Thursday, August 14, 2014

"National Hosting" of archives

The LOCKSS team are working with some countries to build in-country Private LOCKSS Networks (PLNs) to preserve the content such as e-journals and e-books that they pay for. Other countries are considering outsourcing their national archive of this content to foreign providers. One of the questions that countries ask about these efforts is "where is the data stored?" Recent developments in the US and the UK mean that this is no longer the right question to ask. Follow me below the fold to find out what the right question has become.

The revelations of Edward Snowden and the US Department of Justice's (USDoJ) position in a recent lawsuit involving data in a Microsoft data center in Ireland make it clear that the US regards any information in the custody of an organization that has US operations, no matter where in the world it is stored, as subject to US jurisdiction. The USDoJ's position is set out here and summarized thus:
In essence, President Barack Obama's administration claims that any company with operations in the United States must comply with valid warrants for data, even if the content is stored overseas. ... A magistrate judge has already sided with the government's position, ruling in April that "the basic principle that an entity lawfully obligated to produce information must do so regardless of the location of that information."
Although in preparation for a July 31 hearing at which the magistrate judge's ruling was upheld but stayed pending appeal Microsoft very publicly objected, as did other companies that have filed amicus briefs such as AT&T, this is likely just PR from a company that has betrayed its users in the past, for example over the encryption of Skype communications. In upholding the ruling Judge Preska said (emphasis mine):
the warrant lawfully required the company to hand over any data it controlled, regardless of where it was stored. “It is a question of control, not a question of the location of that information,”
Note that the Data Retention and Investigatory Powers (DRIP) Act, recently rushed through the UK Parliament, takes the same position. It is already law; it is being challenged in the courts but the process will take years. Thus, asking where the data is stored is no longer relevant, it doesn't tell you whose laws apply to that data. If the organization with custody "has operations" in the US or the UK, US or UK courts will exert jurisdiction.

Given this position, it would be prudent for a national hosting organization (NHO) to ensure not merely that the copies were on their country's soil in a system owned by their country's nationals, but also that the system was exclusively operated by their country's nationals. This would ensure that no-one subject to US jurisdiction would have administrative access to the system, and thus prevent such persons from impairing the operation of the system, for example by removing content from the system in response to an order of a US court. Such orders can be envisaged, for example, in cases where the US government classes information, even after publication, as "sensitive but unclassified", or attempts to secretly rewrite history such as court transcripts, or when copyright claims are made under the US Digital Millennium Copyright Act (DMCA).

The New America Foundation has a fascinating report, Surveillance Costs: The NSA’s Impact on the Economy, Internet Freedom & Cybersecurity (PDF), that provides many details and references for those interested in this area. The German government, more sensitive than others after Angela Merkel's phone was tapped, seems to have figured out that there is a problem:
But since April, any company that cannot guarantee that foreign services or authorities will not obtain any of their data is being excluded from federal contracts in Germany.
EU countries are, ironically, in a poor position on principle to oppose extraterritorial application of Internet law on principle:
In March 2014, members of the European Parliament passed the EU’s much-debated Data Protection Regulation and Directive by an enormous margin. The rules impose strict limitations on what can be done with the data of EU citizens. ... The new rules apply to the processing of EU citizens’ data no matter where that data is located, ensuring that personal information from Europe is still protected by EU laws when it travels elsewhere, especially to the United States.
A further question that needs to be answered is how any disputes arising from the operation of the national hosting service would be resolved. Two kinds of dispute could be envisaged:
  • Unsatisfactory service provision to participating libraries (PLs) using the national hosting facilities:
    • In the case of a service provided, for example, by a US-based organization, this would be a dispute about the terms of the contract between the NHO and the service provider. This contract would have been written by the service provider's lawyers and be governed by US law. The aftermath of the financial crisis has shown the USDoJ and the US courts to be less than even-handed as between domestic and foreign litigants. The PLs themselves would not be parties to the dispute. The prospects for a satisfactory resolution would be poor.
    • In the case of a service owned and operated by the NHO, the dispute would be between the PLs and the NHO over the terms of their contract. The PLs would be parties to the dispute. The contract would have been written by the NHO's lawyers and governed by national law.
  • Failure of publishers to deliver content to the archive:
    • In the case of a service provided, for example, by a US-based organization, this would be a dispute over the terms of the contract between the service provider and the publisher, which would be governed by US law. Neither the PLs nor the NHO would be parties to the dispute. They could only hope that their interests would be represented by the service provider.
    • In the case of a service owned and operated by the NHO, this would be a dispute over the terms of the contract between the NHO and the publisher, which would be governed by national law. The NHO would be a party to the dispute and would represent the interests of the PLs.
For example, the international version of Portico's Journal Archive License Agreement states:
10.7 This Agreement shall be governed by and interpreted and construed according to the laws of the State of New York or United States Federal law, as applicable, excluding any law that might direct the application of the laws of another jurisdiction. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods shall not be applicable to this Agreement. The English language version of this Agreement shall be controlling over any other version.

10.8 Any controversy or claim arising out of or relating to this Agreement shall be settled by arbitration conducted in English in New York, New York, in accordance with the Commercial Arbitration Rules of the American Arbitration Association, and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof. The parties agree to exclude any right of application or appeal to non-U.S. courts in connection with any question of law arising in the course of the arbitration, or with respect to any award made.
Caveat Emptor. "Agreements" such as these, and the End User License Agreements or click-through Terms Of Service that we accept every day, are carefully constructed to ensure that, regardless of the facts of the case, there is no possibility whatsoever of the customer prevailing in a dispute with the service.

These developments appear to have destroyed any case there might have been for outsourcing archiving across national borders.

14 comments:

David. said...

Jennifer Baker at The Register reports today that:

"More than 30 big US tech firms are breaking international agreed-upon US-EU Safe Harbor commitments to safeguard Europeans’ data, according to a complaint filed with the US Federal Trade Commission (FTC) on Thursday."

"The Washington-based Center for Digital Democracy (CDD) claims tech giants such as AOL, Adobe, Salesforce, Datalogix, Marketo, BlueKai, Criteo, Merkle and others are ignoring their promise to keep EU citizens’ data private – as opposed to sharing it with other organisations."

David. said...

Commendably, Microsoft is strongly resisting the US Government's warrant to provide access to the e-mails in Ireland.

"Microsoft will not be turning over the email and plans to appeal," a Microsoft statement notes. "Everyone agrees this case can and will proceed to the appeals court. This is simply about finding the appropriate procedure for that to happen."

David. said...

There's been an interesting, and tangentially related, discussion on the Liblicense mail list. It was occasioned by a vendor asking a customer who was an institution of a US State, specifically a state university, to waive their "Sovereign Immunity".

The 11th Amendment means that, except in certain very limited circumstances, Federal courts do not have jurisdiction over State institutions. The vendor was obviously worried that the only way to sue the customer would be in the State's own courts.

The part of the discussion tangentially related this post addressed whether it was possible for a State institution to waive its Sovereign Immunity by agreeing to mandatory arbitration. It was apparently the practice of international bodies, who have a related kind of immunity (diplomatic) to do so, but it was not clear whether State institutions could do so.

Of course, in practice State institutions have almost certainly been agreeing to mandatory arbitration via click-through or shrink-wrap licenses in a enormous number of cases. But it speaks to the one-sidedness of such licenses that the issue of whether such agreement was in fact valid appears never to have been tested in court. Even the State institutions realize that they have no prospect of prevailing against the vendors. If a State can't prevail, how likely are you to?

David. said...

The UK has appointed a former ambassador to the US as special envoy on intelligence and law enforcement data sharing. His role is described as working to ensure that: "lawful and justified transfer of information across borders takes place to protect our people's safety and security".

Either this is a recognition that the UK, unlike the US, is probably not powerful enough to enforce extraterritoriality, or it is a smart PR move to obscure the fact the GCHQ will continue to play its part in the "Five Eyes" ransacking of the Internet.

David. said...

A bill to reduce somewhat the extraterritoriality of US law has been introduced in the Senate.

"Under the new proposal by Senators Orrin Hatch (R-UT), Chris Coons (D-DE), and Dean Heller (R-NV), the US could still reach into global servers with a US search warrant, but it would be limited to obtaining Americans' data. If the US government wants a foreigner's data stored on foreign servers, it would have to follow the legal process of the nation where the servers reside."

As you can see, the bill actually emphasizes the principle of extraterroriality in just the same way the US tax law does. The US has access to American's data, just as it has access to American's money, wherever it is.

Privacy groups are not impressed.

"Greg Nojeim, a senior attorney with the Center for Democracy & Technology, said the measure was a step forward for US respect toward data storage laws in other countries. But he worries about how well the bill's ideas would work in practice."

Of course, these days the fact that a bill has been introduced in the Senate means very little.

David. said...

The US DoJ is maintaining its position that data held outside the US has no rights:

"The US government may hack into servers outside the country without a warrant, the Justice Department said in a new legal filling in the ongoing prosecution of Ross Ulbricht."

David. said...

The Guardian has an interesting interview with Brad Smith, Microsoft's general counsel, by Dominic Rushe. They discuss Microsoft's attitude to the forthcoming case.

David. said...

Brad Smith himself has posted on the ten amici briefs in the case filed today by a wide range of organizations. Among the amici are a group of civil liberties organizations including the EFF and a group of 35 leading computer scientists coordinated by Prof. Ed Lazowska.

David. said...

Senator Orrin Hatch has introduced the Law Enforcement Access to Data Stored Abroad bill. Ars Technica reports:

"The bill would require companies based in the US to turn over data stored on its overseas servers only if the warrant targets a "US person." The legislation does not alter the law requiring US industry—when presented with a warrant—to hand over data stored on US servers no matter the target's nationality.

The measure also requires a court to modify or vacate a warrant if a company makes a motion to the court and the court finds that the warrant would require the provider to violate the laws of a foreign country."

This sounds a little better than Senator Hatch's earlier bill but, given the DoJ's opposition, it isn't likely to go anywhere.

David. said...

Tomorrow before the Appeals Court for the 2nd Circuit the US government will argue their case that any data anywhere in the world stored by a company with operations in the US is subject to US jurisdiction. As David Kravets at Ars Technica writes:

'Even if the Obama administration were to lose the case, the US has other legal options available. The senior counsel for the Irish Supreme Court said a US-Ireland "Mutual Legal Assistance Treaty" would be the "efficient" (PDF) legal avenue for the US to take in its quest for the data. The Ireland government said it would consider the US government's request for the data under the treaty "as expeditiously as possible."'

Given the position of the Irish government, it is clear that this case is not about getting access to the data in question, but about establishing a legal precedent that data anywhere in the world is subject to US jurisdiction.

David. said...

Jennifer Baker at The Register reports on the European Court of Justice's view of the data agreement between the EU and the US:

"The top advisor to the European Court of Justice (ECJ) has said the current agreement between the EU and US is not worth the paper it’s written on .

Advocate General Yves Bot’s opinion on the so-called Facebook vs Europe case is not legally binding, but the court’s final ruling almost always follows his advice.

...

Today’s opinion puts the whole safe harbour arrangement in jeopardy. Sixteen years ago, the EU and US set up the arrangement to allow personal data to be transferred to the US jurisdiction, despite it not have sufficient privacy laws to qualify for EU adequacy.

Following revelations by whistleblower in chief Edward Snowden, the European Parliament calling for the safe harbour programme to be suspended. However the EU executive, the European Commission, was reluctant to do so and instead pinned its hopes on renegotiating the terms of the agreement."

David. said...

Mike Masnick at Techdirt points out that the downside of the NSA's actions is potentially to fragment the Internet across the Atlantic:

"But, in the short term, this could create quite a mess for the internet. Once again, we see how the NSA's actions, which it claims are to "protect" America could end up doing massive economic damage to the internet."

David. said...

Andrew Orlowski at The Register writes in On its way: A Google-free, NSA-free IT infrastructure for Europe:

"But now the dam that Max Schrems cracked last week has burst open as European companies seek to nail down local alternatives to Google, Dropbox and other Californian over-the-top players.

They don’t have much choice, says Rafe Laguna, the open source veteran at Open Xchange.

What the Schrems vs Facebook decision in the European Court means, Laguna argues, is that any data protection guarantee that a US company makes in Europe is worthless, and so any business processing a European individual’s data on US servers exposes them to lawsuits they can’t win."

Open Xchange is a collaboration between the open soource community and European telcos to displace US-based companies:

"Open Xchange provides the office, secure email and secure storage, and is gradually building a trusted infrastructure with European telcos. Its partners will cheerfully provide you with IM and video conferencing over the top. That leaves huge gaps in the picture - consumer social networks like Facebook, and CRM services like SalesForce still dominate their respective markets. But with the customer base for OX climbing towards 200 million seats, it’s not to be sniffed at."

The effects of extraterritoriality are starting to be felt.

David. said...

Glyn Moody at Ars Technica teases out the ramifications of the ruling by the Court of Justice of the EU that the "safe harbor" isn't safe. The ruling is:

"based on the EU Charter of Fundamental Rights. As the European Commission's page on the Charter explains: "The Charter of Fundamental Rights of the EU brings together in a single document the fundamental rights protected in the EU." Once merely aspirational, the Charter attained a new importance in December 2009: "with the entry into force of the Treaty of Lisbon, the Charter became legally binding on the EU institutions and on national governments, just like the EU Treaties themselves."

Being based, in effect, on the EU Treaties the ruling cannot be legislated away, since that legislation would conflict with the treaties.