US Supreme Court To Decide Microsoft Email Privacy Dispute

The U.S. Supreme Court on Monday agreed to resolve a major privacy dispute between the Justice Department and Microsoft Corp over whether prosecutors should get access to emails stored on company servers overseas. From a report: The justices will hear the Trump administration's appeal of a lower court's ruling last year preventing federal prosecutors from obtaining emails stored in Microsoft computer servers in Dublin, Ireland in a drug trafficking investigation. That decision by the New York-based 2nd U.S. Court of Appeals marked a victory for privacy advocates and technology companies that increasingly offer cloud computing services in which data is stored remotely. Microsoft, which has 100 data centers in 40 countries, was the first U.S. company to challenge a domestic search warrant seeking data held outside the country. There have been several similar challenges, most brought by Google.

America owns the world

Therefore there is no jurisdiction issue.

Re:America owns the world

This has nothing to do with "owning the world". If a Microsoft employee, located in the U.S., can access a server located in [some other country], then the location of that server is irrelevant. That is the argument being used by the U.S. government, and in this case they are correct.

To argue otherwise means:

You're claiming that a person located in the U.S. is governed by EU law, e.g., they can't access a server they own and control except in accordance with EU law, despite the fact that they are not in the EU. You are, in fact, trying to impose EU law on a person sitting at a computer in the U.S.

Any person/business located in the U.S. just has to put all their servers outside the U.S. and access them remotely and they become immune to all U.S. laws. Want to investigate Microsoft/Google/Whoever for securities fraud or some other wrong doing? Sorry, all their documents and e-mails are located on a server outside the U.S. and they don't have to give them to you.

Re:America owns the world

[Errol+backfiring]

Well, that's the beauty of a world-wide network. A person can be sitting in front of a terminal in the U.S. and do business from, say, Europe because he has put a web server there that does all his transactions. I am really curious as to what would happen if he put his web server in orbit, outside any country. Or on an asteroid.

In fact, pilots of armed drones can kill someone in another country. The law can only make sense if the owner/controller has to comply with laws of both the residential country AND the country the action took place. When selling something on the internet, that would also include the laws of the person at the other end of the transaction.

Hey, nobody said it would be easy.

Re:America owns the world

[Okind]

You're claiming that a person located in the U.S. is governed by EU law, e.g., they can't access a server they own and control except in accordance with EU law, despite the fact that they are not in the EU. You are, in fact, trying to impose EU law on a person sitting at a computer in the U.S.

Actually, where the person is located does not matter much.

We see this in the US with sales tax on online sales. While you could argue that the sale takes place in the retailers server, according to the law it takes place in the customers home. This is why retailers (assuming sufficient presence, i.e. nexus) must pay sales tax where thew customer lives. The same applies in the EU by the way, for purposes of consumer protection, VAT, etc. Where the company (and its employees) are located does not matter.

Another issue here is the EU-US Privacy Shield: whatever the US supreme court decides must be in line with the agreement with the EU, or we'll face new problems as we did when the previous safe harbor provisions were struck down.

Given that the email belongs to people in the EU, both the provisions of the EU-US Privacy Shield and the EU privacy protection laws apply. AFAIK, this means that the decision to hand over the data must be decided by a EU judge.

Re:America owns the world

[Sique]

No. The claim is that just because a person is technically able to do something it does not mean that the person is legally able to do it. Most people are technically able to kill someone, but not many are legally entitled to do so.

Yes, a person in the U.S. can copy personal data from a computer located in the E.U. to a computer located in the U.S.. But doing so without the consent of the person the data belongs to is illegal in the E.U.. The European High Court has decided that even U.S. legal enforcement is not allowed to do so without serving a warrant to the responsible european court first. If a court in the U.S. decides otherwise it would be in contempt of the EHC. I wonder what happens if the EHC then serves a warrant against an U.S. court for doing so.

Re:America owns the world

[nospam007]

"You're claiming that a person located in the U.S. is governed by EU law, e.g., they can't access a server they own and control except in accordance with EU law, despite the fact that they are not in the EU. You are, in fact, trying to impose EU law on a person sitting at a computer in the U.S."

You mean like when you get delivered the guy who hacked a US computer from England, because he violated US law from his mother's British cellar?

Re:America owns the world

[Sique]

And what should happen in your opinion if the warrant is granted in the U.S., but an E.U. court knowing about the announced breach of European law serves another warrant that forces Microsoft's european technicians to disconnect all servers storing the data in questions from the network? How does the U.S. court then enforce its warrant?

Re:America owns the world

[jedidiah]

Then the US company should be held in contempt and charged with obstruction of justice and destruction of evidence. The question here is whether or not you can hide evidence from courts. The fact that it's being done with computers is really quite irrelevant.

This is not a "tech" article at all.

A corporation wants to pretend it's above the law by engaging in a shell game with their documents.

Re:America owns the world

[Frobnicator]

That is exactly the situation that makes it so interesting from a legal view.

The US courts can order the US company to take the action. But the instant they start messing with the data in Ireland, the emails of a the citizen who lives in Ireland, then the international treaties between the US and Ireland come into play.

If that happens -- meaning the US Supreme Court orders or allows the government to violate the international treaty even though proper channels exist through the treaty -- the consequences get complicated very quickly. Nations routinely violate treaties and the US does it all the time, particularly around military actions. Exactly how the nations respond varies by nation.

Ireland may quietly do nothing and allow the treaty violation. Diplomatic channels have been active since this started, and whatever action is taken will have closed-door diplomatic consequences. More publicly, Ireland's politicians may raise the issue with the international courts or with the UN. They may instead chose a more passive-aggressive stance either with or without public declarations, requiring more strict scrutiny to law enforcement requests and requiring extra time as they triple-check every detail of the request against all applicable law. Since international law enforcement requests must be vetted by all nations involved, Ireland could respond extremely slowly or find reasons to disallow the bulk of future requests, perhaps only allowing the most extreme cases (like child sexual abuse) to pass through in a timely manner.

Other nations may also respond in varying degrees. Like above this may range from no visible response, closed-door diplomatic responses, to increasing difficulty working with the nation, to public statements of disapproval, to full-blown official actions in international policy organizations.

Nations that are firmly against the US could rightly publicise it as yet another instance of the US willfully ignoring their treaty obligations. With Trump routinely going to the media to declare he will disregard treaties this is not a surprising thing. Even before Trump, as a nation the country lost its moral high ground on treaties decades ago; the US is a nation that generally follows the rule of law, but has demonstrated no qualms about violating the rule of law when those in power think they can get away with it. Although this one is relatively small, yet another treaty violation can be added to the stack and the rallying cries about the duplicitous actions of the country, and how the US does whatever it wants without regard to treaties and promises it has made.

If it goes forward, probably the US government will get the data they have been fishing for, they'll win that specific battle, but it will come at a cost for future international cooperation. There will be an enormous cost to all the other international police investigations that use the treaty. While they get the data in one specific case, untold thousands of other cases that are legitimate and using the proper channels will face the negative repercussions, in addition to whatever political fallout comes with it.

Re:America owns the world

We see this in the US with sales tax on online sales. While you could argue that the sale takes place in the retailers server, according to the law it takes place in the customers home. This is why retailers (assuming sufficient presence, i.e. nexus) must pay sales tax where thew customer lives.

That's hardly surprising, since the laws were passed by greedy states that saw their sources of revenue threatened by businesses located in other states. But it really doesn't make any sense in terms of natural law. If I go into a store in Oregon (no sales tax) to buy a camera, then take it home, I'm not charged tax. But if I buy the camera off the store's web site, based off a server in their equipment closet, suddenly the transaction takes place in my home? Same store, same transaction, different result. The law is, as Dickens wrote, an ass.

Re:America owns the world

Back in the day before computers were all the rage, hard copies of documents that resided outside a country were not subject to the warrants of a country other than where those documents reside. How is it ANY different here in that the actual data resides outside the US. If the US wants the information they should go through the proper channels in Dublin & get the Irish police to issue a warrant for the information. Again, 'back in the good old days', if I called someone up in Dublin & said 'can you please read me what it says on that document titled 'Securities Fraud', its filed in the filing cabinet under 'I' for 'Illegal stuff we're doing', I 'gained access remotely to the information'...does that now mean the US can issue a warrant to get the documents located in Dublin? I don't think so.

Again, if the US wants access to this data then go through the proper channels in Ireland, otherwise keep your hands off data that doesn't reside in your country. Note, this isn't even about MSFT data but data they are holding on behalf of a 3rd party...there used to be 'document warehouses' (there may still be), and warrants could be issued to get access to documents held on a 3rd parties behalf...BUT that warrant would not apply to some company in Ireland holding documents on a 3rd party's behalf.

Just because we went digital doesn't mean the rules of data handling & warrants change.

Re:America owns the world

Why are you making this so damn difficult on yourself. Take digital out of it, if they were hard copy documents on an server in orbit or on an asteroid then 'international laws' regarding space would apply. Though if I OWNED the asteroid & could defend it, I would presume those laws would be moot. But of course that's a silly example, if the documents reside in another country, the laws of that country apply. That doesn't mean I can't be charged with a crime I might commit using the information in those documents or as in this case recording my discussions of some illegal act I'm doing. The illegal act is still happening, 'evidence' of it may reside in another country, that's what international treaties are about & having the country where the data resides execute a warrant. The issue here isn't that the US couldn't issue a warrant, if the data resided in the US they certainly could & would expect to get access, but the data resides outside the US & therefore US warrants cannot be the guiding law.

As for the drone kill, whatever the laws are in the country you may have killed someone with a drone apply as do the laws in the country where I flew the drone from. Nothing stops a country from requesting extradition. If I called someone up in Dublin & participated in a conspiracy to commit murder in Dublin then I'd be charged in my local country...presumably I could & would be charged in Dublin too what's so damn hard about that.

But here's the thing, this case isn't about whether the US has jurisdiction to file a charge against someone who might be dealing drugs on the internet (dealing drugs in the US is illegal, if you do that from your home in the US than you can be charged for it), this is about trying to gather evidence of a crime, if the evidence resides in a 3rd country then the US has to go through that country to get a warrant issued to get the evidence.

Let's consider this in the reverse. Let's pick an example where you're sitting in China and you access something in the US, say just some information on the Tienanmen Square massacre. I can see how that might be illegal to do in China, so the Chinese government charges you with a crime & issues a warrant for the information you were consuming...should the US give that information to them? Now, whether or not the Chinese government would bother with 'evidence' in this case might be open to debate. The point however is there are laws in many 'non-free' countries that we might reasonably object to, and presuming that country would bother using 'civilized procedures of law' we might not want any supposed 'evidence' of this to be passed to that country just because they issue a warrant for it.

Push comes to shove we are subject to laws in all countries, so are the governments in those countries. A US warrant issued in the US doesn't apply outside the US. That's what is going on here. If the Irish government feels a crime has been committed they can issue warrants to get the data & that would be legal. Nothing hard about this whatsoever, unless of course your the US Government who thinks they can take anything from anyone & apply US law anywhere in the world.

Re:America owns the world

You are talking about interstate commerce & in theory any state could set up border crossings that would require you to declare anything you purchased in another state when returning to your home state & then collect tax (duty) on it. I go back & forth to Canada regularly (I live in the US but am a Canadian citizen), I can be taxed on various things above a certain 'duty free' amount. It is in theory no different when traveling among states in the US. Now, just because you're not traveling to the other state to buy your stuff doesn't mean the state you reside in doesn't have some right to tax you (place duty) on your purchase. If I ordered something from Canada, I may very well pay import duties (taxes) on it.

Now, having said that, IF there are 'interstate commerce' laws whereby states agree not to place duty/taxes on goods imported to 1 state from another state then how I purchase the items or how they are delivered to me doesn't matter as Interstate commerce laws would apply

Re:America owns the world

[Sique]

And if the technicians don't disconnect the servers, they are charged with obstruction of justice in Europe.

And if police forces come into the data center in Ireland and then serve the warrant to disconnect the servers, can the technicians (and thus Microsoft) claim duress? They can even obtain a paper from the european police men that they tried to fulfill the court order but were hindered by the european police forces. How does the U.S. court enforce its warrant now?

Re:America owns the world

WOW. When did we get so stupid as to think that a warrant issued in the US applies outside the US just because...'computer'. If this was about PHYSICAL documents stored in Ireland, there would be NO case here at all regarding trying to execute a warrant issued in the US for data held in Ireland. The US would be expected to work through local authorities to get them to execute the warrant. They MIGHT try convincing Ireland to issue a warrant under their rules of evidence & law. That's what the US should be doing here, just because 'computer' or 'internet' or 'cloud' is not a compelling reason to ignore laws that have been around for a VERY long time & try to get MSFT to turn over the data. The US should just follow proper international treaties & be done with it. If the Supreme's find for the JD in this case you might as well kiss 'cloud computing' of ANY sort good-bye. I can tell you that my company would not be able to run a legitimate service (nothing illegal) that our customers are looking to us to provide, at least not at any kind of reasonable price and likely 'quality' because we'd have to set up something franchises where a local company would have all the rights (we would have none and therefore could not be subject to US warrants for data held in another country when we aren't the operators of the service). We are a US company & could make some serious cash providing a good legal service to our customers, but if the JD wins this, kiss that growth good-bye.

What's next? Is the US going to issue arrest warrants & come take people in other countries away without any extradition hearings? You know just because 'computer'? Even the kid in Britain who hacked a US site was given an extradition hearing, the Brits didn't just pack him off to the US no questions asked.

Re:America owns the world

[Frobnicator]

A corporation wants to pretend it's above the law by engaging in a shell game with their documents.

Are you following the same story? This is not the shell game you propose.

The US government refuses to include details like if the person is an American, but instead they have bound the details of the case in secrecy. Microsoft is a global company with smaller corporations in each nation to follow the local laws. The US government in a local criminal investigation (for something not criminal in much of the world) has issued a search warrant for one company to seize information held by a sister-company in another nation, for hardware held in another nation, against someone who is probably a citizen of another nation, for crimes that are probably not illegal in that other nation.

For those who have followed the case for the past several years, it is clear the US government is looking for a way to sidestep existing international law and international treaties. Instead of following standard protocol for international warrants, and using the international crime-fighting treaties to get an Irish warrant against Microsoft of Ireland to seize data stored on servers in Ireland about a person who is probably an Irish citizen or perhaps a citizen of the EU, the government has doubled-down on the bad bet. For the past four years they could have cancelled the warrant and gone through the regular international channels to get a warrant for international communications.

It is nonsensical. As some parallels, consider how Microsoft has offices in Dubai. Imagine the response if the Dubai government demanded of Microsoft's Dubai office that Microsoft USA turned over all emails from Microsoft's American servers about Americans because they might be related to an investigation of Dubai's laws forbidding sexual relations, even flirting, outside of marriage. So to investigate a Dubai woman who might have had indirect contact with someone in America, in order to find evidence to punish her, instead of going through regular international courts they produce a search warrant in Dubai that requires Dubai police to seize servers in the US. Then they fight for four years in an attempt to get that search warrant executed.

Or another parallel, consider how Microsoft has offices in China. Imagine if the Chinese government demanded Microsoft's Chinese office that Microsoft USA turned over all emails from Microsoft's American servers about Americans because they might be related to an investigation about Chinese laws prohibiting ill-speaking of government workers. To investigate someone in China who might have had indirect contact with someone in America, so they can find evidence that perhaps the Chinese person really did write something subversive to the government, instead of using the international legal tools, they produce a warrant that requires Chinese investigators to seize servers in the US. Then they fight for four years in an attempt to get that search warrant executed.

There are simple existing tools for this. They can submit a request for Irish law enforcement to execute the search warrant against Microsoft of Ireland so they can search the servers held in Ireland. That type of international search warrant happens all the time. They are choosing to ignore it not because Microsoft in America is playing a shell game, but because the police are looking for ways around the safeguards that have been established to protect people from abuses of other nations.

Re:America owns the world

[n329619]

This has nothing to do with "owning the world". If a Microsoft employee, located in the U.S., can access a server located in [some other country], then the location of that server is irrelevant. That is the argument being used by the U.S. government, and in this case they are

incorrect. That is because the Microsoft employee can access a server located in [some other country] due to permission from someone ([some other country] MS employees) at the location to enable access to the server. The [some other country] MS employee have 100% rights to physically disconnect their server at anytime under their judgement and the local country's jurisdiction.

Simpler concept: Guy 1 has a ball and Guy 2 also has a ball. Separated by land while under agreement and regulation, both of them can throw the ball to each other. Then separate land Police 1 and Police 2 came. Police 1 can ask Guy 1 to give him his ball. Police 2 can ask Guy 2 to give him his ball. But Police 1 cannot ask Guy 2 for his ball without asking Police 2 first, where Guy 1 is irrelevant. The problem is now Police 1 is asking Guy 1 for Guy 2's ball without asking Police 2.

We are not "claiming that a person located in the U.S. is governed by EU law", but the person located in the EU is governed by the EU law., and outsider can't tell him/her to bypass their law.

Re:America owns the world

[Okind]

Same store, same transaction, different result. The law is, as Dickens wrote, an ass.

Although I won't dispute your comment about the law (I frequently agree), the fact that it's the same store does not mean that the transaction is the same: part of the transaction is a location. Obviously, any location related to the transaction could have been chosen as transaction location:

• where the store is
• where the sales clerk / server is
• where the customer is at the time of transaction

For a physical transaction in a brick&mortar store, these are all (approximately) the same, so we don't notice if the law uses a different one than we / most people do. But when the transaction is handled online, the differences become apparent and thus what we interpret to be the same transaction (after all: same store, same item, same price, so same transaction, right?) suddenly is not.

This is where the law suddenly becomes illogical, cumbersome and/or subject to greedy politicians. It is also the point where laws start to create new conflicts. US law and EU law may both be internally coherent (I'm not claiming they are), but their combination most likely is not. Hence the current dispute over accessing emails on a server in the EU by people in the US. And as a bonus for this quagmire: whose judge gets to decide on the issue? This is most certainly not just an issue of law, but also an issue of government power.

Re:America owns the world

It's actually more complicated than that. Discounting on line sales completely if you live in Florida and buy a product in another state, while on vacation for example, with a tax rate of 6% you must pay a use tax when you bring that product back to Florida.
There isn't a barrier at the Florida border. The state expects you to own up and report and pay it. Other states which have income taxes, like Virginia have a spot on the state income tax form where you're suppose to report use tax for out of state purchases.
So most likely if the buy the camera in Oregon and live in Florida, even if you bought it while an vacation you're suppose to pay tax on it.

Re:America owns the world

We see this in the US with sales tax on online sales. While you could argue that the sale takes place in the retailers server, according to the law it takes place in the customers home. This is why retailers (assuming sufficient presence, i.e. nexus) must pay sales tax where thew customer lives. The same applies in the EU by the way, for purposes of consumer protection, VAT, etc. Where the company (and its employees) are located does not matter.

FALSE: Customers pay sales tax, retailers collect sales tax on behalf of the government, but the tax liability is the purchasers, not the sellers (see use tax). The argument becomes whether a government can require a citizen of a different state to operate on it's behalf by requiring them to collect this tax. (answer: they cannot -this is why establishing nexus becomes relevant.)

Re:America owns the world

You are pretending that any of this is relevant to the court(s).

The court can not care if something is hard for you to do, or has consequences for you in another jurisdiction. The court can only rule on what the law requires of you in it's own jurisdiction.

Re:America owns the world

[Godwin+O'Hitler]

Ireland may quietly do nothing and allow the treaty violation.

And the data's owner could then take the matter directly to the European Court of Justice. Possibly event preempt the violation by an ECJ injunction (not sure if such a thing exists).
This does not of course stop the US prosecuting the person involved for failing to turn the data over voluntarily. That has nothing whatsoever to do with server location.

Re:America owns the world

[Okind]

We see this in the US with sales tax on online sales. While you could argue that the sale takes place in the retailers server, according to the law it takes place in the customers home. This is why retailers (assuming sufficient presence, i.e. nexus) must pay sales tax where thew customer lives. The same applies in the EU by the way, for purposes of consumer protection, VAT, etc. Where the company (and its employees) are located does not matter.

FALSE: Customers pay sales tax, retailers collect sales tax on behalf of the government, but the tax liability is the purchasers, not the sellers (see use tax). The argument becomes whether a government can require a citizen of a different state to operate on it's behalf by requiring them to collect this tax. (answer: they cannot -this is why establishing nexus becomes relevant.)

While you are correct that retailers do not pay sales tax, this does not invalidate my argument: the sales tax must be paid where the transaction takes place. This is where the customer is. Who must pay the tax (in this case the customer) is irrelevant.

Re:America owns the world

[Sique]

And so does the European court. Imagine the following: The European High Court serves a warrant to the U.S. Supreme Court for contempt, and put out a search warrant for the justices. They should never travel abroad then.

Who owns the server?

[Opportunist]

MS in the US or MS in Ireland?

If you say "doesn't matter", realize that SAP is based in Germany, and we'd want to see some data you have over there. Schnell!

Re:Who owns the server?

For tax purposes, I bet its MS in Ireland that owns it

Re:Who owns the server?

[ytene]

It will almost certainly be owned by Microsoft Ireland, a wholly-owned subsidiary of Microsoft Inc, US.

Unfortunately, this is where the story gets interesting. Whilst MS Inc, the US Parent, is incorporated under US Law and therefore subject to US jurisdiction, if the Irish subsidiary is incorporated under Irish law, then the ability of the US government to exert demands on it are potentially eliminated.

I have found that a good test to apply in a situation like this is to reverse the scenario. Here's a hypothetical situation to put this to the test: imagine that "Microsoft Ireland" was found guilty of a criminal offence [it doesn't matter what] and that the fine levied for this was equal to $100 Billion US. Now imagine that Microsoft Ireland are worth a grand total of say $40 Billion US and that extracting even this from them will completely bankrupt them.

Would the Supreme Court / Microsoft (US) inc be willing to allow the reciprocal to happen - i.e. that the plaintiff in the Irish case has the authority to go after Microsoft US for the remaining $60 Billion of their settlement? In other words - does that liability go both ways?

Obviously this is an academic question for a hypothetical situation; my sense is that the US parent would not want an open-door liability like this to be allowed. Which, whilst different in some respects, rather serves to enforce the view that these are two entirely different legal entities, incorporated under the laws of entirely different countries. If Microsoft Ireland had been incorporated under US law, then there might be an argument supporting the view of the US government. If it exists under Irish law, I don't see how the US government's case can have merit.

But then again, I'm not a lawyer...

Re:Who owns the server?

[Brett+Buck]

It doesn't matter. MS (the people in the USA) can certainly be compelled to provide the information or, more likely, be sanctioned. If they made a deal with a foreign company (MS Ireland, presumably) that precludes them from doing so, then, there might be a price to pay for that. MS doesn't have to be permitted to do business in the USA if they start ignoring court orders, for instance.

  SAP, same story, if SAP themselves own data in Germany, the USA can try all they want to get it, but they only get it if a German or possibly EU court demands it.

  Of course, you can probably assume that there are other means to obtain the information for national security purposes but that's not going to matter or be available for purposes of the court.

Re: Who owns the server?

You are assuming MS Ireland allows MS US employees to have the data. From a practical point of view it may be that Microsoft employees have the rights administratively to pull the information, but I don't think there's a way for them to prove that option exists if Microsoft Ireland, which is its own company no matter how the admin rights are divided, publicly states that they do not give permission for the information to be move to the United States from technically their servers.

Ultimately Microsoft could decide to let their Irish employees remove admin rights from their US employees so they could have plausible deniability.

Re:Who owns the server?

[Anubis+IV]

It doesn't matter who owns the server, since even if it is MS Ireland, they're almost certainly a wholly owned subsidiary of MS US, meaning that MS US owns that data regardless. And if the US government compels MS US to hand the data over, they'll be making a request that's illegal in the country where the action must be undertaken, regardless of whether it's MS US or MS Ireland doing the deed, so in that regard it also doesn't matter who owns the server.

Of course, just because it doesn't matter who owns the server doesn't mean it's legal for the US government to make that request, nor that it's legal for MS (regardless of which brand we're talking about) to hand the data over.

Ideally, the people on the ground in Ireland would simply refuse to comply with the order if MS was compelled to hand over the data. After all, the US government has no authority over them, nor an ability to prosecute them, nor an ability to pursue a prosecution of them via diplomatic channels given that the request was illegal in the first place. In fact, the proper way for this to work is that the US government uses those diplomatic channels to seek an extraction of the data pursuant to its treaties with Ireland or the EU.

Unfortunately, it may be possible for MS US to extract the data from Ireland without the involvement of the people in Ireland. If that's the case, then those Americans may be opening themselves up to contempt or court and other charges for failing to produce documents that they are capable of producing. When Apple was facing a similar situation with the FBI attempting to compel them to add a backdoor to iOS, the rumors leaking from internally indicated that the team that would have been compelled to take those actions planned to quit if push came to shove, and that other companies were already lined up to accept them if need be. I'd expect that the same would be true here: anyone who quit over an issue like this would have no trouble finding work elsewhere in the industry.

Re: Who owns the server?

You are assuming MS Ireland allows MS US employees to have the data.

This is probably a reasonable assumption, though. What leverage does MS US have over MS Ireland?

Well, for starters, MS US could sue MS Ireland for trademark violation. Stop calling yourself "Microsoft." That's our company, not yours. And needless to say, we'll make sure you lose any domain names that use any of our trademarks.

And of course, the Irish branch would not have access to any MS products or services. Their EULAs could all be revoked so that they not only don't have the legal right to run MS Windows on any of their computers, but they can't develop executables for that platform either, unless they write all the libraries from scratch (or use GNU tools or something like that).

In the end, here's the problem that Irish branch faces: they simply aren't independent. They can maybe show some legal forms that say they're independent, but the practical reality is otherwise. Basically, any sort of nasty dirty trick that the US branch could possibly perform against the Irish branch, they can be compelled to do. You point guns at the US' peoples' faces, telling them to make MS Ireland's job as hard as possible until they comply, or else the US people will suffer greater harm than whatever it costs them to attack the Irish.

If you say "doesn't matter", realize that SAP is based in Germany, and we'd want to see some data you have over there. Schnell!

Maybe they should try exerting their force; it could work.

And in both cases, the cure is the same: dependencies are a means of getting compromised, so you need to be running Free Software (or else at least your own software) if you need to be able to resist coercion. If there are US companies using German proprietary software, then HELL YES they are subject to this same sort of thing happening to them. That's one of the reasons you don't get yourself into situations where you rely on proprietary software. Because you don't want to be someone else's bitch. And MS Ireland is definitely MS US' bitch. I guarantee that they exist totally at MS US' pleasure, and that pleasure is not something they can count on if MS US is bullied by someone stronger (US government).

Re:Who owns the server?

After all, the US government has no authority over them, nor an ability to prosecute them

Not directly, but suppose the US government really wanted the data. So they grab the US branch of Microsoft by the balls, and squeeze, saying "squeeze the Irish harder or else you're dead."

What measures, not involving any sort of illegal use of force, could US Microsoft take against the Irish Microsoft, if the US branch were required to inflict maximum (but lawful under Irish law) harm^H^H^H^H pressure?

For example, does the Irish branch use any Microsoft-licensed software? (Licenses are agreements, and agreements can end if one of the parties is sufficiently motivated.) How fast can Microsoft Ireland upgrade their entire business, and also their own customers' businesses, to Linux?

Re:Who owns the server?

If the courts can legally compel Microsoft US to access the data, no laws of Ireland need be broken. The question then becomes whether or not Microsoft US has legal access to that data. I suspect this is the case. I'm sure it's already in the EULA that Microsoft (international) can use the data for various purposes. If they can use it, they can also be compelled by a suitable warrant to reveal it.

If on the other hand the data is truly residing outside the US, not usable by Microsoft US, and not the data of US customers... then I agree 100% that no US warrant should be able to touch it even if Microsoft US wholly owns the foreign company that hosts the server. The key difference is in whether Microsoft US has the right to access the data through its international arms or not.

Re:Who owns the server?

[Alain+Williams]

Even simpler case: an Irish company is ordered by an Irish court to obtain data from its subsidiary in the USA. Which court wins ?

Re: Who owns the server?

[Brett+Buck]

I am not assuming that at all. All I am assuming that if MS doesn't come up with it for whatever reason, they are liable for sanctions. "Gee, we asked them and they said no" isn't going to get them out of it.

      It would be a real stretch but depending on the rest of the case (and of course I didn't RTFA...) MS could be liable for obstruction of justice for squirreling the data/evidence away from US jurisdiction. They may never make the original case for lack of the evidence but nothing keeps them from going after MS for having blocked their access. Taking a bit of evidence that everyone agrees exists, and hiding it or removing it from access, is definitely something you can get in trouble for. It would be a tough case to win but it would seem impossible to dismiss summarily.

Re:Who owns the server?

[Alain+Williams]

It doesn't matter who owns the server, since even if it is MS Ireland, they're almost certainly a wholly owned subsidiary of MS US, meaning that MS US owns that data regardless.

The EU might not agree that that is the case.

Can anyone tell me where I can buy popcorn in bulk ?

Re:Who owns the server?

[HiThere]

Given the US data protection laws, there's no conflict of law.

Re:Who owns the server?

[Anubis+IV]

Yeah, that was a typo. I realized I was using "data" interchangeably with "server" when I shouldn't have been. I went back and replaced most of them, but missed that one, apparently. I didn't want to get anywhere near the topic of who owns the data, since that wasn't the point of my post and wasn't at all something I was trying to address.

Re:Who owns the server?

[HiThere]

IIUC, the laws of Ireland prohibit exporting personal information to the US because of US laws on data protection. So for someone in Ireland to ship the data to the US would be in violation of Irish law.

This isn't just corporate maneuvering, it's also governments arguing about jurisdiction. The US is demanding that Irish laws be violated on Irish soil. And Irish law derives from EU law, so this is also the US vs. the EU.

Re:Who owns the server?

[lionchild]

I suspect that this will be a split decision, but I would surmise that the SCOTUS will not be willing to set the precident that it's okay for another country to access data across boarders with traditional search warrants, but this will require cooperative search warrants. That is, if the US issues a Search Warrant, and then the country in which the server resides will, in turn, issue a matching Search Warrant, then the data can be accessed.

However, I do not believe the SCOTUS will want Ireland or Dubia or any other of these 40+ countries to be able to unilaterally issue a single Search Warrant for data inside the US. If SCOTUS allows the US to do it, they set the precident that they would agree that other countries could do it to the US.

Just my gut feeling on the matter.

Re:Who owns the server?

[Kjella]

You talk a lot about legal and illegal without mentioning jurisdiction which is rather important since the US got jurisdiction over MS US, Ireland over MS Ireland. The US can legally put the thumbscrews on MS US to produce the documents, Ireland can legally put the thumbscrews on MS Ireland to not produce the documents. Which puts Microsoft in a "damned if you do and damned if you don't" position, but there's no "world court" they can appeal to. The US can say we're right, appeal denied and Ireland can say the same. It still won't be possible for Microsoft to comply with both.

It's clear to see why the US - or indeed any country - don't like the idea that you can "jurisdiction shopping", like oh all our company data is outsourced to our wholly owned subsidiary in the Cayman Islands and we wouldn't want to break any local laws, you'll have to go through the courts there. But if that's a problem you should restrict the export of information, like if you're a US company the data on US citizens must be accessible to US courts. Trying to demand that all data held by foreign subsidiaries, even on foreign citizens be available to US courts is begging for trouble.

The reciprocity here is that a Chinese court can demand data on US citizens stored on US servers by a US subsidiary because it's owned by a Chinese company. The US would never grant the permissions it's trying to create for itself, it's one rule for us and one rule for everybody else. Hopefully the supreme court is smart enough to see that, otherwise there is only one choice: Stop making any product made by a US company in any privacy-sensitive context.

Re:Who owns the server?

[Anubis+IV]

Great points all around, I'm glad someone made them. You're right that I glossed right over those distinctions, though I'll say that I did so intentionally since I wanted to focus on other aspects of the situation.

Thanks for the insightful comment!

Re:Who owns the server?

What's the rush? Windows doesn't have code within it to accept a license revocation initiated by the remote end. And I wouldn't be surprised if any amount of pressure to do an illegal thing is unlawful under Irish law, thus immediately authorizing countermeasures.

Trump Platform Module

Results
We detected insecure key
Key type     X509 certificate (PEM)
Bit length     2048
Test result     Vulnerable

My God!  We're all gonna die!

No longer US Government

Now it's "the Trump Administration", at least for pretty much everything msmash posts.

Re: No longer US Government

Yeah, the ones that scream and cry the loudest about "bias" are always the worst offenders. It's called projection, and it's really the only thing liberals are good at.

Re:No longer US Government

Yes, the nuances of unbiased journalism are lost upon her (or is it him...wouldn't want to trigger xer by assuming gender).

Microsoft posts

Could someone point me to the posts where we praise Microsoft for protecting our privacy?

Re:Microsoft posts

[HiThere]

Give me a reason to believe that's what they're doing. They're protecting corporate secrets from an intrusive government.

OTOH, the US government seems to be demanding that Irish (EU) laws be violated on Irish soil in order to satisfy their demands. Which seems a definite overreach.

RFC 3156

We have had PGP since 1991, 26 years, and it has been a standard for email since 2001 in RFC3156.

At this point if you are not encrypting your data in flight you have little excuse to blame anyone else for disclosure of said data. The solutions have been available for decades. Everyone wants access to your email - Google, your govt, other govts, etc. Encrypt it end to end if you care about preventing them from seeing it.

If MS is compelled,

Does that mean that my country's government can compel MS to hand over data stored on servers in the US?

Re:If MS is compelled,

[jedidiah]

If it's the data of one of your country's citizens or corporations, then why not? Even our right to privacy is not a universal shield against a warrant or subpeona.

Re:If MS is compelled,

[ilsaloving]

Of course not. Standard US foreign policy has always been, "What's good for the goose ISN'T good for gander."

Re:If MS is compelled,

[tomhath]

Even a "secret" Swiss bank account can be subpoenaed in a criminal trial.

Re:If MS is compelled,

Ah...NOW we get to the heart of the matter. NO, 'secret Swiss bank accounts' were turned over due to any 'legal subpoena', any information turned over by Swiss banks was out of black mail (e.g. you will NEVER do banking with any bank in the US if you do not turn over this data). The US government placed only a 'thin veneer' over such black mail via any reference to subpoena's & warrants.

MSFT & siimlar better damn well hope the SCOTUS gets this one right otherwise MSFT, Google etc. will be left scrambling only for dollars in the US market. Other companies will not enter the US market so they won't be subject to US laws & they'll be happy to do business with the rest of the 7 Billion people not in the US.

In Microsoft's own words

[Khopesh]

This is also mentioned on Microsoft's own post on US Supreme Court will hear petition to review Microsoft search warrant case while momentum to modernize the law continues in Congress, in which MS states:

We will continue to press our case in court that the Electronic Communications Privacy Act (ECPA) – a law enacted decades before there was such a thing as cloud computing – was never intended to reach within other countries’ borders.

... We challenged the warrant that resulted in this ligation because we believed U.S. search warrants shouldn’t reach over borders to seize the emails of people who live outside the United States and whose emails are stored outside the United States.

This is really important not only for international privacy but also for US business profits from international sources (which is a major reason for Microsoft being on the right side of the issue).

Re:In Microsoft's own words

Yeah, and if Microsoft wins a massive legal loophole gets opened whereby everyone exports data overseas and pretends it doesn't exist or retrieving it is illegal in its locale when subpoena'd.

The very next day Congress will shut down the internet by giving it borders: you will no longer be able to export data freely.

Re:In Microsoft's own words

This simply will not happen. Congress is most likely to modify the law in such a way is to make access to this information harder. This is part of the issue. Under existing law email and other electronic information have strong protection, right up until the information is 180 days old. Then the data is available almost warrantless.
This is also about who owns the data. Does Microsoft own the data, which the DOJ claims, or do the individuals to whom the email belongs own it? This is really the cusp of the matter and why the DOJ says they don't need to go the the EU court. If it's corporate data it's, if I understand it properly, not subject to EU privacy laws in the same way as if it's a person's data, then MS has to turn it over. IF it belongs to the owner of the email then the DOJ needs to go to the EU courts to get it.
Congress seems to be coming down on the it's owned by the person's whose email it is. This is in line with what the EU privacy laws say.

I Side With Microsoft

Because they gave us Windows 8. Now I side with them on everything.

Sauce for the gander

OP's snark was directed at the US Government's long history of prosecuting people under claims that persons located in the EU are governed by US law (anti bribery US laws are but one example).

Such prosecutions become even higher profile when those EU located persons are accessing computers located in the US. The exact obverse of this case.

In other words ... what's sauce for the goose is also sauce for the gander.

Request Is Improper

There are clear-cut jurisdictional issues here. The US government has no jurisdiction in Ireland, full stop. This is settled law.

It won't stop the US government from trying of course, but as a matter of international law this is drop-dead simple. Thus even if the US Supreme Court rules in favour of the US government, that would be an illegal and unenforceable ruling on the international stage.

Stop trying to go around the system, plaintiff dickwads! Make a diplomatic request to the Irish government. These channels are well-known and have been in place for a very long time.

Re:Request Is Improper

[tomhath]

The issue has nothing to do with Ireland. It's data on a US citizen that Microsoft (a US company) has.

Re: Request Is Improper

The data is stored in Ireland.

Re: Request Is Improper

[tomhath]

Nobody is asking Microsoft to go to Ireland in order to retrieve the data; it can be accessed from the US.

Re: Request Is Improper

I highly doubt you know it can be accessed from the US.

Re: Request Is Improper

The DOJ's petition certainly implies that it can be:

The provision [of the SCA] is applied domestically when a court issues a warrant to a provider in the United States requiring disclosure in this country of material over which the provider has control, regardless of whether the provider stores that material abroad.

Get a goddamn treaty

Seriously US government just do things properly for a change instead of setting up nasty precedents and start setting up reciprocality treaties. Allow their warrants to access US servers and your warrants to access their servers, perhaps with some degree of validity checking between the two (such as meeting a certain standard of evidence and/or the cause for said warrant being a crime in both countries).

You don't want to establish a precedent to let say China demand access to US servers for searching for dissidents or a pretense to steal proprietary information for their own industries.

Where was data sent/received from/to?

If email or data was sent from or to US jurisdiction, then I think that tips that scales into MS USA having to provide the data.
Imagine it is a painting, if is was sold in USA and stolen from within USA and found in Ireland shouldn't it still be returned to USA?

If you view it from US jurisdiction off of Ireland server, then where is the data: US or Ireland?

Why not privacy laws for everything

Let users decline spying in Windows 10, Skype, Office, SQL Server, Google, Android, Chrome, Roomba, MOZILLA (Do ABOUT:TELEMETRY and see the scary shit it collects), Verizon (It's there if you opt in of course) and more. We need to reign in Privacy and stop the digital rape of consumers.

On another note, Shouldn't there be third party verification that demonstrates that if you are allowed to turn of spying in different products that it REALLY does stop? If the ability is there then it can be activated at any time.

We are just comfortable with it. Like your windows 10? Take a look a the super scary stuff it collects. Mozilla now has the ability to record every where you go.

Search warrant != Subpoena

[Lost+Race]

A search warrant does not compel anyone to provide anything. A search warrant just means that the holder of the warrant is allowed to search, and the results of the search will be admissible as evidence. When the police say, "We're going to search your property," whether they have a warrant or not, all you have to do is step aside and not interfere.

Now, if they have a subpoena, then you may be compelled to produce some evidence, by whatever means are at your disposal.

So if the US police show Microsoft a warrant to search some data center in Ireland, all Microsoft has to do is step aside and let them search that datacenter in Ireland. (Good luck with that, US police.) If they want Microsoft to log into that data center remotely and retrieve the data for them, they'll need a subpoena to that effect. In the case at hand, the police got lazy and the court smacked them down.