Business

hiawatha bray | TECH LAB

New tech vs. old law: How far can police go with digital searches?

aleutie-stock.adobe.com

By this time next year, American law enforcement agents may have a lot more power to investigate our online activities. Or a lot less, depending on which way the US Supreme Court jumps.

The high court is taking up a pair of critical cases that will establish how far police can go in searching for digital evidence of criminal activity. Whatever the justices decide, the two cases have already proven that current laws and court precedents are inadequate for these digital times, and badly need a rethinking.

Just look at Carpenter v. US, a case I wrote about in June. Convicted robbers Timothy Carpenter and Timothy Sanders were tracked down when the FBI got hold of their cellphone location data, providing a road map of the men’s crimes. But the feds lacked a search warrant for the data, because they didn’t believe they needed one.

Advertisement

Technically, the FBI may have been right. Agents didn’t listen in to the criminals’ calls. Instead, they obtained telephone “metadata” related to the users’ locations. According to a 1979 Supreme Court ruling, they could get such data with a subpoena, which simply requires telling a judge that the information will help in an investigation.

Get Talking Points in your inbox:
An afternoon recap of the day’s most important business news, delivered weekdays.
Thank you for signing up! Sign up for more newsletters here

But in 1979, metadata revealed only the location of fixed landline phones. With today’s mobile phones, a metadata search will reveal every place the phone has been, going back months or years. In effect, the cops can hit the rewind button and put anybody under retroactive surveillance.

It’s a scary concept, and it calls for rigorous regulation.

Before getting so much data, police ought to get a full-fledged warrant. That means persuading a judge that the suspects are probably guilty of a crime. It’s a much higher standard than the one the FBI applied in the Carpenter case, which is why I’ll have to root for the bad guys this time, and hope that Carpenter and Sanders go free. The Supreme Court will hear that case Nov. 29.

The right decision on Carpenter could clear up the metadata problem for years to come. But on Monday, the court agreed to take up a far messier case — US v. Microsoft Corp. is a legal showdown with global implications.

Advertisement

In 2o13, federal agents served a warrant on Microsoft, seeking e-mails of a suspected drug smuggler. Microsoft complied, but only with data stored on the company’s computers in the United States. The suspect had signed up for Microsoft’s Outlook.com free e-mail service as a resident of Ireland, and so Microsoft had stashed his e-mails at a data center in Dublin. The company said a US search warrant didn’t apply there.

In 2014, a federal judge disagreed, but Microsoft won on appeal. The government had relied on a 1986 law that allows court-ordered e-mail searches. But when the law was written, American e-mail services were based on American soil, not lodged in data centers around the world. The appeals court ruled the old law didn’t extend to overseas servers.

On one level, the ruling seems bizarre. If you use Gmail, your messages may get shuffled through many servers around the world. But they’re all owned by Google, which can access the data in the United States with a few keystrokes. So why are files in Alabama subject to a warrant, but not those at the equally accessible Google data center in Chile? That’s the view of the Justice Department and 33 state governments that want the Supreme Court to overturn the appeals ruling.

But it’s not so simple. For instance, the government hasn’t identified the person being investigated, or his nationality. If he’s a not a US citizen, he may be covered by the European Union’s privacy laws, which are significantly more strict than ours. Officials of Ireland and the EU have warned that complying with such a warrant could violate sovereignty. And US civil liberties advocates warn that foreign police may start demanding data on Americans under investigation, even when it is stored in the United States.

All these problems are avoided if Microsoft wins, as I believe it will. But such a ruling would hamstring American police. What we really need is a better law.

Advertisement

A bipartisan group of senators are pushing legislation to extend the power of search warrants to data stored abroad, when the person being investigated is a US citizen or resident. Foreign countries would be notified of warrants pending against their citizens, and the law would establish a streamlined procedure for countries seeking to challenge such warrants in US courts. Countries wishing to take advantage of this law would be required to offer the same deal to Americans facing criminal investigations under their laws.

US v. Microsoft is what happens when you apply landline-era laws to a broadband world, and it will take more than a Supreme Court ruling to set things right.

Hiawatha Bray can be reached at hiawatha.bray@globe.com. Follow him on Twitter @GlobeTechLab.