Yottabytes: Storage and Disaster Recovery

Jul 20 2016   12:57PM GMT

Microsoft Wins One for the Data Privacy Team

Sharon Fisher Sharon Fisher Profile: Sharon Fisher


Is data owned by a company based in one country, but stored in another country, subject to seizure by warrant by the government of the first country? U.S. courts have been batting the issue back and forth since 2014, and the most recent verdict is that no, it isn’t.

The subject of the case (which has a lot of complex legal nuance) is Microsoft, which reportedly had email messages from one of its customers stored on a server in Ireland. The Department of Justice wanted access to those email messages while pursuing an unspecified case, claiming that since the email messages were controlled by Microsoft, an American country, the DoJ had jurisdiction over them even though they were stored in Ireland.

This scared people, for multiple reasons.

  • Because so many computer companies are American, it would mean an awful lot of data worldwide would be subject to access by the U.S. government.
  • Computer companies worried that worldwide customers would stop using them because they were afraid they’d get their data accessed.
  • Having the data subject to U.S. access could mean that the company – Microsoft in this case, but any company – could be violating data privacy laws in force at the second country. (For that reason, dozens of companies and civil liberties organizations – as well as the government of Ireland itself — filed amicus curiae briefs supporting Microsoft.)
  • If this precedent was set with the U.S., all the other countries in the world could declare that, in that case, all their data laws could apply to any company doing business in their countries, which could be an incredibly complicated, contradictory mess.

So, needless to say, everybody but the Department of Justice was pretty happy with the 3-0 decision by the 2nd U.S. Circuit Court of Appeals in Manhattan. “Circuit Judge Susan Carney said communications held by U.S. service providers on servers outside the United States are beyond the reach of domestic search warrants issued under the Stored Communications Act, a 1986 federal law,” writes Jonathan Stempel for Reuters. “Congress did not intend the SCA’s warrant provisions to apply extraterritorially,” Carney wrote in her decision. “The focus of those provisions is protection of a user’s privacy interests.”

For its part, the Department of Justice said that if users could stash their data overseas, it would make it hard for them to catch bad guys. While there were other methods that would give the U.S. government the ability to request the data stored in the foreign country, the DoJ said they are hard to do, Stampel writes.

For that matter, the new ruling – which applies only in the region served by the court — means a company could ostensibly choose to store data in a foreign country to keep it out of the hands of law enforcement, notes Peter Henning in the New York Times. “Imagine the possibility that a company might offer an email service — perhaps called ‘Crim Mail’ — guaranteeing users that their electronic files would be stored overseas,” he speculates. “It could even choose to put servers in a location that is notably hostile to the United States and that would welcome the chance to throw a wrench in law enforcement efforts. The company could charge a premium to have files maintained only in specified locations, making it almost impossible for investigators to ever gain access to them.” He called such a possibility far-fetched, though.

But hey! We’re not done! The Department of Justice could still appeal the appeal, as it were, which would send the issue to the U.S. Supreme Court.  “We are disappointed with the court’s decision and are considering our options,” said U.S. Department of Justice spokesman Peter Carr in a statement cited by Elizabeth Weise in USA Today, who went on to say that the government was expected to appeal.

What could happen there is anyone’s guess. First, we don’t actually know that much about the current court’s views on worldwide data sovereignty. Second, at the moment we have only eight Justices, meaning that if they have a tied decision, it would apply only to this single case, not as a precedent.  If a ninth Justice is appointed by then, who it is and what their views are will depend a lot on who gets elected President in November – not to mention which party ends up in control of the Senate, which has to approve any new Justices before they could be seated. Plus, if the current eight-member Court starts hearing testimony before the new Justice is seated, the new Justice still wouldn’t be able to rule on the case.

The appeals court judges suggested that what really needed to be done is for the U.S. government to write other laws to make it less complicated to request data stored in another country, while still giving that country sovereignty over the data stored within its borders.

“The case turned on how broadly a court can apply the Stored Communications Act, a law adopted in 1986 as part of the Electronic Communications Privacy Act to give a measure of protection to the then-nascent technology of email,” Henning writes.  “Like almost any 30-year-old law dealing with technology, it is hopelessly out of date because it has not been meaningfully updated by Congress to address how digital information is created and stored.”

Chances are, that too is also something that could come out very differently depending on who gets elected President. Another reason to vote in November.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: