Microsoft and the US government have agreed that the company will be held in contempt for its refusal to hand over email stored in the cloud at its Dublin data center but won’t be fined or punished, giving it a chance to appeal a court order to cough up a customer’s communications.
Like many tech companies, NSA-gate stung Microsoft, with news coverage pointing to alleged collusion with US intelligence operations.
Since then, the company has pledged to encrypt just about everything, enhance code transparency, and bolster legal protection for customers’ data.
A few weeks ago, it did, in fact, put its brawn behind that promise of legal protection.
The company on 29 August refused to hand over to the US government a customer’s emails that are stored on its servers in Ireland.
Although the government agreed to hold Microsoft in contempt without sanctions, it held onto the right to seek sanctions if the situation changes, it said in a decision (PDF) submitted to US District Judge Loretta A. Preska on Thursday and filed on Monday.
The case concerns a narcotics trafficking investigation.
In December 2013, the government came to Microsoft bearing warrants for the emails, but the question of whether those warrants are valid outside the US has turned this into a bellwether case.
Brad Smith, Microsoft General Counsel and executive vice president for legal and corporate affairs, has said in an editorial published in the Wall Street Journal that the US Constitution’s Fourth Amendment provides “full legal protections” to customers’ emails stored in the cloud:
In our view, that the U.S. government can obtain emails only subject to the full legal protections of the Constitution's Fourth Amendment.
Smith wrote that in this case, the US government must have a warrant (which it did have), but “well-established case law” holds that such search warrants can’t reach beyond US shores.
The government’s having none of it. Its lawyers argue that email stored in the cloud cease to belong exclusively to us, becoming instead the business records of a cloud provider.
Because business records have a lower level of legal protection than personal records, the government claims that it can use its broader authority to reach emails stored anywhere in the world.
As Smith wrote, Microsoft believes our cloud emails are ours and have the same privacy protection as paper letters sent by mail.
At Naked Security, when we talk about issues like this, we’re always swapping “in the cloud” for “stored on somebody else’s computer”.
That’s a good stance to take when it comes to limiting our expectations with regards to the security and privacy of our data and communications.
But it’s another matter entirely when the government moves to make that “on somebody else’s computer” a legal definition – particularly when “somebody else’s computer” means “the state”.
Is this a misuse of the Fourth Amendment, or do we simply have to suck it up and deal with the fact that all bets are off – not only with regards to security/privacy, but also when it comes to the US court system?
This case looks like it will point the way to an answer.
Your thoughts are welcome in the comments section below.