Slashdot Mirror

← Back to Stories (view on slashdot.org)

American Judge Claims Jurisdiction Over Data Stored In Other Countries

Posted by Soulskill on from the su-casa-es-mi-casa dept.

New submitter sim2com writes: "An American judge has just added another reason why foreign (non-American) companies should avoid using American Internet service companies. The judge ruled that search warrants for customer email and other content must be turned over, even when that data is stored on servers in other countries. The ruling came out of a case in which U.S. law enforcement was demanding data from Microsoft's servers in Dublin, Ireland. Microsoft fought back, saying, 'A U.S. prosecutor cannot obtain a U.S. warrant to search someone's home located in another country, just as another country's prosecutor cannot obtain a court order in her home country to conduct a search in the United States. We think the same rules should apply in the online world, but the government disagrees.'

If this ruling stands, foreign governments will not be happy about having their legal jurisdiction trespassed by American courts that force American companies to turn over customers' data stored in their countries. The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage? This is a matter that has to be decided by International treaties. While we're at it, let's try to establish an International cyber law enforcement system. In the meantime."

31 of 226 comments (clear)

  1. American company by Todd+Knarr · · Score: 5, Informative

    I think the fact that it's an American company being ordered to produce the data factors in here. The judge does have jurisdiction over the company, which makes it a different situation from ordering a company in another country to turn over data stored there. If you want to get out of a country's legal jurisdiction, you need to be out of their jurisdiction.

    1. Re:American company by K.+S.+Kyosuke · · Score: 3, Insightful

      What if it breaks the law of the foreign country in question?

      --
      Ezekiel 23:20
    2. Re:American company by Anonymous Coward · · Score: 4, Insightful

      Then the company is going to have to choose which country's laws to break, and suffer the consequences. In the extreme case, this will result in companies deciding that it's not worth operating in particular sets of countries.

    3. Re:American company by knightghost · · Score: 3, Interesting

      What if I encrypted a block of my data, broke those blocks up, then stored separate (non-duplicate) pieces in every country in the world? Would a court need to get every country's permission to assemble the data? Is the data an entity that has to be pursued independently of the owner (me)? Or as the owner, can my citizenship country (or a country that is pursuing me) instead demand all pieces based on me as the owner?

      To summarize: Is my data legally independent from me?

    4. Re:American company by Anonymous Coward · · Score: 2, Insightful

      They don't hide their money, that is illegal. What they really do is use evey tax loophole they can to shift money around to the most favorable spot on he planet for tax purposes. They report every red cent to the US agencies, and use every trick they lobbied to put into the book to say "Neener neener its legal and you can;t have any."

      Been this way for about 20 years or more now, thank you Reagan.

    5. Re:American company by Anonymous Coward · · Score: 2, Informative

      "Why the fuck the legal system isn't going after THAT shit [...]"

      Cause they've been paid not to. Lobbied, bought and paid for, our tax system is literally the best money can buy now.

    6. Re:American company by QuasiSteve · · Score: 3, Insightful

      Right - that's why AMS-IX opened 'their' NY location as a separate company, so that U.S. jurisdiction can't touch their Dutch operations.

      https://ams-ix.net/newsitems/1...

      Or so their lawyers are interpreting anyway - probably nothing a stroke of the pen in the U.S. can't make disappear.

    7. Re:American company by Em+Adespoton · · Score: 5, Interesting

      I think the fact that it's an American company being ordered to produce the data factors in here. The judge does have jurisdiction over the company, which makes it a different situation from ordering a company in another country to turn over data stored there. If you want to get out of a country's legal jurisdiction, you need to be out of their jurisdiction.

      What is an "American" company? MS Europe is incorporated in Ireland, has a datacentre in Ireland, and pays taxes in Ireland. The FBI should be approaching the Irish authorities for access to this data.

      Or look at it another way: Is Sony USA an American company, or a Japanese company? If it's a Japanese company, that means that the Japanese have the right to all data stored on Sony USA servers.

      Or let's take this further: let's say the government of China had reason to believe that Cisco China had an NSA backdoor in its products as they were being deployed in China, and so ordered Cisco USA to turn over all emails, technical specifications and documentation.

      Rinse and repeat with pretty much any middle east country and Haliburton.

      This is a dangerous precedent for the US to set, as their only possible responses to foreign country's requests for similar information would be either "sure, here it is" or "sorry, we have a bigger army. Don't mess with us." Land of the Free much?

    8. Re:American company by St.Creed · · Score: 3, Informative

      Data is legally owned and controlled by somebody, and that's the one getting the subpoena. So as far as I know the law over here (IANAL) the answer is yes: the court that can claim jurisdiction can apply its laws and if they say they can order you to give up the data and decrypt it, then you have to.

      In my (amateur) opinion, the only way Microsoft would have gotten out of this one is if they had sold the data to another company that would reside in Ireland and that would be legally independent. Say, "MicrosoftDataHolding Ireland". However, *that* company could be ordered by the Irish courts to turn over the data to the Irish government, independent of what Microsoft USA would want. They wouldn't even be part of the case.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    9. Re:American company by Frobnicator · · Score: 5, Informative

      I think the fact that it's an American company being ordered to produce the data factors in here.

      Close, but wrong.

      Being ordered to produce data is called a subpoena. That is the normal tool for producing emails and documents. A subpoena orders the company to find the documents meeting the criteria and produce them for the court.

      A search warrant allows LEOs to enter the building, search for everything themselves, and seize anything that might appear to satisfy the warrant. So they would enter the server room and immediately seize any computer that looks like it might have the email on it.

      The unnamed government agency got a warrant to seize a bunch of computers, and are acting under the guise that they are asking for specific information.

      It is completely the wrong tool. It would be nice to think it was a simple mistake, picking the wrong tool to get information. ... unless it is an agency looking to do far more than find some specific emails. Unfortunately it is probably the latter, given that everything is under seal and they are demanding to allow US federal agents into a non-US facility to seize servers.

      --
      //TODO: Think of witty sig statement
    10. Re:American company by St.Creed · · Score: 2

      Well... let's follow up on the argument a bit.

      If MS Europe is *really* independent, they can now turn down the request of MS USA for the data and the request will have to go through the Irish courts. But if they are *not* all that independent, and the data is not in fact controlled by them but by MS USA, then they can't interfere, MS USA will have to comply and I can just imagine what the tax authorities are going to do the morning after they produce the data: go after MS with a pretty big hammer.

      Interesting case, this :)

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    11. Re:American company by sumdumass · · Score: 3, Informative

      It's been that way a lot longer than 20 years. The difference now is that instead of buying large yachts and other luxury items as business expenses that can be depreciated then resold as a capital gain later, other countries have lowered their tax rates so moving the funds around makes more sense.

      But if you really want to blame a president, you can blame Clinton because all of this off shoring wasn't prevalent until he became president and enacted policies that globalized companies in the way we see them today. You can say it was in the works before he was president, but he enacted NAFTA and several other free trade agreements that made this possible and likely.

    12. Re:American company by swb · · Score: 2

      This is a dangerous precedent for the US to set, as their only possible responses to foreign country's requests for similar information would be either "sure, here it is" or "sorry, we have a bigger army. Don't mess with us." Land of the Free much?

      This is exactly what multinationals do. They love to have some weird, three-room office in an industrial park near the airport in someplace like Ireland that they can use as their tax headquarters to shelter a bunch of income from American taxes, but then keep their business headquarters in the US so they can run to the State Department every time they have an issue with a non-US government.

      This is a big reason why these tax dodges suck -- they get to dodge taxes but use the government to do their bidding. You want to be an Irish company? Great, see how little weight the Irish Ministry for Foreign Affairs can throw around.

    13. Re:American company by sumdumass · · Score: 2

      More likely than not, it is because no matter how nasty and illegal you want to think hiding those assets off shore in havens might be, there is a possibility that it is done legally even if not ethically.

      Look at it this way, several years ago, I purchased a rehab home. I moved into it, rented the old home out which made it my primary residence. I then used a grant through the utility company paid for by the state in order to remove the old plaster and lath, install modern insulation, seal the walls and drywall them. I had to pay for the ceilings but the rest came from the state through the utility company. But I also replaced the single pain windows with a tax program the state had so the difference in the trim actually allowed the purchase of the drywall on the ceilings. So essentially, I gutted and insulated the entire home, upgraded the windows for free if you accept spending money I would have already paid in taxes as not being a new expense.

        I then replaced the aging roof shingles (slate) with Owens Corning 25 year shingles under another program for energy efficiency by the feds granted to the state. Because I went from slate to asphalt shingles, I had to install a venting system and all which ended costing me about $3000 but everything else was covered by the program. But there is more, I bought new appliances too with another energy grant through the utility company which was through the state so I ended up only paying 40% of the cost of those.

      Basically, by the time it was all said and done, I spend about 5 years of my taxes on an investment home instead of paying the state and federal governments and got a bunch of free (think refunds) money on top of what I would have paid in. It was all legal as long as I lived in the house another 5 years. I sold it off at the height of the real estate bubble and made a killing. This was a tax shelter much the same way as those off shore havens work. It's all legal even though you think they shouldn't be.

      The tax code is so complex that even IRS officials cannot follow it enough to stay out of trouble with their own taxes. What is obvious isn't always illegal and what is illegal may only be illegal in certain situations. And what is obviously illegal can be perfectly legal if your accountant structures something specifically with the intent of making it legal. Then again, people have been wrong before and get busted for thinking their illegal thing was legal but it turned out to be illegal. If that confused you a bit, it was supposed to just like the tax code.

    14. Re:American company by Frobnicator · · Score: 4, Insightful

      Data is legally owned and controlled by somebody, and that's the one getting the subpoena.

      Read it again. Even the /. summary covers it properly.

      They did not get a subpoena, which would have forced Microsoft to turn it over. The used a search warrant, which allows the (unspecified) government to swoop in and seize the servers. Located in Ireland. Using a US's renound paramilitary law enforcement. In Ireland. Seizing Irish equipment from an Irish branch of the company, used by Irish people and defended by an Irish police force.

      The (unspecified) US government agency requested the ability (and the judge authorized) to enter the Irish facility and take the machines by force if necessary -- that is how search warrants work.

      The fact that they even requested it is troubling. The fact that the agency was granted it is fairly terrifying. If this doesn't get taken down in an appeal, the article and summary are correct, it means the US government is basically declaring sovereignty over the world even more than before. This isn't Afghanistan or Iraq, but Ireland they would be using force against.

      --
      //TODO: Think of witty sig statement
    15. Re:American company by radarskiy · · Score: 3, Informative

      Stop lying.

      The actual articles says *nothing* about US agencies gaining physical access purely on the basis of a US warrant.

      From the actual article:
      "A search warrant for email information, he said, is a "hybrid" order: obtained like a search warrant but executed like a subpoena for documents. Longstanding U.S. law holds that the recipient of a subpoena must provide the information sought, no matter where it is held, he said."

      So the instrument really is more like a subpoena in that it forces action on the recipient, in this case to retrieve the data from the foreign location. It does not authorize any US official to seize the data from the foreign location without the involvement of the foreign authorities.

      This ruling literally does NONE of the things you accuse it of.

  2. Slightly misleading... by Anonymous Coward · · Score: 2, Insightful

    The judge said that the warrant served on Microsoft is valid, meaning that Microsoft, which has control of the servers in Dublin, can be required to use its access to its own servers to turn over information within its control. Nothing Earth-shattering here.

    1. Re:Slightly misleading... by Richard_at_work · · Score: 2

      And what happens when Ireland, the UK, the EU etc pass laws which specifically prevent Microsoft et al from responding to such warrants when they are issued from countries where the data does not reside?

      Microsoft would be between a rock and a hard place.

    2. Re:Slightly misleading... by Trepidity · · Score: 2

      That's precisely why Microsoft is opposing this order, not so much to avoid turning this particular data over, but because it may damage their European business. Microsoft has made a big marketing push in Europe trumpeting that their cloud products comply with EU data-protection laws, and this has been somewhat successful: several big companies and universities have signed up with Office 365 as their email/calendaring provider, in part because they were convinced that doing so is compatible with their obligations under EU law. Google in particular has usually not been in the running, because they can't or won't certify that data in Google Apps for Business is treated in accordance with European regulations, whereas Microsoft has been claiming that data in Office 365 is.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
  3. Re:No jurisdiction by fustakrakich · · Score: 2

    They're not demanding from the countries. They're going after Microsoft, which happens to have offices in the US. Either way, those who believe should encrypt their mails. The rest can hide their secret messages in spam.

    --
    “He’s not deformed, he’s just drunk!”
  4. Re:No jurisdiction by devman · · Score: 4, Informative

    Microsoft, however, is subject to the jurisdiction of the U.S. Federal Court system, and when a Magistrate Judge orders them to produce something, they are compelled to produce it. It doesn't really matter where the something is. Basically the court is saying the search warrant can be executed like a subpoena.

    From the linked article:
    A search warrant for email information, he said, is a "hybrid" order: obtained like a search warrant but executed like a subpoena for documents. Longstanding U.S. law holds that the recipient of a subpoena must provide the information sought, no matter where it is held, he said.

  5. Already in place.... by CaptainOfSpray · · Score: 3, Informative

    EU law already makes it illegal to pass "personal data" to any location which lacks the protections available in Europe. The so-called Safe Harbor provisions apply for te US situation, but everyone who understands the EU law knows that the Safe Harbor arrangements are just smoke and mirrors - they afford precisely no protection at all - they exist to enable EU companies to export data to the US while claiming they have complied wth the law.

    --
    "Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
  6. US Court did *not* say corporations are people ... by drnb · · Score: 2

    With apologies to various political hacks in the judiciary, corporations are not people ...

    Actually the U.S. Supreme Court did *not* say that corporations are people. What the court actually said is that *groups of people* have the same rights as individual people, and that the nature of that group -- corporation, labor union, activist group, etc -- does not matter.

    I apologize of actually reading the court decision rather than relying on the characterization of it by the talking heads on TV.

  7. And Denmark just sold its digital IDs to USA... by Anonymous Coward · · Score: 5, Interesting

    Denmark recently sold its digital infrastructure (digital identities, national bank payments, etc) to a US company. The Danish government said there was nothing to worry about, because the servers would still be in Denmark. Thank you, USA, for proving the Danish government wrong.

  8. Re:US Court did *not* say corporations are people by cryptolemur · · Score: 2

    Amusingly enough, "corporation" comes from latin word meaning a "group of people"... so where's the difference?

  9. Get the facts. by MouseTheLuckyDog · · Score: 2

    I mean come on!
    This is reported on by Reuters, and they do not supply a link to the ruling itself. Which means they probably state the ruling all wrong and also leave out important details. In fact one detail I see at once is missing. Whose emails are these?

    They could be Boris Putins,.or Kim Dotcoms, in which case I would have severe problems with the judges orders.
    Or they could be Dread Pirate Roberts, or even Microsofts operating emails stored in Dublin just to avoid having to turn them over in which case I would have no problems with the judges orders.

    In any case please get us all the facts before putting up such a story.
    Is that really too much to ask?

  10. Re:No jurisdiction by Brett+Buck · · Score: 4, Informative

    The search warrant analogy is completely spurious. An American court cannot compel a search of a foreign property. But they can certainly compel an American company (or individual) to produce information owned by the company that happens to reside in a file folder in another country, or be liable for contempt of court.

          Sensationalism, thy name is slashdot.

          Brett

  11. Cyber Law? by ultranova · · Score: 2

    The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage? This is a matter that has to be decided by International treaties. While we're at it, let's try to establish an International cyber law enforcement system. In the meantime.

    Why would I want to build an enforcement system when I don't know who's rules it will end up enforcing? Chinas? North Koreas? NSAs?

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  12. Re:No jurisdiction by Kjella · · Score: 3, Insightful

    In what appears to be the first court decision addressing the issue, U.S. Magistrate Judge James Francis in New York said Internet service providers such as Microsoft Corp or Google Inc cannot refuse to turn over customer information and emails stored in other countries when issued a valid search warrant from U.S. law enforcement agencies.

    Emphasis mine. I read this to mean that if you use any US owned mail provider the FBI can subpoena anything they want through a US judge. That just seems horribly wrong and would put the world wide operation of any company at the mercy of the jurisdiction where they're headquartered. By this logic the NSA can get a subpoena to demand all US companies turn over any information they got anywhere in the world. You could never trust a foreign company to follow local laws. If this stands it's a horrible precedent.

    --
    Live today, because you never know what tomorrow brings
  13. Re:No jurisdiction by physicsphairy · · Score: 3, Insightful

    Microsoft does not own the information; they as a third party own the server on which someone else's information resides, a server which is held and taxed as a foreign asset outside US regional jurisdiction. It's one thing to compel Microsoft as a transnational company to produce one of their corporate records regardless of where they have stored it: agreeing to subject themselves to the US judicial system is part of incorporating in the US. It's entirely another when they are being told their foreign offices are actually territory of the US government and anyone or anything which resides there must submit to the pleasures of the US judicial system.

    If I had written a letter in Britain and put it in a British safety deposit box I don't think the court would have the guts to demand it, even if the bank were jointly owned in the US. But scan that letter and store on the server and suddenly it's free game. Why? Because now it's easy to sneak the data out of the country without bothering the local authorities? Good news for people torrenting.

    I suppose if you live in other countries you should doublecheck that any web companies you do business with do not also have a US presence because if they do any of your data could be subject to requisition by the US government even if it's data which has never left your country.

    --
    When things get complex, multiply by the complex conjugate.
  14. Re:American? by Dwedit · · Score: 2

    http://www.snopes.com/cokelore...