Yottabytes: Storage and Disaster Recovery

May 31 2014   6:14PM GMT

Judge to Microsoft: ‘All Your Data Are Belong to Us’

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

Tags:
Microsoft
privacy

We’ve written before about the notion of “data sovereignty,” or the issue of which country’s laws should govern data: Where it’s located? The nationality of the company that owns it? The nationality of the company that hosts it? These are questions that took on new significance in light of Edward Snowden and the revelations of NSA surveillance and which led companies in some countries to avoid having their data stored in the U.S.

A recent court decision has made the issue even more complicated and is putting U.S. companies in the position of trying to follow mutually exclusive laws from multiple countries.

In the case, Microsoft had received a U.S. government search warrant (we don’t know which agency; court records are all sealed) regarding data about one of its web-based email users. Microsoft ascertained that the data for that user was stored on a server in Dublin, Ireland, and said the U.S. didn’t have jurisdiction over that server. But Magistrate Judge James Francis, in the Southern District of New York, has ruled that Microsoft has to provide the data anyway.

“This was true for “traditional” warrants but not for those seeking online content, which are governed by federal law under the Stored Communications Act,” explains the BBC. “He said the warrant should be treated more like a subpoena for documents. Anyone issued with a subpoena by the US must provide the information sought, no matter where it was held, he said.” Francis also said, basically, that part of the reason for his ruling is that it would be too hard for the U.S. to negotiate with all those foreign countries.

So what makes this bad?

It means any company, worldwide, that uses a company with a U.S. presence to store its data — Microsoft, Google, Amazon, and so on — could find its data subject to U.S. laws. In some cases, these laws conflict with privacy and data protection laws in other countries.

If nothing else, non-U.S. companies that are concerned about this may be much less likely to use U.S. companies to store their data, which isn’t good for those companies’ business. “If the U.S. cloud industry was worried before about lack of confidence of foreign customers, this judgment just upped the ante very considerably,” Caspar Bowden, an independent privacy researcher, told the U.K. paper The Guardian.

“This startling ruling could have a significant impact on not only the use of free email services like Hotmail and Gmail, but also all cloud-based services like Office 365, Google Apps, and even cloud providers like Amazon,” agree three attorneys from Drinker Biddle & Reath LLP in a response published in the National Law Review.

What could be interesting — if by interesting we actually mean “scary and really bad” — is if other countries decide that, given this as a precedent, their various laws about data — such as the recent “right to be forgotten” — should also apply to the U.S. Ultimately, it could mean a hodgepodge of data control Balkanization that could result, as the saying goes, in the end of the Internet as we know it.

Microsoft, in particular, is screwed, legal experts conceded. Well, they didn’t say “screwed.” Being legal experts, they said it more nicely. “Microsoft appears to face the unpalatable choice of either breaching European data transfer laws or failing to comply with a US court order,” writes Rob Corbet, a partner at Arthur Cox, in Data Protection Ireland.

Microsoft said it intends to appeal the case and, in fact, indicated that it had expected to all along, just to get this issue decided. “When we filed this challenge we knew the path would need to start with a magistrate judge, and that we’d eventually have the opportunity to bring the issue to a U.S. district court judge and probably to a federal court of appeals,” writes David Howard, Microsoft’s corporate vice president and deputy general counsel. “This is the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States.”

7  Comments on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Callahandroid
    If in the interest of national security, all stored data must be made available. Although it gives federal agencies a wide-berth, I would rather err on the side of safety.
    30 pointsBadges:
    report
  • Beardba28
    Anyone with an understanding of this decision has to to say that this spells the end of cloud computing.
    20 pointsBadges:
    report
  • Sharon Fisher
    Yeah, it doesn't sound good. We'll need to see what happens with the appeal. 
    570 pointsBadges:
    report
  • Callahandroid
    a or sure. If you don't want it publicized, keep it at home. It is too bad. How about a "private-cloud"? Is there a way to lease space in a way that data is not subject to company scrutiny, or management , such as a "safety deposit cloud"?
    30 pointsBadges:
    report
  • Sharon Fisher
    I've mentioned before that we need a "Switzerland" for data. :)
    570 pointsBadges:
    report
  • RACLAPP
    I would order a health check of this Judge for advanced Senility.  In another country, then you HAVE TO play by their rules.  That is the whole basis of the legal concept of Sovereignty...
    10 pointsBadges:
    report
  • DStrangmeyer
    One question is - If you used the US postal system and mailed the data or mail (email) to another country for storage could the US courts demand the data and get it. Why doesn't the US law provide the same privacy to email that it provides to mail, especially if the email is encrypted. The storage privacy should apply even in the continental US.
    25 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: