Slashdot Mirror


Microsoft Fights Search Warrants for Overseas Emails in the Supreme Court (microsoft.com)

Microsoft's Chief Legal Officer writes about "the landmark Microsoft case that will decide whether the U.S. government can use a search warrant to force a company to seize a customer's private emails stored in Ireland and import them to the United States." On Thursday, 289 different groups and individuals from 37 countries signed 23 different legal briefs supporting Microsoft's position that Congress never gave law enforcement the power to ignore treaties and breach Ireland's sovereignty in this way. How could it? The government relies on a law that was enacted in 1986, before anyone conceived of cloud computing... When the U.S. government requires a tech company to execute a warrant for emails stored overseas, the provider must search a foreign datacenter and make a copy abroad, and then import that copy to the United States. This creates a complex issue with huge international consequences. It shouldn't be resolved by taking the law to a place it was never intended to go...

The U.S. Department of Justice's attempt to seize foreign customers' emails from other countries ignores borders, treaties and international law, as well as the laws those countries have in place to protect the privacy of their own citizens... It's also a path that will lead to the doorsteps of American homes by putting the privacy of U.S. citizens' emails at risk. If the U.S. government obtains the power to search and seize foreign citizens' private communications physically stored in other countries, it will invite other governments to do the same thing. If we ignore other countries' laws, how can we demand that they respect our laws?

Amicus briefs supporting Microsoft have been filed in the U.S. Supreme Court by Ireland, France, and the European Commission and European privacy regulators. Microsoft even notes that on this issue, "Fox News agreed with the American Civil Liberties Union."


  1. Force the company != force the individuals by Alain+Williams · · Score: 4, Interesting

    The servers are located in Ireland in a data centre staffed by Irish people (or who, at least, live there). Will these people obey an order from a court in the USA and risk the wrath of the court in Dublin? I would not if I were one of them. I do not know what control Microsoft (USA) has over servers in its Irish data centre, but generally the guy who can touch the machine is the one who makes the final decision; and he, being fearful of the Dublin court, could easily restrict access to anyone outside of their data centre.

    No matter what the court in the USA decides, what will happen in reality will be interesting to see.

    1. Re:Force the company != force the individuals by CaptainDork · · Score: 4, Informative

      This is not a matter of an American-issued search warrant delivered to person or persons of name, as in individuals.

      Microsoft obviously has a pathway to the data in Ireland and there are no gatekeepers blocking that path, at this time.

      At issue is custodianship vs ownership vs jurisdiction, and it ain't easy.

      This problem has already been addressed in the case of offshore banking.

      I think that's where SCOTUS will take this.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re: Force the company != force the individuals by muffen · · Score: 1

      One never knows what happens to things when they get to Ireland!
      God invented alcohol to prevent the Irish from ruling the world, as it so nicely says in a bar in Temple Bar...

    3. Re:Force the company != force the individuals by Insanity+Defense · · Score: 4, Informative

      The claim that something is being "imported" from Ireland to the U.S. is rubbish. The claim that this somehow violates Ireland/EU law is absurd, unless you are arguing that a person sitting at a computer in the U.S. is somehow bound by the laws of a foreign country.

      Strange you should say that. The U.S. claims exactly that in the case of Gary McKinnon who hacked U.S. computers with off the shelf software. They were trying to extradite him with threats of 70 years hard time in a maximum security prison for his actions in the U.K.

      Then there is the case of Dmitry Sklyarov who wrote software in Russia for his employer that was strictly legal but was arrested in the U.S. and charged for his employer's sales of it to Americans. Sklyarov was not in the U.S. when he wrote the program and had nothing to do with the distribution. Yet he was arrested.

      How about Kim Dotcom? Again his breaking of American laws was entirely outside the U.S. but that hasn't stopped the U.S. legal system from persecuting him.

      So yes the U.S. has repeatedly claimed computer "crimes" perpetrated by people outside the U.S. are punishable by the U.S. So why shouldn't other countries do the same to Americans?

    4. Re:Force the company != force the individuals by silas_moeckel · · Score: 1

      That MS employee in the US accessing data in Ireland could be charged in Ireland. The correct method is get a warrant where the thing is. This is a power grab, in effect will the laws be the least restrictive of where anybody physical is that can access the data, suddenly taking a vacation changes the laws that cover a piece of data?

      --
      No sir I dont like it.
    5. Re:Force the company != force the individuals by Alain+Williams · · Score: 1

      This is a deliberate mis-stating of the issue.

      Right now, a Microsoft employee, sitting at a computer located in the U.S., can access those servers and find the information that is being requested. This is done every day as a matter of routine operation, by Microsoft and every other company that has operations in multiple countries.

      True, but today. What if the Irish court say that remote access were not to be allowed without agreement of the Dublin court (or whatever) - on the grounds that Microsoft USA was untrusted and that the data in Ireland had to be protected? I assume that those who control the Irish data centres would have to restrict remote access over the internal Microsoft VPN from elsewhere. Thus Microsoft USA would be locked out of part of its network. What would the USA do ... it could order that Microsoft USA produce updates to its own data-centre operating system (or utilities) that contained back-doors that would give it covert access to Microsoft Dublin. Then when Microsoft Dublin discovers these it would have to take countermeasures ... life could get interesting!

      *YOU* do it every time you use your web browser to access a web page hosted on a server in a foreign country. Google and Microsoft (Bing) do it every time they index a page hosted on a computer in a country outside the U.S.

      Yes: but the only emails/web-pages that I can access are those that I am permitted to, either by being logged in to an email account or the web page being public, or something. What the USA courts want is to access other people's email without their agreement. This is very different.

    6. Re:Force the company != force the individuals by Wrath0fb0b · · Score: 1

      I think it's a bit disingenuous to say "the guy that can touch the machine" is the one who makes final decisions. That's certainly not the case in all the companies I've worked for: the guy accepts what management tells him. If he doesn't, he will be replaced by someone that does. No organization (no matter how enlightened) gives the IT dudes the final authority over who gets access to what systems.

      "Hey Bob, did you get a SCM account?"
      "No, I cut off the sysadmin for that system in the parking lot and my boss says he's the only one that can make an account. Tough luck I guess, can I borrow your login"

      I would imagine that Microsoft USA has constructive control over the datacenter operations in one form or another. They might not have machine permissions in the narrow technical sense, but effectively they can

      [ Reminds me a bit about the Planet Money about shell corporations. They would hire local dudes in the Cayman Islands or wherever to be shareholders and board members of a company. But they would then sign a separate contract with the local dude saying that the local dude will vote however some tax-dodger says they will.

      The claim then is that the tax scofflaw doesn't "own" the shell corporation (technically true: he has no shares) and so it doesn't have to be reported on their taxes. Meanwhile, through the voting contract, they get to control the company assets to pay for shit they want. The IRS decided pretty decisively that this BS doesn't fly -- you are the beneficial owner of a corporation based on the actual facts, not the nominal status.

      Of course, analogies are imperfect so I'm fine if you think this isn't entirely apt. But the parallels are a bit striking: Microsoft USA probably has constructive control over the datacenter, we'll see what the courts think soon I guess ]

    7. Re:Force the company != force the individuals by Kjella · · Score: 2

      The claim that this somehow violates Ireland/EU law is absurd, unless you are arguing that a person sitting at a computer in the U.S. is somehow bound by the laws of a foreign country.

      Uh yes? If you hack an Irish server it's most definitively a crime in Ireland. Same if you plan and direct an IRA bombing from abroad, being physically present has never been a requirement. Sure enforcement can be tricky if they refuse to extradite, but that's just a practical problem.

      This is a deliberate mis-stating of the issue. Right now, a Microsoft employee, sitting at a computer located in the U.S., can access those servers and find the information that is being requested.

      Technical capability and legal permission are not the same. For example we've had doctors and nurses criminally prosecuted for snooping on journals of patients they had no business reading, that they're capable of copying this information doesn't mean they can do so legally. I think anyone who's held root/admin privileges on company servers understands this.

      This is done every day as a matter of routine operation, by Microsoft and every other company that has operations in multiple countries.

      Exactly, it is routine for employees in one jurisdiction to have access to data held in a different jurisdiction. And all of that is based on contracts and agreements that lets Microsoft US have access to Microsoft Ireland's servers and data within the boundaries of Irish law. The US courts are saying we can force Microsoft US to do whatever we want. The problem is that then they're saying those agreements are worthless, you can't trust an American to honor them because he can be forced by US courts to break them. Which means Microsoft Ireland will be forced by Ireland/the EU to rescind those permissions.

      In fact all sorts of cloud/hosting/outsourcing industries could be hit with this, it'd be a total meltdown where the only way you can abide by domestic laws is to have only domestic people working on it. Imagine if India said "That's great we'll do like the US, everything that's outsourced or subcontracted to Indians can now be subpoena'ed under Indian law." and everyone would shit bricks. Which is why I don't understand why the US is pushing for this, if they win US employees and companies will become toxic for global operations.

      --
      Live today, because you never know what tomorrow brings
    8. Re: Force the company != force the individuals by lokedhs · · Score: 1

      That is actually an interesting question. Is it possible for a US court to force an individual to break the law in a foreign country? I'd hope the answer is no, but this is the US we're talking about so you never know.

    9. Re:Force the company != force the individuals by LowTechSwede · · Score: 2

      This case is huge for Microsoft, Google and Apple. If the ruling goes against Microsoft, this likely means that no company with business in EU can use an American provider for emails for their EU employees under GDPR. GDPR which comes into effect in a couple of months has enough teeth to make compliance mandatory. To stay in business in EU, the three big ones would need to separate their hosting of EU data to a separate legal entity not under their control. License technology to a company, spin off the company and list it on a EU stock exchange or something similar. Sharing of data for interoperability then becomes a problem that has to be solved. This would not be unsolvable, but likely expensive and leading to service degradation in many ways. EU Governments would probably not be unhappy with this turn of events, but a large number of businesses will suffer in the short term, though none as much as Microsoft and Google.

    10. Re:Force the company != force the individuals by coofercat · · Score: 1

      IANAL, but I'd say most European businesses would not be able to use US-owned providers *at all* if this goes ahead. EU law would need special exceptions for US access to EU data, which I suspect just ain't gonna happen.

      Even if I'm wrong about all this, it's a great opportunity for EU-based hosting providers to scoop up some big contracts from people hitherto using US owned providers. Be careful what you wish for...

    11. Re:Force the company != force the individuals by pnutjam · · Score: 1

      This is the US.
      Authoritarianism > business interests
      business interests > citizen interests

  2. Perhaps another country can try it. by dwywit · · Score: 2

    Lodge a warrant with the local MS subsidiary for some data stored on MS USA server/s, and see what happens. Put the shoe on the other foot and see how the USA DoJ reacts.

    --
    They sentenced me to twenty years of boredom
    1. Re:Perhaps another country can try it. by ilsaloving · · Score: 1

      I think we all know exactly what would happen.

      According to the US, national sovereignty is a one way street.

  3. ACLU and Fox News agreeing is the end of times by Anonymous Coward · · Score: 1

    I can understand that DoJ is required to make the request/filing, but I do not believe even many of their own lawyers actually think winning would be a good thing. When the ACLU and Fox News both agree the DoJ winning would be bad, you can pretty much take that to the bank. The only interesting question is how narrow the ruling will be.

  4. The reality is... by GerryGilmore · · Score: 1

    ...that, by the Constitution, international treaties DO supersede Federal law, though not the Constitution itself. Witness WTO lawsuits against Federal and/or State laws. A very bizarre situation, indeed, but you'd think that government lawyers would know this.

    1. Re:The reality is... by Anonymous Coward · · Score: 1

      This is factually incorrect. International treaties are on a par with acts of Congress, and neither supersede nor are superseded by Federal United States law - see, e.g., Reid v Covert 354 US 1 (1958).

  5. There are already legal ways by DCFusor · · Score: 1
    As stated by several amicus briefs. We have treaties with most other countries where this would be an issue, all we have to do is deal with them. If they don't want to give it up, well...do you do war or what? Further, if MS gives up the stuff - they're breaking the law in the other country. Does it seem reasonable to demand someone else break the law? It might be legal, since we have any number of illogical, unconstitutional, just-us laws, but gheesh. Solve it the way it was already solved, you lazy govt fscks. The US is only the US, we don't own the world much as many stupid people might wish that as our empire ends - which is why we're thrashing around like a wounded animal these days.

    To reiterate - there's already a legal way to do this where no one breaks any laws if the other country agrees. We should be done at that point and respect others. This might be the only time in recent memory I'm on the side of Microsoft.

    --
    Why guess when you can know? Measure!
    1. Re:There are already legal ways by AHuxley · · Score: 1

      PRISM https://en.wikipedia.org/wiki/...
      Nobody smart noticed all that data moving around from a big brand back to the gov/mil?
      The big brands even helped decrypt so the gov could get plain text.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:There are already legal ways by DCFusor · · Score: 1

      Of course we did. A: the parts of gov have turf issues with talking to one another. B: while it's effectively illegal, even if they do it anyway, if they have a hard on to bust someone with clout - it has to look legal, parallel construction might not fly.

      --
      Why guess when you can know? Measure!
  6. Scene: The trial of an oil or financial company by Wrath0fb0b · · Score: 1

    Prosecutor: The defendant has not turned over emails between their executives discussing the probability of an (oil leak) (fiscal collapse) (other bad thing).

    Judge: Why not?
    Defendant: Those emails are not stored in this country.

    Judge: Which country are they stored in?
    Defendant: Please refer to the statement from EvilCO IT explaining that our emails are stored in a database that is then sharded across all our subsidiaries around the world.

    Judge: And you need the pieces, the shards, from all the countries to reassemble them?
    Defendant: There's some redundancy for catastrophic failures, so no, not all.

    Judge: But most.
    Defendant: Yes.

    Judge: And this can be done from a server here in the United States.
    Defendant: No, email accounts are managed by those subsidiaries in those countries. Our EvilCO IT here doesn't have permissions to create them.

    Judge: But when a new employee starts, they get access? How?
    Defendant: Yes. The US office requests an account for them.

    Judge: So you do have permissions to create the new accounts
    Defendant: No, only the administrators at the subsidiaries do.

    Judge: But you can tell them to do so.
    Defendant: Yes

    Judge: And they can't say no.
    Defendant: I'm not aware of a sysadmin in a subsidiary refusing to create an account for their local shards to an employee authorized by corporate.

    Judge: So you claim you don't have permission, but if you make a request then it's always fulfilled.
    Defendant: It's fulfilled by an administrator in the subsidiary that has permission.

    Judge (daydreaming): Bailiff, please tase this lawyer in the balls repeatedly until he stops this bullshit.
    Judge (IRL): Counsel, I think you have constructive access if every time you request access, someone with actual permission grants it.
    Defendant: Multiple administrators are required, in each subsidiary, to grant access to the shards necessary to access the email system.

    Judge: Yes, multiple, OK, it's a nice shell game. How about turn over the documents about your damned oil spill already?

    1. Re:Scene: The trial of an oil or financial company by R3d+M3rcury · · Score: 1

      Judge (daydreaming): Bailiff, please tase this lawyer in the balls repeatedly until he stops this bullshit.

      I think you mean:

      Judge (daydreaming): Bailiff, whack his pee-pee!

    2. Re:Scene: The trial of an oil or financial company by jaa101 · · Score: 1

      The key difference here is that they're not after Microsoft's data; they're after data belonging to a Microsoft customer who is not a US citizen who has probably never physically been on US territory.

    3. Re:Scene: The trial of an oil or financial company by Wrath0fb0b · · Score: 1

      That is a difference. I don't see how it's a key difference who holds the record.

      In the bank/oil-co/bad-guy example, does using a 3rd party IT department instead of in-house change things? Or any number of intermediaries can be added: Oil company contracts ITCorpUS, ITCorpUS has a subsidiary in Ireland, Ireland has a subsidiary in Cook Islands ....

    4. Re:Scene: The trial of an oil or financial company by Anonymous Coward · · Score: 1

      Should read: "Defendant: I'm not aware of a sysadmin in a subsidiary refusing to create an account for their local shards to an employee authorized by corporate; but they know what's going on and I would expect a refusal this time."

    5. Re:Scene: The trial of an oil or financial company by jaa101 · · Score: 1

      The difference is that the bad company has a legal presence in the US, so US courts can demand company documents in some circumstances. Wherever the company has stored the documents, if the company is able to retrieve the documents itself then it can be compelled to retrieve them for a court. In this case the documents don't belong to a US company, they belong to an entity with no presence in the US.

      What if this case was about a US bank which operated safety deposit boxes in Ireland? Can a US court require that bank to open a customer's box in Ireland, without notice to the customer, and provide copies of the contents? This is likely to violate the bank's contract with the customer and probably Irish and European law as well.

      Taking this example further, what if that US bank has a legal presence in Russia, China, Venezuela, or wherever. Can a court in one of those places require the bank to send them copies of material in your safety deposit box located in the US?

    6. Re:Scene: The trial of an oil or financial company by david_thornley · · Score: 1

      No matter what the contractual or physical arrangements, I can't, from here, open a safety deposit box in Ireland. I'd have to go there or have someone do it for me. If I'm there, I'm subject to Irish law, and if I employ someone to do it they're subject also. A US court could order me to provide the contents of the box, but I might not be able to comply.

      However, I may be able to access data in Ireland without anyone in Ireland doing anything to help me. From where I'm sitting, I'm not actually subject to Irish law, and the ones who are aren't doing anything. A US court could order me to hand over the data, and I sure can comply without involving anyone in Ireland.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    7. Re:Scene: The trial of an oil or financial company by jaa101 · · Score: 1

      I meant, imagine you are an Irish citizen who has never left Ireland but you have documents in your bank's safety deposit boxes in Ireland. Do you think a US court should be able to force that bank to produce copies of those documents without even telling you about it? It doesn't even need to be a US bank, just a bank with a legal presence in the US so the courts have access to company officers in the US. See how this is different from the court requiring access to bank documents stored in Ireland?

      And then turn it around. You're in the US and an Irish court compels your bank to produce copies of your documents. Surely you don't think that's acceptable.

    8. Re:Scene: The trial of an oil or financial company by david_thornley · · Score: 1

      Right, but this isn't the same thing. I was trying to point out that nobody in the US has direct access to an Irish safe deposit box, but that Microsoft apparently has direct access to data in Irish servers. It is possible for people in the US to access data overseas, but not physical objects.

      A US court can't order people in Ireland around. It can issue orders to people in the US. It can tell people in the US to say things to people in Ireland, but those people are going to be subject to Irish courts rather than US courts. It can tell people in the US to access servers in Ireland that they have access to, and there's nobody in Ireland who has to do anything, so there's no automatic way to invoke Irish law.

      Clearly, a US court can order people in the US to turn over stuff in US servers. Can a US court order people in the US to do the exact same thing on Irish servers?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  7. Re: They're going to lose by Sique · · Score: 5, Interesting
    If the U.S. prosecution has its way, then the E.U. will simply forbid any foreign owned company to operate any data in the E.U.. The High Court of the E.U. already invalidated the "Safe Harbour" agreement with the U.S. because of the way the U.S. handles data of foreigners. In the end, Microsoft Ireland will have to become a separate entity, independent of Microsoft U.S., and only a contract between Microsoft U.S. and Microsoft Ireland will allow Microsoft U.S. access to data stored in Ireland, with an arbiter resident in Ireland deciding case by case if the access is to be permitted or not by handing out a digital certificate granting access and being revoked at any time the arbiter sees fit.

    In a case like this, the certificate necessary to access said email would long have been revoked, and only with a formal request to the Attorney General and the Data Protection agency of Ireland, the U.S. prosecution would be able to get a new one granting access to the email they want.

    --
    .sig: Sique *sigh*
  8. Sorry, MS has the statement of facts correct by davecb · · Score: 1

    Regrettably, the courts are aware of the "incidental" creation of copies in each location, as entered into evidence in suits about copyright and copies. They know full well that there is a copy made in RAM in Ireland, then another in the US, then the final copy on the printer in the US, the place where the data is wanted.

    If I request a web page from a site in the EU, I don't have to obey EU law, but the server administrator in the EU does. If the EU says "No foreigners may see this", then he can't serve it to me, so I can't import it.

    I might really really wish to view it, but if it's in the EU, EU laws apply.

    --
    davecb@spamcop.net
  9. Fuck Them by NicknameUnavailable · · Score: 1

    They sell out every US citizen with Cortana, and they won't give up some foreigner? Jail all the executives for treason and be done with it.

  10. Re:Ignoring Borders? by dave420 · · Score: 1

    It's not about borders but the jurisdictions operating within them. The EU has very strong data protection laws, the US does not.

  11. Sigh. by ledow · · Score: 1

    Fail to comply: Get sued in the US.

    Comply: Get sued by all the other countries.

    There's a reason that we have jurisdictions.

    Pretty much, even allowing the CAPABILITY for non-EU personnel to access EU data is an offence, which is why the EU side of Microsoft (an entirely different legal entity) cannot allow it to happen without an EU court order, cannot provide credentials that could make it happen, and cannot be seen to assist in any way, shape or form.

    And technically, because the Microsoft US entity doesn't have control of that data, they are then unable to do anything about getting sued into oblivion because what they are being ordered to do is impossible for them to do anything about and the only place that can do anything would be breaking their own laws.

    You want this data, you get the EU courts to order it. Good luck!

  12. Re:Has the data/email ever been access or crossed by ledow · · Score: 1

    If it did, it would be in breach of most of the data protection laws in the EU.

    They are either data processors (which would be very difficult to organise legally across international boundaries) or not (in which case they shouldn't have access to the unencrypted data at all).

    EU laws are much more strict in this, and I can't process any data for my employer outside the EU. Hence things like SurveyMonkey, etc. are off-limits as they are hosted in the US.