Slashdot Mirror

← Back to Stories (view on slashdot.org)

Court Denies US Government Appeal in Microsoft's Overseas Email Case (pcworld.com)

Posted by msmash on from the doing-what's-right dept.

An equally divided federal appeals court refused to reconsider its landmark decision forbidding the U.S. government from forcing Microsoft and other companies to turn over customer emails stored on servers outside the United States. From a report: The U.S. Court of Appeals for the Second Circuit, in a 4-4 decision Tuesday, declined to rehear its July decision that denied the DOJ access to the email of a drug trafficking suspect stored on a Microsoft server in Ireland. Microsoft has been fighting DOJ requests for the email since 2013. The DOJ has argued that tech companies can avoid valid warrants by storing customer data outside the U.S. Judges "readily acknowledge the gravity of this concern," but the 31-year-old U.S. Stored Communications Act (SCA) doesn't allow worldwide search under a U.S. warrant, wrote Judge Susan Carney. "We recognize at the same time that in many ways the SCA has been left behind by technology," Carney wrote in Tuesday's decision. "It is overdue for a congressional revision that would continue to protect privacy but would more effectively balance concerns of international comity with law enforcement needs and service provider obligations in the global context in which this case arose."

42 of 71 comments (clear)

  1. Read as: by Anonymous Coward · · Score: 2, Insightful

    DOJ butt hurt about ruling continues to.seek unfettered access to all data regardless of where it is or who owns it.

    1. Re:Read as: by saloomy · · Score: 4, Insightful

      The DOJ is butt-hurt. But too bad. The US can't just decide that their warrants are valid EVERYWHERE, just because a company operates in the US as well. What happens when China wants data stored by Boeing in the US, because Boeing has offices in China, and there is a law-suit? There is a reason why the laws are written like this. If the drug traffickers data was so instrumental to the case, and the justification for the warrant is so compelling, then the US attorney should contact authorities in Ireland and seek the Irish courts to issue a warrant to MS.

      If there is anything fishy, they won't go that route, and if there isn't, an extra set of judicial eyes on the facts of the case can't hurt.

    2. Re:Read as: by Anonymous Coward · · Score: 1

      The US can't just decide that their warrants are valid EVERYWHERE,

      Well yes they can, in this case they decided otherwise. But even if they did, nobody else really HAS to listen. Despite what most Europeans may think about their "Right to be Forgotten" laws.

      What happens when China wants data stored by Boeing in the US, because Boeing has offices in China, and there is a law-suit?

      What happens is that Boeing can either give up the data, or they can shut down their China-based operations. And why bother with hypotheticals, when you could easily have come up with all sorts of actual real-world examples?

    3. Re:Read as: by bradley13 · · Score: 2

      "why bother with hypotheticals, when you could easily have come up with all sorts of actual real-world examples?"

      FATCA. Banks everywhere. 'nuff said...

      The US can and does try to push its law into other countries, where is clearly has no jurisdiction. Sometimes it succeeds. The rest of the world is getting fed up with this. If the US does try to push this, European privacy laws could well be the hill that US influence dies on.

      --
      Enjoy life! This is not a dress rehearsal.
    4. Re: Read as: by saloomy · · Score: 1

      That may be so, but you can't expect a corporation like Microsoft to be caught between US warranty laws and EU privacy laws. Somewhere the system has to accommodate the diverse laws in place, and jurisdiction is the solution to that problem

  2. Reciprocity? by scsirob · · Score: 2

    So, is US congress now going to change the law so a US judge can permit the US DOJ to access foreign servers? May we assume reciprocity, so that other countries can then serve warrants to providers in the USA and legally demand access to data stored on US soil?

    I think not..

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
    1. Re:Reciprocity? by alexo · · Score: 1

      So, is US congress now going to change the law so a US judge can permit the US DOJ to access foreign servers?

      Not really. The way I understand it, the idea is for the US congress to change the law so a US judge can permit the US DOJ to force a US company to surrender data that it stores on foreign servers.

    2. Re:Reciprocity? by vux984 · · Score: 1

      To be fair, to properly police a multinational corporation you really do need a multinational police force.

      I agree that we shouldn't be looking to change the law so that the US DOJ can simply access foreign servers. But we SHOULD be strengthening the ability of inter-national police forces to prosecute cases; to streamline international discovery. While the US can't and shouldn't try to enforce laws extra-nationally -- at the same time a multinational shouldn't be immune to prosecution by virtue of being simultaneously in multiple jurisdictions.

    3. Re:Reciprocity? by Anonymous Coward · · Score: 1

      There are processes in place for that already. And to most of us who daily work with people in other countries, regularly travel abroad etc. that would all seem relatively simple and obvious.
      However US law enforcement is stuck in a past where talking with someone from a foreign country, or worse even travel there to get things done is considered an unthinkable burden. So if such a need arises, they try to club it through on the US side, wasting everyone's time, and when it then predictably fails they tend to just drop the case. Because you know, fucking foreigners, can't be expected to deal with that.

    4. Re:Reciprocity? by Aighearach · · Score: 1

      No, SCOTUS will overturn this because very-well-established precedent says that US companies, including their controlled subsidiaries, have to obey all US court orders. Americans traveling overseas does not stop them from having to obey US law. Maybe US laws are only applicable inside the US for specific reasons, but in general US law applies to Americans and American companies at all times.

      An example, it is illegal for Americans to communicate with foreign governments for the purpose of affecting their response to US foreign policy; it is illegal for Americans to bribe foreign governments; it is illegal for Americans to have sex with minors in foreign countries. These laws are not legally controversial or gray areas, they are well-established.

      Strange rulings at the lower and intermediate levels are to be expected, but this is heading for a unanimous ruling at the SCOTUS.

    5. Re:Reciprocity? by gweihir · · Score: 1

      You have that backwards. And, coincidentally, with the last presidential elections the US has started to do it to itself with a wire-brush...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Reciprocity? by vux984 · · Score: 1

      There are processes in place for that already.

      They are not especially efficient or streamlined though. Which is why international crimes have to reach a much much higher bar before anyone even tries prosecuting them.

      I don't disagree with the rest of your post.

    7. Re:Reciprocity? by Aighearach · · Score: 1

      It has nothing to do with foreign servers though, it is about the DoJ telling US companies to turn over documents that are held by subsidiaries that they control. All of that happens in the US.

    8. Re:Reciprocity? by Kjella · · Score: 1

      An example, it is illegal for Americans to communicate with foreign governments for the purpose of affecting their response to US foreign policy; it is illegal for Americans to bribe foreign governments; it is illegal for Americans to have sex with minors in foreign countries. These laws are not legally controversial or gray areas, they are well-established.

      Extra-territorial laws where Americans are required to simultaneously uphold both US and local law are well-established. Extra-territorial laws that compel Americans to break local law would be extremely controversial. If US law says you drive on the right and you go to Britain where people drive on the left then obviously you follow local law. If you can't do that, then you can't drive. If you can't do business in the EU without breaking local law, you can't do business there. The US supreme court can say what they want. If Microsoft complies then Ireland should start putting Microsoft Ireland executives in jail and file extradition charges against Microsoft's US executives for crimes in Ireland against Irish law until they stop. It's really that simple.

      --
      Live today, because you never know what tomorrow brings
    9. Re:Reciprocity? by mrbester · · Score: 1

      It has everything to do with foreign servers because that is where the data is held. This data is also protected by the laws of the country it is held in from extradition just because a foreign party (in this case the US Govt is the foreign party) wants it.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    10. Re:Reciprocity? by rtb61 · · Score: 1

      More simply, extradition laws could be extended to include data, catch, no secret extraditions must be public because the affected citizen has the right to defend it, not a warrant but a data extradition request. The local government would than serve the warrant for that data in order to provide the data requested under the legally fulfilled data extradition request.

      --
      Chaos - everything, everywhere, everywhen
    11. Re:Reciprocity? by bsolar · · Score: 1

      As long as you accept it's a two-way street.

  3. Another solution by Okian+Warrior · · Score: 4, Insightful

    So, is US congress now going to change the law so a US judge can permit the US DOJ to access foreign servers? May we assume reciprocity, so that other countries can then serve warrants to providers in the USA and legally demand access to data stored on US soil?

    I think not..

    Another solution is to pass a law saying that all US citizen data has to be kept in servers in the US.

    The benefit is that foreign countries don't get to access our citizens' data as easily (Russia, China, Canada).

    The *real* solution is that E-mail and other data should be encrypted end-to-end, where the provider and location don't matter. Proton mail and Lavabit come to mind.

    I remember when DropBox first came out, it required a driver to install (in WinXP) to synchronize the data to the cloud, and asked whether they had any plans to add encryption. Their response was "Oh, we'll never add encryption! That's the end-user's responsibility, and besides... it's haaaaaard!"

    We need turn-key solutions. If good security is a checkbox "make my messages private", more people would use it.

    1. Re:Another solution by Falos · · Score: 1

      "[we have] encryption with zero key management" is a phrase I've seen touted as a feature. And something that, not just "will be" but "has already gotten" ...increasingly popular with vendors.

      It's not even a question of jurisdiction or ethics or legal rights, the reality is that sometimes (anywhere between some and all) private effects can't be accessed, not mere "should/n't".

      You might as well discuss the legal reach allowed to federal time travelers.

    2. Re:Another solution by Kjella · · Score: 1

      Another solution is to pass a law saying that all US citizen data has to be kept in servers in the US. The benefit is that foreign countries don't get to access our citizens' data as easily (Russia, China, Canada).

      Which would be a massive legitimization of Russia and China's nationalistic social media policies to make people only use services under Putin and the CCP's control. If US data is not safe in the EU, why is EU data safe in the US? And you're flipping the situation on its head, only the US is crazy enough to demand data from an Irish subsidiary. You think Ireland would demand data from a US subsidiary through Irish courts? The US would go ballistic. The US is asking for other countries to accept what it would never itself accept.

      --
      Live today, because you never know what tomorrow brings
    3. Re:Another solution by BitterOak · · Score: 2

      Another solution is to pass a law saying that all US citizen data has to be kept in servers in the US.

      What about e-mail or other service providers that don't have servers in the U.S.? Would it be illegal, under your framework, for U.S. citizens to sign up for e-mail or other data accounts with foreign providers with no U.S. presence? How exactly would enforcement work?

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  4. Work at the White House by Okian+Warrior · · Score: 5, Insightful

    USA is all that matters, the rest of the world can go fuck themselves.

    You should apply to work at the White House - I hear they're hiring.

    1. Re:Work at the White House by Anonymous Coward · · Score: 2, Insightful

      He's probably not rich enough to be accepted.

  5. Damn straight, skippy. by AnotherBlackHat · · Score: 1

    The DOJ has argued that tech companies can avoid valid warrants by storing customer data outside the U.S.

    It's not a valid warrant, because the court that issued it doesn't have jurisdiction.

  6. The ironic Catch-22... by geekmux · · Score: 4, Funny

    (Billionaire US business owner) "Hell yes! Go after those dirty drug dealers! Those bastards shouldn't be able to hide their evils in another country!"

    (Billionaire's accountant) "Sir, might I remind you that your tax haven data is stored in Ireland..."

    (Billionaire US business owner) "Nevermind! Those meddling DOJ bastards don't need access to anything."

    1. Re:The ironic Catch-22... by green1 · · Score: 2

      Which is why the DOJ will be given access, but the IRS will not.

      Politics is a game where the top 1% write the rules, you know who's favour they will be in.

  7. and this court was right to decline to make law by raymorris · · Score: 1

    This court was right, I think, to write that although there are problems either way, it's not the job of the court to rewrite the law - that's up to Congress to fix it.

    One possibility is that Congress won't allow warrants on foreign *servers*, but will allow some form on subpoenas on US *companies* who possess evidence about people in the US.

    One reasonable argument (maybe right, maybe wrong) is that if a US company has some evidence about a US person, related to a US case, they can, after a court hearing, be subject to a US subpoena. Where the US company chose to physically store the bits isn't all that relevant, some would say. Anyway, the court is correct, I think, in saying the Congress needs to work out the law on this - the court doesn't need to rewrite the law.

  8. Speaking of the DOJ... by Anonymous Coward · · Score: 1

    Speaking of the DOJ and government...

    AN IMPORTANT MESSAGE FROM MIKE PENCE
    WASHINGTON (WHPB)—Vice-President Mike Pence has issued the following message to the American people:
    Dear American People,
    What with all the hoopla and hullabaloo of Inauguration Week, we didn’t really get a chance to get to know each other. And so, if you don’t mind, I thought that I’d take a minute or two to tell you a thing or two about Mike Pence.
    I’m what most people would call a “fun guy.” In my spare time, I enjoy golf and heterosexuality. And I’m something of a voracious reader. My favorite book, of course, is the Bible, but I enjoy other books, too. I’m a big fan of “The Da Vinci Code,” which has a lot of stuff about the Bible in it. And Paul Ryan just gave me a copy of “Atlas Shrugged,” by Ayn Rand. I just started reading that one, so I haven’t gotten to any parts in it about the Bible yet, but it’s darn good.
    Another thing I read recently, and it’s probably become my second-favorite piece of reading material right after the Bible, is the Twenty-fifth Amendment to the United States Constitution. It’s all about how to remove the President and replace him with the Vice-President. I have to admit that it was a kick to start reading the dusty old Constitution for the very first time and see yours truly right in there!
    It turns out that the Twenty-fifth Amendment says that the country can remove the President if he is found to be “incapacitated.” That can mean anything from physically incapacitated, like being in an irreversible coma, to mentally incapacitated, like being seen raving like a lunatic during a visit to the C.I.A. Either way, if folks decide that it’s time to put a fork in you, see you later, alligator!
    Whenever I read something great, I tell everyone I know to go out and read it, too. And so, my fellow-Americans, I encourage each and every one of you, history buffs or otherwise, to read the Twenty-fifth Amendment today—especially Section 4, which is a little complicated but really exciting, too. If you enjoy reading it as much as I did, let me know. I’m in my office in Washington and you can reach me anytime—I’m of sound mind and body.
    Well, I’m super-glad we had the chance to get to know each other a little better. Until next time, here’s Mike Pence saying, God bless America. And God bless the Twenty-fifth Amendment.

    -MP

  9. Wrong tool for the job. by Frobnicator · · Score: 2

    The DOJ is butt-hurt. But too bad. The US can't just decide that their warrants are valid EVERYWHERE ... If there is anything fishy, they won't go that route

    The problem -- which the DOJ and other parties absolutely know -- is that they are using a warrant.

    You say they won't go that route if there is anything fishy, but the fact that they are attempting to use a warrant is extremely fishy.

    There is an enormous difference between a warrant which they are using, and a subpoena that they would be trying to do if the one person in the case was all they wanted.

    With a subpoena the company must produce information. They must produce the information no matter where it is held, and they must produce it as binding evidence. If they really want to capture the one person, a subpoena to provide all the information about the request is a simple matter. The government gets copies of all the documents they are demanding, particularly all the business records related to the subscriber. Since the DOJ is claiming they are trying to catch a subscriber and the people they're email, these subpoenas are more than enough.

    With a warrant to collect a server, they get the entire physical server. And the government gets to make a copy of the server, and search it for whatever they think is relevant to the information. A warrant means they can take all the objects so they can prevent evidence from being destroyed. They can also collect for more information from the customer about the contents of the communications.

    The DOJ could take measures to collect the information using tools other than a warrant that provide all the information and require Microsoft to keep it confidential. Instead of use those, they continue to demand a warrant to seize the entire server.

    --
    //TODO: Think of witty sig statement
    1. Re:Wrong tool for the job. by mrbester · · Score: 2

      Even if there is a subpoena, that again is irrelevant to obtaining data held in a different jurisdiction as, just like warrants, they have no legal force whatsoever outside the country of issue. If one is issued in Eire, then fine. Until then, tough shit.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    2. Re:Wrong tool for the job. by bsolar · · Score: 1

      I think the correct tool in this case would be an international letters rogatory requesting judicial assistance from Ireland, where the data lies.

  10. This is great by Actually,+I+do+RTFA · · Score: 1

    This is how I want tech companies to protect my privacy. With a four-year lawsuit designed to delay handing over my data (and it ultimately won!). Compare and contrast to Lavabit, which decided to shut down in 2013 after printing out its private keys in 2-pt. font.

    --
    Your ad here. Ask me how!
    1. Re:This is great by Anonymous Coward · · Score: 1

      Compare and contrast indeed.

      Microsoft, a huge multinational corporation, with billions in cash reserves and a legal department that could be a law firm by itself, had to go up against the Department of Justice (DOJ) in the regular American court system. The DOJ sought data that Microsoft (US) did not actually have. It was attempting to compel Microsoft (US) to force Microsoft (Ireland) to send that data to the United States, in contradiction to EU privacy laws governing Microsoft (Ireland).

      In other words, the DOJ was trying to force an American company to force an Irish company to break EU law. They lost, after 4 years of trying hard.

      LavaBit, a small private company, fought the NSA over Edward Snowden in FISA court. The operator was given no time to obtain a lawyer, and had to represent himself. After being crushed in court, and legally unable to disclose that information, he decided that it was better to shutter LavaBit (destroying the business he worked to create) rather than throw his loyal customers into the mouth of the NSA surveillance machine.

      Source: https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court
      Source: https://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email
      Source: https://www.wired.com/2016/03/government-error-just-revealed-snowden-target-lavabit-case/

      So, after this compare and contrast, do you still think LavaBit failed to protect its customer's privacy?

    2. Re:This is great by Actually,+I+do+RTFA · · Score: 1

      t, do you still think LavaBit failed to protect its customer's privacy?

      Yes, I think they failed to effectively protect their customer's privacy.. LavaBit had the time to hire a lawyer (although I have no idea how much money he had) He was crushed in court cause he was an idiot who didn't take the0 proceedings seriously. And the judge found him in contempt because instead of fighting the subpoena, appealing it, etc, he acted like an ass.

      All you're providing is reasons why LavaBit failed - not the actual charge that they did.

      --
      Your ad here. Ask me how!
  11. Microsoft has a backup plan by subanark · · Score: 1

    If worse comes to worse, Microsoft will give its foreign branches enough independence (enough to make it a separate company) to deny any request it wants from the US branch.

  12. Catch-22 by phorm · · Score: 2

    Realistically, doing so would create a catch-22 lose-lose situation for American corporations.

    Don't give information to US authorities from foreign servers: they're violation of US law and you get penalised

    DO give away information to US authorities from foreign servers: (often) they're in violation of the privacy/access/etc laws in said foreign country, and they get penalised

    I'm not American, and certainly not a fan of some of the international shenanigans perpetrated by US corporations, but allowing a law like this would be a *huge* disadvantage for US companies and possibly even a death sentence for some. As it is, many companies (including many I've worked at) have rules against doing business with US entities that store data outside of the service country, due to laws protecting customer information and privacy. So entities like Amazon, Google, etc are basically on the no-go list for vendors when it comes to any RFP that involves customer info.

      The government was arrogant and idiotic for even thinking to try pushing this through the courts. They might as well run a razor across their own throat.

    1. Re:Catch-22 by coofercat · · Score: 1

      ...such a law would make it illegal for US companies to operate servers in the EU in a lot of cases, because there are protections for EU data. There are some 'safe harbour' exceptions for certain types of data in certain circumstances, but that won't cover everything, and (I suspect) doesntt cover email.

      Moreover, many EU based companies would think very long and hard if they wanted to use a US cloud provider for anything at all, especially if the law allows for the US to grab 'chunks' of data (eg. a server at a time) rather than a person at a time. The prospect of having your companies data taken due to happening to sit on the same server as someone else doesn't go down too well in compliance meetings.

  13. nail in the coffin by bigtreeman · · Score: 1

    Just another case of multinationals are outside any countries control.
    It's a fecking free for all

    --
    Go well
    1. Re:nail in the coffin by gweihir · · Score: 1

      Ireland is not a country? News to me...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. International Community by lionchild · · Score: 1

    With the very recent event of the US pulling out of the TPP, I feel it's unlikely that others in the International Community, will take kindly to foreign powers accessing servers in their territories. Should US lawmakers update the law and change it to allow for US laws to operate in this manner, I imagine that companies like Microsoft, will outsource the administration of those non-US servers, so they have a non-US division operating them, thus leaving them outside of the reach of US laws.

    --
    Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
  15. Re:why push for that in the first place? by AHuxley · · Score: 1

    Who got in first? GCHQ? DEA? NSA? CIA?
    No legal team likes to see a case that starts with redacted pages in a public court setting.
    So the USA will often use charity groups, public private police partnerships to look at big company databases for words, terms, photographs that might surround drug culture. That then gets reported to a company as is then the clean origin of a case.
    A legal team can then talk in public about how the case started and the role of a GCHQ, DEA, NSA, CIA can stay historically PRISM like hidden.
    The other issue is a very Irish issue. The UK used its mil, the Royal Ulster Constabulary Special Branch, GCHQ to track every call and computer network in Ireland from the 1970's on. It was then easy to create new informants as they called interesting people already been watched.
    Interesting people got an offer to become informants or not. If they did, their role was secure. As they moved up in rank, more information flowed back to the UK.
    Ireland does not really want to have a new discussion about its data security nationally going back decades. Who is still been legally tracked and how.
    Are US, UK or Irish contractors now been used to legally watch people in Ireland or with Irish accounts for historical reasons?
    To keep users thinking their data is safe in Ireland the US shortcut is still hidden. The GCHQ, NSA, CIA will still have the same role as always.
    The DEA can now get some NSA data in the raw thanks to new raw data sharing options in the USA.
    "Obama Opens NSA’s Vast Trove of Warrantless Data to Entire Intelligence Community, Just in Time for Trump" (January 14 2017)
    https://theintercept.com/2017/...
    "...NSA share vast amounts of private data gathered without warrant, court orders or congressional authorisation with 16 other agencies, including the FBI, the Drug Enforcement Agency, ..."
    Ireland can sell its international networking products as been legally secure and as been low cost in terms of staff and tax.
    Its win win win. The US and UK get to keep on spying and sharing the raw data with other agencies. Ireland can tell the world no nation can legally access data in Ireland.

    --
    Domestic spying is now "Benign Information Gathering"
  16. When I hear the word "Balance" I cringe by EmperorOfCanada · · Score: 1

    Quite simply there seems to be some kind of magical thinking that you can balance something unreasonable against basic rights. For instance anyone who thinks that it would be "Balanced" for a US court to order people in another country to do something is insane. The whole US revolution was about things like taxation without representation. So what makes the US seem to think that people in other countries should give two shits what their courts say when we have exactly zero input into the laws, the lawmakers, or any other body that would hold these bozos to account?

    This is the sort of thinking that as the US economy runs down will cause the rest of the world to not even lift a single finger as they finally slip into unrelenting pain and misery.