Slashdot Mirror
American Judge Claims Jurisdiction Over Data Stored In Other Countries
New submitter sim2com writes: "An American judge has just added another reason why foreign (non-American) companies should avoid using American Internet service companies. The judge ruled that search warrants for customer email and other content must be turned over, even when that data is stored on servers in other countries. The ruling came out of a case in which U.S. law enforcement was demanding data from Microsoft's servers in Dublin, Ireland. Microsoft fought back, saying, 'A U.S. prosecutor cannot obtain a U.S. warrant to search someone's home located in another country, just as another country's prosecutor cannot obtain a court order in her home country to conduct a search in the United States. We think the same rules should apply in the online world, but the government disagrees.'
If this ruling stands, foreign governments will not be happy about having their legal jurisdiction trespassed by American courts that force American companies to turn over customers' data stored in their countries. The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage? This is a matter that has to be decided by International treaties. While we're at it, let's try to establish an International cyber law enforcement system. In the meantime."
If this ruling stands, foreign governments will not be happy about having their legal jurisdiction trespassed by American courts that force American companies to turn over customers' data stored in their countries. The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage? This is a matter that has to be decided by International treaties. While we're at it, let's try to establish an International cyber law enforcement system. In the meantime."
I think the fact that it's an American company being ordered to produce the data factors in here. The judge does have jurisdiction over the company, which makes it a different situation from ordering a company in another country to turn over data stored there. If you want to get out of a country's legal jurisdiction, you need to be out of their jurisdiction.
U.S has no legal jurisdiction in other countries. This verdict is meaningless. Just watch other nations laugh this off.
The problem is that most of the large computer and internet companies are American. I can think of two solutions. 1) Governments set up their own sovereign companies to duplicate the US companies services 2) The large US companies (who appear not to like this ruling) could establish foreign owned subsidiaries in those countries.
The judge said that the warrant served on Microsoft is valid, meaning that Microsoft, which has control of the servers in Dublin, can be required to use its access to its own servers to turn over information within its control. Nothing Earth-shattering here.
The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage?
There are myriad of such questions. But the answer is always the same, "whatever is in the best interests of the richer guy".
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage?
There are myriad of such questions. But the answer is always the same, "whatever is in the best interests of the richer guy".
You are wrong. The richer guy is Microsoft in this case and the richer guy is being told to hand over his overseas data.
The last paragraph notes that email warrants are typically treated like subpoenas. Given that the U.S. have coordinated with local law enforcement before (Kim Dotcom), why would the increased overhead significantly hinder investigations? At a minimum, fishing expeditions would be minimized, so I see no reason for the distinction to continue. This would make for an interesting SCOTUS decision if it gets to that point.
Maybe this will end up requiring that the data stays in the U.S., complicating off-shoring.
With apologies to various political hacks in the judiciary, corporations are not people, and this is one of many examples why, If I had a house in Ireland, and the US wanted something in it, they couldn't do much about it legally without going through the proper legal channels (e.g., applying to an Irish judge), especially if I was also residing in Ireland. Companies reside in the countries they do business in, which means they are located anywhere and everywhere, and subject to the laws of all of those countries, especially the nation that they are incorporated in.
So, this is not surprising at all. I bet, too, that if Microsoft had some paper documentation relevant to this case , and those papers were in Ireland, the judge could order Microsoft to turn that over too.
The problem is that most of the large computer and internet companies are American. I can think of two solutions. 1) Governments set up their own sovereign companies to duplicate the US companies services 2) The large US companies (who appear not to like this ruling) could establish foreign owned subsidiaries in those countries.
That model works for China ... what could go wrong other than control of your products, technology and intellectual property?
Looks like the court is saying that US companies have to spin off separate companies to exist in markets that require that sensitive data stay within the country/region.
Combine this with actively subverting security of US based products and it sounds like internet based companies need to be run and hosted outside the US.
Apparently our government is entirely staffed by people who completely missed the point of King Solomon's cut the baby in half ruling.
EU law already makes it illegal to pass "personal data" to any location which lacks the protections available in Europe. The so-called Safe Harbor provisions apply for te US situation, but everyone who understands the EU law knows that the Safe Harbor arrangements are just smoke and mirrors - they afford precisely no protection at all - they exist to enable EU companies to export data to the US while claiming they have complied wth the law.
"Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
With apologies to various political hacks in the judiciary, corporations are not people ...
Actually the U.S. Supreme Court did *not* say that corporations are people. What the court actually said is that *groups of people* have the same rights as individual people, and that the nature of that group -- corporation, labor union, activist group, etc -- does not matter.
I apologize of actually reading the court decision rather than relying on the characterization of it by the talking heads on TV.
Hey American judge! Don't tread on me! Your jurisdiction ends at the border. You can request, and if there is a treaty we will try to oblige (given equal reciprocity). But demand? That's a guns/shooting/go-fuck-yourself sort of thing. Where the data is stored is where the data is. If the judge tries to pull this kind of crap, then at the very least expect cloud services migrating to non-American companies. Oh, and the rule is: if an American Judge demands things from people in other countries, the letterhead might be impressive, but it can be treated like a request from a Nigerian socialite trying to liberate billions and only needing a few bucks from you: round file.
How does this assertion square against the Spanish law that allows them to prosecute foreign citizens for crimes against humanity committed outside Spain?
The judge has now made sure that no American company will ever admit to having stored any data anywhere, or risk losing business.
Entia non sunt multiplicanda praeter necessitatem.
Denmark recently sold its digital infrastructure (digital identities, national bank payments, etc) to a US company. The Danish government said there was nothing to worry about, because the servers would still be in Denmark. Thank you, USA, for proving the Danish government wrong.
Amusingly enough, "corporation" comes from latin word meaning a "group of people"... so where's the difference?
I have many big problems with this.
It would be so much more economical and efficient for DoJ to send in a Goon-Squad of 100 to MS HQ in Seattle and just kill people !
What is to stop them ! Obama OWNS every butt in DoJ. Obama has claimed he has the right to kill, kidnap and torture any human beings on Earth so long as doing so .... Pleasures Him.
So why doesn't Obama ratchet up his 'Bad Kenyan' and send DoJ to MS Seattle and kill about 10% of the employees on Campus.
No one in Seattle, or any other place on Earth, will lift and finger or bat an eye.
Will 'the boys' in the Pentagon have a shit fit of outrage ?
Nope !
I mean come on!
This is reported on by Reuters, and they do not supply a link to the ruling itself. Which means they probably state the ruling all wrong and also leave out important details. In fact one detail I see at once is missing. Whose emails are these?
They could be Boris Putins,.or Kim Dotcoms, in which case I would have severe problems with the judges orders.
Or they could be Dread Pirate Roberts, or even Microsofts operating emails stored in Dublin just to avoid having to turn them over in which case I would have no problems with the judges orders.
In any case please get us all the facts before putting up such a story.
Is that really too much to ask?
it's very good
A Judge asks for information to make a decision, and because of that, the Judge is corrupt?
Why would I want to build an enforcement system when I don't know who's rules it will end up enforcing? Chinas? North Koreas? NSAs?
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Regards,
A.
Seriously, is this even news? FATCA, anyone?
Hello internet, it was nice knowing you.
Really, people you're stupid if you've been using VPS and cloud services already, this is just the icing on the cake. If you don't to deal with US overreach, then you need to store your private data in the very same places rich people have been storing their money and don't give a care about US law.
In all seriousness, this basically says not to outsource to US-owned companies. Cloud/VPS services are effectively outsourcing the data processing and storage, even if it's physically somewhere else.
Then when that group of peoples actions kill a person, it should be treated as Murder? or Industrial Accident?
No, because the judge and (LEOs) are using the wrong tool.
A subpoena is an order to produce a document (or to require a person to appear). This is the tool they would normally use to get an email or any other document. The LEOs do not get any access except to have the document produced.
A search warrant is an order allowing LEOs to immediately search everything they want, and then seize whatever they think satisfies the warrant.
Normally a subpoena is used to get an email. The company searches their databases and provides it. Using a search warrant is absurd, it means the police break into the server room, and say "This computer seems like it might have email, we're seizing it."
Of course, that may be EXACTLY what the LEOs are trying to do in this case, but barring some exceptional power-grab by LEOs, it is the wrong legal tool.
//TODO: Think of witty sig statement
From the other side, if the US courts don't have jurisdiction, every time a US company is required to provide data on an individual or group of individuals or the company itself, they could move it outside of country and avoid due law.
The UN needs to settle this as a whole. There should be a cyber-law enforcing that if data is required (is required being qualified whole-heartedly), that one country's courts work with another country's courts to obtain the data required.
American courts can not enforce data acquisition in another country because they do not always have the appropriate physical presence in the country of data storage. It should be the courts of the country containing the data that promise to uphold data acquisition as part of an international treaty.
BYE and thats right go fuck yourself
Ireland could simply bomb the offending courts. They have the experience. Our country escalates disputes to military actions all the time.
The Judge ordered the information, there's not much a LEO can do except comply; or appeal to a higher court. This could be considered a stalling tactic. As for the reference to the judge as a tool; now I see comedy.
These days the public has a concept of what an American company is but i'm not so certain that the law shares the same concept. Corporations are multi-national these days and frankly the nature of multi national corporations sucks bilge water. Here is why: Going into WWII the Coca Cola company felt that they would take heat for producing product in Germany. So they created the Fanta line of sodas. That way they could still make money on all those lovely Nazi soldiers while keeping the public unaware that they were actively doing business within the Reich. Meanwhile IBM was actually aiding in the data handling of people inside the concentration camps. Wouldn't a normal person assume that these companies would have been seized and shut down with their assets held for the war effort? Who made money by allowing these conditions to exist?
Every company based in America just packed up its stuff and left the country. Democracy in action!
~Knowledge is knowing that a tomato is a fruit, but Wisdom is knowing not to put it in a fruit salad.
Don't multilateral police cooperation agreements already permit cross-country law enforcement? Just sayin'.
I would suggest a law that forbids information to be retrieved from servers for the purposes of satisfying a warrant or supposed legal order that has not been validated by a court within jurisdiction.
The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage?
I think the fact that it's an American company being ordered to produce the data factors in here. The judge does have jurisdiction over the company, which makes it a different situation from ordering a company in another country to turn over data stored there. If you want to get out of a country's legal jurisdiction, you need to be out of their jurisdiction.
It could depend on the structure of the company.
I used to work for $SOFTCO Canada, but my manager was in California and was officially employed by $SOFTCO Inc. I had a team mate in California and another in Switzerland. There were no barriers between the networks of $SOFTCO Canada and $SOFTCO Inc, and one could SSH from our management/bastion host (in California) to any server in Canada, Switzerland, Japan, etc. The network team was similarly distributed with members around the globe, with access to any networking device.
So if $SOFTCO Inc was ever ordered to do something by a court, the US employees had the ability to simply SSH in. How this interacted with Canadian wire tap statutes, privacy regulations, etc., is something you'll need a lawyer to decipher.
If the structure that would have been that I worked for $SOFTCO Canada, with my manager also with $SOFTCO Canada and was physically in Canada, with separate SSH accounts to our servers (on Canadian soil) that were not accessible to USian admins, then the USian warrant can say whatever it wants, but the USian employees would in that case not be able to do anything (short of trying to break in).
If US cloud providers want to provide guarantees to foreigners about privacy and protection, they'll need to start segmenting off their non-US data centers both in HR reporting structures, and admin accounts.
Article doesn't say the nationality of the person whose email is being sought, or where they are. There are multiple possibilities.
1. I'm a US national living in the US, and Microsoft happens to host my Hotmail account in Ireland. I don't really have too much problem with the idea that a federal search warrant applies in this situation. Microsoft and me are both under US jurisdiction.
2. I'm an Irish national physically present in the US, accessing my Irish-hosted Hotmail account from my location in the US. Maybe this is slightly shakier and lawyers can argue about it, but again I'm under US jurisdiction.
3. I'm a US national living in Ireland, accessing my Irish-hosted Hotmail account from Ireland. Now I have more of a problem with the idea of a US search warrant applying, but that's because there's some legal subtlety about US jurisdiction over what I do there. Lawyers can go figure it out and I'll probably believe what they say.
4. I'm an Irish national living in Ireland, accessing my Irish-hosted hotmail account from Ireland, so I'm not under US jurisdiction in any sane way. This is the case that destroys Microsoft if the search warrant sticks. For Microsoft to have any credibility with non-US customers, the US better deal with the Irish government and get an Irish warrant if it wants access to my email. There is international cooperation among law enforcement so if the US think I'm involved in smuggling Guinness beer from Dublin to Boston, they can contact the Irish government and get a damn warrant if their evidence supports it. It's not like their ability to fight crime is thwarted. I think people are mostly imagining this situation, but it's NOT clear from the article that it's the one that applies. They could be trying to get the email of an American.
The court is corrupt; their reasoning is often quite poor for educated, experienced and honorable judges. That is no more likely to be true than a Priest is safe around children; the title doesn't give them unquestionable character.
A group of people is entirely different than a legal corporation! I can't believe they'd do something so idiotic... while I expected the result, I found their justification embarrassingly flawed; I expected better BS.
The history of the word "corporation" is NOT the same as a legal corporation. It's just a word given to it, it could have been any word. It is not simply "a group of people" and never has been
Besides, the legal entities between unions, activists, religions, and corporations are fundamentally different in their purposes and needs - they should not be equated and to lump them together just because they (almost always) involve multiple people is gross over simplification. In addition, activists and religions have much less need for a legal entity for their survival - they can actually thrive simply as "a group of people."
I find the reasoning as flawed as religious / traditional marriage vs legal marriage being the same thing; when they are only similar by name and history (in that the law sprung from the commonality between popular religions.)
Democracy Now! - uncensored, anti-establishment news
Where the servers reside is simply not relevant because the corporation resides within the jurisdiction of the court, corporations are people and because a company is one legal entity the court has jurisdiction over all of the company, regardless of where it's assets are physically located. It's called personal jurisdiction and the ruling is correct, it will be upheld if appealed. If you don't want to be subject to american jurisdiction then don't incorporate in america, it's really that simple.
As far as I know, multinational companies are really a collection of separate companies, all incorporated in the countries they are physically located in and pay taxes in that country. It's the reason why much of Apple's income is held by foreign versions of Apple. Yes, they all report to the mothership, but that mothership doesn't have sovereignty or jurisdiction over it. I'd love for some Irish barrister to send a letter telling this Judge to go feck-off along with a subpoena the Judge's phone records because he's "being investigated" for child trafficking. Then hijinks ensue.
The Judge ordered the information, there's not much a LEO can do except comply; or appeal to a higher court. This could be considered a stalling tactic. As for the reference to the judge as a tool; now I see comedy.
Yes, a judge can order the information for himself, but that isn't what happened. Almost always it is the LEOs demanding the warrants, and that is what happened here.
The LEOs go to the judge and say "we need a search warrant", or "we need a subpoena". The judge reviews the request and signs off.
In this case the officers requested a search warrant, which allows the seizure of equipment. They want to capture entire servers, make images of them, and then store the servers for the court.
The correct legal instrument is a subpoena, which allows the company to search for the documents and provide them to a court. The reason to use a search warrant to seize the machines is if there is an immediate need to remove them. If there was a fear that the machines would all be wiped and the contents destroyed. This is unlikely to be the case with Microsoft. The other reason to use a search warrant by the unspecified government agency is that they want to mirror the machines and search it for other content beyond the specific emails. Unfortunately that looks like it is their goal, not obtaining the specific emails and documents but to make mirrors of the servers for their own purposes.
//TODO: Think of witty sig statement
How is this different than French judges insisting that the internet use French, German judges trying to ban Nazi logos in global games hosted elsewhere, etc?
I mean seriously, there's like a story a week about some dumbass judge thinking he can tell the internet what it can and cannot do?
It's about the "stupid", not the "America". Although those are often enough synonymous, I admit.
-Styopa
For EU companies it is now impossible to store user related or other sensitive data on servers or cloud nodes provided by US American companies. Data privacy regulations in the EU would prohibit the use of such infrastructure. Even though there is a "safe harbor" treaty.
That would mean that countries that want to have their laws respected must block American companies. Also would turn North Korea probably the only other sovereign country in the world (guessing that there are no American companies there).
The timing of this decision is also curious since Brazil just created specific internet law to protect it's citizens constitutional rights.
It's already sad that American's rights are not respected, and horrible that citizens from the whole world are having their human rights violated, but declaring universal jurisdiction is bad for international relations and for business. This might be the most undemocratic thing I've heard of.
Moron.
They do not speak for the majority of Americans, yet the world can't trust us anymore because of them. They should be found guilty of treason and strung up. The world is doomed if they continue to piss off the rest of the world. Its not just as if they absolutely want to kill off the population of the world it is showing through with every new piece of bad news, starting with us Americans. They think they are the stewards of the beast. What gives them the right?
The USA is bound to UCC now or Universal commercial code. We were sold out to international bankers long ago.
I wipe my butthole with the constitution now.
A subsidiary company has a separate board of directors. It is the task of those directors to run the company in the interests of the shareholder, in accordance with local law. In this case, given that the company is subject to European Data Protection legislation, it would be for the local directors to refuse to obey the court order - and invite MS USA to sack them at an AGM. By the time the AGM comes along, there's a good chance that either the Irish courts will have got involved, or the US government will realise that the enforcement of this will ensure that NOONE uses American companies for any purpose, and that the non-American alternative to Google and MS will gain market share....
to be something else in another country as a scheme for hiding stuff from the US government. Plenty of big (supposedly American) companies have been getting away with this for years now - being multi-billion-dollar enterprises that claim to have no profits and few corporate records, but having teeny-tiny "associated entities" in other countries that do very little but (amazingly) make massive profits or hold warehouses full of data and documents. These companies that claim to be American but have their profits and important data "accidentally" outside the US where it theoretically cannot be touched deserve NO benefit of American law (including IP laws). The judge in question DID NOT suddenly decide that he disliked O'Malley's pub in Dublin (ficticious top-o-the-head name) and then assert that Mr. O'Malley and his business were subject to US law (which would be preposterous). This is Microsoft pretending that part of Microsoft is not part of Microsoft and a judge seeing right through the baloney/blarney
The Americans like to complain about Russia's "invasion" of Crimea, and claim that it's a power grab.
But with this decision, the judge is trying for a GLOBAL power grab the likes of which the world has never seen.
Quite frankly, the US judge and administration can go fuck themselves. YOU ARE NOT THE WORLD.
I do not fail; I succeed at finding out what does not work.
With the NSA and this, there's almost no reason to be using American suppliers anymore
This whole problem would disappear completely if the American government would QUIT WITH THE UNWARRANTED SEARCHES. If they don't stop this nonsense soon I'm afraid it might result in a war between America and the entire rest of the world.
This is so out of the ordinary that I am forced to come out with a conspiracy theory. I mean... we are talking of a certain country's court granting a "search warrant" for data stored in another country... this is pretty hard to swallow under any normal circumstances. My conspiracy theory follows... 1) The Irish police knows their courts cannot (for some reason) grant a subpoena to obtain the data they want. If a subpoena is impossible, then a search warrant would definitely be out of the question. 2) To circumvent the legal barrier to their investigation, they ask their American counterpart to request an American court for a search warrant (which they figured an American court will grant). Granting a search warrant is one thing, performing the actual search in another country is another issue. 3) Since directly executing the search warrant is legally impossible (even if legally granted), the American LEO can asks the Irish LEO to perform the search on its behalf based on existing treaties for law enforcement agencies to help each other in crime investigation. 4) The end result is the Irish police can get what they want even if their own courts cannot legally grant them the power to get the data they want. I can be dead wrong, of course, but for some reason, this case looks and smells fishy. If my theory is correct, is this being done with the full knowledge and blessing of the Irish courts? (This is possible because an Irish court may want to assist the Irish police, but the court's hands are legally tied by precidence). I wonder how the Irish people will feel?
Amusingly enough, "corporation" comes from latin word meaning a "group of people"... so where's the difference?
Latin is not to be taken literally in modern english. For example to decimate does not mean we will kill 10%. :-)
"I don't know what data you're talking about." Or... "Who is that? We have no such user." Or... "Okay here are 50,000 ZB of data. It's all we have from every user ever. We don't maintain any information on which data goes with which user, since the account names are encrypted by a key that resides on the user's machine, and we have no access to that or the keys with which the data is encrypted. To avoid being prosecuted for failure to comply, we're giving you the entire contents of our servers. We can't even tell you where one user's data begins and another ends. Enjoy combing through it all!
(Then later, "What did you do with the 50,000 ZB datafile of pseudorandom-noise?" "Oh, that garbage? I gave it to the Americans. We'll just have to make another, should take about a day." "Great to hear, keep up the good work!")
It is data about a person, in many cases it is literally the documents, calls, emails, tweets, IMs of people to people. That clearly belongs to the persons themselves, not to some company that wrote an app used to interact with that data or the companies providing the pipes for it to travel across. So that it is an American company really has nothing to do with it if we see it from the logical point of view of who the data belongs to. If it belongs to a European then it is government by European law. People are also confused about cloud storage and data center storage of information. Storage is not ownership.
Yet another example of attempted USA extraterritorialism.
Does American Themis is armed with sword only and and no balance scales ?
The question is why do they rule so ?
- Because they CAN.
I wonder how the US would take it if a judge in another country made use of that claim for their benefit? It might be claimed that because company X chose to operate in their jurisdiction they accepted their jurisdictional boundaries. Various governments have already claimed jurisdiction in other countries for years, which is why they may claim tax on money earned by people working abroad, even though they may have done none of that work in that country...
The rest of us are the one's paying for it, though.
That's where I have a problem: Tax sheltered businesses and transactions aren't just suckering the buyer, but are a true burden to society.
Consider: These days large technology companies are not only clever about not paying taxes but they don't want help at all in training new skilled workers either. So with regards to the work-force, they're double-dipping. Worse, if you factor in their trying to swipe talented high school kids as well.
It's even worse when companies are transnational and I don't mind seeing some legal downsides & limitations thrown-in.
So if they can legally access the data stored on the Irish servers, they must produce that information.
This is really simple:
One cannot refuse a court ordered demand for documents just because those documents are stored in safe deposit box in Switzerland. If the person in possesion of the deposit box key is before a US court, they must produce the documents stored in that Swiss bank, as ordered, come hell or high water.
(IANAL) but this is just common sense. Is M$ Legal really this stupid?
OP is obviously frobnicating.
The US company is not the parent and cannot order the Dutch company to do anything.
On that note MS Ireland is a separate legal entity under Irish law. The US parent company can order it to produce data as the owner, but to comply officers of the Irish subsidiary would have to break Irish laws.
So I wonder what would happen if MS US orders MS Ireland to produce the information and no one in Ireland complies because they refuse to break the law?
While you are in jail you can request from the canadians all you want. But if it is illegal for them under canadian law to comply with your request you will be waiting a long time.
and we can't wait for foreign courts to do the same here