US Supreme Court To Decide Microsoft Email Privacy Dispute

The U.S. Supreme Court on Monday agreed to resolve a major privacy dispute between the Justice Department and Microsoft Corp over whether prosecutors should get access to emails stored on company servers overseas. From a report: The justices will hear the Trump administration's appeal of a lower court's ruling last year preventing federal prosecutors from obtaining emails stored in Microsoft computer servers in Dublin, Ireland in a drug trafficking investigation. That decision by the New York-based 2nd U.S. Court of Appeals marked a victory for privacy advocates and technology companies that increasingly offer cloud computing services in which data is stored remotely. Microsoft, which has 100 data centers in 40 countries, was the first U.S. company to challenge a domestic search warrant seeking data held outside the country. There have been several similar challenges, most brought by Google.

Re:Who owns the server?

[ytene]

It will almost certainly be owned by Microsoft Ireland, a wholly-owned subsidiary of Microsoft Inc, US.

Unfortunately, this is where the story gets interesting. Whilst MS Inc, the US Parent, is incorporated under US Law and therefore subject to US jurisdiction, if the Irish subsidiary is incorporated under Irish law, then the ability of the US government to exert demands on it are potentially eliminated.

I have found that a good test to apply in a situation like this is to reverse the scenario. Here's a hypothetical situation to put this to the test: imagine that "Microsoft Ireland" was found guilty of a criminal offence [it doesn't matter what] and that the fine levied for this was equal to $100 Billion US. Now imagine that Microsoft Ireland are worth a grand total of say $40 Billion US and that extracting even this from them will completely bankrupt them.

Would the Supreme Court / Microsoft (US) inc be willing to allow the reciprocal to happen - i.e. that the plaintiff in the Irish case has the authority to go after Microsoft US for the remaining $60 Billion of their settlement? In other words - does that liability go both ways?

Obviously this is an academic question for a hypothetical situation; my sense is that the US parent would not want an open-door liability like this to be allowed. Which, whilst different in some respects, rather serves to enforce the view that these are two entirely different legal entities, incorporated under the laws of entirely different countries. If Microsoft Ireland had been incorporated under US law, then there might be an argument supporting the view of the US government. If it exists under Irish law, I don't see how the US government's case can have merit.

But then again, I'm not a lawyer...

If MS is compelled,

Does that mean that my country's government can compel MS to hand over data stored on servers in the US?

In Microsoft's own words

[Khopesh]

This is also mentioned on Microsoft's own post on US Supreme Court will hear petition to review Microsoft search warrant case while momentum to modernize the law continues in Congress, in which MS states:

We will continue to press our case in court that the Electronic Communications Privacy Act (ECPA) – a law enacted decades before there was such a thing as cloud computing – was never intended to reach within other countries’ borders.

... We challenged the warrant that resulted in this ligation because we believed U.S. search warrants shouldn’t reach over borders to seize the emails of people who live outside the United States and whose emails are stored outside the United States.

This is really important not only for international privacy but also for US business profits from international sources (which is a major reason for Microsoft being on the right side of the issue).

Re:Who owns the server?

[Anubis+IV]

It doesn't matter who owns the server, since even if it is MS Ireland, they're almost certainly a wholly owned subsidiary of MS US, meaning that MS US owns that data regardless. And if the US government compels MS US to hand the data over, they'll be making a request that's illegal in the country where the action must be undertaken, regardless of whether it's MS US or MS Ireland doing the deed, so in that regard it also doesn't matter who owns the server.

Of course, just because it doesn't matter who owns the server doesn't mean it's legal for the US government to make that request, nor that it's legal for MS (regardless of which brand we're talking about) to hand the data over.

Ideally, the people on the ground in Ireland would simply refuse to comply with the order if MS was compelled to hand over the data. After all, the US government has no authority over them, nor an ability to prosecute them, nor an ability to pursue a prosecution of them via diplomatic channels given that the request was illegal in the first place. In fact, the proper way for this to work is that the US government uses those diplomatic channels to seek an extraction of the data pursuant to its treaties with Ireland or the EU.

Unfortunately, it may be possible for MS US to extract the data from Ireland without the involvement of the people in Ireland. If that's the case, then those Americans may be opening themselves up to contempt or court and other charges for failing to produce documents that they are capable of producing. When Apple was facing a similar situation with the FBI attempting to compel them to add a backdoor to iOS, the rumors leaking from internally indicated that the team that would have been compelled to take those actions planned to quit if push came to shove, and that other companies were already lined up to accept them if need be. I'd expect that the same would be true here: anyone who quit over an issue like this would have no trouble finding work elsewhere in the industry.

Re:Who owns the server?

[Kjella]

You talk a lot about legal and illegal without mentioning jurisdiction which is rather important since the US got jurisdiction over MS US, Ireland over MS Ireland. The US can legally put the thumbscrews on MS US to produce the documents, Ireland can legally put the thumbscrews on MS Ireland to not produce the documents. Which puts Microsoft in a "damned if you do and damned if you don't" position, but there's no "world court" they can appeal to. The US can say we're right, appeal denied and Ireland can say the same. It still won't be possible for Microsoft to comply with both.

It's clear to see why the US - or indeed any country - don't like the idea that you can "jurisdiction shopping", like oh all our company data is outsourced to our wholly owned subsidiary in the Cayman Islands and we wouldn't want to break any local laws, you'll have to go through the courts there. But if that's a problem you should restrict the export of information, like if you're a US company the data on US citizens must be accessible to US courts. Trying to demand that all data held by foreign subsidiaries, even on foreign citizens be available to US courts is begging for trouble.

The reciprocity here is that a Chinese court can demand data on US citizens stored on US servers by a US subsidiary because it's owned by a Chinese company. The US would never grant the permissions it's trying to create for itself, it's one rule for us and one rule for everybody else. Hopefully the supreme court is smart enough to see that, otherwise there is only one choice: Stop making any product made by a US company in any privacy-sensitive context.