Slashdot Mirror
Does US Have Right To Data On Overseas Servers? We're About To Find Out (arstechnica.com)
Long-time Slashdot reader quotes Ars Technica:
The Justice Department on Friday petitioned the US Supreme Court to step into an international legal thicket, one that asks whether US search warrants extend to data stored on foreign servers. The US government says it has the legal right, with a valid court warrant, to reach into the world's servers with the assistance of the tech sector, no matter where the data is stored.
The request for Supreme Court intervention concerns a 4-year-old legal battle between Microsoft and the US government over data stored on Dublin, Ireland servers. The US government has a valid warrant for the e-mail as part of a drug investigation. Microsoft balked at the warrant, and convinced a federal appeals court that US law does not apply to foreign data.
According to the article, the U.S. government told the court that national security was at risk.
The request for Supreme Court intervention concerns a 4-year-old legal battle between Microsoft and the US government over data stored on Dublin, Ireland servers. The US government has a valid warrant for the e-mail as part of a drug investigation. Microsoft balked at the warrant, and convinced a federal appeals court that US law does not apply to foreign data.
According to the article, the U.S. government told the court that national security was at risk.
When isn't it national security?
I don't recall the details of the case and can't be bothered to read up on it, but according to the summary it's a drug investigation. It's a pretty far leap from there to national security.
Also, four years. If nothing's happened yet based on the information in those emails it's VERY unlikely anything is going to happen ever. That alone should rule out a national security issue.
-=This sig has nothing to do with my comment. Move along now=-
...but it seems rather reasonable that if a court of law orders you to submit something, the fact that you had stored in another country shouldn't be much of an excuse for not doing so.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
What we *will* find out is the opinion of an American court, which has no international power. The proper place for this request is the international court of justice in the Netherlands. Unfortunately the US is the only non-dictatorial country that doesn't recognize this court.
Does China, Russia, Germany have a right to your data if you are in the USA but using a such a country's service? Because this is the gate being left open
If we were to extend your analogy/theory to something like McDonald's, Google, Apple etc. it falls flat on its arse (yes, I'm English).
If a company can't operate or sell anything outside of the country it was originally incorporated in, it won't be able to grow much, will it?
The point here is that Microsoft US is legally different to Microsoft Europe and while they share the same name and corporate structure, US laws don't apply in Ireland, just like Russian laws don't apply in the US.
If Russia was investigating an oil baron who used Outlook online with his stored data on US servers to which Russia demanded access and got its courts involved, do you think the US company would/should oblige?
Your patriotism is evident but misguided and short-sighted.
The reason MS and every other hosting provider have datacenters in the EU is because they have to because their customers need to store data of EU citizens. The concern is not the court ordered warrants, but the requests made without oversight that are possible since the patriot act and its succesor. Given that Trump has made clear that US privacy laws only apply to US citizens, this is a valid concern. What would you do if some EU agency had warrantless access to US the data of US citizens or companies stored on servers in the US...
The US court is issuing an order to the Microsoft US corporate entity, which is constrained by US laws, to produce data that the Microsoft US corporate entity previously told the court it could produce. However, the Microsoft US corporate entity at some point handed the data off to the Microsoft IE corporate entity, which is constrained by IE laws. It turns out that the Microsoft IE corporate entity is constrained by IE laws for sending that data back to the Microsoft US corporate entity to comply with the US court order.
Imagine if you were a customer of the Microsoft US corporate entity and stored some data with them that they they then handed of to the Microsoft IE corporate entity. If it was data that IE laws prohibited the Microsoft IE corporate entity from sending back to the Microsoft US corporate entity when you wanted to retrieve the data, would you shrug it off or would you sue the crap out of the Microsoft US corporate entity?
Multinational companies reap benefits by having various corporate entities in various jurisdictions to a degree infeasible for lesser companies. This is reasonable as long as they are also willing to pay the costs of having these various corporate entities, among which are keeping track of the overlapping obligations. No one makes these companies operate like this.
"Consider hosting in your own nation, with your own local brands and their much stronger data protection."
That's almost exactly what I've recently told a customer who asked advice about web hosts. Sure, the el cheapo operations look attractive, until you find out where the servers are actually located.
Qatar or UAE? I don't think so. Sydney or Melbourne are just fine, thanks. I'd prefer to deal with my own country's rules.
They sentenced me to twenty years of boredom
A subsidiary is a local company established under local laws and subject to all local laws. It will have its own board of directors - who may well all be employees of the owning company, but still have a separate duty to obey the law. If such a subsidiary breaks the local law, it is a criminal offence and the directors become liable. If they are outside the country, the assets of the company may be seized.
If MS sets up the Irish subsidiary to own and operate the servers, it will be impossible for that subsidiary to obey the US order - because it is a separate legal entity which the US courts have no jurisdiction over.
Between those two legal doctrines, the case is clear. If MS DIDN'T vest ownership in its Irish subsidiary, then it is an idiot. This appears to be part of the story here...
That's a double edged sword.. it also means that that US would have to give information to foreign governments stored on US servers.
I mean.. we wouldn't want to be hypocrites now would we?
When will mandatory brain scans be required from all the world's population, not just US citizens?
What astonishes me the most about this case is that the feds even bothered to *get* a warrant for overseas data in the first place.
With all the rhetoric about warrantless laptop searches at the border one would think the feds think our constitutional rights only apply on US soil.
As for my armchair lawyer analysis:
Data stored on servers located on foreign soul isn't even subject to US jurisdiction to begin with, so presumably the warrant in question would need to issue from a court of the nation in question, and not a US federal court.
The proper way to handle it then is to forbid them from exporting data that might be necessary for US retrieval (well, forbid them from deleting it from US servers -- I realize that caching and such would require copying across initially,) rather than waiting until after the fact and then trying to walk all over a sovereign country's laws.
Of course, unless there's some apriori definition of "necessary for US retrieval," this amounts to having to retain local copies of all data on US servers. Though I can't really fathom much reason to store US data (exclusively) on non-US servers except to try and skip around US data (anti-)protection laws.
If the data is local to the jurisdiction no matter where in the physical world it is, cyberterrorism and spying over the internet doesn't exist, since what they do remains within their jurisdiction.
Of course, the merkin government only means for them to do this. Because fuck you, world.
When they can scale up the technology enough that it will cope with larger brains and more nuanced thought.
Governments do not typically have laws that give Sovereign Rights to other governments. Other jurisdictions are largely ignored and not talked about. If a company wants to do business in America it follows American laws, in some cases even if the law breaking happened entirely out of the country(victims, data, server) it can still either comply or flee the country entirely.
Troll is not a replacement for I disagree.
Re-read the headline, replacing US with your favourite enemy.
Does it still hold?
If not, then the answer is "no".
US is not special in international law in any way.
We are not rude you fuck faced arse nugget!
Realize that if this flies and the US can force any US corporation to surrender their data, no matter where that data is stored on the planet, nobody in their sane mind would use a US company to store their data. Or process it.
MS has every good reason to fight this tooth and nail. And Amazon would have every reason to put money behind them. If the verdict goes in favor of the US government, pretty much any US cloud provider is dead in the water. Because then even US companies would rather store their data in, say, Iran than with an US company.
Why does the US government hate the US industry?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I doubt that a ruling that the American government can seize data from overseas servers would have any power outside the borders of the USA, but it will cause a lot of headaches for companies operating inside the USA, and a LOT of headaches for American companies operating in foreign countries. The minefields are numerous, and a ruling favoring the American federal government is going to be bad for privacy in general, everywhere.
Make love, not reality television.
Ordinarily I think these national boundary constraints would limit the reach of US courts and warrants, but with the "national security" flag raised I think it stops being solely a question of legalism and jurisdiction and then escalates into diplomacy, where there are other tools available to gain compliance.
Microsoft may say to the US government, "No, your warrant doesn't work because MS IE has to follow IE law."
All this will mean is that ultimately the State Department gets involved and begins negotiating with the Irish on what data they want and how Ireland should let them have it. If the national security apparatus wants it bad enough, State will use diplomatic leverage to obtain it. The entire point of the State Department is to obtain agreements with other countries, either by compromise negotiation or leverage.
A US warrant only has jurisdiction in the US. It cannot cover any other country. How can the US complain that Russia has hacked US computers and then want to hack other people's computers?
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
I karma to burn
In a nutshell, the US government claims it should not matter where the data is stored. What matters is whether the company can access that data in the US.
I have to agree with this, if the data is accessible to the US and it is a US based Company then I think the warrant should be valid. BTW, they have a warrant so I think they are following laws anyway.
Of course over the past few years the US is doing everything it can to give companies incentives to leave, so what is 1 more :)
...what would the US' reaction be if a Russian court wanted data stored on American-based servers?
Yeah.....
What we are about to find out is whether it _thinks_ it does have that right, which is a bit different. As we already see companies not storing data from European customers in their own systems but outsourcing that to European companies bound by European data protection laws, I guess id does not matter that much. US arrogance and greed already cost the US economy significantly.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Take a look at this propaganda piece against Scaleway (that they're somehow inferior for obeying the speed of light).
At this point, I quite don't see a rational person hosting their data in the US or at a company with US presence. Because, you see, you got the 4th Amendment, we don't, right?
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
This is already happening. For example, the MS cloud in Europe is outsourced to Deutsche Telekom, exactly to make sure MS does not have any customer access. This also means a major part of the revenue goes to Deutsche Telekom and not to MS. The reason for that many prospective European customers would not use this service otherwise due to very shaky legal ground.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
This would undoubtedly drive business away from US companies that provide information services to users overseas, we is precisely what we need for economy. Make America Great Again(tm)!
Joking aside, how is a drug investigation a matter of national security? If you're going to claim you need some power for national security reasons, then only use it for national security reasons. Don't then turn around and use it to prosecute drug offenses.
I'm pretty sure if you get a warrant to search someone's laptop or computer in one jurisdiction, and it turns out the laptop is currently in another jurisdiction, they can't make you go get the laptop and bring it back - they need to get a warrant for the jurisdiction it's in.
The issue is the limit of the judicial district. If you want to search something in a particular place, you get a warrant from a judge in that place. The warrants in question are claiming that since you can access the information anywhere, then the warrant is good for anywhere the information is stored.
VPNs might muddle the issue further, since you could argue it's one large logical network anyways.
My Other Computer Is A Data General Nova III.
Though I can't really fathom much reason to store US data (exclusively) on non-US servers except to try and skip around US data (anti-)protection laws.
And that, right there, is the one question that everybody seems to be ignoring. If the data refers strictly to US customers, why is it being stored only in Ireland? Unless Microsoft can come up with an answer for that that doesn't include trying to dodge around US laws, they should be subject to whatever sanctions are appropriate for their actions. (IANAL, so I don't know the right terminology for this.)
Good, inexpensive web hosting
A precedent like that would trigger what is effectively a trade war, with other countries making laws that if you want to do business in their country you must not do business in the US
Nobody will pass laws like that they will just enforce the laws they already have. If Microsoft share the data stored in the EU with the US government I expect this will put them in violation of the EU data protection laws. The result will be fines and probably civil damage cases from those affected. This will severely damage large, global US companies making them far less competitive with local companies and also certainly lead to the US's current idiot in charge making wild accusations about the EU and others discriminating against US companies when, in reality, it's the direct consequence of the US trying to impose its laws on others backfiring and taking out US companies abroad.
Why is Microsoft protecting drug traffickers?
The only answer that makes sense to me is that Microsoft is also engaging in the drug trade.
Contribute to civilization: ari.aynrand.org/donate
Ask the court in the other country to help in that matter.
The problem is that this can't work because what the US court wants is illegal under EU data protection laws. It would be like country X asking to extradite someone in the US because they criticised their leader. The US court would refuse, regardless of any extradition treaty, because it would be an illegal violation of free speech rights.
However, the US does have intelligence sharing agreements so I would have expected that the better route to this data would be to use those by having the local intelligence forces request the data locally and then have them share the pertinent details with the US - this is how it seems to work in Canada and the UK. The fact that they did not go this route suggests that their need for the data probably does not hold up to scrutiny.
That might expose them to a civil lawsuit in Ireland but that would probably be easier to deal with than the 800 pound gorilla that is the US federal govt.
It's more likely to be a criminal lawsuit and expose them to the 850 pound gorilla that is the EU commission. The EU has a slightly larger economy than the US (by some measures) and an established record of swingeing fines on large US companies which ignore EU laws. Microsft itself has already been fined 1.3 billion euros.
Your naive proposal is exactly what Microsoft did in this case. The government where the main company is located has claimed: "it's your subsidiary therefore you can and will order them to comply."
If the courts don't smack this down, there will be no way to operate cross borders except with truly independent companies -- no financial benefit or control possible by either side. You think CEOs are gonna stand for not being able to grow their control or profits outside their own borders?
You approach the "overseas", provide enough evidence, ask for a warrant.
Then the authorities, usually a judge, judges the evidence and issues a warrant.
Then you get what you want.
A company like FB/MS or any other can not simply provide data from a german server to an US authority. Regardless what the US man with the gun thinks.
Privacy and data is the holy grail in Europe, like your free speech. If a company would simply send data to the US without a court ruling/warrant here in Europe it would break so many laws it likely would run bankrupt.
How an US lawyer/congress/governor can come to the dumb idea he has a chance to make it law that his warrants are valid world wide is beyond me.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Now, now Vladimir. Calm down.
Have gnu, will travel.
US law applies worldwide to all US citizens.
But this particular problem stems from the principle of corporate personhood. An individual may be a US citizen. But a corporation can declare its left hand to be Irish. And then it is exempt from these laws.
Have gnu, will travel.
We've already broached this issue a number of times within legal circles where someone within the US would like to impose US legalities or authority over other sovereign territories. The problem which arises are numerous; If the US does not respect the sovereignty of other nations, then other nations will stop recognizing the sovereignty of the US. Any attempt to circumvent diplomatic relations runs the risk of damaging relations between the US and other nations. If the US has a right to seek data in other nations, then it stands to reason other nations will begin to demand data from US sources. There is also the issue of applicable international law, which is generally more protective of rights than the US is. Just scratching the surface of the issue, attempting to assert any sort of right to data which is not natively hosted is a can of worms. Rather than trying to force a legal right, this is the sort of thing which belongs within the domain of diplomacy.
You can issue any kind of warrant.
But it remains illegal to send EU data to the US without an EU court order.
This is not about the physical servers or their location, it is about the data protected by EU privacy law
The solution is simple, the US applies in the EU for such an order and they'll get the data.
A little obstacle is the US would have to show cause, the present action shows that's what is lacking...
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Further to this, there's one thing I'm sure of, on these legal matters:
The US government has the right to kiss my ass.
Where are we going and why are we in a handbasket?
A subsidiary is a local company established under local laws and subject to all local laws. It will have its own board of directors - who may well all be employees of the owning company, but still have a separate duty to obey the law. If such a subsidiary breaks the local law, it is a criminal offence and the directors become liable. If they are outside the country, the assets of the company may be seized.
If MS sets up the Irish subsidiary to own and operate the servers, it will be impossible for that subsidiary to obey the US order - because it is a separate legal entity which the US courts have no jurisdiction over.
Between those two legal doctrines, the case is clear. If MS DIDN'T vest ownership in its Irish subsidiary, then it is an idiot. This appears to be part of the story here...
The court simply has to find that the Irish company is not actually a separate entity. And it's not. It's a shell set up to dodge the law (primarily to not pay taxes). They don't even try to hide it. It's trivial to trace it to actual US citizens. Declare the "Irish" subsidiary to be a shell under the actual ownership and control of Americans (because it is), then throw them in jail for hiding tens of billions from the IRS and breaking tons of other US laws (because they are).
I'm sure we all have many concerns about this case and the privacy of our data. Here are my thoughts and questions:
1.) If it's really National Security, why didn't it go through the FISA courts? Or, why hasn't the NSA/CIA simply covertly recovered the data for them?
2.) If MS won't give you the data because you're in the US, why don't they contact the Ireland courts with their warrant and request some international assistance? Perhaps they'll issue a warrant for the data in Ireland and release it to the US DoJ?
3.) Let's take this to the next [il]logical step - If a big company like MS, takes over an unclaimed island and becomes its own sovereign country, then places data centers there that store massive amounts of personal data from various countries; they make personal privacy their highest law; how do other countries retrieve data from there for court-ordered cases, when the data is clearly in a pro-privacy country? Do they use trespass on their sovereignty and use cyber-tactics to extract the data?
While this case has been running around for 4 years, a federal court has ruled, so the Supreme Court may simply let that ruling stand. They aren't obligated to hear the case. Plus, it might not be a Pandora's Box they want to open. Imagine then that Russian/Chinese/North Korean/Whatever courts could request data from US servers for companies that are doing business in/with Russian/Chinese/North Korean/Whatever jurisdictions. This could effectively set precedence how the DoJ would have to respond to foreign powers. That's really beyond the scope of the courts, isn't it?
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
no man can serve two masters.
A slave with two masters is a free man.
Have gnu, will travel.
"Ordinarily I think these national boundary constraints would limit the reach of US courts and warrants"
Please note I am not making any claim that the US Court has any authority outside of the US national boundary. My point is that the US Court is not trying to assert any such authority and those claiming that the US Court is claiming that authority are wrong.
Right, it's the corporation claiming its non-US subsidiary is just following local (non-US) law to not allowing access to data.
The involvement of State would come to convince IE or whatever foreign government it is to recognize that US process was followed and that parent company is playing the border game and to encourage local subsidiary to follow court order.
My guess is that most EU countries would be pretty tepid about defending a US multinational holding US data in their country. There's a point at which dealing with US diplomatic leverage isn't worth the headache when they have marginal intrinsic interest in the data.
They may be less compliant if it was their own nationals data that was being held and requested and the claim to the data was solely that the local subsidiary was a subsidiary of a US multinational.
So, we've had a previous ruling that companies are people. For the sake of discussion, let's say an American citizen hides money in an offshore account. Can a court compel that person to do something with those funds?... Answer: Yes. My question to legal scholars would be, how does this differ if an American company does something similar with data?
Disclaimer: I'm a privacy advocate, and don't agree with the companies = people ruling.
Just another day in Paradise
The court simply has to find that the Irish company is not actually a separate entity. And it's not. It's a shell set up to dodge the law
A shell company is a non-trading entity with no significant assets other than cash. What exactly do you think they do with their roughly 2000 staff? Do server farms count as assets in your book?
And in another part,
So, either the US government has started lieing, or stopped lieing and started telling the truth ; same difference for their shredded credibility.
Not that they've had any credibility for decades anyway. That probably went with Tricky Dicky (though I know enough people who distrusted them before Tricky became president).
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
They might be discussing the matter of having right to oversea servers data, but they already have them anyway. National Security my arse.
It's called https://en.wikipedia.org/wiki/...
Casteism
According to the article, the U.S. government told the court that national security was at risk.
The big two: "for the children" and "national security".
There are others, but these two shut down thinking faster than anything.
There's no time like the present. Well, the past used to be.