New Laws Needed for Government Access to Cloud Data, Google Says


Google general counsel Kent Walker this week called for fundamental changes to statutes governing law enforcement requests to customer data stored by Internet companies like itself.

In a speech at the Heritage Foundation in Washington, D.C.—an excerpt of which was posted on the company’s The Keyword blog—Walker described current laws governing digital evidence gathering on the Internet as archaic and slow moving. Rather than helping enable the flow of information to law enforcement, current laws are hindering the flow and jeopardizing user privacy in the process, he said.

Walker proposed a new framework that Google has developed that he said strikes a better balance between privacy and the government’s legitimate need to obtain information from Internet providers for law enforcement purposes.

“The laws that govern evidence-gathering on the Internet were written before the Information Revolution,” Walker said. “These rules are due for a fundamental realignment in light of the rapid growth of technology that relies on the cloud [and] the very real security threats that face people and communities.”

Further reading

  • Microsoft Links Azure Media Services and Azure AD
  • Industrial IoT Is Getting Real

In Walker’s opinion, the law that is in biggest need of immediate change is the U.S. Electronic Communications Privacy Act (ECPA), which governs request for content from law enforcement.

The law was passed in 1986, and is primarily designed to govern requests for data from domestic law enforcement authorities. It is not equipped to address the requirements of an environment where data moves across borders and is stored all over the world. The law, as written, does not allow law enforcement authorities in other countries to directly obtain content held by an Internet company in the United States, like domestic agencies can.

As a result, they are forced to rely on cumbersome diplomatic mechanisms such as Mutual Legal Assistance Treaties (MLATs), Walker said. Foreign law enforcement agencies that go through the MLAT process for obtaining data from U.S. Internet companies have to wait on average for 10 months to receive it.

That process is far too long for most investigative purposes and has begun prompting other nations to assert that their own laws apply to companies outside of their borders. Such assertions of ex-territorial authority put companies like Google in a situation where they are forced to violate either U.S. laws or the laws of the countries making the demands for data, Walker said.

Frustrations over processes like the MLATs have also begun pushing some countries to require Internet companies to store data on their citizens within local borders, Walker said. This again is problematic because it requires U.S. companies to set up small, one-off datacenters in multiple countries.

ECPA’s outdated provisions have also begun complicating things for U.S. law enforcement authorities, he said. For example, there is considerable ambiguity over whether warrants for digital searches issued under ECPA cover data stored on servers outside the U.S.

Google’s proposal is for ECPA and similar statutes to be changed so that law enforcement authorities from countries with good human rights records can obtain information directly from the service provider, rather than through an MLAT or similar process.

The Google proposal also calls on the U.S. Congress to codify a standard for search warrants for content from Internet companies. Many countries currently lack robust standards and safeguards for government access to customer data stored in the cloud. The U.S. as the country where some of the world’s largest Internet companies are based should take the lead in codifying a warrant standard, the Google proposal said.