Terms of Service: How the US denies foreign users’ rights at American tech companies

by claire mcnear

Many US tech companies see the vast majority of their traffic come from outside the United States. Analytics firm Alexa found that nearly 70% of Google’s traffic originates abroad, as does 78% of Facebook’s and 71% of Twitter’s. All three have headquarters in the San Francisco Bay Area.

Yet the majority of non-US users accessing websites and accounts operated by American tech companies may lack the rights – notably of privacy and freedom of expression – afforded to American users. Indeed, a 2013 US District Court ruling suggests that most foreign nationals do not even have legal standing to challenge the seizure of their data in the United States, highlighting the dangers of an area where experts say that the law has been slow to catch up to tech.

In early 2011, an Ecuadorean court ruled that the Chevron Corporation owed damages of as much as $18 billion to indigenous peoples in the Lago Agrio region for pollution caused by Texaco Petroleum Corporation during the 1970s and 1980s. Chevron acquired Texaco in 2001.

The company disputed the claim, alleging that the Ecuadorean judgment was the result of racketeering and fraud. The charges themselves, Chevron argued, were an attempt to extort and defraud the oil company based on fabricated evidence. In February 2011, Chevron sued.

A year later, Chevron demanded personal information related to the Ecuadorean defendants from three US-based email providers, Google, Yahoo!, and Microsoft. The subpoenas were wide-ranging, stretching beyond the approximately 50 individuals who were the target of Chevron’s lawsuit.

In a subpoena filed in the Northern District of New York, Seattle-based Microsoft was ordered to hand over data for 30 email addresses, including the identities of their owners and nine years’ worth of IP logs, which could be used to identify the geographic location of each log-in during that time. These email addresses belonged to individuals who were not parties to the original litigation, but who were, in the words of the court, “involved directly or indirectly.” (The contents of messages from these accounts were not requested.)

EFF, which frequently assists in digital rights defense cases, joined EarthRights International to challenge the subpoena on behalf of three of the account holders.

The District Court of the Northern District of New York denied the motion to quash the subpoena in June 2013. Among the judge’s reasons: the account holders were not American citizens and lacked a strong connection to the US, so were therefore not entitled to First Amendment protections.

The question of who is protected by the rights of the US Constitution has long been a thorny subject. The Supreme Court ruled in 1990 that the protections extend only to “a class of persons who are part of a national community or who have otherwise developed sufficient connection with this country to be considered part of that community.”

Foreign nationals who are not found to have that connection are denied those rights.

The District Court’s decision meant, in essence, that the ownership of an account at an American company – here, an email address with Microsoft-owned Hotmail – does not constitute a sufficient connection with the United States. The users therefore had no ability to dispute the requests for their data.

The court’s ruling could have enormous implications for millions of users of American tech services around the world. The issue of whether all data at American companies is American – and if so, what that means for users who are not – is murky.

The legal wrangling extends to users’ home governments as well. In June, Britain’s Office for Security and Counter Terrorism admitted that it considers all communications that pass through American tech companies to be foreign data, even when the messages are exchanged between British citizens in the United Kingdom. This means that Brits who use services like Gmail or Facebook are subject to higher levels of scrutiny and to government interception without a warrant, which is typically required by law.