Unsafe Harbor?

I’m no lawyer, or a huge fan of Windows, but a recent ruling by a U.S. magistrate may have some serious repercussions for those of us who a big fans of the free flow of information over the internet. On April 25, Judge James Francis IV (S.D.N.Y.) held that emails held on foreign servers were subject to US criminal search warrants. In making his decision, Judge Francis rejected Microsoft’s arguments that it shouldn’t have to comply with a criminal search warrant for data on its web-based email service stored on servers in Dublin because US courts lacked authority to issue warrants for extraterritorial search and seizure. While this is obviously not good news for the boys in Redmond, this decision also could help drive a stake through the heart of the US-EU Safe Harbor Framework for data transfers.

For those of you wondering why this is important, let me provide a brief overview of the concept of Safe Harbor. Essentially, a safe harbor provision clarifies what behavior within a larger statute is deemed to be acceptable or “safe”. In the context of internet communications such a provision can be used to identify what information is (or isn’t required) to be provided to a state authority in association with the movement of data. In ruling against Microsoft, Francis argued that under the US Stored Communications Act of 1986—a law that many legal analysts feel is antiquated—warrants for email differ than those for homes. This is music to the ears of the EU who were already considering pulling out of the existing agreement.

The EU’s concerns regarding maintaining the current Safe Harbor agreement have been substantially eroded by a variety of factors, not the least of which being the recent disclosures of NSA surveillance activities. Thus, Judge Francis’ ruling provides implies that information that crosses into the EU, and is stored there, is less secure, and thereby, a de facto safe harbor in and of itself.  Whether it’s a manifestation of the EU’s feelings of inferiority or that they don’t approve of US clandestine activities including listening in on their leader’s phone calls—of course they do the same things, but we had the misfortune of being caught—this decision provides them with the cover they desire to insist on the provision of more detailed information on the data moving across its frontiers.

While the EU’s position may appear logical on one level, their withdrawal from the Safe Harbor compact will have substantial consequences for internet communications. Added information requirements will only lead to the increased bureaucratization of the internet, and onerous data storage and retention requirements–an international Sarbanes-Oxley for lack of a better term– for internet providers and those that use their services. Paradoxically for those concerned that the current Safe Harbor agreement facilitated spying activities by the likes of the NSA, the collapse of the current arrangement will make sensitive data more easily available to an expanded array of “interested” parties. Coupled with the current desire of the US government to relinquish control of ICANN, the absence of a Safe Harbor agreement between the US and the EU opens the door for authoritarian and autocratic governments to impose rules and requirements that are in direct conflict with the internet’s position as a universal source of free and uncensored information.

Obviously, the global nature of internet communication strains the limitations of existing laws and tests the boundaries of national jurisdictional restraints, but in cases like Microsoft’s, the implications of judicial action can lead to consequences that are not limited to the decision itself. As a result, it is imperative that legal rulings should follow the law and not precede or anticipate it. As the impact of Judge Francis’ ruling demonstrate, if the internet is to continue to fulfill its role as an open communications medium, decisions made regarding its future should be made on a deliberative, rather than ad hoc, basis.