Thoughts on foreign data storage and the Patriot Act
Over the past year there has been extensive discussion around the world about government demands for data. Last week, Verizon released a Transparency Report outlining the number of law enforcement requests for customer information that we received in 2013. In the report we noted that in 2013 we did not receive any demands from the United States government for data stored in other countries.
Although we would not expect to receive any such demands, there are persistent myths and questions about the U.S. government’s ability to access customer data stored in cloud servers outside the U.S. Now is a good time to dispel these inaccuracies and address the questions, which have been exacerbated by the stream of news reports since last June about national intelligence activities in the U.S. and elsewhere.
Our view on the matter is simple: the U.S. government cannot compel us to produce our customers’ data stored in data centers outside the U.S., and if it attempts to do so, we would challenge that attempt in court. Here’s why.
The section of the national security laws often cited as granting the U.S. government authority to access data stored abroad is Section 215 of the Patriot Act. While Section 215 allows a court to issue an order requiring a company operating in the U.S. to produce certain business records, it does not give the U.S. government the power to act outside the U.S. More importantly, Section 215 does not grant the U.S. government access to customer data stored in the cloud; it only applies to business records of the cloud provider itself. So the U.S. government cannot use Section 215 to compel a company to produce customer data stored in data centers outside the U.S.
If Section 215 isn’t available, are there other methods potentially available to the U.S. government? Search warrants are not an option – they cannot be enforced outside the U.S., and nothing in the Patriot Act changes this limitation. The same is true of subpoenas. Finally, Section 702 of the Patriot Act also is not an option for the U.S. government to compel a U.S. company to turn over customer data stored in a data center outside the U.S. because the U.S. company does not have possession, custody or control of that data.
For all these reasons, we do not believe the U.S. government may lawfully demand that Verizon turn over customer data stored in data centers outside the U.S., and if it were to do so, we would oppose the request in court.
So, where does this leave the government when it wants access to data stored outside the U.S.? The short answer is the Mutual Legal Assistance Treaty process, which the U.S. government can – and we understand does – use to request assistance from local, in-country law enforcement, just as other governments around the world do.
Verizon has a long history of standing up for the privacy rights of our customers. We believe that the privacy concerns expressed by many over the security of their data are important, but we also believe that the authority of the U.S. government to reach data stored in the cloud outside the U.S. is misunderstood or mischaracterized by many. Whatever interpretations others may apply to U.S. law, we want our position on the matter to be clear: there should be no concern about the U.S. government compelling Verizon to disclose data our customers store in Verizon data centers outside the U.S.