Commentary

3 Ways to Promote Cybersecurity

After the Snowden disclosures, America’s leading technology companies were mad. They found themselves in the middle of a political firestorm not of their own making. The toll of the Snowden disclosures on American business is unknown, but estimates range from $22 to $180 billion. These companies understood the crucial role they played as stewards of consumer data. In the wake of the intelligence disclosures, many argued that revamped privacy policies were critical to promoting the interests of US technology firms in foreign markets. Microsoft Executive Vice President and General Counsel Brad Smith spoke about many of these issues at a recent event hosted by the Center for Technology Innovation at the Brookings Institution.

Smith outlined a number of principles for stakeholders to consider when crafting new privacy protections. He also argued that conversations about privacy tend to conflate two intertwined relationships. The first is the relationship between citizen and government. The second is between a company and its consumers. Ensuring transparency in how both governments and companies use data is critical to establishing trust with people around the world. Empowering consumers to control their data and ensuring robust oversight of government agencies are equally important. Establishing accountability for both firms and governments through regulations or courtrooms helps to ensure that all actors play by the rules. Finally, Smith highlighted the importance of respecting not just the wishes of Americans but also those of other countries.

He proposed three recommendations for reform:

One- Changes to the FISA Court

Currently, the Chief Justice of the Supreme Court appoints FISA Court judges. Smith suggested that giving Congress a role in the decision could enhance accountability. The court also lacks transparency, as nearly every decision remains shrouded in secrecy. The FISA Court does not include an advocate for the defendant, which could result in biased outcomes. Smith also pointed out that litigation is difficult for companies that seek to challenge rulings because even individuals with security clearance can’t access the relevant evidence.

Two- Specific Warrants for Accused Offenders

The subpoenas Microsoft receives from the government often request all available data associated with a single username. Smith argued this constitutes a general search, which is unconstitutional. It also deputizes Microsoft to, in effect, carry out the search on its own. More detailed records requests could help ameliorate this problem.

Three- Follow the Laws of the Country Where the Data is Hosted

Smith also suggested that the location of the data center should determine which rules apply to a criminal investigation. For example, if a European customer’s data were stored on a server in Ireland, then Irish law would apply. If the US wanted to request information for an investigation, it could follow the guidelines already laid out in the treaty between the two countries.

Check out the event video below and tweet to #TechPrivacy to join the conversation.