OK, Microsoft has said to the US government, so you want us to crack open our servers, even though they’re on Irish soil. You’ve got a warrant, and you say it gives you the legal power to force us to dig out a users’ email and hand it over, even though Irish and European data protection laws protect that content.
The company has further challenged this notion in its latest salvo over the US’s insistence that it may search Microsoft’s overseas servers with a valid US warrant, begging the question: How would you like it if the shoe were on the other foot?
Microsoft lawyers invited the US government to picture a scenario in which a foreign state – say, Germany – similarly sidesteps international law and demands that a foreign company’s US offices produce personal communications of an American journalist:
Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter's box with a master key, rummage through it, and fax the private letters to the Stadtpolizei.
Microsoft has been battling the warrant since 29 August, when it refused to hand over to the US government a customer’s emails that are stored on servers in a Dublin data center.
This has been a closely watched case that will turn on the question of who owns data stored in the cloud.
It all began with a narcotics trafficking investigation.
In December 2013, the government came to Microsoft bearing warrants for the emails, but the question of whether those warrants are valid outside the US has turned this into a bellwether case.
Microsoft’s counsel has maintained that the US Constitution’s Fourth Amendment provides “full legal protections” to customers’ emails stored in the cloud and that while the US did have a warrant, “well-established case law” holds that such search warrants can’t reach beyond US shores.
The government lawyers have resisted this argument, claiming that email stored in the cloud cease to belong exclusively to us, becoming instead the business records of a cloud provider.
Because business records have a lower level of legal protection than personal records, the government claims that it can use its broader authority to reach emails stored anywhere in the world.
US District Judge Loretta Preska has agreed with the government, ruling that the information’s location doesn’t matter:
It is a question of control, not a question of the location of that information.
In September, Microsoft and the US government agreed that the company would be held in contempt for its lack of compliance with the warrant but that it wouldn’t be fined or punished, pending its appeal.
Not surprisingly, other tech companies – Apple, AT&T, Cisco and Verizon – have sided with Microsoft.
Verizon has said that if the US prevails in this case, it would produce “dramatic conflict with foreign data protection laws.”
Apple and Cisco have also come out against the government, saying that the tech sector runs the risk of being sanctioned by foreign governments and that the US should instead seek cooperation with foreign nations via treaties: a position the US has deemed impractical.
The Department of Justice has responded that global jurisdiction is necessary in an age when “electronic communications are used extensively by criminals of all types in the United States and abroad, from fraudsters to hackers to drug dealers, in furtherance of violations of US law.”
In its recent appeal, filed on Monday, Microsoft suggests that if the shoe were indeed on the other foot and Germany got its hands on data in the US, the US Secretary of State would “fume”, outraged over the decision to bypass existing formal procedures that the European Union and the US have set up to ensure bilateral cooperation.
Germany could then claim that it’s got a warrant, and that none of its police had stepped foot in the US, as the DoJ is now trying to do with its demand for data stored in Ireland:
Germany's Foreign Minister responds: "We did not conduct an extraterritorial search - in fact we didn't search anything at all. No German officer ever set foot in the United States. The Stadtpolizei merely ordered a German company to produce its own business records, which were in its own possession, custody, and control. The American reporter's privacy interests were fully protected, because the Stadtpolizei secured a warrant from a neutral magistrate."
Brad Smith, Microsoft Executive Vice President and General Counsel, on Monday said in a post that if the US prevails in this case, it can’t complain if foreign agents pull the same maneuver on US tech companies, forcing them to download emails stored on US soil.
It’s a question that the DoJ “hasn’t yet addressed,” he said, “much less answered.”
But, Smith continued, it boils down to the Golden Rule: Do to others as you would have them do to you – not just in human interaction, but in international relations.Follow @NakedSecurity