Sophos Cloud Optix
Microsoft and the US government have agreed that the company will be held in contempt for its refusal to hand over email stored in the cloud at its Dublin data center but won’t be fined or punished, giving it a chance to appeal a court order to cough up a customer’s communications.
Like many tech companies, NSA-gate stung Microsoft, with news coverage pointing to alleged collusion with US intelligence operations.
Since then, the company has pledged to encrypt just about everything, enhance code transparency, and bolster legal protection for customers’ data.
A few weeks ago, it did, in fact, put its brawn behind that promise of legal protection.
The company on 29 August refused to hand over to the US government a customer’s emails that are stored on its servers in Ireland.
Although the government agreed to hold Microsoft in contempt without sanctions, it held onto the right to seek sanctions if the situation changes, it said in a decision (PDF) submitted to US District Judge Loretta A. Preska on Thursday and filed on Monday.
The case concerns a narcotics trafficking investigation.
In December 2013, the government came to Microsoft bearing warrants for the emails, but the question of whether those warrants are valid outside the US has turned this into a bellwether case.
Brad Smith, Microsoft General Counsel and executive vice president for legal and corporate affairs, has said in an editorial published in the Wall Street Journal that the US Constitution’s Fourth Amendment provides “full legal protections” to customers’ emails stored in the cloud:
In our view, that the U.S. government can obtain emails only subject to the full legal protections of the Constitution's Fourth Amendment.
Smith wrote that in this case, the US government must have a warrant (which it did have), but “well-established case law” holds that such search warrants can’t reach beyond US shores.
The government’s having none of it. Its lawyers argue that email stored in the cloud cease to belong exclusively to us, becoming instead the business records of a cloud provider.
Because business records have a lower level of legal protection than personal records, the government claims that it can use its broader authority to reach emails stored anywhere in the world.
As Smith wrote, Microsoft believes our cloud emails are ours and have the same privacy protection as paper letters sent by mail.
At Naked Security, when we talk about issues like this, we’re always swapping “in the cloud” for “stored on somebody else’s computer”.
That’s a good stance to take when it comes to limiting our expectations with regards to the security and privacy of our data and communications.
But it’s another matter entirely when the government moves to make that “on somebody else’s computer” a legal definition – particularly when “somebody else’s computer” means “the state”.
Is this a misuse of the Fourth Amendment, or do we simply have to suck it up and deal with the fact that all bets are off – not only with regards to security/privacy, but also when it comes to the US court system?
This case looks like it will point the way to an answer.
Your thoughts are welcome in the comments section below.
Image of gavel courtesy of Shutterstock.
Would this not mean that MS are breaking European Law and would rather break the law here where there are lower penalties?
Perhaps if the warrant were issued in Ireland they would be breaking Irish law.
Or it means that the US authorities feel that they would be turned down if they sent a request via an Irish court.
Cross-border search warrants happen all the time – and get slapped down hard if the other country believes they are fishing expeditions or are based on fruit of a poisoned tree (ie, illegally obtained intelligence).
This should be interesting in the very least. Depending on how it goes it could have a very chilling impact on the entire cloud structure. If the courts rule that things on the cloud belong to the business then what can the businesses do with our data without our consent? Its a very slippery slope.
@shdwmage, the law isn’t what holds these cloud providers back. They believe they can do whatever they want with the data already. Did you consent to Google having a program reading all your gmail for the purposes of showing directed ads? The slippery slope goes both ways. Let’s assume in this case the suspect is also American. So we have an American company and an American suspect, should it really matter that MS decided the bits will be stored in Ireland versus California? I’m as pissed off about the NSA stuff as anyone, but let’s keep in mind that we still have a need for law enforcement in this digital world. If a US provider wants to avoid having to respond to warrants from law enforcement, they just store all their data in Elbonia? That not only makes law enforcement harder, it creates an economic disincentive to create data centers in the US.
I know they do this stuff already, but if the court rules that they own the data then they can do it and we have no recourse to fight against them. They “own” it anyway.
What the USA mis-government is trying to do is control all information wherever it is – another form of empire building – and similar to many dictatorships who want to know what you have been thinking, reading or saying
It is quite simple. If the courts rule that things on the cloud belong to the business, then there will be a stampede away from US cloud providers and to European ones. That will negatively impact Microsoft, IBM, Amazon, and just about any other US-registered cloud company.
I doubt it. No other country has a 4th Amendment equivalent of equal or greater strength. So, a move to another country will make the problem worse for the customers of those providers.
As far as I am aware there is no 4th Amendment. i.e. AFAIK it does not protect non-US citizens, especially if they are located outside of the US.
And whilst it should be remembered that the EU privacy laws do allow states to use national security as a reason to bypass normal protection, this does still legally have to be notified and justified to the EU Commission.
I believe that EU data privacy system is likely to move more towards protecting ‘any’ citizens rather than just EU citizens. And with the e-economy benefits to non-EU countries in harmonising with EU privacy laws the trans-border safety (other than to or from the US) appears to be growing in many regions of the world.
Also there are several respectable sources quoting $billions lost already from US economy due to business miss-trust of USA privacy behaviour. And it has already encouraged significant international investment in explicitly non-USA controlled or located internet infrastructure and services.
I find it surprising that the US Government does not put a halt to this case as what ever the legal result there will be a lot more damage to the USA than any possible gain could achieve.