In December 2013, U.S. federal agents served a search warrant on Microsoft’s U.S. headquarters requiring the firm to search for a customer’s private emails, copy them, and hand them over. This type of warrant is usually a routine matter, but in this case there is an added twist: The emails sought are located on a server in Dublin, Ireland. In addition to clearly being located outside the U.S., they are protected by both Irish and European privacy laws.
The U.S. Justice Department’s position appears to be that the location of the data is irrelevant and that U.S. courts have the power to order a company located in the U.S. to execute a search in a foreign country even if it violates the laws of the country in which the data is located. Instead of respecting Irish sovereignty and requesting assistance through appropriate law enforcement channels, the Justice Department is simply demanding that Microsoft provide the data.
In a recent brief to the United States Court of Appeals (https://www.documentcloud.org/documents/1376674-microsoft-brief-to-appeals-court.html), Microsoft puts the U.S. Government’s absurd position into context:
“Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter’s box with a master key, rummage through it, and fax the private letters to the Stadtpolizei. … The letters the reporter placed in a safe deposit box in Manhattan are her private correspondence, not the bank’s business records. The seizure of that private correspondence pursuant to a warrant is a law enforcement seizure by a foreign government, executed in the United States, even if it is effected by a private party whom the government has conscripted to act on its behalf. This case presents a digital version of the same scenario, but the shoe is on the other foot.”
Clearly, this scenario would be completely unacceptable to the United States, as it should be to any government.
In their brief, Microsoft argues that the search occurs where the email is located: “the Supreme Court applied these same principles to a search of electronic data in the cloud. It observed that ‘cloud computing is the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself.’ When the police access that information from a smartphone on the street ‘at the tap of a screen,’ the search occurs on the ‘remote server,’ not on the street.”
Executing this warrant would effect an American law enforcement search and seizure in Ireland in violation of international law norms as well as Irish sovereignty. As if that isn’t bad enough, the U.S. Government also needs to consider the economic damage to U.S. firms.
In addition to potential fines and other sanctions for the violation of foreign data protection laws, extending the reach of U.S. law enforcement to data held in other countries will make it increasingly difficult for U.S.-based multinational service providers to meet the security and privacy obligations of their foreign customers. The result will be lower revenues as international customers shift their business away from providers with physical ties to the United States.
This impact will be strongly felt in the area of cloud computing because customers have their own compliance obligations. For example, a German company may purchase cloud computing services from Amazon Web Services and build their service in Amazon’s Frankfurt data centre to comply with German law. However, if the U.S. Government is able to order Amazon to provide a copy of data from Frankfurt without proper authority from the German courts, it places both Amazon and their German customer in an untenable position. The only winners in this scenario will be service providers that operate in more favourable jurisdictions or who limit their operations to one country.
Meeting security, privacy, and compliance obligations is increasingly complex for organizations operating in multiple jurisdictions. Forcing corporations to conduct American law enforcement operations abroad in violation of local laws and national sovereignty is unconscionable.
If Microsoft loses this appeal, it will place all service providers with physical ties to the United States in direct conflict with foreign data protection laws, and if other governments follow suit, the result will be jurisdictional chaos.