NSA spying has cost US tech firms $180 billion in lost revenues

Nearly unique among nations, the U.S. broadly imposes extraterritoriality– in the case, the enforcement of U.S. laws in other, sovereign nations.

An Exceptional Nation

Many examples of extraterritoriality grow out of America’s archipelago of military bases around the world, where Status of Forces Agreements (SOFA) allow service members exemption from local laws, even when they commit crimes against host country people. The U.S. also stations Customs and Border Patrol agents in other nations, denying boarding on U.S.-bound flights from Canada, for example, to Canadian citizens otherwise still standing in their own country. Imagine the outcry in America if the Chinese were to establish military bases in Florida exempt from U.S. law, or if the Russians choose which Americans could fly out of Kansas City Airport. Never mind drone strikes, bombings, deployment of Special Forces, invasions and CIA-sponsored coups.

The snowballing NSA revelations have already severely damaged U.S. credibility and relationships around the world; nations remain shocked at the impunity with which America dug into their private lives. NSA spying has also cost American tech firms $180 billion in lost revenues, as “We’re not an American company” becomes a sales point.

A New Level

An American court has just taken things to a new level of extraterritorial offensiveness by requiring Microsoft to turn over to the U.S. government emails it holds on its servers. But in this case, those servers are located in Ireland, a European Union nation with its own privacy laws. Those laws are apparently of no real concern to the United States.

In a July 31 ruling upholding a lower court decision, U.S. Magistrate Judge James Francis in New York ruled that an American search warrant can be applied outside the country and served on a foreign company if that company has some business connection to an American corporation. The ruling makes all data in the world subject to a U.S. court, assuming some nexus to an American entity can be found. The nexus question is important; U.S. law holds that a company doing business in the U.S., say Malaysian Airlines, can be sued in the U.S. for some event that occurred abroad, such as an air crash in the Ukraine. The court ruling could in theory require Credit Suisse to open its servers in Zurich to the U.S. government simply because they have an office in Manhattan.

In the current case, the theory was that because Microsoft owned and controlled a foreign subsidiary company based in Ireland, any data stored in that overseas office or its data centers fell within (virtual) U.S. territory. This exposes massive amounts of foreign cloud-stored data, including emails and web searches, to American law enforcement working through an American court system that has been compliant in satisfying its needs post-9/11.

Rules are For Fools

The Judge went further is his decision, claiming official channels between countries that currently allow for cross-border law enforcement operations, called mutual legal assistance treaties (MLATs), are “generally… slow and laborious, as it requires the cooperation of two governments and one of those governments may not prioritize the case as highly as the other.” The judge added: “The burden on the government would be substantial, and law enforcement efforts would be seriously impeded.”

MLATs, the system that has been in place for many, many years prior to this week’s court ruling, are formal treaties whereby countries agree to share law enforcement information when it is to the benefit of both sides. They are subject to transparency and scrutiny, court review and have numerous steps built in to protect the rights of the accused. An example of an MLAT’s typical use might be a cross-border investigation into an alleged narco trafficker doing bad things in both nations. MLAT’s are usually administered abroad through the FBI’s Legal Attache stationed at the U.S. Embassy.

EU Data Laws

The American court’s ruling, allowing the United States to simply demand Microsoft’s data from Ireland for whatever purpose it may decide to use it, is a big, big deal. European information law is very strict. Data held by a company in Europe is considered to ultimately belongs to the citizen who generated it. A citizen can request access to his or her own data, and when it’s no longer needed, it must be deleted.

In the U.S., data is considered the property of the tech company that has its hands on it at the moment. So, in America, your Facebook posts and Instagram pictures don’t really belong to you, and you can’t block those companies from giving them to the government, or selling them to a third party for that matter.

Yet the most amazing thing about the judge’s ruling is its sheer audacity. In the immediate wake of the revelations that the NSA has been stealing Europe’s data, the judge has ruled that it is in fact now legal for the U.S. government to simply demand that data.

Microsoft to Appeal

In hopes of salvaging its business in Europe, Microsoft is appealing the decision. http://publicpolicy.verizon.com/blog/entry/verizon-files-amicus-brief-in-support-of-microsoft Verizon, Apple, AT&T, and Cisco, despite handing over their data to the NSA domestically willy-nilly, are supporting Microsoft in its efforts to block the European grabs.

In its appeal, Microsoft summed up the issue concisely:

A U.S. prosecutor cannot obtain a U.S. warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States. We think the same rules should apply in the on line world, but the government disagrees.”

————————–

Peter Van Buren writes about current events at blog. His book,Ghosts of Tom Joad: A Story of the #99Percent, is available now from from Amazon.

Image by Elif Ayiter under Creative Commons license