How far should an American warrant go? U.S. Supreme Court will hear the Microsoft Ireland personal emails dispute

 

By:

Gregory P Bufithis
Founder/CEO
InfoTech Europe
 
 
(with contributions from Tom Debendetto, who has been tracking the case since it began in 2012)

 
 

16 October 2017 – The infamous MICROSOFT IRELAND data protection case is going to the U.S. Supreme Court: the clash between the demands of law enforcement and the companies’ desire to shield the information they collect to protect their customers’ privacy goes to the top table. And Federal prosecutors await the result: can they force technology companies to turn over data stored outside the United States?

A summary of the case

Just to be brief (five points from my longer brief on this subject):

  1. The case (United States v. Microsoft, No. 17-2 on the Supreme Court calendar) arose from a federal drug investigation. Prosecutors sought the emails of a suspect that were stored in a Microsoft data center in Dublin. They said they were entitled to the emails because Microsoft is based in the United States.
  2. A federal magistrate judge in New York in 2013 granted the government’s request to issue a warrant for the data under section 2703 of the Stored Communications Act, a 1986 federal law. Microsoft challenged the warrant in 2014, arguing that prosecutors could not force it to hand over its customer’s emails stored abroad.
  3. A three-judge panel of the United States Court of Appeals for the Second Circuit, in Manhattan, ruled that the warrant in the case could not be used to obtain evidence beyond the nation’s borders because the 1986 law did not apply extraterritorially. In a concurring opinion, Judge Gerard E. Lynch said the question was a close one, and he urged Congress to revise the 1986 law, which he said was badly outdated.
  4. The government asked the full Second Circuit to rehear the case, but the court deadlocked by a 4-to-4 vote. In dissent, Judge José A. Cabranes wrote that the panel’s decision had restricted an investigative tool used thousands of times a year while failing to “serve any serious, legitimate, or substantial privacy interest.”
  5. In urging the Supreme Court to hear the case, the Justice Department said nothing should turn on Microsoft’s business decision to store data abroad that it “can access domestically with the click of a computer mouse.” The panel’s ruling, the department’s brief said, “is causing immediate, grave, and ongoing harm to public safety, national security, and the enforcement of our laws.”

Microsoft’s position

Microsoft’s position is pretty simple. In its response (full copy here), Microsoft told the justices that it is up to Congress to revise the 1986 law and noted that both houses have recently held hearings to consider overhauls. A ruling upholding the warrant, the company warned, would embolden foreign countries to seek the emails of Americans stored in the United States.

Microsoft added that the DOJ’s position posed a threat to technology companies by requiring them to choose between complying with a warrant and disobeying foreign laws:

“These conflicts can place U.S. companies in the untenable position of being forced to violate foreign privacy laws to comply with U.S. warrants. And the growing privacy concerns of customers around the world mean that granting U.S. law-enforcement agencies that broad authority would hamstring U.S. companies’ ability to compete in the multibillion-dollar cloud computing industry.”

And this case is part of the broader clash between the technology industry and the Federal government in the digital age, for instance the Apple battle with the F.B.I. over helping investigators break into a locked iPhone that had been used by a gunman in a mass shooting.

 
 

Some random thoughts

Disputes between leading technology companies and the Justice Department have become increasingly common. In fact, just last month Google announced it would not contest new warrants for overseas data – as long as they are made outside the Second Circuit.

In fact, that was according to the DOJ in a reply brief issued as part of the very ongoing battle between the U.S. government and Microsoft. The DOJ said Google has altered its previous position after a series of unsuccessful challenges to warrants issued to it for overseas data (in Europe), which include an August ruling in a California federal court and a February ruling by a magistrate judge.

In its brief, issued this week, the DOJ said:

“In the wake of those decisions, Google has reversed its previous stance and informed the government that it will comply with new Section 2703 warrants [the same Section in contention] outside the Second Circuit.”

NOTE: I will leave for another day the issue of whether this means that Google can look forward to some exceedingly large fines in the EU under the GDPR: 

“Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater.”

And the other unspoken issue, as one of my ex-Google engineer friends said: “look, we’ve been a front for spies for as long as we’ve been a search engine. This merely gives the rest of the world good formal pretext to treat them accordingly.” It’s the same reason the NSA loves Facebook and taps into it: 2 billion plus people with an amazing array of connections they’d spend months to configure. Zuckerberg has done all the work for them.

When I first got involved in the Microsoft case, frankly, I never understood it. There have been rules in effect for decades on getting this information: you petition the Irish courts (in this particular case) with the assistance of the local authorities and if the case has any merit, the information will be given to the local authorities and they will hand it over to the US. It would have been much quicker and have caused a lot less fuss.

NOTE: Microsoft has attempted to fix this by making sure local data custodians are required to approve access requests, i.e. someone based in the U.S. doesn’t have the access rights to get EU data without the appropriate EU approvals.

But then I quickly realized it was really about “Team America: World Police”. The U.S. government needs it acknowledged that U.S. law applies globally, which is what it has tried to pretend to date – despite growing evidence to the contrary. One example is the World Trade Organisation decision back in November 2004, which decided that U.S. Federal and state “global laws” breached the General Agreement on Trade and Services, albeit in a somewhat minor online gambling dispute.

Yes, a bit of the obvious. The U.S. government wants to intimidate these people into breaking the law for them, and tell the hold outs to do the same. The U.S. could get all this data if it wanted by cooperating with the countries the servers are in. But, no. Far easier to strong arm their own companies rather than ask for help no matter how willingly it would be rendered.

And, hey. It is not as if the DOJ is ethical. Most salient point: FBI agents stole the data disks in the Kim Dotcom extradition case and breached a court order by removing them from New Zealand to the U.S. … after a high court judge had explicitly ordered that they not do that. And the said judge was unimpressed because when he was told of the theft for some reason he did not declare the prosecution’s case null and void.

To be fair, a few points:

  • The underlying issue in the Google case I referenced above is that despite this being very questionable under EU data protection law, Google can relocate the data to be processed to the U.S. without the explicit consent of the data subject. It is based on the umbrella consent in their end-user agreement (come on, surely you always read your “Terms of Service” agreement!). This is the basis of the DOJ argument in their cases. Rather unsurprisingly, the DOJ has won this one every time so far. It just asks for the data to be relocated and now has full subject access.
  • Microsoft was slightly smarter (or dumber; depends on the viewpoint). Its end-user agreement actually does not allow for this. Thus, Microsoft claims that it cannot relocate the data from Ireland to the U.S. without the subject’s consent, and while in Ireland it is under the governance of Microsoft Ireland and thus not subject to U.S. law. The DOJ as a result tried to argue that Microsoft Ireland, which is an Irish company, is subject to U.S. law as a wholly owned subsidiary. That rather unsurprisingly did not fly up to now.
  • But in Microsoft’s defense, if you really care about it, Microsoft offers a “bring your own keys” option with secure HSMs where even Microsoft can’t access your encrypted data. (A hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto-processing).
  • So all it will take for Google to get off the hook is to make its EULA legal per EU law. Not for the present case because they are already on trial (facto has already been established), but for the future.  It is illegal as per the most recent changes to it which prohibit change of jurisdiction for dispute resolution to outside EU …. oh, and a whole raft of other things. Too much for this post.
 

The effects already

This case is already trickling through the corporate world. There are hundreds of email providers that are not located in the U.S. or affiliated with any U.S. company, and many corporate law departments are telling their clients “switch to a non-U.S. provider”. I can see a huge disadvantage to sending or receiving emails via Google or any other U.S. service provider when communicating anything you want off U.S. radar. And in the e-discovery world, while artificial intelligence advances make it easier to find stuff, they are also making it far easier to hide stuff. More in a subsequent post.

My own preference would be for the DOJ to use mutual legal assistance treaties where they exist, and in particular in the Microsoft case in Ireland. However, it is fairly clear that there is more complexity to the issue than is commonly noted in public discussion. Orin Kerr has discussed some of this in a number of Washington Post articles.

It also is clear that many corporations are setting up businesses in the U.S. to operate servers in a foreign country in such a way that the U.S. owners and operators are immune from these warrants (because the data are stored outside the U.S.) and the country where they are stored has no capability to produce the stored data (for instance, because nobody in their jurisdiction has access to a necessary decryption key). Some are finding this desirable, but it is not clearly good public policy to give such aid and comfort to criminals and others for whom law enforcement officials can justify search warrants.

 
 

The more interesting questions …

So … the U.S. Supreme Court decides to side with the DOJ. What happens when Moscow based employees disclose the data on all US citizens without leaving their desks? Or Beijing based employees? Or Paris based employees? Or [fill in country]. Microsoft, Google, etc. are also corporations registered according to the laws of these countries, with rules and regulations they must comply with.

And I can almost guarantee there will be a diplomatic incident when the shoe is on the other foot, when a country requests data on American citizens held outside their territory. My guess? One rule for the U.S., and another for everyone else.

The gorilla NOT in the room

 

But note the Goliath missing:  Facebook. Why? Ah.  Now you have the crux of data and globally distributed networks, a point made by Andrew Woods and Orin Kerr.   If you read the Second Circuit majority opinion and the concurring opinion what you have is a statement that states have the authority to regulate the data stored on disks in their territory … but nothing beyond that.

I spend a lot of time in the TMT zone (technology-media-and-telecommunications) and this is called the “data-location-centric test”. Highly welcome if your network is structured around state lines – AT&T, Verizon, Microsoft’s country-specific cloud offerings (which will now increase), etc.

Ah. But what about those networks independent of state lines? How about those networks where the data is located in the U.S. or Europe or “somewhere in the network”. You know: a firm like Facebook.

Such a rule as I outlined hurts them because they structure their network largely independent of state lines.  There are scores of legal cases in Europe (and elsewhere) where U.S. tech firms have argued that their data is in the U.S., even if it is really pinging around a globally distributed network.    They rely on a control test to determine jurisdiction.

This Microsoft case rejects such a test and thereby gives a competitive edge to firms, like Microsoft, that have built networks along country lines. For a more in-depth look I recommend an excellent law review article titled Against Data Exceptionalism by Andrew Woods  which addresses these issues of how major Internet companies like Google and Facebook argue that “data is different”. Data is “un-territorial,” they argue, and therefore incompatible with existing territorial notions of jurisdiction.

I suspect the Microsoft Ireland case decision will have quite complex implications. The policy and legal decisions made in its wake will determine whether the opinion is ultimately an advancement of or a blow to privacy and innovation on a global Internet. Ultimately, this decision may have more impact on Internet innovation and development than it does on preserving privacy.

 
