All Tech Considered

< For U.S. Tech Firms Abroad And Data In The Cloud, Whose Laws Apply?

March 3, 20165:00 PM ET

For U.S. Tech Firms Abroad And Data In The Cloud, Whose Laws Apply?

Download
Embed <iframe src="https://www.npr.org/player/embed/469066176/469083183" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
Transcript

KELLY MCEVERS, HOST:

The dispute between Apple and the FBI has gotten a lot of attention, but it really is more of a local skirmish in a larger, more global conflict. American tech companies are feeling similar pressure from law enforcement agencies around the world, and they say the lack of international legal standards is a problem. NPR's Martin Kaste has the story.

MARTIN KASTE, BYLINE: If you happen to turn on the TV in Brazil this week, you might have seen a story that sounds kind of familiar. In this clip from TV Globo, a reporter stands in front of a police station and describes the daylong detention of an executive with Facebook.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED MAN: (Speaking Portuguese).

KASTE: He was arrested because a Brazilian judge was upset about - you guessed it - encryption - in this case, the encryption on WhatsApp, a messaging system used by suspects in a drug case there. The judge put the screws on Facebook because it owns WhatsApp. Frederico Meinberg Ceroy is a prosecutor in Brasilia specializing in computer privacy, and he says these showdowns are happening when American tech companies consider Brazilian law to be secondary.

FREDERICO MEINBERG CEROY: (Through interpreter) They argue that because they're American companies, they're not supposed to comply with court orders here. But we have a new statute that says any companies serving Brazilian consumers is subject to Brazilian law even if that company is based in Dubai or New York or San Francisco.

KASTE: But American tech companies have a real problem. If the requested data is stored on servers here in the U.S., our federal privacy law says the companies aren't allowed to just hand it over to foreign courts. Those courts are supposed to go through diplomatic channels, through something called a mutual legal assistance treaty or MLAT. But Brazilian prosecutor Ceroy says forget it.

CEROY: (Through interpreter) With the bureaucracy of the MLAT these days, there's no point pursuing an investigation because it will take two or three years just to get back the information you've requested.

KASTE: That kind of frustration is causing more countries to skip the diplomatic route, and it's not just Brazilians. In fact, American judges do it. A couple of years ago, a court in New York ordered Microsoft to turn over a user's emails which were stored on a server in Ireland. Microsoft refused, saying American courts don't have jurisdiction over data held overseas. The case is still on appeal, and at a congressional hearing just last week, Microsoft president Brad Smith said the broader trend is becoming a serious problem.

(SOUNDBITE OF ARCHIVED RECORDING)

BRAD SMITH: We appreciate that law enforcement needs information sometimes located in other countries to do its job. But this approach to using unilateral process is causing concern around the world. It is causing concern in other countries about people's privacy rights. It is causing concern about whether other countries can even trust and use American products and technology.

KASTE: The mantra of American tech companies has always been that they comply with quote, "all lawful orders" in the countries where they operate, but the rise of cloud computing has made that policy unworkable.

JEN DASKAL: And then they do comply with lawful orders, but there's a huge question about who's orders do you comply with at the moment.

KASTE: Jen Daskal is an assistant professor of law at American University, and she's been following this problem closely.

DASKAL: And in an ideal world, we would have some sort of universal agreement, and we would all - all the countries in the world would come together, and there would be, you know, a baseline set of procedural protections that apply to all requests. And there would be total agreement about what the jurisdictional hook is for when countries can get access to data. That's just not going to happen.

KASTE: So she says the next best thing is for the U.S. to strike deals with countries one at a time to allow their courts more direct access to their citizens' data on U.S. servers and vice versa. The administration is actually negotiating something like that right now with the United Kingdom. The end result could be a system in which your privacy rights are no longer determined by where your data is stored but instead by which country you call home, and that makes sense to Microsoft's Brad Smith.

SMITH: The most important thing is that people have the protection of their own rights by their own law.

KASTE: That would certainly make life simpler for American tech companies, though it could eventually mean lower privacy protections for foreigners who have data sitting on American servers. Martin Kaste, NPR News.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.