The Washington Post had an interesting article during the weekend. The article (at https://www.washingtonpost.com/world/national-security/supreme-court-case-centers-on-law-enforcement-access-to-data-held-overseas/2018/02/25/756f7ce8-1a2f-11e8-b2d9-08e748f892c0_story.html) gives us ‘Supreme Court to hear Microsoft case: A question of law and borders‘ where the issue debated is: “At issue is whether a U.S. company must comply with a court order to turn over emails, even if they are held abroad — in this case in a Dublin server. The litigation turns on a 1986 law, the Stored Communications Act, passed long before email became a ubiquitous way to communicate and before American firms began storing massive amounts of data outside U.S. borders“, in this case it goes even further then the lawmakers or lawyers have considered. Apart from the fact that the server is physically in Dublin and a case would be required to be made in Strasbourg, there is one additional need (beyond the stringent privacy laws in Europe). Microsoft is phrasing it that in opposition, “an adverse ruling would leave the government “no basis to object” when other countries demand Americans’ emails stored inside the United States, that it would “trammel” other nations’ sovereignty and erode trust in a way that poses “an existential threat” to the $250 billion cloud-computing industry“, this leads us to the Cloud Act, as we get the quote (in this case from WCCFTech) “Congress is currently considering to make it easier for the law enforcement to access international data – one of the major headaches that the prosecutors currently face. Microsoft, Google and other tech companies who have had their fair share of issues with the government have long asked for a revamp of the legislation that demands companies to hand over data stored on a foreign land“, the question is not why it is needed, but on how the changing rule of privacy is impacting those outside of the US, more important, how it could turn against the US in the long term.
The danger is seen, not in Europe, but in Saudi Arabia where banking laws are actually extremely protective of the customers. Let me explain with the following information.
There are certain secular regulations passed by government, which although not dedicated as a whole to data privacy/protection, contain specific provisions governing the right to privacy and data protection in certain contexts. Examples of such regulations include:
- the Basic Law of Governance (no: A/90 dated 27th Sha’ban 1412 H (corresponding to 1 March 1992)), which provides that telegraphic, postal, telephone and other means of communications shall be safeguarded. They cannot be confiscated, delayed, read or breached.
- The Anti-Cyber Crime Law (8 Rabi 1, 1428 (corresponding to 26 March 2007)) (as amended), which generally prohibits, amongst other things, the interception of data transmitted through an information network, the invasion of privacy through the misuse of camera-equipped mobile phones and the like, illegally accessing bank or credit data of another, unlawful access to computers for the purpose of deleting, destroying, altering or redistributing private data, or the production, preparation, transmission or storage of material impinging on public order, religious values, public morals, and privacy, through an information network or computers;
- The Telecoms Act (approved pursuant to the Royal Decree No. (M/12) dated 12/03/1422H (corresponding to 3 June 2001), which states that the privacy and confidentiality of telephone calls and information transmitted or received through public telecommunications networks shall be maintained, and disclosure, listening or recording the same is generally prohibited
The Regulations for the Protection of Confidential Commercial Information (issued by Minister of Commerce and Industry Decision No. (3218) dated 25/03/1426H (corresponding to 4 May 2005), and as amended), which governs the protection of data considered to be “commercial secrets” under these regulations.
(Source: DLA Piper, at https://www.dlapiperdataprotection.com/index.html?t=law&c=SA)
So if we see Saudi Arabia push for equally protection in regards to digital privacy and digital personal data, there would soon be a jump by many people to get a futuristic @gmail.sa account.
So now we see the US pushing and they could lose out twice, first the fact that others will demand US data in the same trend for their own criminal legislation reasons (which should make the Wall Street boys nice and nervous. the second is that those who they are trying to prosecute will take their business to Saudi Arabia and protective minded nations. With Saudi Arabia looking at billions of investments coming from the Tech sector, giving in to big business like Apple, Google and Microsoft would be a small step to get the infusion of massive cash drops, infrastructure and evolution of their technological infrastructure. That alone could push the ‘Vision 2030’ plan that has been the shiny jewel for Saudi Arabia as envisioned by Crown Prince Mohammad Bin Salman Al Saud ahead by several years.
Yet when we see the WCCFTech, we also see the dangerous finale. With “Tech companies have continued to hint for a legislative reform that could help them deliver data on criminals when a warrant is served but the data is stored outside of the country. What these companies feel about the Cloud Act, however, remains unclear“, we see the crucible. This test is not set in law, but in interpretation. With ‘deliver data on criminals when a warrant is served‘, you see, a person is innocent until proven guilty, so as such the warrant becomes useless if there is no conviction. Now, I feel certain that the Cloud Act will take such matters into account, but in the clarity of the Act, it is an American Act and as such, even when we get “Thomas Bossert, assistant to the president for homeland security and counterterrorism and Paddy McGuinness, deputy national security adviser for Britain wrote. “The first one would be with Britain, which already has the authority to enter into such a pact.”” I am personally not convinced of that. The entire mess of the Safe Harbour or Safe Harbour 2.0 and/or the EU-US Privacy Shield, when we see privacy, yet in some places we see “for commercial purposes”, which is causing more confusion than give clarity, the fact that a lot is not done in the open and merely between the US and big business is making plenty of people worried. So when we see “2,400 companies – including Facebook, Microsoft, Google and Alphabet Inc.” whilst we see “Facebook’s default privacy settings and use of personal data are against German consumer law, according to a judgement handed down by a Berlin regional court”, whilst at the same time we see that Facebook list a case in the Belgian courts too. So the entire setting as we are given the view by Reuters “EU justice commissioner Vera Jourova, who presented the first annual report on the agreement, the Shield is “working well”“, whilst at the same time we see that one of the three largest players in the data industry is handed their marching papers all over Europe is a much larger cause for concern and Saudi Arabia is gaining an unique position to cash in on that setting, and they are not alone, in that same view China could make equal protective leaps, enticing business and data away from the US.
In this regard, when we look back at the Washington Post where we see: “With congressional action unclear, the stakes are high for U.S. v. Microsoft, such that more than 30 friend-of-the-court briefs have been filed by the European Union, members of Congress, the U.S. Chamber of Commerce, tech firms, privacy advocates, and former law enforcement and national security officials, among others”, the issue is not merely what is in play, but with the changes towards G5 all bets are off because it is not merely more data and faster data, there will be a new dimension of machine learning and automation within the apps themselves and as such the issue on legislation on personal data and application data becomes a new and different fields of consideration. Now, this has no bearing on national borders yet, but when the value of application data grows (and it will soon enough on a near exponential scale), we will see these fields come into the view of consideration and debate.
The Saudi opportunity is seen in a much better light when we consider “E. Joshua Rosenkranz, who will argue Microsoft’s case, called the government’s position “a recipe for global chaos.” He added: “If ever there were a step that is sure to stoke international tension, it is sidestepping the treaties that were negotiated by countries precisely to protect their sovereignty, and instead unilaterally obtaining reams of personal letters”, so as we see that side in regards to the ‘sovereignty’ of accounts, we also see that if Mossack Fonseca pushes their boundaries and if they get their infrastructure and security up to scrap, they could open up new doors to alternative and additional revenues, because those who have the cash to secure their privacy will pay through the nose for it. So it will no longer merely be about tax avoidance, it will become about identity avoidance, repudiation avoidance and their cyber persona, all up for Encrypted Cyber Outsourcing. If your value in cyberspace is set to a value, being the one surfing with an economic value of $0 will be the most anonymous one and there are plenty of people who prefer to be that, out of sight of the Skip Tracers, the investigators and the media at large, in the cyber age, anonymity is becoming more and more important, especially to those who embrace anonymity.
The Washington Post gives a few alternative views and all very valid, yet in all this there is not merely the ‘criminal’ data as it is seen, it is the setting of data privacy within the persons national sovereignty set against the US, or any other nation that requests your data for whatever reason they give. We see this in the US case Blackwell, 2004, where we get “Illegally obtained evidence applies to criminal cases only and is typically “evidence acquired by violating a person’s constitutional protection against illegal searches and seizures; evidence obtained without a warrant or probable cause”“, that setting could stretch, especially when data obtained from another country is set against additional privacy laws and in addition, the proof required to set ‘or probable cause’ which might be another bump in the setting of borderlines, whether they are merely digital or physical. The law was never ready for Clouds and Cyberspace. This is seen in the unjust setting of ‘the law does not apply in Cyberspace‘, which is not true (proven on several settings), as the “conflicting laws from different jurisdictions would apply, and even as that happens for any person simultaneously, to some extent, to the same event. The Internet might not make geographical and jurisdictional boundaries clear, but Internet users remain in physical jurisdictions“. There is an agreement there, but as most systems as well as the lack of non-repudiation has been in play from even before I got my University IT degree, and since then too little changed, the failure to prove that the ‘internet user‘ is THAT ‘internet user‘ the law keeps on falling over and as that is paramount in setting the need of the warrant, the warrant should in the end go nowhere, which is exactly what the alleged criminal hopes for and legislation has remained behind the curve by a lot, optionally helping them out evading conviction.
So as we see these settings, we see that the U.S. v. Microsoft could in the end cost the US a lot more than they themselves bargained for, because that is in the end the nature of the beast of commerce, it goes where business and profit resides.