Microsoft Defies Court Order, Will Not Give Emails To US Government

schwit1 sends this excerpt from a report about Microsoft: Despite a federal court order directing Microsoft to turn overseas-held email data to federal authorities, the software giant said Friday it will continue to withhold that information as it waits for the case to wind through the appeals process. The judge has now ordered both Microsoft and federal prosecutors to advise her how to proceed by next Friday, September 5.

Let there be no doubt that Microsoft's actions in this controversial case are customer-centric. The firm isn't just standing up to the US government on moral principles. It's now defying a federal court order. "Microsoft will not be turning over the email and plans to appeal," a Microsoft statement notes. "Everyone agrees this case can and will proceed to the appeals court. This is simply about finding the appropriate procedure for that to happen."

That's nice, but...

[SternisheFan]

Isn't there a NSA backdoor to MS?

Re:That's nice, but...

What, is this all just for show? Why would the Feds want to make news over them demanding the data from Microsoft?
Is this just to make us believe they can't get the data without Microsoft's cooperation?

Re:That's nice, but...

[PPH]

What, is this all just for show?

Its either plausible deniability or the need to demonstrate an unbroken and untainted chain of evidence. The NSA may in fact already have access to this data. But acting like they don't, or even loosing a minor case might set other criminals at ease about the security of their data within the Microsoft infrastructure. And they won't switch to a more secure platform. The chain of evidence might be needed to keep a subsequent trial from being thrown out due to tainted evidence. The NSA may already have the evidence (through questionable means), but getting a clean copy removes issues of it being fruit of the poisonous tree.

Re:That's nice, but...

[russotto]

The government could almost certainly get this data by going through the proper procedures in Ireland. That they can also get it surreptitiously doesn't matter; they're trying to establish precedent that they can legally get any data held by any US company anywhere in the world without involving any other government; that precedent is the important part, not the particular data involved.

Re:That's nice, but...

[ShanghaiBill]

The government could almost certainly get this data by going through the proper procedures in Ireland.

Maybe not. If the Irish government caves in to American pressure, then data centers will start leaving Ireland, taking money and jobs with them, just like they are already leaving America. If Microsoft loses this case, and the extra-territorial reach of American Law is upheld, then, if you want privacy, you will need to not only store your data outside America, but not even with a company that does business there. The American government cares more about reading our mail than about keeping our jobs.

Re:That's nice, but...

[s.petry]

Dunno, the Russian FSB has actually wrung Windows code reviews out of Microsoft so if they didn't find any back door in that code I'd say there are none to find..

A viable alternative is that they found and use the same back doors available to the NSA. It's speculation either way, because there are no independent reviews of Microsoft's source code and shipped binaries. The released binaries may not even match the source they provided for review.

Re:That's nice, but...

[Charliemopps]

Isn't there a NSA backdoor to MS?

They do. The feds already have the data but cannot use it in court. Getting the companies in question to play ball is essential for legal procedures, not for the actual data acquisition.

Re:That's nice, but...

[Kijori]

Will they? There are a lot of advantages to running this in Ireland: low tax rates without the negative publicity of operating in a tax haven, other favourable financial and tax rules that allow foreign companies to book their profits there to further reduce their tax bills, a skilled workforce, good infrastructure, and all the up-front costs that come from building and equipping the data centre in the first place have been paid already. Call me cynical, but I'm not convinced that many data centres will move if Irish law allows the authorities to get this data.

Re:That's nice, but...

[PPH]

Could you give an example of a more secure platform?

Sure. Any e-mail system which has users encrypt/decrypt their content locally and then use the storage and transport system solely for storage and transport Slap some directory and key management for (public keys only) on top of that and there you go.

You (the gov't) subpoena the content from the service provider? Sure, here's an encrypted copy. We don't have anything else. Need that decryption key? Go see the sender or recipient. We don't have that.

customer-centric

[TubeSteak]

Microsoft's actions might seem "customer-centric," but really they're fighting for their lives.

If MS can be forced to give up European data, stored on European servers, that's game over for them.
Lawsuits and investigations will flourish in Europe, because their data protection laws are much stronger/stricter than ours.

This could kill MS's European business.

Re:customer-centric

You mean "Kill every company on the internet's business that serves customers in Europe and America."

Legal precedent would compel Google, and everyone else, to do the same stupid thing this judge has ordered, who is apparently unaware of international laws and seems to assume that US law is the only thing that exists or even should exist. If MS loses, everyone loses.

Re:customer-centric

[rtb61]

It's all just a matter of legal principle. Can any internet company be publicly ordered to break laws in other countries, regardless of where it is based. So M$ is challenging the order to publicly establish a principle and protect it and all other internet companies in this regard. Technically speaking all other internet companies are now getting a free ride on M$'s dime, so it seems sometimes they do pay back to the industry. This is an important principle of law and something the US Federal government should be paying attention to and legislating to ensure the future of all US internet companies is not severely threatened.

Re:customer-centric

[PPH]

Its an American's data stored under a European account in European servers.

Perhaps. But if it was an American, residing on European soil, there would be extradition procedures to follow. And those would involve having the local (EU) police generate their own warrant and make their own arrest based upon a formal request. The aprehended suspect would then be turned over to the requesting country.

The same sort of thing should happen here. The USA should make a formal request to the Irish court to secure the evidence and turn it over to US authorities.

Re:customer-centric

[bloodhawk]

Can any internet company be publicly ordered to break laws in other countries, regardless of where it is based?

Why shouldn't they? MS is a United States company. Why should MS, or any other corporation, be able to only abide by US law when it is convenient for them, and break it other times? If the laws of two jurisdictions are incompatible with each other, the corporation should have to make a hard choice and only operate in a single jurisdiction, and use other avenues to expand business to the other.

This is not a case of the US trying to compel a European Company into doing something, it is compelling Microsoft, subject to US law, to turn over data it holds, albeit in a different company. If an American individual is subpoenaed for information relating to a crime, resisting turning it over because it's held in a safe deposit box abroad, is no more an acceptable excuse than "it's in my other pants".

An individual in the United States must abide by US law even when abroad, in addition to abiding by the rules of the foreign country. It's still illegal for an American to smoke weed or solicit 14 year old prostitutes abroad, despite those being legal in some places of the world. If American persons have to play by United States rules 24x7, why should a corporation get to pick and choose?

The US legal system starts and ENDS at the US borders. You seem to have completely misunderstood this situation, For example your safe deposit box example, if the US wanted the contents of a safe deposit box in Europe they cannot legally seize it, doing so would be a violation of europan law and the US officials doing it would be guilty of bank robbery and treated like any other common criminal. They must go through the countries legal system that holds the goods they want to seize, similarly the same applies to Data, the US can get access to it as long as it follows the appropriate laws and procedures. What the US government is trying to do is say other countries laws don't matter with data and therefore are asking a US companies to break another countries laws. You yourself said it that when in other countries you must abide by that countries rules, you cannot compel an individual or company to break the laws of another country. No one is suggesting that MS gets to ignore US laws, it is the US government saying that they get it ignore other countries laws and can compel US companies to do the same while they are in those countries.

Re:customer-centric

[silas_moeckel]

Actually they data is in Europe the judge is trying to say since they have access to it from the US they need to turn it over. The data is under the control of a division incorporated in Europe.

There is established procedure to get this it called ask the European courts.

Re:customer-centric

[Dcnjoe60]

You mean "Kill every company on the internet's business that serves customers in Europe and America."

Legal precedent would compel Google, and everyone else, to do the same stupid thing this judge has ordered, who is apparently unaware of international laws and seems to assume that US law is the only thing that exists or even should exist. If MS loses, everyone loses.

Actually, this same scenario happened with the banking industry and what the judge is proposing actually follows the international law and treaties that came out of it. In short, it doesn't matter where the assets are stored as to who has jurisdiction, but as to who has control over them. For instance if the IRA had deposits in Irish Allied Bank, but the cash was stored in the US, then the Irish Government could still freeze the account. So, if the data is stored somewhere else, but the company is headquartered in their land, why not the same thing?

Re:customer-centric

[Dcnjoe60]

Its an American's data stored under a European account in European servers.

Perhaps. But if it was an American, residing on European soil, there would be extradition procedures to follow. And those would involve having the local (EU) police generate their own warrant and make their own arrest based upon a formal request. The aprehended suspect would then be turned over to the requesting country.

The same sort of thing should happen here. The USA should make a formal request to the Irish court to secure the evidence and turn it over to US authorities.

That is true, but it's not about an American, but an American's data that is in question. You can only extridte people. If an American only needs to store their data in a foreign country to keep from complying with a warrant, then every criminal organization will do that. What the court is saying is that jurisdiction follows whoever has control over the data, which in this case is Microsoft, but could just as easily be drug cartel or terrorist group.

Re:customer-centric

[Atryn]

A judge is demanding a United States company to play by the rules of the United States? And you have a problem with that? US law is and should be the only law the judge needs to consider. If US laws are incompatible with other nation's laws, then don't blame it on the judge, complain to your legislators.

Another great reason for an inversion besides taxes.

Re:customer-centric

[niftymitch]

Except it isn't European data, Its an American's data stored under a European account in European servers. Small difference.

It is not the data that is the issue.

It is a US Judge requiring a company to reach out across international borders and
as an agent of the judge grab the data and spirit it across international borders and
deliver it to the judge. This something that the US judge could not require of the
State Department, CIA or NSA any other government agency to do.

If it was not data the rule would be more obvious. If a storage company had
a large box of cigars perhaps from some random country close to Florida could that
company be compelled to ship that box of cigars to the judge to determine
if the owner of the box of cigars was engaging in the trade of and trade with
a foreign country that the US has issues with. Only by inspection of the
contents of the box would the judge know.

Now it is possible that Cuban cigars are no longer the smoking gun of illegal
trade with Cuba but the point is that this judge is forcing a company to reach out
across international borders and do the judges bidding.

What if the company name was Blackwater Security Consulting (since renamed Academi)
and that company was directed by a judge to import or export anything or anyone
at the behest of the judge (with or without payment for services BTW).

If it was a physical container the decision in my mind is obvious
that the judge is reaching, reaching, reaching well beyond charter and
jurisdiction.

It gets more interesting if the transport of the physical container crosses
other international borders. Most nations have laws that prohibit trafficking
in stolen goods. So a packet map showing how each and every fragment
of this container traveled could also be a topic of a United Nations inquiry.
Blood diamonds, ebony, ivory... trafficking in crime tainted desirables and
this judge covets this stuff.

Re:customer-centric

[Whatsisname]

if the US wanted the contents of a safe deposit box in Europe they cannot legally seize it, doing so would be a violation of europan law

They can't take the box by force, but the US can instead throw you, the owner of it, in the slammer until you cough up the requested evidence. Where the evidence is, is irrelevant.

Re:customer-centric

[Dcnjoe60]

But if an American visits a foreign country, they and their property are subject to the laws of that county. We expect the same of foreign visitors entering our country. And if that foreign countries data protection laws differ from those of the USA, they should still be honored.

Having some foreign government insist on the right to root around in their citizens possesions while in this country, either as a tourist or a refugee would open up a human rights as well as an intellectual property can of worms. Imagine an H-1B worker's home country insisting on receiving copies of all of their work product while employed here.

But the criminal in question didn't visit Ireland and leave his data there. Microsoft didn't visit Ireland, either, but it did send the data there. Also, this is not tangible personal property. It is a bunch of electrons.

As for the H-1B worker, that is a strawman argument and has nothing to do with this. Here is a concrete example of what is going on here. I steal a painting in the US and send it via FedEx to Amerstam where it sits in FedEx's hangar waiting to be picked up. The feds arrest me and ask FedEx to send the painting back for evidence. Should FedEx say no, because it is now in their possession in a foreign country? Before you answer, the courts have already answered it and said yes, FedEx would need to return it as long as it is still in their possession.

Or, lets say two child pornographers both store the pictures they have taken in the US (so US law is broken) on Google's servers and one of the pornographers pictures happen to reside on a server under Google's control in Ireland and the other on a server under Google's control in the US. Is guy who had the luck of his data being routed to Ireland off scott free while the other guy goes to jail, when both of these accounts and servers are under Google's control? While the courts haven't answered this question, they have done so with banking and found that US banks must still turn over seized assets of US bank holders even if those assets are now held in foreign countries. Most other countries also have the same laws, too.

So, the question really is whether or not a criminal should be able to use a US company to hide it's data just because the US company has a server farm somewhere other than the US?

Re:customer-centric

[ShanghaiBill]

A judge is demanding a United States company to play by the rules of the United States?

NO! This ruling is not limited to only American companies. It also applies to anyone doing business in America. So if America wants banking records of a German citizen, living in Germany, they could compel Deutschbank to provide them. Likewise, if the Chinese government wants records for an American citizen's account at Bank of America, then America will have no reason to protest since BofA has offices in China, and the principle of extra-territorial subpoenas has been established. If Microsoft loses this case, it will be a terrible precedent, and a victory for oppressive governments all around the world.

Re:customer-centric

[Demena]

Excuse me but you appear to be mistaken. it is written in the US constitution that international treaties become part of US law. Where that introduces contradictions the treaty law applies. And judges have to repeat this. It may not apply in this particular case but it remains true.

Re:customer-centric

[nabsltd]

But if it was an American, residing on European soil, there would be extradition procedures to follow. And those would involve having the local (EU) police generate their own warrant and make their own arrest based upon a formal request.

If you had followed this case, you would know that this is exactly what the US tried to do.

The US asked an Irish court to issue a warrant to force production of the data. The Irish court refused to issue the warrant. So, the US issued a subpoena to Microsoft, who rightly told the US that although the data was on a Microsoft computer, the data was owned by a customer of Microsoft, therefore a warrant would be required. The US court then issued a warrant for Microsoft to produce the data. Microsoft refused, noting that the data was in a foreign country, and warrants are only valid when issued by a court that has jurisdiction over the location of the requested object/data/person. No US court has jurisdiction over Irish soil, thus we end up at today's story.

The actual point of Microsoft's appeal is that the US wants to have a court to be able to issue an order that has the all the advantages of both a warrant and a subpoena, while ignoring their limitatations. The problem with this is that subpoenas are allowed to be fairly vague and apply to anything that is "owned" by the target of the subpoena, regardless of where it is located. Warrants, OTOH, can force the target to hand over something they don't own but over which they have control, but can only request very specific items/data, and have to be issued by a court that has jurisdiction over where the item/data is located.

Re:customer-centric

[Bert64]

The data belongs to a US company, and is on servers which US based employees have access to. Those employees are beholden to US laws, and should retrieve the data if directed to do so by a US court.
Also the Irish company is a subsidiary of the US company. The Irish employees don't have to obey US law, but they do have to obey their bosses who in turn do have to obey US law.
So long as the data is stored on servers operated by an organisation which has a chain of command extending upwards in the US, they are beholden to the demands of the US government. The opposite probably wouldn't apply, as the Irish employees wouldn't have seniority over the US and thus couldn't compel them to do anything.

If they don't like it, the Irish part could be spun off as an entirely separate entity free of US control.

Re:More accuratly "self preservation"

[queazocotal]

By a not too unreasonable extension of the theory that allows the judge to compel microsoft to deliver things they control on a computer in another country - I see no reason exactly the same would not apply to compelling them to deliver a personalised update to one particular computer and deliver access to that computer - wherever in the world it was, and whoever owned it.

Re:More accuratly "self preservation"

[arbiter1]

Well its not just MS, ANY company. Google, Apple, etc would be effected by this as well.

And on a side note...

[MindPrison]

...anyone who seriously store sensitive information on a cloud service like free-email, should be spanked with a trout over and over again.

re I don't care

[jelizondo]

Frankly, I don't care if MS is standing up out of self-interest or for some other cause, the tyrants in D.C. need to be stopped. Period.

You can't apply U.S. laws to the world at large, regardless of your 'legal' standing.

Many U.S. organizations have presence and pay taxes in many different jurisdictions, making them subject to that particular territory's law. Will the U.S. allow some other country to violate U.S. laws because the subsidiary is present, in say, Aman and thus, by extension, the entire organization is subject to Aman's Law?

The answer is no, because jurisdiction is territorial. You can't apply Ireland's law to MS in the U.S. simply because they have a corporate office there, thus the reverse is true too: you can' t apply U.S. law to a subsidiary in Ireland.

Who owns it is irrelevant; corporations are legal entities of their own, regardless of ownership. Ships owned by, say Americans (most cruise ships for example), are registered in Panama, thus bypassing U.S. Labor laws because who owns them is irrelevant.

Trust me, you don't want to go there: it will open lawsuits against U.S. firms, under U.S. laws, against the owners of such ships and other corporations that use underage labor, exceed working hours / conditions, etc. in other countries.

It would basically make International Law obsolete as we know it.

It appears that the U.S. Government is bent in destroying the American economy while 'preserving' American security.

Globalization

[jmd]

I'm suspecting the zeal MS is showing in challenging the US gov't has more to do with laying the groundword of "nation-states" being neutered. This is about power in the future. If they win against the US gov't this is just one more nail in the coffin of the battle to make governments useless. This goes hand in hand with the Trans Pacific and other trade agreements. These things are designed to strip power from government.

This is just one more step in the march of capitalism that will likely destroy civilization in the long run.

Re:Globalization

[rsborg]

I would imagine it is laying groundwork for tax inversion.

I already replied in this argument, but this is probably the most insightful comment I've seen on this story. Setting up a very good reason why they should relocate their HQ for tax purposes (i.e., privacy of their files) seems a good PR move to offset any public outcry.

This is huge ...

[CaptainDork]

People and businesses and governments everywhere will be watching this one.

If America can force Microsoft to reach out to Ireland for data, then Germany (etc.) can force Microsoft to tunnel into America, right?

And, as mentioned, people, businesses and governments are already skeptical of the cloud, anyway.

People, businesses and governments may force "data nationalism" to become the norm.

Stop the US-centric crap already

[msobkow]

The US needs to wake up to the fact that they are not "world law." Their law ends at the boundaries of the US.

It doesn't matter if the email account in question is owned by an American. It doesn't matter if the servers are indirectly owned by an American company.

They are in a foreign jurisdiction and the US government needs to go through the judicial and legal processes of that jurisdiction if they want access to the data.

Quite frankly, fuck the "war on terror", the "war on drugs", and every other tired old excuse the US government and it's subservient courts use to try to justify shoving the US legal system down the world's throat.

They are not defying an order

[debrain]

Notwithstanding some really rare cases (e.g. interlocutory), which this does not appear to be, an order is unenforceable while under appeal.

Doing what an order asks is grounds for dismissal of an appeal, notwithstanding cases where acts are made explicitly with the agreement of the parties and sometimes affirmation of the court to be without prejudice to the right of appeal. However in cases of disclosure of information, the disclosure is generally a form of prejudice (since it cannot be undone) that undermines appellate entitlement.

So it is wrong to say they are are defying an order. They are doing what everyone does on appeal.

If they were to defy an order they could be held in contempt of court. That would be an interesting story.

Re:They are not defying an order

[Dcnjoe60]

Notwithstanding some really rare cases (e.g. interlocutory), which this does not appear to be, an order is unenforceable while under appeal.

Doing what an order asks is grounds for dismissal of an appeal, notwithstanding cases where acts are made explicitly with the agreement of the parties and sometimes affirmation of the court to be without prejudice to the right of appeal. However in cases of disclosure of information, the disclosure is generally a form of prejudice (since it cannot be undone) that undermines appellate entitlement.

So it is wrong to say they are are defying an order. They are doing what everyone does on appeal.

If they were to defy an order they could be held in contempt of court. That would be an interesting story.

Actually, the judge lifted the freeze on the court order, so Microsoft is in fact defying it. Microsoft states they plan to appeal, but until they do appeal, they are still defying it.

code reviews are perfect and impossible ?

[raymorris]

> Russian FSB has actually wrung Windows code reviews out of Microsoft so if they didn't find any back door in that code I'd say there are none to find...

So it's entirely possible to do a code review of an entire operating system and be sure that there are no vulnerabilities?
Of course, you can't be sure that something as simple as an ssl library is safe, but an entire OS is no problem. Despite the fact that there's no way to know if the code you're reviewing matches the installed binaries.

> there is always the option of doing a personal code review of what is it now, 200 million plus? lines of Linux source code and then compiling your own Slackware
Yep, that'd be even easier than the Windows code review, especially since thousands of other people have already done some initial review for you. You can then compile it yourself and know that the source code matches the binary, unlike Windows.

(The trojaned compiler attack is fairly trivial to defeat, so don't bother going there .)

Re:code reviews are perfect and impossible ?

[raymorris]

Pick two or three compilers from different sources. It's okay if they are all trojaned.
Compile each compiler with the other two compilers. Unless they are all trojaned in precisely the same way, including exactly the right cross-trojans for each other, you can see which one(s) can be trusted.

https://www.schneier.com/blog/...

Other defenses are also available. If you don't have the source to the compiler, you write a loop that automatically builds up the program line by line from "return 1". If adding one line of ansi C code adds several kilobytes of binary, there's a problem. Inspect the newly added portion using your choice of tool.

Re:Since when did Microsoft become a EU company

[drinkypoo]

Microsoft is headquartered and incorporated in the US and thus subject to US law.

Yep. That's completely true. So if there were some data held on a server in the EU, and a judge decided it was relevant to a lawsuit and demanded that it be presented, they could reasonably hold some representative of the corporation to be in contempt of court until such time as they produced the data in question. However, it would not actually establish any entitlement to that data, nor make it not a violation of various laws if they were to seize it be force.

QED.

QED, what you have said is irrelevant.

US laws ---- vs the world and blowback

[doginthewoods]

The US is in a weak position, because in order to create a uniform standard of international law to address this sort of thing, the US will have to work as an equal with other countries who are already suspicious of US motives. The US knows this, which is why they are trying to bulldoze their way through this. The issue here is international law, and the laws of other countries involved. The HUGE problem is this: If MS is forced to turn over the data that is in another country (and possibly causing MS to violate the laws of that country) , then another country, using exactly the same ruling, could force a US company to obey its laws. Here's and example: Russia finds a worm , virus, whatever in some software that it's government is using, and that their data was stolen. Russian law allows confiscation of all computer hardware and the people involved held in jail until trial in Russia. The Russian government decides that the infection was present in software that was on the computer at the time of purchase, and as a result that company must have Russia's data, so now Russia can send its enforcers over here and confiscate..... Ooops. What MS is doing is trying to prevent a very shortsighted US ruling of opening a Pandora's box that can be used against the US.