Microsoft Agrees To Contempt Order So It Can Appeal Email Privacy Case
An anonymous reader writes: Microsoft made news some weeks ago for refusing to hand over customer emails stored on its Dublin, Ireland servers to the U.S. government. The district judge presiding over the case agreed with the government and ordered Microsoft to comply with its demands. On Monday, Microsoft struck a deal with the U.S. government in which the company would be held on contempt charges but would not be penalized for it until after the outcome of an appeal. The district judge endorsed the agreement (PDF) on Thursday.
First time I've wanted to actually compliment Mickeysoft on something in years.
Just another day in Paradise
The ruling applies to anyone doing business in the United States. So it would apply to European companies having a cloud that included the USA as well. What it will mean is either:
a) Europe and the USA create a treaty covering this so there is black letter law
b) There are not global clouds
c) There is a de facto situation where the USA rules governing warrants are enforceable for most everyone and anyone not wanting to be subject to USA warrants needs to stay on Europe only cloud services.
Microsoft has already hedged themselves in Europe by informing their customers that using Azure is agreeing to export and to not upload any data which would be illegal to export. So legally they should be fine in Europe. I think they are very worried about (b) becoming the outcome. I just don't see it though. Apple, Google, IBM, Amazon... all face the same issue. Corporations want global clouds. They are probably on balance hostile to European privacy laws. The pressure is going to be applied to European governments to go towards (a) or (c).
Better yet: D) Microsoft incorporates (entirely or just the relevant business areas) outside of the US and tells overstepping US judges to go f#ck themselves.
The physical location of the data matters because of European Data Protection laws. Microsoft would run afoul of the laws of Ireland if they gave data stored on servers in Ireland to a third party without the actual owner of the data agreeing or a court order by an Irish court. The government lawyers obviously tried to argue that they don't need an Irish court, and the U.S. judge at first bought the argument. And now it seems as if the U.S. court might have changed its mind but want this to be sorted out by the higher court.
The previous poster implies that the law applies to ANY company doing business in the US. If that is the case, Microsoft would have to stop doing business in the US.
There needs to be a clarification of the law as to the scope of jurisdiction and whether it is domestic or international law that applies.
The scope of jurisdiction in the ruling is clear cut. Physical presence in the USA. BTW there is no law. This has been existing law for two centuries. It is just being applied to computer data the same way it was to objects and paper historically. The difference is that law enforcement agencies didn't ask for multiple shipping containers full of paper documents but with big data search tools are perfectly comfortable asking for those kinds of quantities of electronic data.
In terms of USA law the law enforcement agencies are using established international channels and legal orders. They aren't doing anything different from what they've done for decades. Microsoft is asking to do something different because the frequency and quantity as opposed to the previous situations with paper records is skyrocketing.
Also it is important to understand that between WWI and the 1970s we lived in a world where governments were mostly mildly hostile to international trade. Governments were perfectly comfortable with lower levels of international trade and laws that mildly discouraged trade. You really have to look at the colonial age 1812-1914 to really have a period comparable to today where governments were strongly pro-trade.
I don't think Microsoft has a problem. Imagine for a moment that all customer data on European Azure was always copied back to the USA. That wouldn't be illegal. Now imagine that some European application used copy-Azure for their data storage which had personal data. That's what would be illegal.
Microsoft has already told their European customers don't store information illegal to export on European Azure. I'm not sure that Microsoft can be held responsible at this point. They've made it clear that they are structurally unable to comply with European privacy laws in Europe while fighting with the USA to change USA law.
I don't think you get the real problem. It's not about the export of data (which is not at issue here), it's disclosing private data to a third party. This doesn't mean export - even if the third party in question appeared in Ireland in front of the data center, this still would be illegal.
Because Microsoft will become persona non grata in Europe if they are required to hand over data to the US against local law.
This has always been something people have warned about ... the PATRIOT act basically says "we can force any company to hand over your data from anywhere in the world, and we don't give a damn about your laws and it stays secret".
So Microsoft is in the position of complying with the US government, and losing business elsewhere ... or telling the US government to shove it.
When the US has decided their secret laws trump the laws of every other country, this was inevitable -- and people have been warning about this for years.
I know many governments already basically say "you can't store government data in a US cloud service or on a US server" for exactly this reason.
Basically, the US passed a law which put companies between a rock and a hard place. And now they have to choose between long term profits, or America's zeal for security.
Quite frankly, the US needs to get slapped back down and told by the rest of the world not our fucking problem.
Lost at C:>. Found at C.
First time I've heard that in years... How's the weather in the 1990's ?
Microsoft has already hedged themselves in Europe by informing their customers that using Azure is agreeing to export and to not upload any data which would be illegal to export. So legally they should be fine in Europe.
Just because they put something in a license, doesn't make it legal.
For instance, EULAs are meaningless in a number of European countries.
Also, contracts do not trump law. So if there are laws that prohibit this, the contract (or at least those specific terms) is invalid.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
They already do this. Microsoft Ireland, Microsoft UK ltd. Etc.
Whatever this costs Microsoft in fines and legal costs is going to be paltry compared to the revenue they have likely been losing from overseas business since the Snowden revelations. Doing this puts on a good show that makes it look like they care about they are fighting the U.S. government to protect their customers. Deep down I wonder how many of their executives want to see Snowden locked up as well.
I get that it would be illegal in Ireland. The issue is whether it is illegal in the USA. That's where the disclosure is taking place.
Take for example a situation where a European uses Gmail. Clearly they understand that this is governed by USA law and a USA warrant would apply. The issue here is that Europeans on /. believe that this wouldn't apply to Azure because Azure is "in Ireland" which is factually untrue and Microsoft has officially notified their customers it is untrue.
Yes that is what I'm saying. The US government in fact has notified American companies and customers that is the rule. That Huawei answers to the Chinese government and they should not store things they wouldn't want China to make use of for its own purposes. This isn't a situation where the USA is being hypocritical this is a situation where Europeans want to apply a geographical model and the USA wants to apply a financial model. In addition to just factually asserting this is the law I think a financial model makes more sense on the internet because "where" is quite slippery when we talk about networked computers; while who is usually still able to be determined.
It is actually illegal. You can't deliberately engage in activities to make it more expensive or complex for law enforcement to search subpoenaed records. That's contempt of court.
But where did the crime occur? No one argues that gmail is subject to these privacy laws because gmail is known to copy information to the USA. The problem here is that Europeans believed that Azure Europe wasn't part of a global system. Now Microsoft has informed that isn't true. Uploading to Azure is transferring data to the USA. It is not Microsoft doing the transfer but their customers. Their customers are now prohibited from uploading data that it is illegal to export. They are the ones breaking the law.
What law in Europe prevents a company from copying their own data?
What law in Europe makes it legal to deliberately copy data to the USA and then argue the American company that accepted the data is the one violating the law?
I imagine that criminal law has been updated to the same standards as civil law, under FRCP you can no longer bury the opponent with paper, if they make a request for digital records in a digital format then you must supply the records in that format if it is at all reasonable to do so (ie if you ask for PDFs from email that is reasonable, as would be TIFF, but .123 files would probably not be reasonable unless the source documents were in that format)
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I'm not sure that is ever true. But we certainly aren't using military force in Europe. There are Europe only cloud companies and last I checked we didn't hit them with cruise missiles.
Let me just say the US postal service can open letters with a warrant. The issue for privacy of correspondence was about them doing it without one (i.e. random searches in transit). What the European /.ers are asking for is that warrants simply don't exist at all and the postal service freely, openly and deliberately act to facilitate crime. (I get that the warrants can pass between countries and so this analogy doesn't quite hold).
But in general and not in this specific, it is a real problem how the laws are being applied selectively. Far better than the courts having to guess how best to apply old laws to new technology would be for congress to create black letter law making it explicit. That's what should be happening.
MS can sell data to anyone they want, including USG. If they win this, then they can charge USG a much higher price for access than the 'reasonable costs' for responding to a court order.
That's not quite accurate.
If the intent is to make it more difficult... then you best not have any evidence that it was done deliberately then you will be in for a world of pain.
If however it is part of your normal business processes and as a side effect it makes law enforcement's job harder... that is still perfectly legal.
Help Brendan pay off his student loans
What law in Europe prevents a company from copying their own data?
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
The company in this hypothetical has the data electronically is refusing to turn it over electronically and instead prints it. Obviously a company that only uses paper records is free to hand those over and doesn't need to create electronic records.
OK good example. Given the structure of Azure and your laws it seems to me the company was violating German law when they stored emails on Azure. Azure has always been managed out of Washington and thus Americans have always had access. The question (which IMHO isn't really a question it is too clear cut) is whether a court can compel Americans to use their access not whether they had it.
A directive is not a law. Moreover the directive is binding on Ireland not Microsoft. It is Ireland that needs to pass laws. But even if we ignore that your interpretation is questionable. "Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law," Which is clearly the case here. There is an official authority the USA federal government, the regulator for Azure. You may not like the particular authority but I could easily see Ireland arguing they are fully compliant with the directive.
Correct, Lavabit tried just that ( http://nakedsecurity.sophos.co... ) and was held in contempt for it ( http://www.theguardian.com/tec... ).
It is actually illegal. You can't deliberately engage in activities to make it more expensive or complex for law enforcement to search subpoenaed records. That's contempt of court.
Emphasis in your quote.
As gets mentioned every time this story appears on slashdot, this is a warrant not a subpoena. The two are different tools. Both are used to find things but one is clean and neat, the other broad and aggressive. As a parallel, a subpoena is a scalpel and a warrant is a chainsaw.
A subpoena says 'We know you have this specific information, provide it to us within a time frame'. They get subpoenas of this type all the time. There is no dispute a subpoena would get the document no matter where in the world Microsoft held it.
A warrant says 'We will search for and take anything even remotely related to this, search it ourselves on our own terms.' When they demanded dumps of servers and copies of databases they were told the servers were in another nation and were not subject to a US warrant.
As was discussed in the previous incarnations of this story, the warrants are rather broad demanding they turn over everything related to the email address and user in question even if it isn't related to a criminal investigation. They want it all, everything the user ever touched or potentially touched, everything sent to the user, everything related to the user. While government investigators can usually get that through a broad warrant, they cannot get that with a subpoena. A subpoena would give them the specific emails related to the crime under investigation, but it is quite likely they already have the specific documents they could ask for.
//TODO: Think of witty sig statement
Again; all that is meaningless if it contradicts local laws.
If Microsoft wants to sell to users in a country that has laws that Microsoft cannot obey, then it cannot sell regardless of any claims or notifications they make.
Microsoft is obeying the law now. Cutting out the middle man, when a user uploads data that user is exporting the data to countries without protections. Including the middle man: when application uses Azure as its backend that application is certifying that all its data is legal for export. Gmail isn't illegal in Europe.
Go to Azure website and read the terms of service they are crystal clear that law enforcement has access. I don't know what they said in private but I do know what they've said in public. They have never claimed that the US group that administers Azure doesn't have access to everything on Azure. This is the reason they sell Azure pack: http://www.microsoft.com/en-us... . That way a company can use Azure technology and Microsoft doesn't have Azure.
The article linked seems odd since it certainly has Microsoft saying the opposite of the truth. The author is probably misunderstanding something. For example confusing Azure technology with Azure cloud service.
OK. So assume I'm right that the Americans always had access. Were the German companies who uploaded the emails in the first place breaking the law?
In this case, the disclosure takes place in Ireland, as the data is actually stored there. And that's sufficient here to fall under irish legislation.
Not so simple if they knew Americans had the ability to copy at will. That makes the upload the criminal act.
Can everyone agree that there exists information that is legal to export from an EU country and there exists information that is illegal to export from said EU country? If so, then how is Microsoft in violation of the law if it tells its users that anything uploaded may be exported and to, therefore, not upload non-exportable things? Are we now expecting companies to employ the magic fairies to divine which uploads contain exportable data and which do not?
Well put. I'm not sure why the European /.ers are having such a hard time with this.
Employees of Microsoft working in, living in and generally citizens of the USA.
EU Directive 95/46/EC is a directive to countries in the EU to implement laws. It isn't a directive for Microsoft. What it does say is that the countries need to implement laws which protect privacy. So first off it is the laws that come from the directive not the directive that have anything to do with Microsoft. Now if we tried to apply the directive directly to Microsoft one of the exceptions is law enforcement which would apply in this case, so I'm not even sure there is an issue at all under that directive. But assuming there is an issue rules that govern companies preventing them from exporting data to countries not bound by such laws. The USA is clearly a country that doesn't support European privacy laws. So Microsoft by announcing that all data uploaded to them is exported would be a non-complying company and thus it would be illegal for other companies in the EU to share personal data with them.
Which is to say applications that store personal data can't use Azure as their backend. Which is precisely what Microsoft is telling their customers.
If you snail-mail a letter from one EU country to another EU country, are you also exporting that letter to the US?
Microsoft claims that uploading data to a European server is the same as exporting data to the US.
European laws may prohibit that re-interpretation, making it invalid.
Well again I disagree that Azure ever claimed to be an EU datacenter. They claimed to be a global cloud service that used an EU datacenter for delivery. For example if I created content in Italian I can upload it to Akamai in the USA and it will distribute locally to Italy. On the other hand if someone in Mexico wanted to watch it and I allowed that, Akamai would pass a copy over to them in Mexico. Akamai is a global network.
But how is Microsoft going to know what customer data is legal to export and what is illegal? Holding Microsoft responsible for that is incoherent. Their policy is anything in Azure must be export legal because they freely move data all the time.
The EU's laws assumed a corporate owned data center for a one country company. They really don't make sense for global companies. They don't make sense for hosting companies with international backup and/or DR. They don't make sense for cloud companies. I think what's going to happen is best practices are going to emerge. And those best practices are likely going to say European companies have to use Europe only cloud, DR, backup, distribution services. They can't be on the global internet because they want protections that the global internet doesn't provide. Which means a European version of Azure. Which is fine, Microsoft licenses Azure's technology and there are Europe only hosting companies. Likely a Europe only version of Akamai. OpenStack of course is no problem. Amazon doesn't sell their technology and won't but OpenStack has a rapidly developing AWS command set so European hosting companies can just use that. Etc...
A lawyer isn't going to add much. European hosting and cloud companies are just going to experience a ton of new employees.
What Microsoft is doing is standard US legal practice. They want an unambiguous appealed all the way up ruling. Everyone is agreeing to move forward this way. Which means the contempt fine will just be token. I think both the judge and the government see the problem. Were the government serious about wanting the data they would not accept a fine. Instead something like the court issues a warrant, the FBI would walk into the Azure USA hosting location and tell the employees to move the data now or face immediate arrest. Which BTW could happen the next time. Probably one of the reasons Microsoft is fighting this one is because the prosecutor doesn't care very much and everyone agrees this case is to set precedent. Remember America is a common law country not a civil law country like most of the EU. So I think you are reading much too much into Microsoft fighting this.
As for the article. The article is wrong on the facts. So I think the article is confusing Azure pack where what's said in the article is true with Azure cloud service where the whole system doesn't work that way.
Or another possibility is that contrary to European /.ers EU regulators are fine with US courts having the ability to seize documents because they don't like the privacy laws and think they interfere with law enforcement. We do know of other situations where European governments have used the USA legal system as an end run around their own courts and legal systems.
I don't think Microsoft would promise something they could never deliver in their contracts. I've never seen them do that. If this were EMC, then sure that would be possible. But Microsoft doesn't like to go into obvious breach of contract.
Colonial powers did use force to get people to at least be in a position where they had to trade with the colonizing power or suffer. The opium wars were about the Chinese trying to ban the sale of opium and the British using military force to overturn that ban.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
The USA I don't think ever forced markets open with violence. Japan there was a threat of violence but to the best of my knowledge that's the worst we've ever done. The British I agree forced markets open that way. Though I think you are missing a bit of context on the opium wars.
I think this is our core point of disagreement. I'm asserting this is 100% false.
a) What they say unambiguously under the security section of their website
b) What is unambiguously true about their architecture
c) That they offer another product that does do what you are claiming Microsoft is promising to do with Azure Cloud Service because Azure Cloud Service doesn't offer this sort of protection.
I think that's pretty good evidence you are dead wrong about them making the promises you are claiming they are making. Clearly if Microsoft is promising to European customers that their data can't move while running a system administered in the USA that's a real problem. That's simply fraud, forget about the disagreements regarding EU data laws.
And that's not quite what's happening here. MOIL is leasing a physical data center from another Microsoft subsidiary. They are purchasing port from a variety of network connections. MOIL is buying services from Microsoft USA but get them at a discount since they are bringing their own infrastructure. MOIL is selling a service to Europeans based on those things. MOIL is not the one offering the service however they are just offering to resell it. Same as when MOIL sells licenses for Microsoft Office and Microsoft Windows, neither of which they write.
MOIL does not operate Azure. I am an Azure channel partner. I can resell Azure. With other cloud services (not Azure) I could even white label them and sell them under my company's brand name. That doesn't mean I get to run them or set policy. MOIL just sells Azure and rents some physical infrastructure that Azure uses. Azure is not Irish, it doesn't claim to be Irish and it doesn't operate with European law. It is an imported good.
MOIL has already told companies they can't follow Irish data protection laws so don't upload that stuff. Unambiguously and publicly.
MOIL employees don't do anything. It gets done by USA employees. The second you upload any data of any kind to Azure anywhere in the planet the USA administrators have access to it. The breach of European privacy laws doesn't happen when Microsoft hands the data over, it happens on upload. Which is what they say publicly. The defense is not going to be "Uncle Sam made me do it" the defense is going to be the people who uploaded the data exported the data to the USA as was clearly publicly indicated on Microsoft's website.
Now if you are correct (and again I doubt it) that MOIL Europe is making promises they can't keep about this data being private in these secret contracts you claim exist, then certainly they are going to answer to European courts for having made those promises. In which case MOIL gets fined and pays damages for having made promises that Microsoft USA, from whom they are buying the service, has no intention of honoring.
___
The problem as far as a lawyer goes is these secret contracts. That's the point of dispute. We aren't disagreeing about the laws. In practice I do agree a lawyer can help with how they are interpreted. What I suspect is that the laws are going to have to be weakened in practice since Europeans want to be pa
If you send that letter through a courier service that tells you before you give it to them that they will make a photocopy of the letter and send the copy to the US and tell you not to use their service if all of that would violate the law because they don't read the letter to verify whether it is in violation of the law, then continuing to use them is not the burden of having violated the law on you instead of the courier service?
How is it that the EUers seem to want to totally exonerate individuals and vilify corporations and their employees when the individual lies to the corporation and the corporation believes them without verifying when the only way to verify would be a total invasion of the individual's privacy?