Sophos Cloud Optix
OK, Microsoft has said to the US government, so you want us to crack open our servers, even though they’re on Irish soil. You’ve got a warrant, and you say it gives you the legal power to force us to dig out a users’ email and hand it over, even though Irish and European data protection laws protect that content.
The company has further challenged this notion in its latest salvo over the US’s insistence that it may search Microsoft’s overseas servers with a valid US warrant, begging the question: How would you like it if the shoe were on the other foot?
Microsoft lawyers invited the US government to picture a scenario in which a foreign state – say, Germany – similarly sidesteps international law and demands that a foreign company’s US offices produce personal communications of an American journalist:
Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter's box with a master key, rummage through it, and fax the private letters to the Stadtpolizei.
Microsoft has been battling the warrant since 29 August, when it refused to hand over to the US government a customer’s emails that are stored on servers in a Dublin data center.
This has been a closely watched case that will turn on the question of who owns data stored in the cloud.
It all began with a narcotics trafficking investigation.
In December 2013, the government came to Microsoft bearing warrants for the emails, but the question of whether those warrants are valid outside the US has turned this into a bellwether case.
Microsoft’s counsel has maintained that the US Constitution’s Fourth Amendment provides “full legal protections” to customers’ emails stored in the cloud and that while the US did have a warrant, “well-established case law” holds that such search warrants can’t reach beyond US shores.
The government lawyers have resisted this argument, claiming that email stored in the cloud cease to belong exclusively to us, becoming instead the business records of a cloud provider.
Because business records have a lower level of legal protection than personal records, the government claims that it can use its broader authority to reach emails stored anywhere in the world.
US District Judge Loretta Preska has agreed with the government, ruling that the information’s location doesn’t matter:
It is a question of control, not a question of the location of that information.
In September, Microsoft and the US government agreed that the company would be held in contempt for its lack of compliance with the warrant but that it wouldn’t be fined or punished, pending its appeal.
Not surprisingly, other tech companies – Apple, AT&T, Cisco and Verizon – have sided with Microsoft.
Verizon has said that if the US prevails in this case, it would produce “dramatic conflict with foreign data protection laws.”
Apple and Cisco have also come out against the government, saying that the tech sector runs the risk of being sanctioned by foreign governments and that the US should instead seek cooperation with foreign nations via treaties: a position the US has deemed impractical.
The Department of Justice has responded that global jurisdiction is necessary in an age when “electronic communications are used extensively by criminals of all types in the United States and abroad, from fraudsters to hackers to drug dealers, in furtherance of violations of US law.”
In its recent appeal, filed on Monday, Microsoft suggests that if the shoe were indeed on the other foot and Germany got its hands on data in the US, the US Secretary of State would “fume”, outraged over the decision to bypass existing formal procedures that the European Union and the US have set up to ensure bilateral cooperation.
Germany could then claim that it’s got a warrant, and that none of its police had stepped foot in the US, as the DoJ is now trying to do with its demand for data stored in Ireland:
Germany's Foreign Minister responds: "We did not conduct an extraterritorial search - in fact we didn't search anything at all. No German officer ever set foot in the United States. The Stadtpolizei merely ordered a German company to produce its own business records, which were in its own possession, custody, and control. The American reporter's privacy interests were fully protected, because the Stadtpolizei secured a warrant from a neutral magistrate."
Brad Smith, Microsoft Executive Vice President and General Counsel, on Monday said in a post that if the US prevails in this case, it can’t complain if foreign agents pull the same maneuver on US tech companies, forcing them to download emails stored on US soil.
It’s a question that the DoJ “hasn’t yet addressed,” he said, “much less answered.”
But, Smith continued, it boils down to the Golden Rule: Do to others as you would have them do to you – not just in human interaction, but in international relations.
Image of US flag and servers courtesy of Shutterstock.
“But, Smith continued, it boils down to the Golden Rule: Do to others as you would have them do to you – not just in human interaction, but in international relations.”
Well, one doesn’t need to be a genius to understand that, historically speaking, this is exactly the thing that the U.S. govt. has a problem with, and when people in faraway lands finally get get p***** off at U.S. arrogance, the U.S. govt. calls those people “terrorists”.
Someone once quipped that “the U.S. doesn’t have a foreign policy, they have a domestic policy with global implications.”
The outcome of this case will have a big impact on EU business for US corporations. If the US insists that doing business with a US company removes your protections from local laws, then many in the EU will start looking for European alternatives for their cloud needs.
Could the world work if every nation insisted it had world-wide jurisdiction? No! Who made the US king of the world? NO ONE!
The hubris in this claim is staggering.
The outcome of this case will have a big impact on US government business as well.
Supposing that they are successful and wrestle the information from Microsoft, what’s to say that Microsoft doesn’t “backlash” by canceling support and future services to them? How many U.S. agencies have droves of PC’s/networks using MS products? Outlook, Excel, Access, Word, Windows, etc…
Some “people” just don’t know what fights to back down from. Maybe that is just what needs to happen though.
I (and many across the world) would laugh as the US “sues” MS, and MS turns around making them have to pay billions to acquire new software, transfer all information & services, train everyone on the new software, etc… And that is only -if- another company is willing to submit to their demands. If they can’t find a supplier, they would need to create another billion-dollar branch of government to develop and maintain their own software products.
As long as the servers aren’t Micro$oft, USA is safe.
If Microsoft loose the case, then the EU data protection people should seize the Irish data centre in question, and cut it’s internet link to prevent a crime in progress, and only let Microsoft have it back if they transfer ownership it to another company that is not under US jurisdiction.
That way even if the US government win the case, they still get nothing, and if they still want the records, they will have to go to an Irish judge like they should have done in the first place.
Loosing the data centre would be an expensive slap in the face for Microsoft, which is unfortunate seeing as they have been fighting on the side of good in this case, but as they say, if you cannot operate your business while complying with all applicable laws, you cannot be in business.