Slashdot Mirror

← Back to Stories (view on slashdot.org)

American Judge Claims Jurisdiction Over Data Stored In Other Countries

Posted by Soulskill on from the su-casa-es-mi-casa dept.

New submitter sim2com writes: "An American judge has just added another reason why foreign (non-American) companies should avoid using American Internet service companies. The judge ruled that search warrants for customer email and other content must be turned over, even when that data is stored on servers in other countries. The ruling came out of a case in which U.S. law enforcement was demanding data from Microsoft's servers in Dublin, Ireland. Microsoft fought back, saying, 'A U.S. prosecutor cannot obtain a U.S. warrant to search someone's home located in another country, just as another country's prosecutor cannot obtain a court order in her home country to conduct a search in the United States. We think the same rules should apply in the online world, but the government disagrees.'

If this ruling stands, foreign governments will not be happy about having their legal jurisdiction trespassed by American courts that force American companies to turn over customers' data stored in their countries. The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage? This is a matter that has to be decided by International treaties. While we're at it, let's try to establish an International cyber law enforcement system. In the meantime."

17 of 226 comments (clear)

  1. American company by Todd+Knarr · · Score: 5, Informative

    I think the fact that it's an American company being ordered to produce the data factors in here. The judge does have jurisdiction over the company, which makes it a different situation from ordering a company in another country to turn over data stored there. If you want to get out of a country's legal jurisdiction, you need to be out of their jurisdiction.

    1. Re:American company by K.+S.+Kyosuke · · Score: 3, Insightful

      What if it breaks the law of the foreign country in question?

      --
      Ezekiel 23:20
    2. Re:American company by Anonymous Coward · · Score: 4, Insightful

      Then the company is going to have to choose which country's laws to break, and suffer the consequences. In the extreme case, this will result in companies deciding that it's not worth operating in particular sets of countries.

    3. Re:American company by knightghost · · Score: 3, Interesting

      What if I encrypted a block of my data, broke those blocks up, then stored separate (non-duplicate) pieces in every country in the world? Would a court need to get every country's permission to assemble the data? Is the data an entity that has to be pursued independently of the owner (me)? Or as the owner, can my citizenship country (or a country that is pursuing me) instead demand all pieces based on me as the owner?

      To summarize: Is my data legally independent from me?

    4. Re:American company by QuasiSteve · · Score: 3, Insightful

      Right - that's why AMS-IX opened 'their' NY location as a separate company, so that U.S. jurisdiction can't touch their Dutch operations.

      https://ams-ix.net/newsitems/1...

      Or so their lawyers are interpreting anyway - probably nothing a stroke of the pen in the U.S. can't make disappear.

    5. Re:American company by Em+Adespoton · · Score: 5, Interesting

      I think the fact that it's an American company being ordered to produce the data factors in here. The judge does have jurisdiction over the company, which makes it a different situation from ordering a company in another country to turn over data stored there. If you want to get out of a country's legal jurisdiction, you need to be out of their jurisdiction.

      What is an "American" company? MS Europe is incorporated in Ireland, has a datacentre in Ireland, and pays taxes in Ireland. The FBI should be approaching the Irish authorities for access to this data.

      Or look at it another way: Is Sony USA an American company, or a Japanese company? If it's a Japanese company, that means that the Japanese have the right to all data stored on Sony USA servers.

      Or let's take this further: let's say the government of China had reason to believe that Cisco China had an NSA backdoor in its products as they were being deployed in China, and so ordered Cisco USA to turn over all emails, technical specifications and documentation.

      Rinse and repeat with pretty much any middle east country and Haliburton.

      This is a dangerous precedent for the US to set, as their only possible responses to foreign country's requests for similar information would be either "sure, here it is" or "sorry, we have a bigger army. Don't mess with us." Land of the Free much?

    6. Re:American company by St.Creed · · Score: 3, Informative

      Data is legally owned and controlled by somebody, and that's the one getting the subpoena. So as far as I know the law over here (IANAL) the answer is yes: the court that can claim jurisdiction can apply its laws and if they say they can order you to give up the data and decrypt it, then you have to.

      In my (amateur) opinion, the only way Microsoft would have gotten out of this one is if they had sold the data to another company that would reside in Ireland and that would be legally independent. Say, "MicrosoftDataHolding Ireland". However, *that* company could be ordered by the Irish courts to turn over the data to the Irish government, independent of what Microsoft USA would want. They wouldn't even be part of the case.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    7. Re:American company by Frobnicator · · Score: 5, Informative

      I think the fact that it's an American company being ordered to produce the data factors in here.

      Close, but wrong.

      Being ordered to produce data is called a subpoena. That is the normal tool for producing emails and documents. A subpoena orders the company to find the documents meeting the criteria and produce them for the court.

      A search warrant allows LEOs to enter the building, search for everything themselves, and seize anything that might appear to satisfy the warrant. So they would enter the server room and immediately seize any computer that looks like it might have the email on it.

      The unnamed government agency got a warrant to seize a bunch of computers, and are acting under the guise that they are asking for specific information.

      It is completely the wrong tool. It would be nice to think it was a simple mistake, picking the wrong tool to get information. ... unless it is an agency looking to do far more than find some specific emails. Unfortunately it is probably the latter, given that everything is under seal and they are demanding to allow US federal agents into a non-US facility to seize servers.

      --
      //TODO: Think of witty sig statement
    8. Re:American company by sumdumass · · Score: 3, Informative

      It's been that way a lot longer than 20 years. The difference now is that instead of buying large yachts and other luxury items as business expenses that can be depreciated then resold as a capital gain later, other countries have lowered their tax rates so moving the funds around makes more sense.

      But if you really want to blame a president, you can blame Clinton because all of this off shoring wasn't prevalent until he became president and enacted policies that globalized companies in the way we see them today. You can say it was in the works before he was president, but he enacted NAFTA and several other free trade agreements that made this possible and likely.

    9. Re:American company by Frobnicator · · Score: 4, Insightful

      Data is legally owned and controlled by somebody, and that's the one getting the subpoena.

      Read it again. Even the /. summary covers it properly.

      They did not get a subpoena, which would have forced Microsoft to turn it over. The used a search warrant, which allows the (unspecified) government to swoop in and seize the servers. Located in Ireland. Using a US's renound paramilitary law enforcement. In Ireland. Seizing Irish equipment from an Irish branch of the company, used by Irish people and defended by an Irish police force.

      The (unspecified) US government agency requested the ability (and the judge authorized) to enter the Irish facility and take the machines by force if necessary -- that is how search warrants work.

      The fact that they even requested it is troubling. The fact that the agency was granted it is fairly terrifying. If this doesn't get taken down in an appeal, the article and summary are correct, it means the US government is basically declaring sovereignty over the world even more than before. This isn't Afghanistan or Iraq, but Ireland they would be using force against.

      --
      //TODO: Think of witty sig statement
    10. Re:American company by radarskiy · · Score: 3, Informative

      Stop lying.

      The actual articles says *nothing* about US agencies gaining physical access purely on the basis of a US warrant.

      From the actual article:
      "A search warrant for email information, he said, is a "hybrid" order: obtained like a search warrant but executed like a subpoena for documents. Longstanding U.S. law holds that the recipient of a subpoena must provide the information sought, no matter where it is held, he said."

      So the instrument really is more like a subpoena in that it forces action on the recipient, in this case to retrieve the data from the foreign location. It does not authorize any US official to seize the data from the foreign location without the involvement of the foreign authorities.

      This ruling literally does NONE of the things you accuse it of.

  2. Re:No jurisdiction by devman · · Score: 4, Informative

    Microsoft, however, is subject to the jurisdiction of the U.S. Federal Court system, and when a Magistrate Judge orders them to produce something, they are compelled to produce it. It doesn't really matter where the something is. Basically the court is saying the search warrant can be executed like a subpoena.

    From the linked article:
    A search warrant for email information, he said, is a "hybrid" order: obtained like a search warrant but executed like a subpoena for documents. Longstanding U.S. law holds that the recipient of a subpoena must provide the information sought, no matter where it is held, he said.

  3. Already in place.... by CaptainOfSpray · · Score: 3, Informative

    EU law already makes it illegal to pass "personal data" to any location which lacks the protections available in Europe. The so-called Safe Harbor provisions apply for te US situation, but everyone who understands the EU law knows that the Safe Harbor arrangements are just smoke and mirrors - they afford precisely no protection at all - they exist to enable EU companies to export data to the US while claiming they have complied wth the law.

    --
    "Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
  4. And Denmark just sold its digital IDs to USA... by Anonymous Coward · · Score: 5, Interesting

    Denmark recently sold its digital infrastructure (digital identities, national bank payments, etc) to a US company. The Danish government said there was nothing to worry about, because the servers would still be in Denmark. Thank you, USA, for proving the Danish government wrong.

  5. Re:No jurisdiction by Brett+Buck · · Score: 4, Informative

    The search warrant analogy is completely spurious. An American court cannot compel a search of a foreign property. But they can certainly compel an American company (or individual) to produce information owned by the company that happens to reside in a file folder in another country, or be liable for contempt of court.

          Sensationalism, thy name is slashdot.

          Brett

  6. Re:No jurisdiction by Kjella · · Score: 3, Insightful

    In what appears to be the first court decision addressing the issue, U.S. Magistrate Judge James Francis in New York said Internet service providers such as Microsoft Corp or Google Inc cannot refuse to turn over customer information and emails stored in other countries when issued a valid search warrant from U.S. law enforcement agencies.

    Emphasis mine. I read this to mean that if you use any US owned mail provider the FBI can subpoena anything they want through a US judge. That just seems horribly wrong and would put the world wide operation of any company at the mercy of the jurisdiction where they're headquartered. By this logic the NSA can get a subpoena to demand all US companies turn over any information they got anywhere in the world. You could never trust a foreign company to follow local laws. If this stands it's a horrible precedent.

    --
    Live today, because you never know what tomorrow brings
  7. Re:No jurisdiction by physicsphairy · · Score: 3, Insightful

    Microsoft does not own the information; they as a third party own the server on which someone else's information resides, a server which is held and taxed as a foreign asset outside US regional jurisdiction. It's one thing to compel Microsoft as a transnational company to produce one of their corporate records regardless of where they have stored it: agreeing to subject themselves to the US judicial system is part of incorporating in the US. It's entirely another when they are being told their foreign offices are actually territory of the US government and anyone or anything which resides there must submit to the pleasures of the US judicial system.

    If I had written a letter in Britain and put it in a British safety deposit box I don't think the court would have the guts to demand it, even if the bank were jointly owned in the US. But scan that letter and store on the server and suddenly it's free game. Why? Because now it's easy to sneak the data out of the country without bothering the local authorities? Good news for people torrenting.

    I suppose if you live in other countries you should doublecheck that any web companies you do business with do not also have a US presence because if they do any of your data could be subject to requisition by the US government even if it's data which has never left your country.

    --
    When things get complex, multiply by the complex conjugate.