A controversial district court ruling ordering Microsoft to turn over customer e-mails stored in a data center overseas to U.S. federal authorities as part of a criminal investigation is raising concerns about the power of the government to obtain electronic data stored overseas.
The case centers on a search warrant that New York Magistrate Judge James Francis issued in December 2013 to obtain e-mails from a user account hosted by Microsoft on a server located in Ireland. Microsoft refused to turn over the e-mails, arguing that electronic content stored overseas extends beyond the reach of domestic search warrants.
“This is bigger than just a U.S. issue, because if the United States is able to get data stored abroad with a domestic search warrant, then I think we’re going to see a lot of countries around the world following that lead,” Michael Vatis, a partner with the law firm Steptoe & Johnson, says.
Cloud companies, for example, could face numerous demands from foreign countries to turn over data, regardless of where it’s stored. “That could lead to conflicts of law that become very difficult to navigate,” Vatis says.
Preet Bharara, U.S. Attorney for the Southern District of New York, argued in the case that the location of the data is irrelevant. “Overseas records must be disclosed domestically when a valid subpoena, order, or warrant compels their production,” he wrote in a reply brief to the court.
In April, Francis ruled in favor of the government: “It has long been the law that a subpoena requires the recipient to produce information in its possession … regardless of the location of that information,” Francis wrote.
On July 31, U.S. District Judge Loretta Preska for the Southern District of New York agreed, upholding Francis’ ruling and ordering Microsoft to turn over the content of the customer’s e-mail.
The case, currently on appeal in the Second Circuit, appears to be the first to uphold a domestic search warrant seeking electronic content held abroad. “To my knowledge, this is the first case seeking the content of e-mail traffic stored outside the United States,” says Craig Newman, managing partner at law firm Richards Kibbe and Orbe.
The ruling could strike a blow to current views on data privacy and the law. The 1986 Stored Communications Act, for example, prohibits service providers “from knowingly divulging the contents of any communication while in electronic storage by that service to any person other than the addressee or intended recipient.” When Congress enacted the SCA more than a quarter of a century ago, however, cloud computing and data storage centers didn’t exist.
“Now we find ourselves grappling with emerging technologies that have so far outpaced the law,” Newman says. “As the Microsoft case demonstrates, it’s a tall order to shoe-horn traditional search and seizure law into a digital world where everything is global, and the Internet has broken down traditional borders and notions of geographical and physical jurisdiction.”
Elad Yoran, CEO of cloud data encryption company Vaultive, says the ruling has “tremendous implications” on cloud computing. As more companies contemplate migrating their IT systems to the cloud, “this ruling will make businesses, especially international businesses, think twice before doing so,” he says.
Prior to cloud computing, when government agencies wanted access to corporate data, they would obtain it directly from the companies by presenting them with a subpoena or search warrant. That enabled the company to go through the necessary legal review process.
When a court compels a cloud provider to turn over data, on the other hand, the company doesn’t have an opportunity to seek legal advice. “What we’re seeing, in essence, is a ping pong match that’s taking place between governments around the world and cloud providers,” Yoran says. Cloud providers can disclose data to the government “without the business having a seat at the table,” he says.
The problem is that neither the government nor the cloud provider controls data, Yoran adds. “It should be the organization that owns the data controls the data,” he says. “They need to be the ones at the table.”
The potential breadth and scope of the ruling has sounded alarm bells at several U.S. technology companies. AT&T, Apple, Cisco Systems, and Verizon have all filed amicus briefs in support of Microsoft’s challenge of the ruling.
“U.S. technology companies are now concerned, and rightfully so, that Judge Preska’s ruling could extend beyond customer e-mail traffic and reach other information,” Newman says. “What about proprietary or confidential information stored by a corporate customer in a foreign cloud? These are the types of questions that are keeping the lawyers up at night.”
Web of Laws
The Microsoft ruling, if allowed to stand, likely will incite “outrage” from officials in the European Union, Vatis says, because it steps on the toes of the EU’s stringent data protection and privacy laws. “That is really going to be a sore spot when it comes to diplomatic relations and law enforcement cooperation between the U.S. and EU countries,” he says.
The ruling may even influence how the European Union develops, and ultimately implements, the new data protection regulation it’s currently considering, Vatis says. The regulation could end up explicitly stating that service providers cannot turn over EU information to a non-EU government, unless the request for the information comes through an EU government agency, he says.
MOTION TO VACATE
Below is an excerpt from the Justice Department’s Motion to Vacate in the Microsoft case.
The government respectfully submits this memorandum in opposition to the motion of Microsoft Corporation to vacate a sealed warrant directing it to produce stored records under its custody and control, as required by the Stored Communications Act.
Microsoft’s motion is premised on the misimpression that, because it allegedly has chosen to store certain records overseas, it need not comply with a warrant issued by this Court under the authority of the SCA and in full compliance with the procedures set forth in Rule 41 of the Federal Rules of Criminal Procedure.
In pressing this argument, Microsoft errs on multiple levels. First, nothing in the text or structure of the SCA permits U.S. service providers to avoid compliance with compulsory disclosures mandated by statute simply by storing the data abroad.
Second, longstanding precedent requires the production of all records controlled by a party who receives compulsory process in a federal criminal investigation, regardless of where the records are stored physically.
Third, Microsoft’s attempts to impose limitations on an SCA warrant by analogizing to warrants providing for the search and seizure of physical evidence are misguided, as warrants directing service providers to produce records pursuant to the SCA are fundamentally different from search warrants authorizing law enforcement to enter physical premises and seize evidence.
Fourth, Microsoft is wrong to describe a warrant compelling disclosure of records by a U.S. service provider under the SCA as ‘extraterritorial’ as the subject of the warrant is the service provider, not a physical location abroad.
Fifth, policy considerations weigh heavily against Microsoft’s position, which serves as a dangerous impediment to the ability of law enforcement to gather evidence of criminal activity. Accordingly, the motion should be denied, and Microsoft should be directed to comply with the warrant.
Source: Department of Justice.
In Ireland, where Microsoft maintains a significant presence, Irish law states that the government may require a cloud service provider to disclose customer data through a search warrant, which a judge may issue based on reasonable grounds that the data contains evidence relating to a serious offense.
Furthermore, so long as the Irish government can assert jurisdiction over the entity, Irish authorities can require the production of customer data from a cloud server located in another country but under the entity’s control. The Irish government, thus, can require a cloud service provider to obtain data from both domestic and foreign servers.
Some countries already have enacted laws requiring that personal data about their citizens be hosted locally. Russia, for example, just recently passed a law requiring that personal data of Russian citizens be stored in Russia. It takes effect in 2016.
“This means that any foreign companies that have data about Russian customers, for example, will now need to store that personal data in Russia,” Vatis says. “And Russian companies that use a cloud storage service that stores data outside Russia will need to move their data inside Russia.” Brazil and Germany also have talked about enacting similar localization laws, but haven’t done so yet.
Every cloud has at least one silver lining—and in the cloud computing world, that silver lining is encryption. Encryption transforms readable data into ciphertext by means of an algorithm and a secret key, so that only a party holding the key can recover the original content.
Yoran says companies that depend on cloud providers like Microsoft to store their data can protect themselves from having their private data exposed in the course of a criminal investigation by encrypting the data before storing it with the cloud provider and retaining ownership of the encryption keys.
Without encryption, the data is “naked and can be exposed,” Yoran says. When the data is encrypted and the provider holds no keys, law enforcement authorities have no choice but to approach the company directly to obtain the keys that unlock it, which lets the company go through the appropriate legal review process and ensures that the company doesn’t have its head, well, in the clouds.
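The key-ownership model Yoran describes, as an added example that is not from the article or from Vaultive: the customer encrypts each object with AES-256-GCM under a key it keeps, and the cloud provider stores only the resulting envelope, so a request served on the provider yields ciphertext it cannot open. The object label and message body are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is all the provider holds: ciphertext, public nonce and label. The key stays with the customer.
type Envelope struct {
	ObjectID   string // provider-visible label used to index the object (not secret)
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts before upload; the object ID is bound as associated data so the blob cannot be relabelled unnoticed.
func Seal(key []byte, objectID string, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil { return Envelope{}, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Envelope{}, err }
	return Envelope{objectID, nonce, gcm.Seal(nil, nonce, plaintext, []byte(objectID))}, nil
}

// Open decrypts a fetched envelope; without the customer's key GCM authentication fails and nothing is released.
func Open(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.ObjectID))
	if err != nil { return nil, fmt.Errorf("decryption failed (caller does not hold the customer key): %w", err) }
	return pt, nil
}

func main() {
	key := make([]byte, 32) // customer-held key; in practice lives in a customer-controlled HSM or KMS
	if _, err := rand.Read(key); err != nil { panic(err) }
	env, _ := Seal(key, "mailbox/msg-0001", []byte("constructed sample e-mail body"))
	_, err := Open(make([]byte, 32), env) // provider side: has the blob, not the key
	fmt.Println("provider-side decrypt:", err)
	pt, _ := Open(key, env)
	fmt.Println("customer-side decrypt:", string(pt))
}
```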