Tech companies could be hindering criminal investigations, under outdated law

When police showed up at his parents’ rural Mississippi home this past winter, Brian Lee Davis confessed to owning hundreds of digital photos and videos that showed young children being raped. In July, the 20-year-old college student was sentenced to a decade in state prison. Catching him gave police a shot at pursuing an entire child pornography network — including the people who had abused those children in the first place.

Instead, police hit a dead end.

State investigators say they still cannot access emails that could help them identify victimized kids or track down the “very bad, bad people” Davis admitted to contacting. Although Google tipped off cops about the child porn files that had crossed its network, the company refused to give them access to his Gmail account — despite the fact that police had a search warrant.

Google’s argument: The data is “out of jurisdiction.” In other words, some data in that Gmail account is stored on Google servers outside the United States — and, since a ruling last year that is now before the Supreme Court, technology companies are not required to turn over that information.

Since the legal decision, major technology companies such as Microsoft and Yahoo have begun defying judges’ orders in criminal investigations, refusing to turn over potentially crucial digital evidence of crimes. Their actions are impeding hundreds of criminal investigations, according to public testimony to Congress and interviews with law enforcement officials by CNN. These cases include ones of human trafficking, drug smuggling, and fraud.

“This is a tremendous problem that is becoming more acute by the day,” Brad Wiegmann, a deputy assistant attorney general, told members of a Senate judiciary subcommittee in May. “These cases directly affect public safety and may even affect national security.”

In the Davis case, for instance, “that account could contain a treasure chest of information to help identify other child pornographers,” Mississippi Attorney General Jim Hood told CNN in a statement. “This is a man who pled guilty to exploiting innocent children, yet Google is more worried about protecting their own interests than the safety of our kids against child predators.”

Google, Microsoft, and other companies say they’re caught amid a duty to their customers, clashing interpretations of an outdated American law, and increasingly stringent privacy laws abroad. “In the absence of consistent legal doctrine, we’re deferring to the judgment of the most senior federal court to rule on the issue,” Google told CNN in a statement.

Microsoft’s deputy general counsel, David Howard, also issued a statement to CNN: “This outdated law doesn’t serve today’s law enforcement needs, nor does it adequately protect people’s privacy. We’re particularly troubled that if the US government requires companies to turn over their customers’ data abroad, other governments may follow this example and seek the private information of American people and businesses.”

Until last year, technology companies routinely gave American law enforcement whatever information was listed in a search warrant, no matter where it was stored.

But in a July 2016 decision, the US Second Circuit Court of Appeals ruled that the 1986 Stored Communications Act does not compel companies to give up data held abroad. The law does not directly address a reality few politicians at the time imagined: Today, for greater convenience, the American companies that dominate the global technology market have come to store our emails, documents, and other data on servers all around the world.

The stalemate between technology companies and law enforcement is urgent enough that the Department of Justice is trying to resolve it through multiple avenues. On Monday, the Supreme Court decided to review the lower court ruling, a move that could keep the legal limits in place or return power back to police. The DOJ is simultaneously lobbying Congress to change the underlying law. Meanwhile, the tech industry’s own proposal for an update to the law has become a bill that’s now making its way through the House and Senate.

Still, for now, American police who have lawful search warrants approved by judges are hitting a wall. Until the Supreme Court weighs in, or Congress changes the law, criminals have some cover.

A fateful decision

Technology companies store data all over the world. They’ve designed their systems that way to deliver data faster, or in some instances, to reroute signals in cases of traffic jams or downed networks. For a user in Belfast, Microsoft can house an MSN email account at its data center in Ireland, rather than the United States. Google keeps data in tiny “shards” all across its global network, so a single Gmail file might exist as fragments on computers in Belgium, Finland, and Hong Kong.

The criminal investigations hitting roadblocks involve the data of not just American suspects, but often foreigners as well. Either way, those people’s data can reside all over the world.

But the data housed beyond American borders has taken on special meaning since a 2013 case in which Microsoft refused to help federal agents in an investigation of drug traffickers, denying them access to emails on computer servers in Dublin. Microsoft’s lawyers argued that the 1986 Stored Communications Act did not, in fact, give police the right to seize information stored in another country without that foreign government’s approval.

The company eventually won before the federal appellate court in New York on July 14, 2016. The controversial ruling said the Stored Communications Act does not give American judges “extraterritorial” powers, and that therefore they cannot grant search warrants that reach outside the United States. A US judge could not demand that a company give up a video held on a European machine, for instance, even if it documented a crime committed by one American against another on American soil.

In comments clarifying the decision later, the appellate court itself described the ultimate result as nonsensical. The ruling does not create “a rational policy outcome,” one judge concluded. And it “severely restricted an essential investigative tool used thousands of times a year in important criminal investigations around the country,” another judge on the appellate panel wrote.

Since then, tech companies’ refusal to comply with similar search warrants have set off legal battles in federal courthouses across the United States.

The Senate Judiciary Committee, which is now reviewing the tech industry’s version of a bill to resolve the problem, has heard about this issue firsthand from Wiegmann and others who want to see the law changed.

DOJ officials have told Congress about a wide range of affected cases. In one instance, a man charged with child pornography cut off his electronic monitoring device and fled before his trial — but Google would not give federal agents access to emails that could help track him down. In another, Google refused to provide emails concerning a drug trafficking investigation spanning Canada, China, and the United States. In yet another, Microsoft withheld data that could identify a suspected tax fraudster’s accomplices.

The problem extends to local and state investigations, too, according to Tennessee Bureau of Investigation special agent in charge Richard Littlehale. In California, investigators trying to track down a missing young girl — feared dead — couldn’t access photos saved online that could help locate her.

In federal cases in California, the District of Columbia, Florida, Pennsylvania, and Wisconsin, prosecutors have argued that the “Microsoft Ireland decision” was wrongly decided. Magistrate judges in every one of those regions have sided with prosecutors and ordered the tech company to deliver data. Yet the companies have appealed, stalling investigations. In just the last few months, US district judges in D.C., Philadelphia, and San Francisco have stepped in to reaffirm those orders. But, to date, tech companies have not budged.

Despite the cases underway across the country, the impasse has received scant media attention. The search warrants pertain to ongoing criminal investigations, so most of the court documents are sealed and kept secret from the public. But CNN has been able to glean some details by reviewing hundreds of pages of public legal documents and court transcripts.

One effect of tech companies’ resistance can be to delay investigations, as one case in eastern Pennsylvania shows. FBI agents are investigating how a person in the United States defrauded an American victim. On August 19, 2016, agents received a search warrant to obtain emails and files from the suspect’s Gmail account. Google and the feds went back and forth for weeks. Google repeatedly told the FBI it had received the search warrant but didn’t provide the data. When the company finally relented, it gave agents access to file folders — that were mostly empty.

In the end, 69 days passed before the company’s attorneys finally called the FBI to explain the missing information: Google wouldn’t be delivering the data, because it was on a foreign server.

Other cases show the stalemate impeding justice in other ways — for example, by limiting investigators to just bits and pieces of evidence. In San Francisco federal court last year, prosecutors asked Google to turn over emails in a case involving “ongoing and wide ranging criminal activity.” After five months, Google turned over some emails, but the company withheld some attachments because they were stored outside the country.

William Frentzen, a veteran federal prosecutor in the region’s gangs task force, wrote that because of Google’s refusal to comply, “the government is restrained from investigating the full extent of the illicit activity and from identifying potential co-conspirators.”

The Second Circuit ruling is even affecting cases where investigators already have evidence in hand. In August, a New York jury convicted Fabio Gasperini of computer hacking. His defense lawyer, Simone Bertollini, told CNN he’ll try to get the appellate court — the same one that ruled in the Microsoft case — to toss out the conviction because the incriminatory emails likely came from a Google server in Europe.

Law enforcement doesn’t have an effective alternative strategy for getting this information. In a typical investigation, American cops can ask for a foreign government’s cooperation through diplomatic channels — a method called a mutual legal assistance treaty request, or MLAT. But investigators say the process is notoriously slow. And given that some companies’ computer networks keep data in tiny bits that are always moving, it can be impossible for cops to know which country they should ask for help.

Putting up a fight

In court, prosecutors have pointed out that the technology companies do still have the option to give up data held abroad. They added that even the Second Circuit’s decision, which allows them to withhold the data, is only binding in court cases in that circuit’s states — Connecticut, New York, and Vermont.

Google, however, noted that it was following the guidance of the highest court to weigh in on the issue, and told CNN that “production of users’ data under a single federal law shouldn’t depend on where in the country they live.” In other words, it should not be easier for federal agents to spy on the emails of someone in Oregon than on those of someone in Vermont.

Some experts in technology law say the companies may see the refusal as a matter of protecting their public image.

“It’s bad press for Google if they just acquiesced and didn’t promote what is deemed as the privacy interests of their customers. This is particularly important for their international customer base. The idea of the US being able to reach anywhere to get anything is especially concerning to foreigners,” said American University law professor Jennifer Daskal, who specializes in privacy and law enforcement access to data.

Fears of the government’s reach into private data have been particularly heightened since 2013, when leaks by National Security Agency contractor Edward Snowden revealed how US intelligence was tapping American technology companies to spy on users worldwide.

“After Snowden, there was a change in public trust of government access to data. And for a tech company, appealing to that change in public trust is important,” said Fred Jennings, a tech and civil rights lawyer at the New York firm Tor Ekeland.

In the wake of Snowden’s disclosures, foreign governments, such as Brazil and the European Union, have adopted stricter data privacy laws. That, in turn, is giving tech companies even more reason to be resistant to US law enforcement. In court filings, the tech industry claims that responding to an American search warrant and pulling data out of foreign countries could break those new laws.

The technology industry has banded together to stake out its position. Amazon, Apple, Cisco Systems, Microsoft, and Yahoo have filed joint legal briefs in courts nationwide to support Google’s efforts to block federal search warrants.

Even as the tech sector attempts to block these search warrants in court, it’s also lobbying Congress to update the 1986 law in a way that would clarify their dealings with both American police and foreign customers.

Technology companies have rallied behind the International Communications Privacy Act, which would draw a sharp distinction between “US persons” and foreigners. Under this legislation, tech companies would have to give police with warrants access to Americans’ data, no matter where it’s stored. “Law enforcement requests for digital evidence should be based on the location and nationality of users, not the location of data,” Google’s general counsel Kent Walker said in a speech at the Heritage Foundation in June.

But, according to the bill, if US officials want a foreigner’s information, the foreign country would be notified first. If that country doesn’t object, American police could access the data. Countries with legal systems the United States considers unjust would not have this veto power. Russia, for example, which is notorious for shielding its hackers from the FBI, would not have a way to block legitimate investigations.

Senators Orrin Hatch of Utah and Christopher Coons of Delaware introduced the bipartisan bill in July. It’s their second attempt, after a similar version in 2016 never made it out of committee.

Despite its urgency about changing the law, however, the DOJ has surprised some observers by hesitating to publicly support the bill. Some suspect it’s because the bill doesn’t go far enough, putting limits on the ability of American police to obtain data on foreigners that didn’t exist before the 2016 Microsoft-Ireland decision.

“The tech community has shown a greater willingness to move to the middle on this issue than has law enforcement, which appears to be banking on a Supreme Court reversal of the Microsoft decision,” said Matt Whitlock, the press secretary for Sen. Hatch.

Instead, the DOJ has asked Congress for a simpler fix: Give American judges those “extraterritorial” powers to force tech companies to move foreign data back to the United States.

Meanwhile, even the proposed new bill is highly asymmetrical in what it permits US law enforcement versus that of other countries. American tech companies produce much of the world’s most popular communication tools. Yet foreign police can’t access any evidence kept by US tech companies to solve local crimes.

For example, Brazilian federal police told CNN that WhatsApp is the preferred messaging service for drug traffickers and kidnappers there, but the company won’t give them access to conversations. WhatsApp has claimed it does not have copies. But it would be illegal for WhatsApp to share them directly anyway. The Stored Communications Act — the same outdated law frustrating police in the United States — also blocks American tech companies from directly sharing information with foreign governments.

Scholars and industry experts warn that ignoring international interests could come back to haunt the United States.

Right now, America holds sway because its tech companies are powerful. But Chinese companies, for instance, are also making popular apps. Some of them will soon live on the phones of millions of Americans and store lots of their data. When that happens, American police will be at the mercy of Chinese laws.

“There’s going to be some super cool Weibo app that we want on our phones, and it’s going to cause headaches for US law enforcement,” said Andrew Keane Woods, who teaches technology law at the University of Kentucky. “There’s a much more immediate need for us to play nice with countries.”

For now, American investigators are impatiently waiting to see how this problem gets addressed. The Supreme Court could issue a landmark decision that once again gives American judges the ability to reach across borders — or not.

Either way, Congress could render any Supreme Court decision null and void if it changes the law. But that would require passing a bill that failed the last time around — at a time when Congress has only grown more divided.