gainaccess to a customer’s data. For example, the Patriot Act streamlined certain legal requirements andprocedures. The government can now use a single search warrant, obtained from a federal judge, toorder disclosure of data held by communications providers in multiple states, instead of having to seekseparate search warrants (from separate judges) for providers that are located in different states. ThePatriot Act also lowered certain legal requirements to make them more uniform. By the same token, thePatriot Act also made certain things "easier" for ISPs and other communications providers, in that it madecertain ambiguous or disputed requirements uniform and clear. One example is the uniformity regardingstored voice mail. Another example is the clear authority in the new computer trespass provision for aprovider, if it chooses, to invite law enforcement onto its premises to assist with the investigation of anongoing computer intrusion or attack.1 With a number of the most controversial parts of the Patriot Act set to expire after five years, in March2006 President Bush signed legislation to reauthorize it, making permanent several “sun-settingprovisions,” extending two provisions until 2009, and incorporating a number of new rights protections. 4
  5. 5. Applicability of U.S. Laws to Things Within U.S. BordersMany people ask whether data stored in the United States by Microsoft or one of its competitors would besubject to the Patriot Act. While the short answer is “yes,” the longer and more relevant answer is thatany data stored in the United States is subject to all of the laws of the United States. Likewise, goods ortangible objects that are located in the United States and persons residing in the United States are allsubject to all of the laws of the United States – not just the Patriot Act. By virtue of physically being in theUnited States, these things and people are subject to the jurisdiction of U.S. law enforcement and theU.S. courts, as well as third-party legal process in any civil matter. It is that simple. If you or your thingsare here, you can be investigated by the government or sued, and your property can be examined and/orseized through lawful means.As you might imagine, the same situation exists for data stored in another country. Data stored in theUnited Kingdom, for example, would be subject to all of the laws of the United Kingdom. By virtue ofbeing located there, the data would be subject to the jurisdiction of British law enforcement and Britishcourts. The data could be examined and/or seized through any means available under British law. Thepoint is, data stored in any particular country will be susceptible to access by that country’s government.If you store data in Country X, the government of Country X will have greater access to that data thanwould any other country.U.S. Laws Amended by the Patriot ActSince the Patriot Act largely is just a large collection of amendments to other laws, in the context ofgovernment investigations involving electronic data, it is helpful to explain briefly what those other lawsare.The three main laws concerning government access to electronic data are: • the Electronic Communications Privacy Act (“ECPA”) (18 U.S.C. § 2701); • the Pen Register and Trap-and-Trace Statute (“Pen/Trap”) (18 U.S.C. § 3121); and • the Wiretap Act – commonly referred to as “Title III” (18 U.S.C. § 2510).The ECPA defines the circumstances under which the government can demand disclosure of storedcommunications and other stored data, and it sets increasingly difficult legal standards for the governmentto gain access to each of three successive categories of stored data: subscriber information; informationabout the source and destination of communications (e.g., who is e-mailing whom); and the content ofcommunications. The Pen Register and Trap-and-Trace statute concerns real-time access to non-content information regarding the source and destination of communications (e.g., who is e-mailingwhom). And Title III concerns real-time government interceptions of the content of communications, andit has the most stringent legal standard and procedures to meet.Those are the main laws that the U.S. government would use to access data in the United States. Butthere are also legal processes available to the U.S. government if, for example, it wants access to datastored by a Microsoft competitor in Canada. Suppose "CanadianStorage" were a competitor of Microsoftbased in Canada, with data storage in Canada, but with a sales office, servers, or personnel physicallylocated in the United States. Under those circumstances, U.S. law enforcement could serve a subpoena,court order, or search warrant on CanadianStorages U.S. office and demand that it retrieve the data fromits servers in Canada and provide that data to U.S. law enforcement. (This is sometimes referred to as a“Bank of Nova Scotia subpoena” because of a case by that name that ruled (favorably) on the 5
  6. 6. government’s powers in this regard.)2If, on the other hand, CanadianStorage was located in Canada, stored its data in Canada, and had nopresence (e.g., sales office or employees) outside of Canada, then the United States would have to seekthe assistance of Canadian law enforcement to gain access to CanadianStorage data. In that case, enforcement would make a request to Canadian authorities for mutual legal assistance. TheCanadians would get a court order, serve it on CanadianStorage, and then send that data back to U.S.authorities.3Of course, law enforcement can also simply demand that the customer/user produce the stored records –even if such records are stored in another country. If someone living in the United States was storing hisor her data with CanadianStorage – with the data on servers in Montreal – U.S. law enforcement couldserve a grand jury subpoena on the person in the United States for production of the records stored inCanada. Such subpoena would seek all records in the persons "possession, custody, or control." If theperson refused, a judge would issue an order to compel production and, if the person still refused, he orshe could be found in contempt of court and jailed.4Privacy Protection for Any Disclosure of DataMany people wonder what the U.S. government can do with data it receives through these laws and legalprocedures. U.S. privacy protections ensure that evidence obtained through investigative means can onlybe used for official purposes and generally cannot be used for purposes beyond the scope of theinvestigation. While investigative information is usually kept from public view, information that is neededfor trial or for public filings, such as indictments, will thereby enter the public domain.It is worth noting that the United States does not share with U.S. businesses any data it collects throughinvestigations. In fact, there are criminal and civil penalties for such unlawful disclosures. For example,the Electronic Communications Privacy Act provides that "[a]ny willful disclosure of a record . . . obtainedby an investigative or law enforcement officer, or a governmental entity, pursuant to [this statute or thePen-Trap statute] that is not a disclosure made in the proper performance of the official functions of theofficer or governmental entity making the disclosure is a violation of this chapter."One thing that is hard to predict or guarantee is whether a Microsoft customer would know if he or she isthe subject of an investigation and if the U.S. government has sought his or her customer records fromMicrosoft. Such notice would depend on the specific investigation. Some investigative processes requirenotice to a customer. For example, under certain circumstances, if the government uses a subpoena orcourt order to obtain communications stored by Microsoft, the government must give prior notice to thecustomer. (See 18 U.S.C. § 2703(b)(1)(B).) Other investigative processes, such as those filed underseal with the court, forbid notice to the customer. Still others are silent on notice and the provider maynotify the customer on its own.2 Likewise, if Microsoft stored its data in the United States but maintained a sales office in Toronto,Canadian law enforcement could serve a court order on the Toronto office, demanding that records storedin the United States be produced.3 And the same is true, in the reverse, about Canadian law enforcement seeking data stored in theUnited States: they could make a mutual legal assistance request asking the United States to obtain andturn over to them data that is stored in the United States.4 The reverse also would be true for a person in Canada, with data stored in the United States, who wasserved legal process by the RCMP. 6
  7. 7. International Laws Similar to the U.S. PATRIOT ActWhile the Patriot Act has received a lot of national and international media attention, the United States isfar from the only country to seek such laws. For example, in 2000, the United Kingdom enacted theRegulation of Investigatory Powers Act of 2000 ("RIPA"), which updated processes for the interception ofcommunications and other related investigative powers. While quite cumbersome, the long title for RIPAprovides a view into the scope of changes to the law: "An Act to make provision for and about theinterception of, communications, the acquisition and disclosure of data relating to communications, thecarrying out of surveillance, the use of covert human intelligence sources and the acquisition of themeans by which electronic data protected by encryption or passwords may be decrypted or accessed; toprovide for the establishment of a tribunal with jurisdiction in relation to those matters, to entries on andinterferences with property or with wireless telegraphy and to the carrying out of their functions by theSecurity Service, the Secret Intelligence Service and the Government Communications Headquarters;and for connected purposes."Likewise, in Canada, on June 18, 2009, the Technical Assistance for Law Enforcement in the 21stCentury Act was introduced and is currently pending in the House of Commons.5 If enacted, the Act willrequire service providers to include interception capability in their networks and to supply basic subscriberinformation (e.g., name, address, telephone number, IP address, e-mail address, service provideridentification and certain cell phone identifiers) to law enforcement agencies and the Canadian SecurityIntelligence Service (CSIS) on request. According to the Canadian Public Safety Ministry, there currentlyis no legislation specifically designed to require the provision of this information to police forces and CSISin a timely fashion.6 As a result, the practices of releasing this information to police forces and CSIS varyacross the country: some service providers release this information to law enforcement immediately uponrequest; others provide it at their convenience, often following considerable delays; while others insist onlaw enforcement obtaining search warrants before the information is disclosed.U.S. Privacy Protections Meet or Exceed Those of OtherCountriesWhat may be the biggest surprise to those who are concerned about their privacy and the security of theirdata is that the privacy protections in the United States – as they relate to government access – farexceed those in Europe and they are quite comparable to the protections in Canada. The generalperception is that there are greater protections in the United States than in Europe regarding governmentaccess to data; conversely, there are far better protections in Europe with regard to how corporatebusinesses are allowed to handle their user data and a user’s personal information. For example, datacollected in the EU by businesses can only be used for the limited purpose for which it was collected andcannot be transferred outside the EU, to the United States, unless the datas "owner" has given expressconsent to do so – and only then under strict security rules – or for law enforcement purposes. (Manybelieve this privacy regime hinders global business operations.)In truth, the United States has a very mature and detailed legal regime for restricting government accessto data. Privacy protections begin with the U.S. Constitution and extend to federal and state lawsprotecting health care and financial records, electronic communications, and other kinds of information.Unfortunately, such things as the debate over the Patriot Act renewal have had a negative effect onperceptions of data privacy and data security in the United States.5 See Bill C-47, “An Act regulating telecommunications facilities to support investigations,” available at Summary of Technical Assistance for Law Enforcement in the 21st Century Act, Canadian Public SafetyMinistry, June 18, 2009, available at 7
  8. 8. Another way to analyze the effectiveness of privacy protections is to compare the extent to whichindividual countries access customer data. In this regard, the United States and Canada share acomparable level of privacy protections and use of investigative powers to access data. Europeancountries are far more liberal with regard to investigators access to data, and their procedures are farless rigorous. This conclusion is based on independent reporting and analysis (see below).One of the best barometers for judging respect for civil liberties and use of investigative powers to accessdata is analysis of the use of lawful interception of communications by individual countries. Maintenanceof national statistics concerning interceptions is often mandated by national laws. (In the United States,reports are not prepared by law enforcement; instead, the Administrative Office of the U.S. Courtsprepares them, as it gets its data from the individual courts that approve interception requests from lawenforcement.) In addition, the interception of the content of a communication is considered by many to bethe most egregious invasion of privacy and therefore countries restraint (or lack thereof) in using thistechnique is a powerful indicator for other, less monitored, investigative techniques. Through countryreporting, the following data is available for total number of annual interceptions: Total Number of Interceptions 2001 2002 2003 2004 2005 2006 2007Italy7 32,000 45,000 77,000 100,000 n/a n/a n/a (est.)Germany8 21,874 n/a n/a >30,000 42,508 35,329 n/aU.S.9 1,405 1,273 1,367 1,633 1,694 1,714 2,119Canada10 1,203 2,131 1,498 1,292 839 855 726France11 n/a 4,654 n/a n/a n/a 5,985 n/aU.K.12 1,445 1,605 1,983 1,973 2,407 1,435 2,0267 Italian GSM provider warns: too many wiretaps, European Digital Rights, Feb. 24, 2005, available at German court outlaws wiretapping without court order, European Digital Rights, Aug. 10, 2005, availableat; Paul M. Schwartz, EvaluatingTelecommunications Surveillance in Germany: The Lessons of the Max Planck Institute’s Study, 72 Geo.Wash. L. Rev. 1244, 1255 (2004), available at;Privacy International’s Privacy Profile for the Federal Republic of Germany, Dec. 18, 2007, available at[347]=x-347-5595359 Annual Wiretap Reports of the Administrative Office of the United States Courts, available at Annual Report of the Canadian Minister of Public Safety and Emergency Preparedness on the Use ofElectronic Surveillance, 2007, available at; Annual Report of the Canadian Minister of Public Safety and Emergency Preparedness onthe Use of Electronic Surveillance, 2005, available at KEVIN M. KEENAN, INVASION OF PRIVACY 46 (ABC-CLIO 2005); Privacy International’s Privacy Profile for theFrench Republic, Dec. 18, 2007, available at[347]=x-347-559537 8
  9. 9. Because reporting of interceptions is not entirely uniform among countries, a 2003 study ontelecommunications surveillance by the Max Planck Institute in Germany created a common denominatorfor comparison; it took the available statistics from 14 countries and calculated the number of surveillanceorders per 100,000 inhabitants13: Surveillance Orders Per 100,000 Inhabitants, 1998-2000 (Max Planck Institute 2003 study) Italy 76.0 surveillance orders per 100,000 inhabitants Germany 15.0 surveillance orders per 100,000 inhabitants UK 6.0 surveillance orders per 100,000 inhabitants US 0.5 surveillance orders per 100,000 inhabitants Canada 0.4 surveillance orders per 100,000 inhabitants ***SummaryThe USA PATRIOT Act is neither the savior nor demon it has been portrayed to be. Rather, it is acollection of amendments to existing laws that seek to enhance public safety. In certain instances, lawenforcements tasks are made easier and communications data is more readily accessible. Like all U.S.laws, the Patriot Act applies equally to every company doing business in the United States – whether12 Report of the Interception of Communications Commissioner for 2007, at 6, July 22, 2008, available at; Report of the Interception ofCommunications Commissioner for 2006, at 13, Jan. 28, 2008, available at (the 2006 numbers above are from April 1,2006 through December 31, 2006); Report of the Interception of Communications Commissioner for2005-2006, at 19, Feb. 19, 2007, available at (the 2005 numbers above are from January 1,2005 through March 31, 2006); Report of the Interception of Communications Commissioner for 2004, at13, Nov. 3, 2005, available at; Report of theInterception of Communications Commissioner for 2003, at 11, July 22, 2004, available at; Report of theInterception of Communications Commissioner for 2002, at 12, Sept. 9, 2003, available at; Report of the Interceptionof Communications Commissioner for 2001, at 18, Oct. 31, 2002, available at Source: Max Planck Institute 2003 study on telecommunications surveillance, (in German); see also Paul M. Schwartz,Evaluating Telecommunications Surveillance in Germany: The Lessons of the Max Planck Institute’sStudy, 72 Geo. Wash. L. Rev. 1244, 1255 (2004), available at 9
  10. 10. U.S.-based or not – and most developed countries have similar investigative powers that also reach everycompany that conducts business within their borders. 10