Microsoft Fights Search Warrants for Overseas Emails in the Supreme Court

Microsoft's Chief Legal Officer writes about "the landmark Microsoft case that will decide whether the U.S. government can use a search warrant to force a company to seize a customer's private emails stored in Ireland and import them to the United States." On Thursday, 289 different groups and individuals from 37 countries signed 23 different legal briefs supporting Microsoft's position that Congress never gave law enforcement the power to ignore treaties and breach Ireland's sovereignty in this way. How could it? The government relies on a law that was enacted in 1986, before anyone conceived of cloud computing... When the U.S. government requires a tech company to execute a warrant for emails stored overseas, the provider must search a foreign datacenter and make a copy abroad, and then import that copy to the United States. This creates a complex issue with huge international consequences. It shouldn't be resolved by taking the law to a place it was never intended to go...

The U.S. Department of Justice's attempt to seize foreign customers' emails from other countries ignores borders, treaties and international law, as well as the laws those countries have in place to protect the privacy of their own citizens... It's also a path that will lead to the doorsteps of American homes by putting the privacy of U.S. citizens' emails at risk. If the U.S. government obtains the power to search and seize foreign citizens' private communications physically stored in other countries, it will invite other governments to do the same thing. If we ignore other countries' laws, how can we demand that they respect our laws?
Amicus briefs supporting Microsoft have been filed in the U.S. Supreme Court by Ireland, France, and the European Commission and European privacy regulators. Microsoft even notes that on this issue, "Fox News agreed with the American Civil Liberties Union."

Force the company != force the individuals

[Alain+Williams]

The servers are located in Ireland in a data centre staffed by Irish people (or who, at least, live there). Will these people obey an order from a court in the USA and risk the wrath of the court in Dublin ? I would not if I were one of them. I do not know what control Microsoft (USA) has over servers in its Irish data centre, but generally the guy who can touch the machine is the one who makes the final decision; and him, being fearful of the Dublin court, could easily restrict access to anyone outside of their data centre.

No matter what the court in the USA decides, what will happen in reality will be interesting to see.

Re:Force the company != force the individuals

[CaptainDork]

This is not a matter of an American-issued search warrant delivered to person or persons of name, as in individuals.

Microsoft obviously has a pathway to the data in Ireland and there are no gatekeepers blocking that path, at this time.

At issue is custodianship vs ownership vs jurisdiction, and it ain't easy.

This is problem has already been addressed in the case offshore banking.

I think that's where SCOTUS will take this.

Re:Force the company != force the individuals

[Insanity+Defense]

The claim that something is being "imported" from Ireland to the U.S. is rubbish. The claim that this somehow violates Ireland/EU law is absurd, unless you are arguing that a person sitting at a computer in the U.S. is somehow bound by the laws of a foreign country.

Strange you should say that. The U.S. claims exactly that in the case of Gary McKinnon who hacked U.S. computers with off the shelf software. They were trying to extradite him with threats of 70 years hard time in a maximum security prison for his actions in the U.K..

Then there is the case of Dmitry Sklyarov who wrote software in Russia for his employer that was strictly legal but was arrested in the U.S. and charged for his employers sales of it to Americans. Skylarov was not in the U.S. when he wrote the program and had nothing to do with the distribution. Yet he was arrested.

How about Kim Dotcom? Again his breaking of American laws was entirely outside the U.S. but that hasn't stopped the U.S. legal system from persecuting him.

So yes the U.S. has repeatedly claimed computer "crimes" perpetuated by people outside the U.S. are punishable by the U.S.. So why shouldn't other countries do the same to Americans?

Re:Force the company != force the individuals

[Kjella]

The claim that this somehow violates Ireland/EU law is absurd, unless you are arguing that a person sitting at a computer in the U.S. is somehow bound by the laws of a foreign country.

Uh yes? If you hack an Irish server it's most definitively a crime in Ireland. Same if you plan and direct an IRA bombing from abroad, being physically present has never been a requirement. Sure enforcement can be tricky if they refuse to extradite, but that's just a practical problem.

This is a deliberate mis-stating of the issue. Right now, a Microsoft employee, sitting at a computer located in the U.S., can access those servers and find the information that is being requested.

Technical capability and legal permission are not the same. For example we've had doctors and nurses criminally prosecuted for snooping on journals of patients they had no business reading, that they're capable of copying this information doesn't mean they can do so legally. I think anyone who's held root/admin privileges on company servers understands this.

This is done every day as a matter of routine operation, by Microsoft and every other company that has operations in multiple countries.

Exactly, it is routine for employees in one jurisdiction to have access to data held in a different jurisdiction. And all of that is based on contracts and agreements that lets Microsoft US have access to Microsoft Ireland's servers and data within the boundaries of Irish law. The US courts are saying we can force Microsoft US to do whatever we want. The problem is that then they're saying those agreements are worthless, you can't trust an American to honor them because he can be forced by US courts to break them. Which means Microsoft Ireland will be forced by Ireland/the EU to rescind those permissions.

In fact all sorts of cloud/hosting/outsourcing industries could be hit with this, it'd be a total meltdown where the only way you can abide by domestic laws is to have only domestic people working on it. Imagine if India said "That's great we'll do like the US, everything that's outsourced or subcontracted to Indians can now be subpoena'ed under Indian law." and everyone would shit bricks. Which is why I don't understand why the US is pushing for this, if they win US employees and companies will become toxic for global operations.

Re:Force the company != force the individuals

[LowTechSwede]

This case is huge for Microsoft, Google and Apple. If the ruling goes against Microsoft, this likely means that no company with business in EU can use an American provider for emails for their EU employees under GDPR. GDPR which comes into effect in a couple of months has enough teeth to make compliance mandatory. To stay in business in EU, the three big ones would need to separate their hosting of EU data to a separate legal entity not under their control. License technology to a company, spin off the company and list it on a EU stock exchange or something similar. Sharing of data for interoperability then becomes a problem that has to be solved. This would not be unsolvable, but likely expensive and leading to service degradation in many ways. EU Governments would probably not be unhappy with this turn of events, but a large number of businesses will suffer in the short term, though none as much as Microsoft and Google.

Perhaps another country can try it.

[dwywit]

Lodge a warrant with the local MS subsidiary for some data stored on MS USA server/s, and see what happens. Put the shoe on the other foor and see how the USA DoJ reacts.

Re: They're going to lose

[Sique]

If the U.S. prosecution has its way, then the E.U. will simply forbid any foreign owned company to operate any data in the E.U.. The High Court of the E.U. already invalidated the "Safe Harbour" agreement with the U.S. because of the way the U.S. handles data of foreigners. In the end, Microsoft Ireland will have to become a separate entity, independent of Microsoft U.S., and only a contract between Microsoft U.S. and Microsoft Ireland will allow Microsoft U.S. access to data stored in Ireland, with an arbiter resident in Ireland deciding case by case if the access is to be permitted or not by handing out a digital certificate granting access and being revoked at any time the arbiter sees fit.

In a case like this, the certificate necessary to access said email would long have been revoked, and only with a formal request to the Attorney General and the Data Protection agency of Ireland, the U.S. prosecution would be able to get a new one granting access to the email they want.