Yottabytes: Storage and Disaster Recovery

Mar 27 2018   10:23PM GMT

CLOUD Act Ends Microsoft Ireland Supreme Court Case

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

Tags:
Microsoft
privacy
Security

Oh hey. You know that Microsoft Ireland Supreme Court case?

Never mind.

In case you forgot, the case, which started in 2014, involved whether Microsoft must release data stored on one of its servers to a U.S. government agency, even though the data in question is outside the U.S. In January 2017, the Second Circuit Court of Appeals denied a rehearing of the case, which left the Supreme Court as the only option. At the very last minute – and after two extensions – the Department of Justice decided in June to go for it, and in October the Supreme Court agreed to hear the case. (Here’s a good description of it.)

The Supreme Court heard arguments on the case in February, and the consensus was actually that things didn’t necessarily look so good for Microsoft, but we would find out by June.

Which brings us to now. It’s been suggested all along that the proper way to address the situation would be to have Congress deal with it, and that’s just what happened. Legislation to update the Stored Communications Act and explicitly declare how the U.S. and foreign countries were to look at the data that each has about the other’s citizens was developed in February, cutely called the Clarifying Lawful Overseas Use of Data (CLOUD) Act. As it turns out, it was snuck into the omnibus spending bill that President Donald Trump signed on March 23.

Whether that’s a good thing depends on whom you ask.

The technology companies that have all been submitting amicus briefs on this case – Google/Alphabet, Apple, Facebook, and Oath, as well as Microsoft itself – said they were happy.

“The proposed CLOUD Act creates a modern legal framework for how law enforcement agencies can access data across borders,” writes Microsoft president Brad Smith, in a blog post. “It’s a strong statute and a good compromise that reflects recent bipartisan support in both chambers of Congress, as well as support from the Department of Justice, the White House, the National Association of Attorneys General and a broad cross section of technology companies. It also responds directly to the needs of foreign governments frustrated about their inability to investigate crimes in their own countries. The CLOUD Act addresses all of this, while ensuring appropriate protections for privacy and human rights. And it gives tech companies like Microsoft the ability to stand up for the privacy rights of our customers around the world.”

In particular, the law helps clarify what happens when a foreign government tries to get data about a foreign person from the same country who is in the U.S. “Partner governments can, pursuant to a long list of qualifications, directly request data of non-U.S. persons from U.S.-based providers without going through the [Mutual Legal Assistance] process,” write attorneys Jennifer Daskal and Peter Swire in Lawfare. “If the foreign government wants to request the data of a U.S. citizen or resident, it still needs to employ the MLA system.” This was an issue because, increasingly, foreign governments were demanding that data about their citizens needed to be stored in their country, because they didn’t want to have to deal with the U.S. court system to get it, they write.

On the other hand, the civil liberties organizations that have also been submitting briefs, such as the American Civil Liberties Union and the Electronic Frontier Foundation, are not happy.

“First, it empowers U.S. law enforcement to grab data stored anywhere in the world, without following foreign data privacy rules,” writes David Ruiz of the Electronic Frontier Foundation. “Second, it empowers the president to unilaterally enter executive agreements with any nation on earth, even known human rights abusers. Under such executive agreements, foreign law enforcement officials could grab data stored in the United States, directly from U.S. companies, without following U.S. privacy rules like the Fourth Amendment, so long as the foreign police are not targeting a U.S. person or a person in the United States.”

In particular, the foreign country would then be able to seize the communication between the foreign person and U.S. people, and then be able to pass that data on to the U.S. government, Ruiz warns. “At no point need probable cause be shown. At no point need a search warrant be obtained.”

Pragmatically, the point can be made that 1) We likely weren’t going to get legislation that was much better, at least with this Administration and 2) If Microsoft lost the Supreme Court case, which is what it was looking like, then there wouldn’t be any protection at all. So to a certain extent it seems like it’s, at least, better than nothing. To what degree this can be modified going forward isn’t clear.

It’s also not clear exactly what this means for the Supreme Court case. Do they just drop it? Will they get together and then say never mind? Or can they still issue a ruling? I guess we’ll see.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: