Microsoft wins email privacy battle against US government

shutterstock_370707185

Over the past few years, we’ve written several times about a ding-dong battle between Microsoft and the US Department of Justice (DoJ).

At the heart of the long-running legal wrangle is data, or more specifically, access to data.

It started in December 2013 with a US court order instructing Microsoft to hand over emails that were considered pertinent evidence in a narcotics investigation.

You might think that would be an uncomplicated request: a lawful US search warrant based on probable cause, issued in the US to a US company for a US investigation into alleged crimes committed in the US.

For all we know, there might have been technical reasons why Microsoft couldn’t have complied, such as end-to-end encryption making the data unintelligible, or data ageing policies meaning that it had already been deleted.

But Microsoft famously wouldn’t comply, digging its heels in and saying words to this effect: “The servers where that data is stored are in the Republic of Ireland, so a US warrant simply doesn’t apply.”

The US court wasn’t buying that, and Microsoft was formally found in contempt of court.

Ironically, the contempt ruling was a sort of peace-keeping arrangement agreed between Microsoft and the US government, described in the sort of prose that surely only the legal world could produce:

Microsoft has not fully complied with the Warrant, and […] does not intend to so comply while it in good faith seeks further review of this Court’s […] decision. While Microsoft continues to believe that a contempt order is not required to perfect an appeal, it agrees that the entry of an order of contempt would eliminate any jurisdictional issues on appeal. […] The parties further agree that contempt sanctions need not be imposed at this time.

In plain English, we think this means, “This battle isn’t over, so let’s formally agree we are disagreeing, go away and prepare for the next round, and defer any penalties until the whole thing’s wrapped up, one way or the other.”

Back to court

Fast forward to 2015, and Microsoft was back in court to revisit the matter.

You can see both sides.

On the DoJ’s side of the fence: Microsoft, headquartered in the US, should comply with US courts, and failing to do so would make a mockery of US warrants issued against US companies.

The servers were Microsoft’s; the customers were Microsoft’s; the warrant was Microsoft’s, so how hard could it be?

Just copy the relevant data back to the US and hand it over!

On Microsoft’s side: With contractual arrangements under Irish law in respect of these emails, to comply with the warrant would make a mockery of Irish sovereignty and EU data protection regulations.

The servers were in Ireland; the data was in Ireland; Irish and EU law applied, so how hard could it be?

Just put the warrant through the proper channels!

Fast forward to July 2016, and the US Appeals court has just decided that…

…US courts are not the proper channels in cases of this sort.

In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation.

[…]

We conclude that [the US] Stored Communications Act does not authorise courts to issue and enforce against US-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.

In legal terms, where one word never seems to be enough if there is room for two or even three, the warrant against Microsoft is “REVERSED, VACATED, and REMANDED.”

A privacy victory?

Privacy advocates were understandably concerned that the original decision against Microsoft could set a global precedent for what could be thought of as “privacy grabs.”

After all, if countries could insist on applying their own data security laws anywhere in the world, then the privacy terms offered by multinational companies could only ever be as strong as the weakest privacy laws out there.

Similarly, data-snooping requirements imposed on multinationals would end up as strict as the most represssive surveillance laws.

So, is this decision a victory for privacy?

Despite the definitive-sounding words of the Appeals Court, we have learned never to say never when computer security issues are concerned.

According to reports, the DoJ is disappointed by the decision, and is “reviewing its legal options.”

The next stop could be the US Supreme Court.


Image courtesy of StockStudio / Shutterstock.com