Oath makes a stand for privacy in Supreme Court case

By Julie Jacobs, General Counsel

August 15, 2017 -- Today Oath, along with other technology companies, submitted a 'friend of the court' brief to the Supreme Court in Carpenter v. U.S., a case that could modernize the application of Fourth Amendment principles to digital information. In the fall, the court will hear arguments to decide the bounds of individuals' Fourth Amendment rights in the information transmitted by their mobile phones to the cell sites operated by their wireless carriers. The court will consider several questions, including whether the government needs to secure a warrant based on probable cause to obtain such cell-site information or whether the transmission is a voluntary disclosure of information to a third party obviating the need for a warrant. Although we did not take a position on how this particular case should be resolved, we urged the Court to eschew an outdated application of existing Fourth Amendment doctrines and consider fresh thinking in light of the daily habits of our customers and their associated privacy expectations.

Oath is also weighing in on issues related to user privacy and government access to customer data in other forums. In the U.S., congressional lawmakers recently introduced the "ECPA Modernization Act of 2017," legislation updating the Electronic Communications Privacy Act (ECPA) to more accurately reflect the public's expectation of privacy when it comes to law enforcement accessing their emails, texts and other electronic communications. Under the current ECPA law, a warrant is not required to obtain emails older than six months. The ECPA Modernization Act amends the status quo by doing away with that anachronistic temporal limitation on privacy. It also makes other important changes like requiring a warrant for all electronic communications content held by a third party and a warrant for geolocation information; mandating notification by the government to a user when their stored communications content is searched; and requiring the government to articulate a particular need for communications metadata before acquiring it. We support passage of this legislation, and other previously introduced reform bills that would improve digital privacy protections by setting clear requirements for government acquisition of customer data.

Congress is also examining how rules for government access to customer data should operate internationally. In late July, a bill was introduced in the U.S. Senate to construct a framework for U.S. law enforcement to obtain data stored overseas and for foreign governments to request data of non-U.S. customers from U.S. internet companies. The legislation, known as the "International Communications Privacy Act" (ICPA), resolves an issue addressed in the 2016 Microsoft v. U.S. case, where the U.S. government tried to compel Microsoft to turn over a customer's electronic data stored on a server in Ireland. Microsoft challenged releasing the information, arguing that the warrant served by the U.S. government did not extend to data held outside of the U.S. The Second Circuit agreed with Microsoft, but the issue is the subject of repeated litigation with differing outcomes in courts across the country. The current state of the law creates uncertainty for all stakeholders--for companies about whether and how to comply with court orders for data held overseas, for law enforcement about whether they will receive the data when requested, and for customers who are unsure about the protections given their electronic communications. ICPA would settle these questions by requiring U.S law enforcement to obtain a warrant for all electronic communications content stored anywhere in the world. And it would establish a comprehensive set of procedures to allow U.S. companies to respond to foreign government requests for data consistent with U.S. principles of due process and respect user privacy and human rights. By supporting this legislation, we stand alongside others for legal rules that provide customers and law enforcement with clarity on when and how internet companies must disclose customer data.

The activity surrounding these issues suggest a growing consensus that existing law in the U.S. does not yet strike the right balance between consumers expectations of privacy and law enforcement's legitimate need for data to solve crimes. Oath's legacy companies (Yahoo and AOL) had a long history of putting customers first and pushing back on overbroad or inappropriate government requests. Today we extend our commitment to protect and defend our customers and engage in constructive conversations that will allow us to reach the best outcomes for them and our company.