BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

Inside Google's Fight To Keep The US Government Out Of Gmail Inboxes

Following
This article is more than 6 years old.

In at least six separate federal cases, Google is waging a quiet war against the U.S. government. It's taking the FBI to task over warrants demanding it hand over the contents of Gmail data stored overseas. And because Google stores customer accounts in fragments in servers around the globe, it's a fight that matters for every email user on the planet, not just non-American Gmail customers.

Alongside unsealed cases in California, Pennsylvania and Wisconsin, there are at least three other sealed court battles in which Google has claimed the government has no right to use the Stored Communications Act to demand data the firm holds overseas, sources close to firm's legal fight told Forbes. That's on top of multiple sealed state cases, they added.

Its tussle with the government has emerged after Microsoft won a landmark 2016 case against the U.S., in which it prevented the FBI from accessing data it stored in Ireland. That came after two appeals and is only legally binding across courts in the Second Circuit, which covers six districts in Connecticut, New York and Vermont. Now, court documents show that Google, backed by some of its biggest rivals from Microsoft to Amazon to Yahoo, is trying to change the state of play across the rest of America, bringing more privacy to users whose information is stored on foreign soil.

Just a year after Apple's bitter war with the FBI over a demand the company open the iPhone of San Bernadino shooter Syed Rizwan Farook, the outcomes of these cases will likely have significant ramifications for both the average citizen's privacy and for law enforcement, which is finding it increasingly difficult to access the information it requires from tech providers. Together, the multiple cases are skirmishes in an increasingly tense war between a government hungry for access to private communications and Silicon Valley firms trying to protect them.

"This is important for personal privacy and for public governance of surveillance," said Lee Tien, senior staff attorney at the Electronic Frontier Foundation (EFF). "These cases illustrate our reliance and dependence on intermediaries actually taking our privacy seriously. I applaud companies for fighting for their users' privacy.

"All these companies are places where the government goes to find out about us, without necessarily telling us about it."

The cases

At the heart of all the court cases are questions over the legal application of the Stored Communications Act. The law is clear that it only applies to domestic territory. On the one side, the government is arguing the statute allows it to access information as long as it pertains to a domestic case. On the other, tech companies and rights groups like the EFF have said the statute is clear: search and seizure warrants can't be used to raid data on foreign land under any circumstances.

The most pressing case is in Philadelphia, where Google was ordered in February to hand over Gmail account information as part of a domestic fraud investigation despite its protestations. It's now appealed and has the backing of other Silicon Valley heavyweights, including Apple, Amazon, Cisco, Microsoft and Yahoo, who all signed amicus briefs in support of Google in mid-March. They've argued that though it isn’t under the jurisdiction of the Second Circuit, the court for the Eastern District of Pennsylvania should follow the decision in the Microsoft case, citing concerns about privacy, "an intrusion upon foreign sovereignty that Congress has not authorized" and "an impermissible extraterritorial application of U.S. law."

"Equally troubling, it invites foreign nations to reciprocate by likewise demanding that local offices of U.S. technology companies turn over U.S. citizens' private communications stored on U.S. soil," the amicus brief read. "It also places technology companies that store customer data abroad in the untenable position of being compelled to risk violating foreign data privacy laws to comply with warrants issued by U.S. courts.

"Customers do not expect that the government will conscript the provider to access, copy, and transmit their emails to the United States for purposes of handing them over to law enforcement. Such an extraordinary, government-mandated act is an invasion of privacy, plain and simple."

A final decision in that Philadelphia case is expected by the end of the month. It's likely to have an impact on Google's other cases in California and Wisconsin, in which the actual reasons for the prosecutors' data grabs remain under seal. In the former, a source close to the case said Google will this month be filing a motion to quash an order made in late April, opposing a warrant for information on an unspecified number of email accounts. A judge had previously deemed the warrant legal, as it was made on domestic soil for a company that was under the court’s jurisdiction and so did not represent any unlawful "extraterritorial application of U.S. law.” It didn’t matter how Google’s algorithms decided what data was stored where, the judge wrote in his initial dismissal of the firm’s appeal.

In Wisconsin, Google was asked to hand over information on February 17th for two Gmail accounts. It handed over the information that was stored in America, but declined to do so for data held abroad. In its latest move, the government sent a letter to the magistrate judge adjudicating the case, in which it noted the California court's ruling that went against Google, as well as the Philadelphia case and a decision in Florida, where Yahoo was told it had to hand over an email customer's data on 7 April. (Forbes could find no other public court documentation for that case. Yahoo declined to comment on any ongoing cases).

Sources close to Google's legal team noted that all cases were proceeding in a similar fashion to Microsoft's: Google’s losing at the magistrate level, before moving on to the appeals courts, where Microsoft ultimately prevailed. They're betting on a similar outcome.

The Department of Justice (DoJ) is feeling confident it will win out, though. Peter Carr, DoJ spokesperson, pointed Forbes to a previous DoJ statement on Google's losses in Philadelphia and its proposed legislation sent to Congress last year, adding: "Other judges examining the Second Circuit's ruling have concluded that its reasoning is flawed and creates results that Congress could not have intended. In all of the cases decided thus far, the government has prevailed."

Unsuitable laws

For the DoJ, the Microsoft decision and the subsequent efforts by Silicon Valley giants to block the have become "really problematic," according to one senior department official. "There isn’t a Plan B for this," the official added. They said that Google's decision to build a global architecture had made it considerably more difficult for the FBI to access data, though it was apparent the tech giant hadn’t set up its system to purposefully thwart investigations.

For the tech giants and their supporters, the Microsoft decision showed the government was overreaching to the point of absurdity, said Tien. "This is especially disturbing from a Fourth Amendment perspective. What are we doing to Fourth Amendment law and thinking when this kind of a search-and-seizure is deemed 'domestic'? It's as though the once-overseas data magically appeared in the United States," he added. "If cops have a search warrant that’s good for a house, but the stuff cops want to seize or search is actually next door, that's a fail. I hope no one thinks it's OK for the cops to pay someone to move it from the house next door to the house identified in the warrant."

What all parties agree on, though, is that clarity is needed regarding the statutes that delineate what data it can and can't access. The law simply hasn't kept up with the technology. Looking at Google's infrastructure, for just a single file, multiple pieces could be stored in different locations around the world. When a law says data should only be accessed by feds in domestic settings, it's obvious why the application of that law is complicated.

For instance, the Stored Communications Act, implemented back in 1986, is deemed hopelessly outdated by tech companies and government in a world where data is flying across borders every day.

There's another hugely controversial statute at play too, known as Rule 41 of the Federal Rules of Criminal Procedure. That law was updated late last year to the chagrin of privacy activists, as it added a provision allowing magistrate judges to sign off on warrants for data located outside their districts if a device's physical location was "concealed through technological means," -- i.e. with IP-cloaking software like a VPN (Virtual Private Network) or the Tor network. In its amicus brief, Yahoo argued that even with this change, Rule 41 still did not permit extraterritorial access to information. If Congress wants to clarify the law, it should look at Rule 41 again too, Yahoo said.

But any immediate cessation of the multiple court battles is likely to prove something of a chimera. Mark Krotoski, a partner in the privacy and cybersecurity practice at Morgan Lewis and former Department of Justice criminal attorney, said the only way through the current impasse would see Google and others take the unlikely step of accepting a DoJ invitation for a temporary "narrow solution" in which warrants would allow data grabs for any information regardless of location until the rules were clarified, added Krotoski. For Google, its lawyers would prefer the law pay attention to where the user is located, rather than where the data is.

But progress on either Rule 41 or the SCA is unlikely to happen anytime soon given how sluggish Congress can be. Krotoski thinks it will take well over a year for Congress to produce a law acceptable to both sides, given the myriad issues at play. And as if to prove how slowly the cogs can turn up on Capitol Hill, just earlier this month, a Senate Judiciary Committee hearing to discuss the scope of the SCA was postponed. It's been rescheduled for May 24th.

Follow me on TwitterCheck out my websiteSend me a secure tip