A New Law for the Internet

At Microsoft’s recent World Partner conference, Chief Legal Officer Brad Smith declared that the world needed an “internet which respected international law”.

What he’s talking about here is the issue of global data privacy. Microsoft are one of several major technology companies who are currently fighting the notion that governments across the world could have the ability to access any online data – whenever and wherever they want.

When you look at some of the recent legal tussles between governments and various technology giants (the Microsoft Ireland case and Apple vs. the FBI are a few examples), it’s clear that this is in fact a huge issue, which has been born out of the exponential growth of online activity.

It’s now come to a point where a definitive course of action is needed to address the fact that the current laws of the internet were created decades ago. Before instant messaging. Before Facebook. And before business cloud adoption went through the roof.

In fact, last week marked 21 years since the launch of Internet Explorer 1.0. It sends some shivers down the spine to think about how much the internet has developed since then, whilst the laws designed to police it have hardly changed at all.

To take a look at one of the cases more closely, Microsoft have been battling the US government for three years with regard to a particular case of drug trafficking. The government wanted to access some data which was kept in Outlook emails belonging to a non-US citizen who was the main suspect in the case. The emails were stored in a Microsoft data centre in Dublin.

Microsoft refused to allow the US government access without going through Irish law first. When a New York district court judge ordered Microsoft to give up the emails anyway and they still refused, they put themselves in contempt of court.

So why didn’t Microsoft, a US company, want to help their own government bring someone to justice (if indeed the emails housed any incriminating evidence)?

Brad Smith said at the time,

“The government is using power that Congress never gave it: the ability to go around the world and hoover up emails pursuant to a search warrant,”

“It’s in effect saying to the people of Ireland, their law doesn’t matter … that is not a recipe for the success of the US technology sector, and not a recipe that people have trust in technology.”

That trust is crucial. If Microsoft want more and more businesses to use their cloud technology (Office 365, Azure etc.) then they have to be able to say that their data is safe, secure, and protected by international law.

Last month, the Microsoft Ireland case came to an apparent end when the Second Circuit Court of Appeals ruled in Microsoft’s favour. Microsoft said the ruling is a win for the protection of people’s privacy rights under their own laws, rather than the reach of foreign governments. Speaking after the news was made public, Brad Smith said,

“We obviously welcome today’s decision by the Second Circuit Court of Appeals. The decision is important for three reasons: it ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs.”

You can read Brad’s full statement here.

From my personal point of view, I’m not a data privacy fanatic, nor do I have anything to hide. So I believe that in certain circumstances, governments should be able to order technology companies to hand over incriminating data belonging to their customers, even if that data is stored overseas. But crucially, I believe they should only be able to do that if that government has gone through the correct process to make this request and doesn’t circumvent international laws.

The trouble is, there is no definitive process at the moment. At least not one which isn’t based on principles constructed thirty years ago.

Earlier this year the FBI wanted Apple to unlock an iPhone 5c belonging to the now deceased Syed Rizwan Farook, who murdered 14 people in San Bernardino last December and wounded 22 more. Farook was suspected to have terrorist links, and the FBI believed that the data stored on his iPhone would be the key to proving that.

Apple claimed that they couldn’t give the FBI the data – Apple’s phones are encrypted, and the only way to decrypt one is to know the user’s passcode. If they tried to brute-force the passcode, there was the risk that Farook had enabled a certain iOS setting which would wipe his phone of all data if 10 incorrect passcodes were entered.

In answer to that, the FBI asked Apple to build a new SIF (System Information File) to circumvent all the iPhone security features. Apple again refused. I believe it was on the basis that Apple, for reputation’s sake, couldn’t prove that there was a way to crack an iPhone without knowing the passcode.

In the end the FBI found its own way in with the help of a third party. This circumstance for me is different to the Microsoft Ireland case. I understand completely why Apple are incredibly stringent about their security. That makes complete sense. But in an extreme case like this, it’s my personal view that Apple could, and should, have done more.

And this is why a new set of laws for the internet is needed. At the moment there is so much ambiguity that almost anything can be challenged. That is why we’re seeing cases such as these – governments being in the position to order the technology companies to hand the data over, and technology companies being in the position to refuse. Particularly with the disintegration of Safe Harbour, a new precedent must be set.

The internet is at the centre of everything that is unfolding in technology. 67% of executives believe that digital transformation is now “a question of survival” for businesses. Importantly, companies need to know that when they put their faith in digital technologies, those technologies are regulated and supported to the same level.

So what happens now?

I think it’s about agreeing on a strong and strict level of criteria, should a government want to access someone’s data which is hosted in the Cloud.

It’s the equivalent of gaining access to a house – you need a warrant. There needs to be an international court warrant which is agreed to and rubber stamped. If they are legally bound to do so, then Microsoft or Apple or whoever hosts the data must release it, assuming all the criteria have been met, and international law has not been circumvented.

The problem with that of course is that sometimes, if not most of the time, there will be a level of urgency to the request. And the bill needs to allow for that.

So what is being done at the moment? Companies including Apple, Microsoft, Amazon, Facebook and Twitter are backing a new bill, the International Communications Privacy Act (ICPA).

Noticeably absent from the list is Google, who have more ties to the US government than anyone else. No further comment on that one…

After Microsoft won their Ireland case, Brad Smith said, “Now we can focus on creating the internet laws of the future”.

It’s not going to be easy to get international agreement for something like the ICPA (if indeed it’s the best solution), but it is critical to developing trust and security.