Slashdot Mirror

← Back to Stories (view on slashdot.org)

Does US Have Right To Data On Overseas Servers? We're About To Find Out (arstechnica.com)

Posted by EditorDavid on from the thinking-globally dept.

Long-time Slashdot reader quotes Ars Technica: The Justice Department on Friday petitioned the US Supreme Court to step into an international legal thicket, one that asks whether US search warrants extend to data stored on foreign servers. The US government says it has the legal right, with a valid court warrant, to reach into the world's servers with the assistance of the tech sector, no matter where the data is stored.

The request for Supreme Court intervention concerns a 4-year-old legal battle between Microsoft and the US government over data stored on Dublin, Ireland servers. The US government has a valid warrant for the e-mail as part of a drug investigation. Microsoft balked at the warrant, and convinced a federal appeals court that US law does not apply to foreign data.
According to the article, the U.S. government told the court that national security was at risk.

32 of 265 comments (clear)

  1. National Security! by Calydor · · Score: 4, Insightful

    When isn't it national security?

    I don't recall the details of the case and can't be bothered to read up on it, but according to the summary it's a drug investigation. It's a pretty far leap from there to national security.

    Also, four years. If nothing's happened yet based on the information in those emails it's VERY unlikely anything is going to happen ever. That alone should rule out a national security issue.

    --
    -=This sig has nothing to do with my comment. Move along now=-
    1. Re:National Security! by Dog-Cow · · Score: 4, Insightful

      It's also a pretty big leap from "national security" to "we must trample the Constitution". Or at least, it used to be.

    2. Re:National Security! by renesch · · Score: 5, Insightful

      I'm waiting for the day that North Korea will issue a warrant to search the NSAs computers. After all, Kim might find stuff related to his national security....

    3. Re:National Security! by Solandri · · Score: 5, Insightful

      There is a national security issue here, but not the one you're probably thinking of.

      If the SCotUS decides this in favor of the U.S. government, this isn't going to end the way they think it will. The U.S. companies aren't going to roll over and hand over the information the U.S. government wants. They're going to expatriate and reincorporate in another country which doesn't have such overreaching search and seizure laws.

      The stupid IRS policy of taxing all income earned abroad simply because you're a U.S. citizen already causes wealthy Americans to move abroad (with their money) and give up their U.S. citizenship. A bad decision here will start the same exodus among U.S.-based multinational corporations. That's the national security issue here - the nation's economic security is being put at risk due to the U.S. government trying to make its laws and authority apply outside of the U.S.

    4. Re:National Security! by MoarSauce123 · · Score: 2

      Even worse...the Constitutions of foreign countries. The US has ZERO jurisdiction outside of its borders. Hard to believe with all the bombing and killing the US conducts overseas.

    5. Re:National Security! by green1 · · Score: 4, Insightful

      And here's the problem, the US can, as you point out, force a company that does business in the US to either hand over the data, or cease doing business in the US. But that's only the start of it. A precedent like that would trigger what is effectively a trade war, with other countries making laws that if you want to do business in their country you must not do business in the US, as well as the precedent that all data held in the US is also obtainable by any other country in the world, including places like China, Russia, and Iran. The US is a big market, but it's not as big as the rest of the world, and businesses worldwide would suffer from such a trade war, especially those based in the US.

      The question here has never been whether the US can force Microsoft to hand over the data, that part is obvious, they can. The real question is whether the US should do so, or if the cost is really too high. I believe it is.

    6. Re:National Security! by ray-auch · · Score: 2

      And here's the problem, the US can, as you point out, force a company that does business in the US to either hand over the data, or cease doing business in the US. But that's only the start of it. A precedent like that would trigger what is effectively a trade war, with other countries making laws [...]

      In fact the "other countries" have already made laws, in this case the EU has privacy and data protection laws which mean MS cannot hand over the data without being in breach.

      What is seemingly obviously required is international agreement so that the US can request the data from the relevant local jurisdiction who will be able to get it under the relevant local laws. Funnily enough, such an agreements (mutual legal assistance treaty) also already exist, and the EU laws which prevent MS handing it over also allow for access by local law enforcement subject to local laws.

      That is the real story, the US wants to get the data by the back door because it can't be arsed to do the job properly and use MLAT to (effectively) get a court order in the EU / Ireland. You can take your pick as to _why_ they want to do it this way from e.g.:

      a) the US is too lazy or incompetent to seek a foreign court order
      b) the US doesn't have evidence sufficient to convince a foreign court that an order would be required (add in your own take on how it managed to convince a US court...)
      c) the US believes on principle that it has jurisdiction everywhere so it shouldn't have to go to a foreign court, despite having signed treaties to facilitate exactly that

    7. Re:National Security! by alexgieg · · Score: 2

      I for one would like for the US Supreme Court to say the US government can do that. All the governments in the world would (that already don't do so) would enact laws saying that if those companies do that, they'll be punished, hard. All US Internet giants (Google, Microsoft, Facebook, Amazon, Apple and others) will find themselves forced to leave those countries, become US-only, and at most setting up partnerships with completely independent companies at every market and collecting royalties, but without servers located there. The mega-corp devaluation and breakage that'll cause due to what will basically amount to a industry-wide antitrust crackdown will be... glorious.

      --
      Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
    8. Re: National Security! by currently_awake · · Score: 5, Insightful

      If they are not soldiers then they are civilians, entitled to a lawyer and a speedy trial. Getting held for decades and getting tortured without even being charged with a crime is a clear violation of US law. Also they should be charged under the legal system where the "Crime" was committed (Afghanistan, Iraq etc), not the USA. If you want the world to treat you as the "Good Guys" you have to act the part.

  2. Actually we are not about to find out. by Anonymous Coward · · Score: 5, Informative

    What we *will* find out is the opinion of an American court, which has no international power. The proper place for this request is the international court of justice in the Netherlands. Unfortunately the US is the only non-dictatorial country that doesn't recognize this court.

    1. Re: Actually we are not about to find out. by Zontar+The+Mindless · · Score: 5, Insightful

      Actually, it's more like the US wants international law where it's favourable to the US, and wants to ignore it otherwise.

      Of course, the US is not alone in this regard.

      --
      Il n'y a pas de Planet B.
    2. Re:Actually we are not about to find out. by Freischutz · · Score: 2

      What we *will* find out is the opinion of an American court, which has no international power. The proper place for this request is the international court of justice in the Netherlands. Unfortunately the US is the only non-dictatorial country that doesn't recognize this court.

      I don't think this is about US courts thinking their search warrants are valid in the Ireland. The question is more like: can the US government, compel a US corporation to make available to US investigators an item of interest that is stored on foreign soil perhaps by remote access? Hell, if the US based corporation can be 'persuaded' to allow such access by means of threatening it with massive fines or worse there is no reason to involve the Irish government at all since Microsoft could simply make the decision to move this data or the entire system to a virtual server farm on US soil for the US authorities to poke their nose into. That might expose them to a civil lawsuit in Ireland but that would probably be easier to deal with than the 800 pound gorilla that is the US federal govt. This is not about whether the FBI can fly to Dublin or somewhere else in Ireland, barge into a data centre with an armed tactical team in an armoured car with a big ram on the front sporting an iron plate inscribed with the words 'Us law Trumps yours [pun intended]', flash US search warrants, seize servers and fly back to the US without Irish police being able to do something about it. If the FBI wanted to do that they'd still be shit out of luck unless they get the Garda Síochána to cooperate because they'd not just be pissing off the Irish they'd be pissing off the entire EU27. While this is still alarming, what is just as worrying is the fact that the US Govt. is increasingly hanging labels like 'national security threat' and 'affiliated with Al Qaeda/Isis/Hamas'/Hezbollah/Iran' on anything that label will stick to for 10 seconds in order to get a hold of warrants, make arrests or just launch a drone and bomb the bajeezes out of somebody they don't like.

  3. Re:I'm all for privacy and all that... by Great+Big+Bird · · Score: 5, Insightful

    Except for the little detail that the other country has data protection laws that make it illegal to do so. An American court should not be able to override the law where it seems to have had no intent to hide the data from the American authorities.

  4. Re:I'm all for privacy and all that... by Anonymous Coward · · Score: 5, Informative

    ...but it seems rather reasonable that if a court of law orders you to submit something, the fact that you had stored in another country shouldn't be much of an excuse for not doing so.

    The whole crux of the matter is a thing US law enforcement uses called "The Fishing Expedition". If the US had a legitimate legal need for this information all they would need to do is petition a foreign court and get a foreign court order (not that hard to do if an actual investigation is being conducted). Unfortunately for US law enforcement, INTERPOL and foreign courts usually require probable cause and actual evidence of wrongdoing before they will issue such an order, thus the attempt to back-door around that requirement.

  5. Ask yourself this by Mistakill · · Score: 4, Insightful

    Does China, Russia, Germany have a right to your data if you are in the USA but using a such a country's service? Because this is the gate being left open

    1. Re:Ask yourself this by AHuxley · · Score: 2

      Wait for the blasphemy rulings over cartoons.
      Extra crimes are listed if the blasphemous material is animated and has any music or songs.
      Every faith and cult will pour funds into their legal teams to get specific accounts or identifiers.
      Comment on a communist party, its history or leaders?
      Have to show up for mentioning the Tiananmen Square protests of 1989?
      Have to respond to some SJW in the USA over liking an author, movie or book on social media?
      Some US celebrity has an issue with a negative movie or song review?
      Link to a newspaper about German policy on illegal immigration and face questions in Germany?
      Big Pharma or punishing whistleblowers with US ag gag laws? (ag gag https://en.wikipedia.org/wiki/...)
      US gov or US mil stopping publication of whistleblower material in other nations?
      Recall Soviet history and now have to face a US court for supporting Russia?

      A US hosting service was just doing what it always has to when they receive a legally binding order or subpoena.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Ask yourself this by wvmarle · · Score: 2

      Extra crimes are listed if the blasphemous material is animated and has any music or songs.

      I'm sure the punishment for that will pale in comparison with the punishment on the copyright infringements of the music used in the cartoon.

  6. Re:I'm all for privacy and all that... by Anonymous Coward · · Score: 5, Insightful

    even if the laws in that other country prevent you from doing so? European data privacy laws tend tp be much stronger than in the US, and US courts have no authority outside the US to overrule other countries laws. If Microsoft complied with the US court order it would be breaking the law in Ireland. They're between a rock and a hard place...

  7. Re:I'm all for privacy and all that... by DaHat · · Score: 2

    Correct, but you can also get into interesting areas of the subsidiary being setup with binding corporate rules which can (in some cases) prevent the foreign entity from complying.

    --
    Help Brendan pay off his student loans
  8. Re:I'm all for privacy and all that... by radarskiy · · Score: 4, Insightful

    No one forces a multinational company into the shenanigans they play with moving things between jurisdictions. They could have considered beforehand whether they were painting themselves into a corner by doing something other than straightforward offering of services in different places.

    The laws of Ireland are not the concern of the courts of the USA, nor vice versa. The US court has issued an order on the US corporate entity which that corporate entity had stipulated that it could meet. Either the US corporate entity was lying before when the said they could satisfy the order or they are lying now when they say they cannot. One way or another the US corporate entity lied to the US court.

    If a multinational company wants to reap the benefits of having distinct corporate entities in different jurisdictions they also have the pay the costs, which consist of keeping track of when the obligations between the distinct corporate entities are constrained by the the different jurisdictions they were created to run in.

  9. Re:I'm all for privacy and all that... by jarkus4 · · Score: 4, Interesting

    Any employee of this local subsidiary can simply refuse to comply with the order (I expect every single country has a law that allows employee to refuse employer order to break the law). If we are talking about European countries then it would also be impossible to fire him for this, as such firing would be deemed as reprisal by (local) court. Given that the company (local subsidiary) is not even really interested in firing him, it would even likely lead to employee keeping the job (reinstatement).

  10. Re:US brands and their global profits by dwywit · · Score: 3, Insightful

    "Consider hosting in your own nation, with your own local brands and their much stronger data protection."

    That's almost exactly what I've recently told a customer who asked advice about web hosts. Sure, the el cheapo operations look attractive, until you find out where the servers are actually located.

    Qatar or UAE? I don't think so. Sydney or Melbourne are just fine, thanks. I'd prefer to deal with my own country's rules.

    --
    They sentenced me to twenty years of boredom
  11. You're missing the definition of a 'subsidiary'. by Bruce66423 · · Score: 3, Informative

    A subsidiary is a local company established under local laws and subject to all local laws. It will have its own board of directors - who may well all be employees of the owning company, but still have a separate duty to obey the law. If such a subsidiary breaks the local law, it is a criminal offence and the directors become liable. If they are outside the country, the assets of the company may be seized.

    If MS sets up the Irish subsidiary to own and operate the servers, it will be impossible for that subsidiary to obey the US order - because it is a separate legal entity which the US courts have no jurisdiction over.

    Between those two legal doctrines, the case is clear. If MS DIDN'T vest ownership in its Irish subsidiary, then it is an idiot. This appears to be part of the story here...

  12. Re:I'm all for privacy and all that... by Sique · · Score: 4, Interesting
    But then the other court sends a "contempt of the court" verdict to the U.S. judge and asks the U.S. to expel him to face prosecution for violation of local law. Simply put: The U.S. might really want to have jurisdiction about data stored in other countries, but in the end, does it really matter? Whatever the U.S. judge decides, he can't really get it through without the cooperation of a court in another country.

    So why not go the way it has always been and should be in the future: Ask the court in the other country to help in that matter. If the U.S. court can prove that the data is really needed in a case, then it should be no problem to get it in a way legal in the country it is stored.

    If the idea of U.S. jurisdiction to data stored in other country really gets track, the only result will be that companies will no longer directly operate in other countries, but always have local intermediates which are legally independent of the U.S. company.

    --
    .sig: Sique *sigh*
  13. Re:I'm all for privacy and all that... by Sique · · Score: 4, Insightful

    Put it more clearly: Any employee of the local subsidary has to refuse that order by the employer, because it is against the law. And firing him because of that refusal will bring the local employer into deep trouble because then the local prosecution could use the local equivalent of RICO laws to shut the company down.

    --
    .sig: Sique *sigh*
  14. Re:I'm all for privacy and all that... by Dracos · · Score: 4, Interesting

    Precisely. This is the US government asserting jurisdiction where it clearly has none, using the tenuous arguments of "cyberspace has no borders" and "corporate citizenship traces back to its origin". If the SCOTUS agrees, then the US has taken a step toward delegitimizing every other nation's sovereignty, over yet another skirmish in the "war on drugs" inflated into a bogus national security concern.

  15. Does Russia? China? North Korea? by kaur · · Score: 2

    Re-read the headline, replacing US with your favourite enemy.
    Does it still hold?
    If not, then the answer is "no".

    US is not special in international law in any way.

  16. Huge logical sink hole by Zemran · · Score: 4, Insightful

    A US warrant only has jurisdiction in the US. It cannot cover any other country. How can the US complain that Russia has hacked US computers and then want to hack other people's computers?

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  17. Re:If the US gets their way, US corporations are d by gweihir · · Score: 2

    This is already happening. For example, the MS cloud in Europe is outsourced to Deutsche Telekom, exactly to make sure MS does not have any customer access. This also means a major part of the revenue goes to Deutsche Telekom and not to MS. The reason for that many prospective European customers would not use this service otherwise due to very shaky legal ground.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. EU Commission by Roger+W+Moore · · Score: 2

    That might expose them to a civil lawsuit in Ireland but that would probably be easier to deal with than the 800 pound gorilla that is the US federal govt.

    It's more likely to be a criminal lawsuit and expose them to the 850 pound gorilla that is the EU commission. The EU has a slightly larger economy than the US (by some measures) and an established record of swingeing fines on large US companies which ignore EU laws. Microsft itself has already been fined 1.3 billion euros.

  19. If you want something from overseas ... by angel'o'sphere · · Score: 2

    You approach the "overseas", provide enough evidence, ask for a warrant.
    Then the authorities, usually a judge, judges the evidence and issues a warrant.
    Then you get what you want.

    A company like FB/MS or any other can not simply provide data from a german server to an US authority. Regardless what the US man with the gun thinks.

    Privacy and data is the holy grail in Europe, like your free speech. If a company would simply send data to the US without a court ruling/warrant here in Europe it would break so many laws it likely would run bankrupt.

    How an US lawyer/congress/governor can come to the dumb idea he has a chance to make it law that his warrants are valid world wide is beyond me.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  20. Re:You're missing the definition of a 'subsidiary' by sexconker · · Score: 3, Interesting

    A subsidiary is a local company established under local laws and subject to all local laws. It will have its own board of directors - who may well all be employees of the owning company, but still have a separate duty to obey the law. If such a subsidiary breaks the local law, it is a criminal offence and the directors become liable. If they are outside the country, the assets of the company may be seized.

    If MS sets up the Irish subsidiary to own and operate the servers, it will be impossible for that subsidiary to obey the US order - because it is a separate legal entity which the US courts have no jurisdiction over.

    Between those two legal doctrines, the case is clear. If MS DIDN'T vest ownership in its Irish subsidiary, then it is an idiot. This appears to be part of the story here...

    The court simply has to find that the Irish company is not actually a separate entity. And it's not. It's a shell set up to dodge the law (primarily to not pay taxes). They don't even try to hide it. It's trivial to trace it to actual US citizens. Declare the "Irish" subsidiary to be a shell under the actual ownership and control of Americans (because it is), then throw them in jail for hiding tens of billions from the IRS and breaking tons of other US laws (because they are).