Over the past few years, we’ve written several times about a ding-dong battle between Microsoft and the US Department of Justice (DoJ).
At the heart of the long-running legal wrangle is data, or more specifically, access to data.
It started in December 2013 with a US court order instructing Microsoft to hand over emails that were considered pertinent evidence in a narcotics investigation.
You might think that would be an uncomplicated request: a lawful US search warrant based on probable cause, issued in the US to a US company for a US investigation into alleged crimes committed in the US.
For all we know, there might have been technical reasons why Microsoft couldn’t have complied, such as end-to-end encryption making the data unintelligible, or data ageing policies meaning that it had already been deleted.
But Microsoft famously wouldn’t comply, digging its heels in and saying words to this effect: “The servers where that data is stored are in the Republic of Ireland, so a US warrant simply doesn’t apply.”
The US court wasn’t buying that, and Microsoft was formally found in contempt of court.
Ironically, the contempt ruling was a sort of peace-keeping arrangement agreed between Microsoft and the US government, described in the sort of prose that surely only the legal world could produce:
Microsoft has not fully complied with the Warrant, and […] does not intend to so comply while it in good faith seeks further review of this Court’s […] decision. While Microsoft continues to believe that a contempt order is not required to perfect an appeal, it agrees that the entry of an order of contempt would eliminate any jurisdictional issues on appeal. […] The parties further agree that contempt sanctions need not be imposed at this time.
In plain English, we think this means, “This battle isn’t over, so let’s formally agree we are disagreeing, go away and prepare for the next round, and defer any penalties until the whole thing’s wrapped up, one way or the other.”
Back to court
Fast forward to 2015, and Microsoft was back in court to revisit the matter.
You can see both sides.
On the DoJ’s side of the fence: Microsoft, headquartered in the US, should comply with US courts, and failing to do so would make a mockery of US warrants issued against US companies.
The servers were Microsoft’s; the customers were Microsoft’s; the warrant was Microsoft’s, so how hard could it be?
Just copy the relevant data back to the US and hand it over!
On Microsoft’s side: With contractual arrangements under Irish law in respect of these emails, to comply with the warrant would make a mockery of Irish sovereignty and EU data protection regulations.
The servers were in Ireland; the data was in Ireland; Irish and EU law applied, so how hard could it be?
Just put the warrant through the proper channels!
Fast forward to July 2016, and the US Appeals court has just decided that…
…US courts are not the proper channels in cases of this sort.
In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation.
[…]
We conclude that [the US] Stored Communications Act does not authorise courts to issue and enforce against US-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.
In legal terms, where one word never seems to be enough if there is room for two or even three, the warrant against Microsoft is “REVERSED, VACATED, and REMANDED.”
A privacy victory?
Privacy advocates were understandably concerned that the original decision against Microsoft could set a global precedent for what could be thought of as “privacy grabs.”
After all, if countries could insist on applying their own data security laws anywhere in the world, then the privacy terms offered by multinational companies could only ever be as strong as the weakest privacy laws out there.
Similarly, data-snooping requirements imposed on multinationals would end up as strict as the most represssive surveillance laws.
So, is this decision a victory for privacy?
Despite the definitive-sounding words of the Appeals Court, we have learned never to say never when computer security issues are concerned.
According to reports, the DoJ is disappointed by the decision, and is “reviewing its legal options.”
The next stop could be the US Supreme Court.
Image courtesy of StockStudio / Shutterstock.com
Han
So if the “server and data” are stored in “any” other country does that make any company in any industry that operates in the U.S.in the same situation? If GM or Ford decide to store all “records” in the Bahamas do they now have Bahamian sovereignty? Or what about multi country storage options. Is Ireland the new Luxembourg or Switzerland for storage of data instead of corporate registration or numbered bank accounts? I am wondering at this point if Microsoft complies with the EU’s more stringent privacy rights laws etc for US customers/citizens? RE: wouldn’t a US consumer have the right to file suit against Microsoft for non compliance of EU privacy and “op out” laws that totally “erase” the personal data that Microsoft keeps when one decides to “unsubscribe”?
Paul Ducklin
AFAIK, if the data had been approached via the Irish authorities, they’d have played ball, subject to Irish and EU procedures. In other words, if the Irish courts agreed thare was a legally-valid reason to issue a search warrant (or whatever the correct term is when it’s data to be extracted from a database), they would have done so. I am pretty sure the Irish said as much, but in the end were never asked.
Part of Microsoft’s argument seems to have been that if this were about bank funds outside the US, a US court could require the local bank to produce transaction records, but any court order seizing assets from an overseas branch would have no authority overseas. Same story with physical searches. Imagine you lived in the US, and the Gardai (Irish cops) showed up with an Irish search warrant and demanded entry to your house. Would you let them in? Or would you politely ask them to go away and come back with US cops bearing a warrant issued by a US court, in accordance with US laws relating to search and seizure?
jkwilborn
Seems to me, that local laws would have to be used. I don’t use some sites because they store their data ‘world wide’. I don’t know who to protect. I’m in the US, so we are pretty behind in privacy or any protection laws for the people compared to the EU.
I did read that some EU countries don’t allow their data to be stored or routed through the US because of our draconian laws associated with data and people. It would be nice to know.
It won’t be long before everything is encrypted, so it won’t be an option. Even if the US makes it only in a ‘backdoor’ model, we will sell nothing. It also brings up the question about building my Linux box with an encrypted disk, no back door. Now am I a criminal?
Thanks good article.
Jack
Jim
I can’t believe the Justice Department missed this: If the data was EVER in the US, then it is covered by US law. It makes no difference where it is NOW, what matters is where it was when the crime was alleged to have been committed.
In fact, Microsoft could be charged as an accessory after the fact for moving the data offshore, if they did so knowingly (which would include any movement designed to remove the data from US soil for purposes of avoiding warrants).
Paul Ducklin
Microsoft didn’t do what you are suggesting, as far as I am aware. The servers were outside the US when the data was first stored, simple as that.
Jim
It doesn’t matter where the data was first STORED. It matters where the data first EXISTED.
I’ll admit it’s a novel legal theory, but I can’t think of any loopholes in US law or the Constitution that would counter it. I’m sure some enterprising lawyers would, but my guess is that it would be an uphill battle for them.
However, it might not be Microsoft that’s on the hook for it. It depends on how the data got from point A to point B.
For a non-data example, if I kidnap someone in Minnesota and drive them to Wisconsin, I’ve violated laws in both states and at the Federal level. It doesn’t matter if I never (willingly) go back to Minnesota. I’m still guilty in all three jurisdictions.
Probably the biggest problem with my theory is that nobody really knows how specific data gets from Point A to Point B. It’s only while traveling or in storage in any jurisdiction that that jurisdiction has authority over it.
Anyhow, if Microsoft has servers in the US, then if that data ever passed through them, they’re on the hook. Proving it did would be another matter.
Paul Ducklin
Looks like the DoJ never thought of that.
Anyway, my understanding is that the data didn’t “pass through Microsoft’s servers in the US,” and even if it did, that wouldn’t imbue a US court warrant with magic powers overseas. This isn’t about Microsoft being punished in the US for allowing the data to be uploaded in the first place from the US to Ireland for storage by its Irish subdidiary. It’s about whether US court orders apply in Ireland specifically, and the EU in general, and thus whether the warrant was issued in the right jurisdiction.
Jim
Agreed: no warrant will get the actual data.
BUT, if MS’s intent was to put the data offshore for the purpose of avoiding US warrants, then they are accessories-after-the-fact. Proving that intent could be difficult, but ….