Microsoft Fights Search Warrants for Overseas Emails in the Supreme Court (microsoft.com) 68
Microsoft's Chief Legal Officer writes about "the landmark Microsoft case that will decide whether the U.S. government can use a search warrant to force a company to seize a customer's private emails stored in Ireland and import them to the United States."
On Thursday, 289 different groups and individuals from 37 countries signed 23 different legal briefs supporting Microsoft's position that Congress never gave law enforcement the power to ignore treaties and breach Ireland's sovereignty in this way. How could it? The government relies on a law that was enacted in 1986, before anyone conceived of cloud computing... When the U.S. government requires a tech company to execute a warrant for emails stored overseas, the provider must search a foreign datacenter and make a copy abroad, and then import that copy to the United States. This creates a complex issue with huge international consequences. It shouldn't be resolved by taking the law to a place it was never intended to go...
The U.S. Department of Justice's attempt to seize foreign customers' emails from other countries ignores borders, treaties and international law, as well as the laws those countries have in place to protect the privacy of their own citizens... It's also a path that will lead to the doorsteps of American homes by putting the privacy of U.S. citizens' emails at risk. If the U.S. government obtains the power to search and seize foreign citizens' private communications physically stored in other countries, it will invite other governments to do the same thing. If we ignore other countries' laws, how can we demand that they respect our laws?
Amicus briefs supporting Microsoft have been filed in the U.S. Supreme Court by Ireland, France, and the European Commission and European privacy regulators. Microsoft even notes that on this issue, "Fox News agreed with the American Civil Liberties Union."
The U.S. Department of Justice's attempt to seize foreign customers' emails from other countries ignores borders, treaties and international law, as well as the laws those countries have in place to protect the privacy of their own citizens... It's also a path that will lead to the doorsteps of American homes by putting the privacy of U.S. citizens' emails at risk. If the U.S. government obtains the power to search and seize foreign citizens' private communications physically stored in other countries, it will invite other governments to do the same thing. If we ignore other countries' laws, how can we demand that they respect our laws?
Amicus briefs supporting Microsoft have been filed in the U.S. Supreme Court by Ireland, France, and the European Commission and European privacy regulators. Microsoft even notes that on this issue, "Fox News agreed with the American Civil Liberties Union."
Force the company != force the individuals (Score:5, Interesting)
The servers are located in Ireland in a data centre staffed by Irish people (or who, at least, live there). Will these people obey an order from a court in the USA and risk the wrath of the court in Dublin ? I would not if I were one of them. I do not know what control Microsoft (USA) has over servers in its Irish data centre, but generally the guy who can touch the machine is the one who makes the final decision; and him, being fearful of the Dublin court, could easily restrict access to anyone outside of their data centre.
No matter what the court in the USA decides, what will happen in reality will be interesting to see.
Re:Force the company != force the individuals (Score:5, Informative)
This is not a matter of an American-issued search warrant delivered to person or persons of name, as in individuals.
Microsoft obviously has a pathway to the data in Ireland and there are no gatekeepers blocking that path, at this time.
At issue is custodianship vs ownership vs jurisdiction, and it ain't easy.
This is problem has already been addressed in the case offshore banking.
I think that's where SCOTUS will take this.
Re: Force the company != force the individuals (Score:2)
God invented alcohol to prevent the Irish from ruling the world, as it so nicely says in a bar in temple bar...
Re:Force the company != force the individuals (Score:4, Informative)
The claim that something is being "imported" from Ireland to the U.S. is rubbish. The claim that this somehow violates Ireland/EU law is absurd, unless you are arguing that a person sitting at a computer in the U.S. is somehow bound by the laws of a foreign country.
Strange you should say that. The U.S. claims exactly that in the case of Gary McKinnon who hacked U.S. computers with off the shelf software. They were trying to extradite him with threats of 70 years hard time in a maximum security prison for his actions in the U.K..
Then there is the case of Dmitry Sklyarov who wrote software in Russia for his employer that was strictly legal but was arrested in the U.S. and charged for his employers sales of it to Americans. Skylarov was not in the U.S. when he wrote the program and had nothing to do with the distribution. Yet he was arrested.
How about Kim Dotcom? Again his breaking of American laws was entirely outside the U.S. but that hasn't stopped the U.S. legal system from persecuting him.
So yes the U.S. has repeatedly claimed computer "crimes" perpetuated by people outside the U.S. are punishable by the U.S.. So why shouldn't other countries do the same to Americans?
Re: (Score:2)
That MS employee in the US accessing data in Ireland could be charged in Ireland. The correct method is get a warrant where the thing is. This is a power grab, in effect will the laws be the least restrictive of where anybody physical is that can access the data, suddenly taking a vacation changes the laws that cover a piece of data?
Re: (Score:2)
This is a deliberate mis-stating of the issue.
Right now, a Microsoft employee, sitting at a computer located in the U.S., can access those servers and find the information that is being requested. This is done every day as a matter of routine operation, by Microsoft and every other company that has operations in multiple countries.
True, but today. What if the Irish court say that remote access were not to be allowed without agreement of the Dublin court (or whatever) - on the grounds that Microsoft USA was untrusted and that the data in Ireland had to be protected ? I assume that those who control the Irish data centres would have to restrict remote access over the internal Microsoft VPN from elsewhere. Thus Microsoft USA would be locked out or part of its network. What would the USA do ... it could order that Microsoft USA produce u
Sorry, MS has the statement of facts correct (Score:2)
Regrettably, the courts are aware of the "incidental" creation of copies in each location, as entered into evidence in suits about copyright and copies. They know full well that there is a copy made in RAM in Ireland, then another in the US, then the final copy on the printer in the US, the place where the data is wanted.
If I request a web page from a site in the EU, I don't have to obey EU law, but the server administrator in the EU does. If the EU says "No foreigners may see this", then he can't serve i
Re: (Score:3)
The claim that this somehow violates Ireland/EU law is absurd, unless you are arguing that a person sitting at a computer in the U.S. is somehow bound by the laws of a foreign country.
Uh yes? If you hack an Irish server it's most definitively a crime in Ireland. Same if you plan and direct an IRA bombing from abroad, being physically present has never been a requirement. Sure enforcement can be tricky if they refuse to extradite, but that's just a practical problem.
This is a deliberate mis-stating of the issue. Right now, a Microsoft employee, sitting at a computer located in the U.S., can access those servers and find the information that is being requested.
Technical capability and legal permission are not the same. For example we've had doctors and nurses criminally prosecuted for snooping on journals of patients they had no business reading, that they're capable of copying this
Re: (Score:2)
IANAL, but I'd say most European businesses would not be able to use US-owned providers *at all* if this goes ahead. EU law would need special exceptions for US access to EU data, which I suspect just ain't gonna happen.
Even if I'm wrong about all this, it's a great opportunity for EU-based hosting providers to scoop up some big contracts from people hitherto using US owned providers. Be careful what you wish for...
Re: (Score:2)
Authoritarianism > business interests
business interests > citizen interests
Re: Force the company != force the individuals (Score:2)
Re: (Score:2)
I think it's a bit disingenuous to say "the guy that can touch the machine" is the one who makes final decisions. That's certainly not the case in all the companies I've worked for: the guy accepts what management tells him. If he doesn't, he will be replaced by someone that does. No organization (no matter how enlightened) gives the IT dudes the final authority over who gets access to what systems.
"Hey Bob, did you get a SCM account?"
"No, I cut off the sysadmin for that system in the parking lot and my bos
Re: (Score:2)
Perhaps another country can try it. (Score:3)
Lodge a warrant with the local MS subsidiary for some data stored on MS USA server/s, and see what happens. Put the shoe on the other foor and see how the USA DoJ reacts.
Re: (Score:2)
I think we all know exactly what would happen.
According to the US, national sovereignty is a one way street.
Ignoring Borders? (Score:1)
Curious that "ignoring borders" is exactly the issue at present, when the US Government has exhausted its spending authority. The Republicans think that borders mean something and that illegal aliens should go home, while the Democrats apparently feel that there are no borders to the United States that anybody is obliged to respect. Europe has been having similar problems over the last year or so.
Re: (Score:2)
It's not about borders but the jurisdictions operating within them. The EU has very strong data protection laws, the US does not.
Re: They're going to lose (Score:5, Interesting)
In a case like this, the certificate necessary to access said email would long have been revoked, and only with a formal request to the Attorney General and the Data Protection agency of Ireland, the U.S. prosecution would be able to get a new one granting access to the email they want.
ACLU and Fox News agreeing is the end of times (Score:1)
I can understand that DoJ is required to make the request/filing, but I do not believe even many of their own lawyers actually think winning would be a good thing. When the ACLU and Fox News both agree the DoJ winning would be bad, you can pretty much take that to the bank. The only interesting question is how narrow the ruling will be.
The reality is... (Score:2)
Re: (Score:1)
This is factually incorrect. International treaties are on aa par with acts of Congress, and neither supersede nor are superseded by Federal United States law - see, e.g., Reid v Covert [wikipedia.org] 354 US 1 (1958).
There are already legal ways (Score:2)
Re: (Score:2)
Nobody smart noticed all that data moving around from a big brand back to the gov/mil?
The big brands even helped decrypt so the gov could get plain text.
Re: (Score:2)
Scene: The trial of an oil or financial company (Score:2)
Prosecutor: The defendant has not turned over emails between their executives discussion the probability of an (oil leak) (fiscal collapse) (other bad thing).
Judge: Why not?
Defendant: Those emails are not stored in this country.
Judge: Which country are they stored in?
Defendant: Please refer to the statement from EvilCO IT explaining that our emails are stored in a database that is then sharded across all our subsidiaries around the world.
Judge: And you need the pieces, the shards, from all the countries to
Re: (Score:2)
Judge (daydreaming): Bailiff, please tase this lawyer in the balls repeatedly until he stop this bullshit.
I think you mean:
Judge (daydreaming): Bailiff, whack his pee-pee! [youtube.com]
Re: (Score:2)
The key difference here is that they're not after Microsoft's data; they're after data belonging to a Microsoft customer who is not a US citizen who has probably never physically been on US territory.
Re: (Score:2)
That is a difference. I don't see how it's a key difference who holds the record.
In the bank/oil-co/bad-guy example, does using a 3rd party IT department instead of in-house change things? Or any number of intermediaries can be added: Oil company contracts ITCorpUS, ITCorpUS has a subsidiary in Ireland, Ireland has a subsidiary in Cook Islands ....
Re: (Score:2)
The difference is that the bad company has a legal presence in the US, so US courts can demand company documents in some circumstances. Wherever the company has stored the documents, if the company is able to retrieved the documents itself then it can be compelled to retrieve them for a court. In this case the documents don't belong to a US company, they belong to an entity with no presence in the US.
What if the this case was about a US bank which operated safety deposit boxes in Ireland? Can a US court
Re: (Score:2)
No matter what the contractual or physical arrangements, I can't, from here. open a safety deposit box in Ireland. I'd have to go there or have someone do it for me. If I'm there, I'm subject to Irish law, and if I employ someone to do it they're subject also. A US court could order me to provide the contents of the box, but I might not be able to comply.
However, I may be able to access data in Ireland without anyone in Ireland doing anything to help me. From where I'm sitting, I'm not actually subje
Re: (Score:2)
I meant, imagine you are an Irish citizen who has never left Ireland but you have documents in your bank's safety deposit boxes in Ireland. Do you think a US court should be able to force that bank to produce copies of those documents without even telling you about it? It doesn't even need to be a US bank, just a bank with a legal presence in the US so the courts have access to company officers in the US. See how this is different from the court requiring access to bank documents stored in Ireland?
And th
Re: (Score:2)
Right, but this isn't the same thing. I was trying to point out that nobody in the US has direct access to an Irish safe deposit box, but that Microsoft apparently has direct access to data in Irish servers. It is possible for people in the US to access data overseas, but not physical objects.
A US court can't order people in Ireland around. It can issue orders to people in the US. It can tell people in the US to say things to people in Ireland, but those people are going to be subject to Irish courts
Re: (Score:1)
Should read: "Defendant: I'm not aware of a sysadmin in a subsidiary refusing to create an account for their local shards to an employee authorized by corporate; but they know what's going on and I would expect a refusal this time."
Fuck Them (Score:1)
Re: (Score:2)
If it did, it would be in breach of most of the data protection laws in the EU.
They are either data processors (which would be very difficult to organise legally across international boundaries) or not (in which case they shouldn't have access to the unencrypted data at all).
EU laws are much more strict in this, and I can't process any data for my employer outside the EU. Hence things like SurveyMonkey, etc. are off-limits as they are hosted in the US.
Sigh. (Score:2)
Fail to comply: Get sued in the US.
Comply: Get sued by all the other countries.
There's a reason that we have jurisdictions.
Pretty much, even allowing the CAPABILITY for non-EU personnel to access EU data is an offence, which is why the EU side of Microsoft (an entirely different legal entity) cannot allow it to happen without an EU court order, cannot provide credentials that could make it happen, and cannot be seen to assist in any way, shape or form.
And technically, because the Microsoft US entity doesn'