NordVPN Promotion

Home / Blogs

Extraterritoriality

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]

Black’s Law Dictionary defines it as “the extraterritorial operation of laws; that is, their operation upon persons, rights or jural relations, existing beyond the limits of the enacting state, but still amenable to its laws. The term is used to indicate jurisdiction exercised by a nation in other countries, by treaty…” Extraterritoriality is also the most significant emerging development today in the law shaping virtual network architectures and services that includes OTT and NFV-SDN. The related developments extend from the development of the new public international law to the imposition of forensic handover requirements to local law enforcement officials. The latter is now centered on a landmark case before the U.S. Supreme Court for which the briefs have been recently filed. Case. No. 17-2, United States, Petitioner v. Microsoft Corporation is set to be argued on 27 February and decided this term ending in June. The Court’s docket is available online.

This case has been coursing its way through the U.S. appellate system now for the past four years since the initial Microsoft search warrant was served in December 2013. Although there are other similar cases, this one was selected by the U.S. Supreme Court at the beginning of its term in October 2017 for consideration. The case has also disgorged a plethora of lobbying, pundit views, and hyperventilating on the streets of Washington DC, notwithstanding the essentially simple facts of the case and the application of law that has existed for hundreds of years.

Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.

An amazing 29 amicus curiae briefs were submitted to the Supreme Court from almost anyone who had a view on the matter and some kind of theory to advance. Perhaps not unexpectedly, every brief raised extraterritoriality as an issue.

What was rather mind-boggling, however, is that the 27 parties—basically supporting the refusal to comply with the warrant—raised the subject of extraterritoriality, ignorant of 167 years of public international telecommunication law dealing with the subject. It was rather obvious that for most of them, the topic was only recently discovered as a “me too” devise to advance for some perceived organizational benefit or mantra. Only two amicus briefs—the States Attorney Generals, and the typically always-practical UK Government noted the obvious.

In today’s global communications environment that does not respect geographic boundaries, the U.K. believes that the location of data should not be solely determinative of access for law enforcement purposes. Such an approach would remove the ability of sovereign nations to protect life and prevent and detect crime within their jurisdiction. [Brief of the Government of the United Kingdom of Great Britain and Northern Ireland]

The reality is that ever since communication internets across multiple borders were first treated in multilateral instruments in 1850, the need to obtain evidence has existed. Then as now, law enforcement authorities obtain that evidence via a lawful order compelling a communication provider within their jurisdiction to hand it over. Indeed, the technical interfaces are called “Handover Interfaces” and global eWarrants standards exist for this purpose. At a fundamental level, the requirements and the networks remain the same, notwithstanding every new generation arguing that their new technology Kool-Aid is fundamentally different.

What remains almost untreated in the commentaries on this case, however, are the potential collateral effects of the case itself—including a likely decision in favour of U.S. law enforcement—on the evolution of public international cybersecurity and infrastructure protection law and the architectures of rapidly emerging transnational network virtualization platforms.

The extraterritorial considerations of schlepping an eMail message among data centers are trivial compared to those same data centers orchestrating entire network architectures and services autonomously across national borders among unidentified endpoints including IoT devices using multiple encrypted data streams. Over the Top (OTT) services are vexing precursors; but it is the new Network Functions Virtualisation (NFV) provisioning now at the threshold of deployment that is the real concern. Put another way, what rational sovereign State is going to allow this to occur without effective multilateral instruments?

So the Microsoft eMail case is only a mere “sneak peek” at the fascinating realm of extraterritoriality that will be emerging in the brave new world of virtual networks today. A hundred years ago, the major industry providers enlisted the U.S. government to develop the multilateral instruments necessary to roll out their radio-based transnational virtual internets from data centers a hundred years ago to avoid redundant implementations in every nation. Will history repeat itself?

By Anthony Rutkowski, Principal, Netmagic Associates LLC

The author is a leader in many international cybersecurity bodies developing global standards and legal norms over many years.

Visit Page

Filed Under

Comments

>notwithstanding the essentially simple facts of the Charles Christopher  –  Jan 23, 2018 9:47 PM

>notwithstanding the essentially simple facts of the case and the application
>of law that has existed for hundreds of years.

4000 years ago non-standard hieroglyphs were carved into the tombs of walls to hide their true meaning.

3500 years ago folks in Mesopotamia cryptographically encoded commercially valuable intellectual property.

2500 years ago we have Hebrews using the the Atbash cipher. Around the same time in India the art of understanding writing in cypher, and the writing of words in a peculiar way was documented in the Kama Sutra for the purpose of communication between lovers.

The scytale transposition cipher was used by the Spartan military.

The desire for privacy is thousands of years older than the use of mans law to pierce it. Back then papyrus and clay tablets were expensive so few were affected, now that this is becoming more of an issue for “common folks” its not surprising that more people have something to say about it.

Resistance to discovery, and desire for more secure communications, are of course expected results. If you use a service that you believe offers this, and they fail you, you are likely to NEVER used them again. So market forces are not to be ignored here. The laws serve us, not the other way around .... I am sure Microsoft is aware of these facts of real life.

interesting nonsequitor Anthony Rutkowski  –  Jan 23, 2018 10:47 PM

However, it is unclear what the comment has to do with turning over emails concerning narcotics trafficking and importation for which a magistrate judge believed there was probable cause; nor with the larger challenge of protecting national infrastructure when it is orchestrated from another country.  There were no apparent expectations of privacy here.  The eMail(s) simply ended up on a datacenter server outside the U.S.  See Microsoft’s Objections to the Magistrate’s Order Denying Microsoft’s Motion to Vacate in Part A Search Warrant Seeking Customer Information Located Outside the United States, Case Nos. I 3-MAG-2814; M9-l 50, U.S.D.C. S.D.N.Y, 6 Jun 2014.

On the other hand, if you are attempting to argue that drug traffickers have an absolute right of privacy, I’ll pass on the rebuttal.

>There were no apparent expectations of privacy Charles Christopher  –  Jan 23, 2018 11:27 PM

>There were no apparent expectations of privacy here.

https://www.globalprivacyblog.com/privacy/microsoft-stands-up-in-court-for-european-privacy-rights/

“Microsoft Stands Up in Court for European Privacy Rights?”

“For its part, the Southern District of New York judges sided strongly with the government position that Microsoft has “control” over the e-mails stored on servers in Dublin and therefore has to produce the requested information. “

“Microsoft refused to produce these, and ultimately moved to vacate that portion of search warrant effectively requiring its US personnel (acting as agents of the United States government)  to effect a search and seizure of data not physically located on servers in the US.

In Europe, data protection authorities and policymakers voice concerns over the potential privacy law implications of the case. They argue that the due process considerations under Irish law should have compelled U.S. law enforcement to opt for the procedures set forth in the Mutual Legal Assistance Treaty in Criminal Matters between Ireland and the US has been in force in place since 2001. They also claim that otherwise the transfer of the data would infringe Irish privacy law. “

https://www.supremecourt.gov/DocketPDF/17/17-2/22918/20171206204555098_United States v. Microsoft Joint Appendix.pdf

“A US attempt to force Microsoft to hand over emails held on servers in Ireland has drawn a strong re- buke from Brussels in one of the first tests of cross-border privacy raised by cloud computing.
The US demand could contravene international law and should have been handled through the official channels normally used for law enforcement between different regions, according to Viviane Reding, vice-president of the European Commission.
The case comes as US technology is already caught up in a transatlantic privacy dispute over revelations about widespread US internet surveillance.

Not my words.

From Microsoft's Own Lawyers:https://cdt.org/files/2014/07/msft-reply-brief.pdf"The premise is dead Charles Christopher  –  Jan 23, 2018 11:44 PM

From Microsoft’s Own Lawyers:

https://cdt.org/files/2014/07/msft-reply-brief.pdf


“The premise is dead wrong—so obviously wrong that the Government avoids mentioning the two cases that disprove it. The first is United States v. Warshak, 631 F.3d 266 (6th Cir. 2010), which observed that stored email content contains individuals’ “sensitive and intimate information,” and worried that “government agents” who access that content have “the ability to peer deeply into [the owner’s] activities.” Id. at 284. More recently, in Riley, a unanimous Supreme Court affirmed that such electronic files contain “[t]he sum of an individual’s private life,” including “a record of all his communications,” “a thousand photographs,” and materials like “a prescription, a bank statement, a video.”

“The Government needs bilateral cooperation to obtain a stack of correspondence sitting in a foreign safe deposit box or in a UPS envelope sitting in Dub- lin. Emails stored on a Dublin server are no different.”

“The Government can readily obtain emails stored in Ireland by making a request under the Ireland-U.S. MLAT, which, according to the former Minister of Justice and Attorney General of Ireland, was intended “to serve as the means for law enforcement authorities in the respective countries to obtain evidence located in the other treaty party.”

still a non-sequitor Anthony Rutkowski  –  Jan 24, 2018 1:35 AM

Ms. Reding and others in Europe and here can certainly opine all they wish about their views on privacy and European law.  However, that does not alter the fact that the basic issue in the case as well as the 2nd Circuit’s decision being appealed, dealt with the magistrate judge’s authority “to enforce the Warrant against Microsoft…because Microsoft has complied with the Warrant’s domestic directives and resisted only its exterritorial aspects.”  Microsoft in the record also admitted that they can rather trivially easily obtain what the warrant demanded.

I may be wrong, but I expect the Court will find that the magistrate judge did have the authority to require Microsoft to comply because as the Petitioner, the States Attorney Generals, and United Kingdom note, the matter turns on control rather than location.  To do otherwise would create an untenable situation which - as noted by the U.K. - would “remove the ability of sovereign nations to protect life and prevent and detect crime within their jurisdiction.”  Legal systems tend to opt for self preservation.

It will then fall to Nation States to begin developing effective public international law for extraterritorial architectures and services.  Doing so for the acquisition of evidence under the aegis of the Cybercrime Convention for cloud data centres, and for architectures under the aegis of the ITU treaty instruments, are already underway.

>To do otherwise would create an untenable Charles Christopher  –  Jan 24, 2018 2:30 AM

>To do otherwise would create an untenable situation which - as noted by the
>U.K. - would “remove the ability of sovereign nations to protect life and
>prevent and detect crime within their jurisdiction.”

My read was the other country wants a say, simple as that.

I believe that is often referred to as accountability.

IIRC another wrinkle was that the servers Todd Knarr  –  Jan 24, 2018 9:26 AM

IIRC another wrinkle was that the servers weren’t owned/operated by Microsoft the US company but by a subsidiary company incorporated in Ireland. That adds a wrinkle to the case that the DOJ kind of glosses over, and is the basis for a lot of the amicus briefs supporting Microsoft’s position.

it is control that is determinative Anthony Rutkowski  –  Jan 24, 2018 10:56 AM

the warrant/subpoena was served on Microsoft Corporation at its headquarters in the State of Washington concerning an account that was "maintained, controlled, or operated" by Microsoft. The court had jurisdiction over Microsoft. The matter turns on whether authority existed to obtain the described evidence for criminal activity "pertaining to narcotics, narcotics trafficking, [etc.] and the use of ports or other places of entry to receive or ship narcotics or narcotics proceeds, [and[ related to the physical location of the target subjects and their co-conspirators."

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

NordVPN Promotion